Enabling Trusted Web Services

Web services are demonstrating their value and exhibiting the potential to substantially enhance enterprise productivity and reduce operating costs. But they will never reach their full potential without two things: trust and security. That's because Web services are based on open, dynamic exchange of valuable data and services. But for everything to work the way it's intended, those deploying Web services must be able to ensure that the data or services being exchanged are kept confidential, secure, and reliable.

To deploy trusted Web services, you really need five things:

  • High availability: The Web services must be easy to find using public or private directories.
  • Privacy: Communications absolutely must be safe from eavesdroppers.
  • Data integrity: Data exchanged by Web services must be safe while in transit.
  • Authentication: Web services must positively identify the services with which they communicate.
  • Authorization: Web services must intelligently restrict access to sensitive data and functions.

There are a number of standards and specifications floating about right now that attempt to address each of these specific areas. Most notably, VeriSign, Microsoft, and IBM recently co-authored a spec called WS-Security that attempts to add a layer of security to SOAP messages. WS-Security will serve as the foundation for a number of subsequent specifications the three companies hope to sponsor, including WS-Policy, WS-Trust, WS-Privacy, WS-Secure Conversation, WS-Federation, and WS-Authorization. Some of these names may change, but this roadmap does show a strategic approach to building out the standards and technology for enabling trusted Web services.

It will be critical, however, to keep the industry on track. No significant Web-based technology has taken off without addressing security issues in some way. During the past decade, VeriSign spurred the first wave of secure Internet commerce by embedding the VeriSign Trust Root in all the major Web browsers.

We must be just as diligent in trying to embed elements of trust and security into the fabric of Web services infrastructure. Loosely coupled applications must be able to make critical determinations at runtime, such as whether to entrust an inquiry, reveal strategic data, or invoke contingent services. In addition, application users who do not know one another must have access to a secure payment mechanism that allows them to pay for services that operate via the Web services platform. Finally, enterprises must provide a mechanism that allows applications to easily locate one another across the Internet and determine their suitability for interaction based on predefined criteria.

To meet these requirements, there must be an underlying trust infrastructure that is dynamic, reliable, and easily accessed by many applications. This infrastructure and the digital trust services that it provides must be integrated into Web services at both the network and application levels, enabling enterprises to securely utilize existing technology assets while participating as fully as possible in the emerging digital economy.

A number of industry players, including VeriSign, IBM, Microsoft, Sun, Oracle, and BEA, are currently cooperating to make it easier for developers and partners to create or resell trusted Web services by providing a single resource for integrating digital trust services into Web services architecture. It's early yet, but the idea is that developers will be able to easily integrate digital trust services into their Web services using a single, unified API, which is currently provided in VeriSign's Trust Services Integration Kit. So far, there have been more than 2,000 downloads of this kit from www.xmltrustcenter.org, indicating tremendous early interest in trusted Web services.

In any case, efforts to integrate digital trust services across all major Web services platforms will continue, and work on standards and technology will move forward. If they don't, and the industry doesn't adequately address issues of trust and security, Web services will be dead on arrival.

More Stories By Phillip Hallam-Baker

Phillip Hallam-Baker is principal scientist and Web services architect
for VeriSign, Inc., and is responsible for driving and delivering key
security specifications and technologies through industry-recognized
standards bodies and other organizations. Phillip is the coauthor of
the XML Key Management specification, which marries XML
and PKI technologies for higher levels of e-commerce security. He
also coauthored the WS-Security specification with Microsoft and IBM.


Most Recent Comments
Alice 09/30/02 03:38:00 PM EDT

Great article Phillip!