CIOs need a plan that promotes Web services benefits while minimising security risks. Smart IT executives will take an aggressive but pragmatic approach to Web services by adhering to the following policies: Policy #1
Start Web services efforts on corporate projects. The best place to begin Web services is within IT itself. Choose a project, such as integrating management tool data, that will result in an immediate payback and give the staff a chance to learn Web services technology in their own backyard. Once IT gets the hang of Web services project subtleties, move on to business requirements, such as improving business processes or sharing data between groups. These internal Web services efforts provide a low-risk classroom for IT to enhance its proficiency, accelerate projects, and decrease costs. Policy #2
Prepare internal systems. To ease future application development efforts, CIOs should look at their existing applications inventory and decide how to expose it to Web services development. Packaged applications from vendors such as PeopleSoft, SAP, and Seibel already support Web services interfaces, while software infrastructure providers such as Iona, Tibco, and Vitria are adding new Web services features to ease application integration. Homegrown applications should also be added to the list. Once you understand how to extend applications with Web services, determine which ones should come first. This planning effort will help IT set priorities so it can get the highest return on Web services and also determine how much work to anticipate over the long-term. The IT staff can also begin to explore creative ways to exploit Web services to drive new revenue, automate business processes, and cut costs. Policy #3
Keep the security group involved. Rather than deal with Web services security in isolation, IT managers must keep the security team informed about Web services applications, security standards progress, known bugs, and future plans. The security team can then assess whether Web services projects meet with business requirements, government regulations, and its own technology agenda. Open communication and collaboration with the security team will ensure that Web services applications will be included in the enterprise security plan and minimise any future surprises. Policy #4
Get involved with Web services security standards. Security-conscious CIOs should have their developers and security managers review security standards proposals to see if they meet their business requirements. Will the XML Key Management Specification (XKMS) scale to meet the volume needs of the financial services industry? How will XML encryption be implemented? What's included in WS-Security? Make sure to receive regular reports from IT staff and technology vendors. If you're not satisfied, push on partners such as IBM, Microsoft, and Sun to advance your cause. They, too, have a vested interest in getting Web services security right -- as soon as possible. Policy #5
Cooperate with outsiders. Just as developers should share their Web services plans with the security and business teams, make sure that your company is sharing its Web services plans with trusted business partners, suppliers, and large customers. Be cautious and keep this number small and selected to minimise your own security risk. Find out what types of applications would be most beneficial to them. Which of their systems will they enable with Web services interfaces? What are their security requirements? Collaborative planning with external constituencies will help set budget requirements, project schedules, and overall goals, and will also reveal opportunities where Web services can accelerate business processes, improve customer service, or cut costs. Remember that you can always secure Web services to a partner through existing network security technologies such as VPNs, PKI, and digital certificates. Policy #6
Anticipate management and operations needs. As development and security matures, Web services will become mission-critical applications with extensive management and operations requirements. Will Web services require sophisticated management tools from vendors such as BMC, Dirig, or HP? (The answer is probably yes.) Will you need specific processes and procedures to deal with Web services that touch your business partners' systems? (The answer here is probably also yes.) To anticipate these needs, add management and operations to your planning now. The bottom line
IT executives need to ignore all the hype to get moving ahead on Web services. The Internet technology boom is dead and gone, and Web services won't do a thing to change this fact. But don't make the mistake of dismissing Web services outright because of immature security. By taking a pragmatic approach, CIOs can benefit from Web services, lower costs, and minimise risk. Now, that ought to keep the CEO and CFO happy.
Have your say instantly in the Tech Update forum.
Find out what's where in the new Tech Update with our Guided Tour.
Let the editors know what you think in the Mailroom.
