Some companies experimenting with Web services over the Internet are doing so only with established business partners, skirting the issue of creating on-the-fly contracts and connections with unknown partners. Security becomes less of an issue if you are dealing with a limited number of users, says Perry Cliburn, CIO of early Web services adopter Hewitt Associates. The Lincolnshire, Ill.-based human resources outsourcer offers 401(k), health plan management and data exchange via Web services to five of its customers and two third-party service providers. While some companies are offering secure Web services by setting up VPNs to essentially bring the user behind the company's firewall, Hewitt wanted to do Web services as close to the textbook - using the public Internet, that is - as possible, Cliburn says. "We could have bypassed the Internet and had a unique pipe that was a lease line, but we had to figure out how to do it [over the Internet] anyway," he says. Hewitt's Web services authenticate users based on private and public-key infrastructure (PKI) certificates, which are embedded in headers. According to Cliburn, all requests are made and responses given over an SSL-encrypted channel, and each Web services request is authenticated using a digital signature embedded in the header.

That solution results in the proverbial good news and bad news. Tim Hilgenberg, Hewitt's chief technology strategist for applications, says that it is a great way to tell client A from client B. The bad news is that it makes sense when you have a client A and a client B, and not an alphabet of other clients. The necessary protocol that describes what a particular application actually does (known as Web services description language, or WSDL), however, doesn't support PKIs: The PKIs have to be hand coded, which Hilgenberg says "is easy to manage with a couple of services. But if you have 1,000 services [across a set of clients] you don't want to be touching it by hand. That just isn't cost-effective."

Turning to the big picture, in all likelihood the security standards will be ready for one-off Web services - such as getting a buyer's credit card verified for a one-time sale - before you are. In the meantime, a handful of startup vendors, such as Grand Central Communications and Flamenco Networks, are willing to serve as third-party authenticators for CIOs looking to get an early jump on the competition. But in a space this new, many CIOs are reluctant to trust a startup - particularly one whose role depends on vendors' inability to agree on security standards.

The Reliability Runaround

In a recent speech, Joseph Williams, global chief architect for Sun One professional services in Denver, summed up Web services' other weaknesses as "all the '-ilities," listing reliability and scalability as the chief culprits, but leaving the door open for others.