The Navy, meanwhile, has decided to adopt security assertions markup language (SAML), an emerging standard that supports authentication and authorization of end users. As a member of the Oasis standards body, the Navy has been involved in the development of SAML. "Based on what we know, we think that's a good choice," says Monica Shephard, director of command, control, communications, computer and combat systems for the Navy's Atlantic Fleet. Because Navy personnel are stationed around the globe and support contractors require access to both classified and unclassified information, Shephard says a standard sign-on capability managed as a reusable Web service is essential to ensure that everyone who needs access gets it. And that those who don't, don't.

If the market takes a different tack and the Navy decides to change protocols, Shephard would follow change management policies set out by the Navy's CIO, David Wennegren. To facilitate technical changes, the Navy has spent about $1 million to develop what it calls a "portal connector," a middleware layer that lets the Navy substitute standards or data definitions without forcing changes to user services or to underlying databases. Shephard has already been through one forced technology change - the choice to adopt new portal software, made by managers of the Navy's enterprise network, the Navy Marine Corps intranet. With that experience behind her, she is confident that she can change Web services standards successfully, if need be.

RISK NO. 2: The lack of standards breeds complexity.
MITIGATION: Support multiple standards for now.

The users of my information and my services and my architectures are frequently disconnected, often have extremely small bandwidth, and have to do business in real-time with organizations that are dispersed globally," says the Navy's Shephard. A big benefit of Web services is that those disparate groups - whether a land-based command center or a battleship - can easily access centrally managed data. But there's no consistent way to deliver that information through the many proprietary portal platforms Navy users have deployed.

A standard called Web services for remote portals would provide a common way to plug Web services into any portal, but it's still under development by Oasis. As part of the Navy's coping strategy, it's using its market power (the Navy spends $1 billion a year on its intranet alone) and influence with standards organizations to cajole vendors into supporting as many of the emerging standards as possible. The Navy calls its strategy "vendor neutrality" because it presumes infrastructure vendors will eventually provide products that will work with any standard and therefore will be easy to integrate.

"It's a difficult strategy for the short term, and the most powerful strategy for the long term," says Shephard. In the short term, Shephard's staff has to put extra effort into making Web services work in a nonstandard environment and keep up with technical details. The alternative - picking a few software products that every Navy unit would use - would ultimately be a more difficult strategy to execute, says Shephard, because it would risk getting stuck with proprietary software. "Then we would be tied to a single view change and a single company's ability to generate new and inventive ideas," she adds. In the meantime, the Navy is using its portal connector to facilitate integration between Web services and proprietary applications.