With that in mind, Motorola Inc. has turned to Web-services security startup Forum Systems Inc. as it morphs hundreds of IT processes into Web services. Motorola is deploying Forum's Sentry Web Services Security Gateway to provide secure transactions and authentication. Forum is expected to announce the deal shortly.
Motorola also is using Forum's XWall Web Services Firewall, which works much the same way as traditional application firewalls, albeit specifically for Web-service transactions. "It's helping us manage those operational requirements in a way that's optimized for the Web-services architecture. We don't have to worry about the regular firewall not having that [capability]," says William Boni, VP and chief information security officer at Motorola.
Cyberthreats are changing, Boni says, so it's more critical than ever to secure IT initiatives from the start. "We can no longer assume that it's hobbyists and hackers having fun," Boni says. "We're talking about significant customer and consumer information, things that can have a real financial impact. And all of that could be at risk if you don't put the right safeguards in place."
The modular nature of Web services presents a security challenge, potentially leaving companies that don't plan carefully open to attack, says Pete Lindstrom, research director at Spire Security. "And it'll be much more expensive trying to retrofit security later in the process than in the beginning," he says.
The risks include hackers placing malicious content within messages or infiltrating backend systems through misconfigured applications. "You have to absolutely build in the security upfront," says Toby Redshaw, Motorola corporate VP and director of IT strategy, architecture, and E-business. "You can't build a house out of concrete, and later have to add the plumbing because you forgot."
Motorola is adopting Web services to add efficiency to software development. "How many times should code be written to authorize credit-card payments online?" asks Redshaw. "Every piece of code requires licensing and someone to maintain it. If we can take 50 processes and turn it into one that can be reproduced, that's a powerful thing."
That promise, however, can only be realized if the approach remains secure. Says Redshaw, "The quickest way for me to kill the momentum around moving this company to a service-oriented architecture would be to have some failures on the security front."