To help you evaluate your current needs before moving forward with Web services, Don Awalt, founder and CEO of RDA, a software engineering firm whose solutions help companies offer services over the Internet, provides some insight on these critical elements of Web services. Security
Security is the most important aspect of Web services. To successfully provide services and access to data and applications over the Web, organisations must determine how they can secure communications and transactions. Basically, Web services work to expose the inner workings of your company to the Internet, Awalt said. Public users of your Web services will have a window into your data and how you do business. This has both security and customer service implications, according to Awalt. Not only do you have to secure that access to the data, but you also have to account for customer issues that may arise from doing business in this manner. According to Awalt, the most important issues to consider with regard to security are:

• Authentication
• Authorisation
• Auditing
• Validation

Every company needs to determine how it will handle these issues, said Awalt. For example, if an organisation makes data available to users via a Web services interface, it has to decide whether it is going to develop and manage the authentication method itself or whether it will rely on a third-party system. Organisations also have to ask themselves if they have the infrastructure to support authenticating the number of users that they expect to access the system. Instead of any one authentication method moving to the forefront, Awalt said the current trend is for the adoption of Web services protocols that would support the infrastructures and protocols of existing systems. "Web services," said Awalt, "is basically an integration architecture. One organisation may be using X.509 and another may be using Kerberos, so we have to make this stuff work with architectures people already have in place." Awalt believes that security is the biggest obstacle organisations face in implementing Web services because many are naïve about security and do not consider all facets of security issues. For example, Awalt once dealt with a company that featured a financial system that enabled consumers to conduct transactions over the Internet. The system supported authentication of users to the system but not authentication of the system to users. This oversight, Awalt said, could have resulted in theft of customer data. Someone intent on stealing financial data could have set up a system pretending to be the customer's financial services system, and the customer might have transmitted sensitive data to it and never known the difference. "It's hard," said Awalt, "to find good blueprint architectures that consider all of the things you have to worry about so they can be properly covered in the applications you design." Another security consideration critical to Web services is auditing. Organisations will have to provide a means of recording transactions and being able to display that data securely to customers so they can verify what they've done. It's also an issue of being able to prove that a customer completed transactions. Awalt said that a scenario to consider is when customers claim that they did not perform transactions that have been recorded in the system. Two important questions to ask are: What kind of proof will you have that transactions have taken place, and who performed them? "All you can really prove, potentially," said Awalt, "is that somebody used some information of the customer's to perform a transaction." Reliability and architecture
Another important issue to consider when implementing Web services, said Awalt, is the reliability of the system. The architecture must be able to handle errors and be able to account for issues such as messages arriving in the wrong order or failing to arrive altogether. "About the only way you send messages over the Internet reliably," said Awalt, "is to send them multiple times." Because measures like this must be taken to ensure reliable communication over the Internet, Awalt said the way transactions are handled may have to be changed. For example, if you withdraw money from an account over the Internet, the system must be able to account for the possibility that requests may be sent multiple times for a single transaction. The logic of the system must be designed so that multiple communications like this are interpreted as the correct number of actual transactions instead of separate items.