Welcome!

Microservices Expo Authors: Elizabeth White, Aruna Ravichandran, Pat Romanski, Liz McMillan, Cameron Van Orman

Related Topics: Microservices Expo

Microservices Expo: Article

Rogue Web Services

Risks and success strategies

Like the hero of a Greek tragedy, Web services' most compelling advantages are simultaneously its most serious dangers. Web services have passed the initial hype cycle. The convergence of industry support, ease of use, and the desire for cost-effective solutions for integration and services-oriented architectures (SOA) has made it a popular choice for architects, developers, and integration analysts, with numerous projects underway. Web services technologies are making inroads within organizations in much the same way Web site technologies proliferated. However, the benefits of loose coupling, decentralized development, and support for heterogeneity - rapid grassroots development of Web services with flexible, agile architectures - introduce a multitude of new issues organizations must address to prevent the negatives from outweighing the positives. Security, reliability, and performance are all critical issues to be specially managed in a Web services environment. This article looks at "rogue Web services," already a growing concern in IT, particularly for organizations that have not applied top-down governance on usage.

Rogue Web Services
A rogue Web service (RWS) is a Web service that's out of control. It might be perfectly benign, but unsanctioned by IT. Or it might be intentionally malicious - either attacking your systems or squatting and consuming your resources. It might even be an officially sanctioned service that unintentionally starts hammering other Web services due to a coding bug. Of course, even the most benign rogue service could turn up in the last category at any time - almost by definition it hasn't gone through the same QA or testing as production code.

Perhaps the most compelling reason RWS threaten to become a significant danger is the ease with which they can be created. Although veterans of earlier large-scale distributed technologies, such as DCOM and CORBA, frequently disparage Web services, those were very complex systems requiring a fair amount of knowledge and programming skill to deliver a functional application. In addition, distributed object technologies were never able to break out of their silos. The prime differentiators between these systems and Web services are the ease with which a Web service can be constructed to perform fairly sophisticated tasks, and the loosely coupled nature of Web services technologies. These significantly lower the barriers to entry for both the technical know-how for building a Web service and the time required to get a new service initiated or integrated with an existing service. And that significantly increases the number of people capable of building an RWS.

Unsanctioned internal Web services, particularly clients, but servers as well, can arise on any computer accessible through HTTP. It takes relatively little programming skill to execute a Perl or Python script in a Command shell to listen for requests on a particular port, do some additional processing, and return the results. From there, it's also possible to create a Web service client that creates messages for a variety of Web services and coordinates the result. These are often called "composite" Web services, but despite becoming a buzzword they are scarcely more difficult to build than ordinary ones, especially if you don't worry about making them safe.

The primary means of describing a Web service, WSDL, is a fairly easy-to-read interface definition language. Unlike CORBA or ASN.1 stub generators, an astute programmer can easily generate a stub from the description, and there are many easily available generators for common programming languages. Even where that is not available, a message itself is often self-explanatory - a new message can be "cloned" from an old one just by replacing bits and pieces.

The barrier is even lower when Web services are easily integrated into the latest versions of popular desktop software, such as Word macros, Excel spreadsheets, and PowerPoint slides. There is explicit Web service support in MS Office 2003, but it is possible to access Web services through macros and extensions in earlier versions. Given an RPC-style service, a stub only needs a URL, a function name, and a list of parameter names, types, and values, to create a SOAP message. For simple return values, little is needed beyond simple pattern matching to retrieve the answer. A PowerPoint slide set containing a Web services call made publicly available could generate a request every time a particular slide is viewed.

Once a Web services message is prepared, it moves along one of the most ubiquitous and familiar protocols created - HTTP. Many programming languages already have libraries to create HTTP messages, but it is easy to create an HTTP message by hand and send it along a socket. From a programming perspective, it is a simple request/response requiring very little code.

So we see that Web services lower the barriers to entry for the construction of distributed applications for legitimate developers and users as well as for illegitimate ones.

Risks Associated with Rogue Web Services
Rogue Web services traffic is more difficult to protect against than random traffic because much of the danger is in information targeted at the application level that cannot be filtered at the IP level the way traditional firewalls can. It is quite possible for rogue traffic to originate behind the firewall from people in your own IT shop or even from end users. Also, RWS cannot be identified just by source and destination IP - it may be that the message is coming from an RWS at a partner location, so it's important to cut off just the aberrant user, not the entire site. The destination host may contain any number of Web services through information not accessible at the IP or even Web server proxy level. While the server may recognize the URL, the actual identity of the operation being invoked is in the contents of the message, requiring a level of filtering capable of looking at application- level information.

RWS, even of the most benign sort, represent a threat to a company's ability to control its own destiny. Even avoiding, for the moment, the worst possible abuses, unknown Web services can create a considerable drain on network resources. Allowing unimpeded grassroots development of Web services without any centralized attempts at standardization can lead to significant duplication as well as many avoidable mismatches among Web services. While the flexibility of the Web services SOA makes it much easier to deal with independently developed Web services, a small investment in shared design can go a long way to avoiding extra work in the long run. Therefore, it is important for an organization to control the set of technologies used.

As many Web services are a thin layer over existing applications, once access to a Web service spreads beyond the approved users, the damage can be as bad as any other kind of intrusion. The intruder can have the same kind of impact as anyone who has logged into your system. As more functionality becomes accessible through Web services, such as management and provisioning, there won't be much that can't be done using Web services. Worse yet, if your security credentials, such as private key, are stolen, then it is not just your internal systems that are compromised, but your expanded Web services environment as well, including fee-based services.

Success Strategies
Every organization is different. The most successful strategies depend not only on the technologies that are being used but also on the people and organizations involved. Organizationally, many IT groups deal with the rogue service issue through top-down governance, usually by an architecture and standards body. These groups define the ground rules for how services are created, what standards should be followed, and the rules that are required for corporate and industry compliance. In other organizations, governance of Web services is enforced by the CISO or associated security group. In still other organizations, it may be defined and enforced by the IT operations group. More often than not, all of these groups are somehow involved in defining the minimum security, monitoring, and management requirements for WS development, deployment, and management.

Many tools are in existence for detection, enforcement, and management of the XML Web service environment. A variety of sniffer tools are available for detecting XML and SOAP traffic, many of them free. Using simple rules, you can determine if the traffic is unsanctioned and fire off the necessary alert. Firewalls and other proxies can also be configured to perform content inspection, although they may lack sophisticated rule sets and the performance for more robust environments. UDDI directories and other service directories can be used to store sanctioned Web services to help ease management. A new class of product called XML Firewalls and Web Services Management (WSM) platforms can be used to address the security, monitoring, and management of services. These products are typically noninvasive and help detect and address RWS while providing a management framework and set of tools to enforce top down governance requirements. Many analysts agree that a fully integrated XML firewall and WSM solution provides, among many other benefits, the best solution for enforcement and ongoing administration for RWS.

Nevertheless, an important part of the value of Web services is lost in a regime that is strictly maintained. Not all Web services are made equal, and infrastructures that don't appropriately distinguish between the varying requirements will veer unacceptably in one direction or another. An effective regime will be able to distinguish between core and periphery, where the core represents the bottom tiers of client/server architecture, and the periphery represents Web service clients. Another important distinction is among services that cause dynamic updates to information or consume significant resources (such as money), and those that don't and may be simply informational. Rather than taking an overly restrictive stance, tools can be used to create policies to adaptively manage Web services traffic so that important systems are only accessible from approved clients, but others can be accessed in a more relaxed fashion with content filters at the periphery to inspect outgoing information.

The proliferation of RWS is not necessarily a bad sign. In fact, it might be said that this is an indication of the benefits that Web services provides organizations today. However, there are associated risks when Web services traffic is not appropriately controlled. A combination of managing the proper procedures and controls mixed with the appropriate technologies can enable any organization to realize the full value of Web services while minimizing the security and cost risks.

More Stories By Matthew Fuchs

Dr. Matthew Fuchs is a member of the technical staff at Westbridge Technology. Previously, he was chief scientist for XML Technologies at Commerce One, and pioneered the theory and practice of using domain-specific languages in XML and SGML for distributed applications and agent-oriented communication over the Internet. At Commerce One he developed a variety of XML technologies, including SOX, the first implemented, publicly available, object-oriented Schema language and parser for XML

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
We all know that end users experience the Internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices – not doing so will be a path to eventual b...
Transforming cloud-based data into a reportable format can be a very expensive, time-intensive and complex operation. As a SaaS platform with more than 30 million global users, Cornerstone OnDemand’s challenge was to create a scalable solution that would improve the time it took customers to access their user data. Our Real-Time Data Warehouse (RTDW) process vastly reduced data time-to-availability from 24 hours to just 10 minutes. In his session at 21st Cloud Expo, Mark Goldin, Chief Technolo...
Digital transformation leaders have poured tons of money and effort into coding in recent years. And with good reason. To succeed at digital, you must be able to write great code. You also have to build a strong Agile culture so your coding efforts tightly align with market signals and business outcomes. But if your investments in testing haven’t kept pace with your investments in coding, you’ll lose. But if your investments in testing haven’t kept pace with your investments in coding, you’ll...
In his session at 21st Cloud Expo, Michael Burley, a Senior Business Development Executive in IT Services at NetApp, will describe how NetApp designed a three-year program of work to migrate 25PB of a major telco's enterprise data to a new STaaS platform, and then secured a long-term contract to manage and operate the platform. This significant program blended the best of NetApp’s solutions and services capabilities to enable this telco’s successful adoption of private cloud storage and launchi...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In their Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, and Mark Lav...
Enterprises are adopting Kubernetes to accelerate the development and the delivery of cloud-native applications. However, sharing a Kubernetes cluster between members of the same team can be challenging. And, sharing clusters across multiple teams is even harder. Kubernetes offers several constructs to help implement segmentation and isolation. However, these primitives can be complex to understand and apply. As a result, it’s becoming common for enterprises to end up with several clusters. Thi...
Containers are rapidly finding their way into enterprise data centers, but change is difficult. How do enterprises transform their architecture with technologies like containers without losing the reliable components of their current solutions? In his session at @DevOpsSummit at 21st Cloud Expo, Tony Campbell, Director, Educational Services at CoreOS, will explore the challenges organizations are facing today as they move to containers and go over how Kubernetes applications can deploy with lega...
Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reducti...
DevOps at Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to w...
Is advanced scheduling in Kubernetes achievable? Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, will answer these questions and demonstrate techniques for implementing advanced scheduling. For example, using spot instances ...
SYS-CON Events announced today that Cloud Academy has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Cloud Academy is the leading technology training platform for enterprise multi-cloud infrastructure. Cloud Academy is trusted by leading companies to deliver continuous learning solutions across Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most...
The last two years has seen discussions about cloud computing evolve from the public / private / hybrid split to the reality that most enterprises will be creating a complex, multi-cloud strategy. Companies are wary of committing all of their resources to a single cloud, and instead are choosing to spread the risk – and the benefits – of cloud computing across multiple providers and internal infrastructures, as they follow their business needs. Will this approach be successful? How large is the ...
Many organizations adopt DevOps to reduce cycle times and deliver software faster; some take on DevOps to drive higher quality and better end-user experience; others look to DevOps for a clearer line-of-sight to customers to drive better business impacts. In truth, these three foundations go together. In this power panel at @DevOpsSummit 21st Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, industry experts will discuss how leading organizations build application success from all...
DevSecOps – a trend around transformation in process, people and technology – is about breaking down silos and waste along the software development lifecycle and using agile methodologies, automation and insights to help get apps to market faster. This leads to higher quality apps, greater trust in organizations, less organizational friction, and ultimately a five-star customer experience. These apps are the new competitive currency in this digital economy and they’re powered by data. Without ...
A common misconception about the cloud is that one size fits all. Companies expecting to run all of their operations using one cloud solution or service must realize that doing so is akin to forcing the totality of their business functionality into a straightjacket. Unlocking the full potential of the cloud means embracing the multi-cloud future where businesses use their own cloud, and/or clouds from different vendors, to support separate functions or product groups. There is no single cloud so...
For most organizations, the move to hybrid cloud is now a question of when, not if. Fully 82% of enterprises plan to have a hybrid cloud strategy this year, according to Infoholic Research. The worldwide hybrid cloud computing market is expected to grow about 34% annually over the next five years, reaching $241.13 billion by 2022. Companies are embracing hybrid cloud because of the many advantages it offers compared to relying on a single provider for all of their cloud needs. Hybrid offers bala...
With the modern notion of digital transformation, enterprises are chipping away at the fundamental organizational and operational structures that have been with us since the nineteenth century or earlier. One remarkable casualty: the business process. Business processes have become so ingrained in how we envision large organizations operating and the roles people play within them that relegating them to the scrap heap is almost unimaginable, and unquestionably transformative. In the Digital ...
These days, APIs have become an integral part of the digital transformation journey for all enterprises. Every digital innovation story is connected to APIs . But have you ever pondered over to know what are the source of these APIs? Let me explain - APIs sources can be varied, internal or external, solving different purposes, but mostly categorized into the following two categories. Data lakes is a term used to represent disconnected but relevant data that are used by various business units wit...
The nature of the technology business is forward-thinking. It focuses on the future and what’s coming next. Innovations and creativity in our world of software development strive to improve the status quo and increase customer satisfaction through speed and increased connectivity. Yet, while it's exciting to see enterprises embrace new ways of thinking and advance their processes with cutting edge technology, it rarely happens rapidly or even simultaneously across all industries.
It has never been a better time to be a developer! Thanks to cloud computing, deploying our applications is much easier than it used to be. How we deploy our apps continues to evolve thanks to cloud hosting, Platform-as-a-Service (PaaS), and now Function-as-a-Service. FaaS is the concept of serverless computing via serverless architectures. Software developers can leverage this to deploy an individual "function", action, or piece of business logic. They are expected to start within milliseconds...