Single point of entry: A WS-Security gateway provides not only a single point of entry for Web services into the enterprise, but a single point of policy enforcement across the enterprise, improving consistency in the application of security policies and lowering the cost of management. Auditing and logging can also be consolidated at the gateway, so that every request and response is recorded accurately in one place. Integration costs, particularly when you rely on third-party identity stores, also fall, because only one or two devices must be integrated with those stores rather than every server across the enterprise.
Vendor neutrality: Embedding security policies within application logic could tie you to one vendor. By moving security to a separate device, you remove dependence on a specific implementation. This move also offers better interoperability: Because WS-Security gateways must play nicely with a variety of vendor implementations, they are more likely to interoperate and integrate with a variety of Web services and identity-management platforms.
The idea of using an intermediary as a security mechanism is not new. A WS-Security gateway operates on the same principles, and offers the same financial and operational benefits, as other security intermediaries, such as proxies, firewalls and Web application security gateways. But don't be fooled into thinking that those devices will give your Web services the protection they need. They operate on packets, connections and HTTP traffic rather than on the SOAP message itself, so none can provide the message validation, token-based authentication and authorization features found in a WS-Security gateway.
WS-Security gateways also provide outbound security, a necessity for B2B exchanges: they can digitally sign and encrypt outbound documents (WS-Security builds on XML Signature and XML Encryption for this) and insert the WS-Security headers that partner services require, which is what makes it possible to automate business processes across organizations via Web services.
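To make the inbound checks (validation, authentication, replay protection) and the outbound header insertion concrete, here is an added example that is not code from the article or from any gateway vendor. It implements one WS-Security profile, the UsernameToken with PasswordDigest and a wsu:Timestamp, using only the Python standard library; the sample order request, the user name and password, and the five-minute freshness window are constructed assumptions. XML Signature and XML Encryption, which a real gateway would apply to outbound documents, are outside its scope.

```python
"""WS-Security UsernameToken handling as a gateway would do it (added example).

Outbound: insert a wsse:Security header with a wsu:Timestamp and a UsernameToken
whose PasswordDigest = Base64(SHA-1(nonce + created + password)), as defined by
the WS-Security UsernameToken Profile 1.0. Inbound: parse the header, enforce a
freshness window, reject replayed nonces and recompute the digest before
letting the request through. XML Signature/Encryption are not covered.
"""
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample request for a hypothetical NWC Inc. order service (not captured traffic).
SAMPLE_REQUEST = ('<soap:Envelope xmlns:soap="%s"><soap:Body>'
                  '<PlaceOrder><Sku>NWC-100</Sku><Qty>3</Qty></PlaceOrder>'
                  '</soap:Body></soap:Envelope>' % SOAP)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)); SHA-1 is what the profile specifies."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def add_security_header(envelope_xml, user, password, now=None, nonce=None, ttl=timedelta(minutes=5)):
    """Outbound path: the gateway inserts wsse:Security before forwarding to a partner."""
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)            # fresh random nonce per message
    created = now.strftime(TS_FMT)
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:                         # SOAP requires Header, when present, to precede Body
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp")
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = (now + ttl).strftime(TS_FMT)
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(root, encoding="unicode")


class Gateway:
    """Inbound path: validate and authenticate; only then is the request let through."""

    def __init__(self, users, max_skew=timedelta(minutes=5)):
        self.users = users            # username -> password; stands in for the identity store
        self.max_skew = max_skew      # clock-skew / freshness window (assumed value)
        self.seen_nonces = set()      # replay cache; a real gateway expires entries with the window

    def authenticate(self, envelope_xml, now=None):
        """Returns (ok, reason-or-user). Every check must pass for ok to be True."""
        now = now or datetime.now(timezone.utc)
        sec = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
        if sec is None:
            return False, "missing wsse:Security header"
        created = sec.findtext(f"{{{WSU}}}Timestamp/{{{WSU}}}Created")
        expires = sec.findtext(f"{{{WSU}}}Timestamp/{{{WSU}}}Expires")
        if not created or not expires:
            return False, "missing wsu:Timestamp"
        if now > _parse_ts(expires) or abs(now - _parse_ts(created)) > self.max_skew:
            return False, "timestamp outside acceptance window"
        tok = sec.find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "missing UsernameToken"
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        tok_created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce_b64 or not tok_created:
            return False, "UsernameToken must carry PasswordDigest, Nonce and Created"
        if abs(now - _parse_ts(tok_created)) > self.max_skew:   # the digest covers this value
            return False, "token Created outside acceptance window"
        if nonce_b64 in self.seen_nonces:
            return False, "replayed nonce"
        password = self.users.get(user)
        if password is None:
            return False, "unknown user"
        expected = password_digest(base64.b64decode(nonce_b64), tok_created, password)
        if not hmac.compare_digest(expected, pw.text or ""):   # constant-time comparison
            return False, "bad password digest"
        self.seen_nonces.add(nonce_b64)
        return True, user


def demo():
    """Exercise both paths with a fixed clock; returns {scenario: (ok, reason)}."""
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    users = {"nwc-partner": "correct horse battery staple"}   # assumed credential
    gw = Gateway(users)
    signed = add_security_header(SAMPLE_REQUEST, "nwc-partner", users["nwc-partner"], now=t0)
    return {
        "fresh": gw.authenticate(signed, now=t0 + timedelta(seconds=30)),
        "replay": gw.authenticate(signed, now=t0 + timedelta(seconds=31)),
        "stale": Gateway(users).authenticate(signed, now=t0 + timedelta(minutes=10)),
        "no_header": gw.authenticate(SAMPLE_REQUEST, now=t0),
        "bad_password": Gateway({"nwc-partner": "wrong"}).authenticate(signed, now=t0),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:13s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The replay cache and the freshness window work together: the window bounds how long a nonce must be remembered, and the nonce catches a message replayed inside that window. Note that the digest is only as strong as the shared password and that SHA-1 is what the profile mandates, which is one reason production deployments pair UsernameToken with TLS or move to signed tokens.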
ROI models for security products are always difficult to compute because they rest primarily on the premise that the product will mitigate risk and the costs associated with it. Unless you have empirical evidence of the costs associated with specific risk scenarios, those figures are bound to be guesstimates. For an organization such as NWC Inc., which earns revenue through its Web services, the costs can be tied directly to the effect an attack or fraud would have on that revenue stream.
NWC Inc. earns approximately $4,375 per hour through its Web services. An attack that took those services down for 24 hours would cost roughly $105,000 in lost revenue alone. If the attack also compromised the integrity of its mission-critical databases, as a SQL injection attack can, the cost would rise with the need to recover the database and bring it back online. And if even 1 percent of all orders were fraudulent, the company would lose $230,000 annually. Comparing these figures with the anticipated cost of a WS-Security gateway shows a quick payback (see chart at left).