Lightship e-Tips

eTip34
Get out the clubs...The PGA Goes Real-Time

You didn't have to be there, and you didn't have to subscribe to the Golf Channel to know that at 3:29 pm on Thursday, Feb. 20, Spike McRoy sunk a birdie on the 11th hole, putting him one stroke under par on the 1st day of the PGA Tour's Nissan Open.

Information Week reports how "McRoy's outing along with 143 other tournament golfers was reported stroke by stroke, as it happened, over PGA Tour's Web site."

While the PGA admits that customer satisfaction was one rationale for providing real-time information, increased revenues drove the technology.

Lightship recommends: Take your game to the next level.

Collecting and disseminating the results of every stroke of every golfer reveals how committed some organizations are to delivering up-to-the-second information to their customers--in this case, golf fans.

Read how early adopters of real-time technology gain significant market advantages while competitors, without the foresight and flexibility to change, falter and fail.

Stay tuned for news on how Lightship's technological expertise is teaming with the PGA's Philadelphia section and GolfChamp to rank your own golf game locally, nationally and worldwide.



eTip33
Web Services Security: The Proof Is In The Audit

Business integration increasingly relies on Web services as its key technology component. Lightship concludes its e-tip series on issues surrounding Web services security with the final piece of the puzzle--Auditing.

How can you ensure that the request you receive is valid and the consumer is who he says he is?

Auditing for Web services provides two vital capabilities:

  1. The ability to collect and record relevant system information (system errors, security breaches, etc.) concerning the Web service operation.

  2. The ability to provide non-repudiation of Web service transactions and events. Non-repudiation provides proof that a particular Web service transaction (e.g., a purchase) occurred, should any conflict over the transaction arise after the fact.

The first capability can easily be provided by a server operating system or a systems management application (e.g., IBM's Tivoli), and does not involve the service consumer. On the other hand, the consumer is indeed involved in non-repudiation, a key aspect of which is the ability to unambiguously identify the parties participating in a transaction. However, technologies involved with non-repudiation in a Web services context are still evolving.

Lightship recommends: Positively identify your Web services consumer through their signature. Web services transactions that call for non-repudiation capabilities should require all inbound requests to be signed, employing the widely accepted XML Signature standard.
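To show how a signed request and an audit trail work together, here is an added example (written for this page; not Lightship's code and not an XML Signature implementation: it signs the raw body bytes with RSA PKCS#1 v1.5 / SHA-256 instead of a canonicalized ds:Signature in a SOAP header). The consumer name, key registry and purchase order are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Request is a simplified inbound request. A real deployment carries an XML Signature
// (ds:Signature) over a canonicalized body; here the raw body bytes are signed.
type Request struct {
	Consumer  string // identity the consumer claims
	Body      []byte // transaction payload, e.g. a purchase order
	Signature []byte // consumer's signature over Body
}

// AuditRecord is the non-repudiation evidence the service keeps: who sent what, when,
// and the signature that binds that consumer to exactly that content.
type AuditRecord struct {
	ReceivedAt time.Time
	Consumer   string
	BodyDigest string // hex SHA-256 of Body
	Signature  string // hex signature, re-verifiable later with the consumer's public key
	Outcome    string // "accepted" or the rejection reason
}

// ConsumerKeys maps known consumers to their public keys (constructed registry).
type ConsumerKeys map[string]*rsa.PublicKey

// SignRequest is the consumer side: sign the body with the consumer's private key.
func SignRequest(consumer string, body []byte, priv *rsa.PrivateKey) (Request, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Request{}, err
	}
	return Request{Consumer: consumer, Body: body, Signature: sig}, nil
}

// Accept is the service side: verify before acting, and record every request, accepted or not.
func Accept(req Request, keys ConsumerKeys, now time.Time) (AuditRecord, error) {
	digest := sha256.Sum256(req.Body)
	rec := AuditRecord{ReceivedAt: now, Consumer: req.Consumer,
		BodyDigest: hex.EncodeToString(digest[:]), Signature: hex.EncodeToString(req.Signature)}
	pub, ok := keys[req.Consumer]
	if !ok {
		rec.Outcome = "rejected: unknown consumer"
		return rec, errors.New(rec.Outcome)
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], req.Signature); err != nil {
		rec.Outcome = "rejected: signature does not verify"
		return rec, errors.New(rec.Outcome)
	}
	rec.Outcome = "accepted"
	return rec, nil
}

// Reverify settles a later dispute: the stored digest and signature must still verify under the consumer's key.
func Reverify(rec AuditRecord, pub *rsa.PublicKey) bool {
	digest, err1 := hex.DecodeString(rec.BodyDigest)
	sig, err2 := hex.DecodeString(rec.Signature)
	return err1 == nil && err2 == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := ConsumerKeys{"acme-purchasing": &priv.PublicKey} // constructed consumer
	req, _ := SignRequest("acme-purchasing", []byte(`<PurchaseOrder id="PO-1001"/>`), priv)
	rec, _ := Accept(req, keys, time.Now())
	fmt.Println(rec.Outcome, Reverify(rec, &priv.PublicKey)) // accepted true
	req.Body = []byte(`<PurchaseOrder id="PO-1002"/>`) // altered in transit
	rec, _ = Accept(req, keys, time.Now())
	fmt.Println(rec.Outcome) // rejected: signature does not verify
}
```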



eTip32
Web Services Access Control: Who Gets Into What?

Web services promote business integration by enabling information to cross the firewall to and from other business units, vendors, partners, customers, etc. However, many of the IT resources (i.e., servers, files, databases) involved in this type of integration were never intended to connect to public consumers. Public access via Web services needs to be tightly controlled to keep your IT resources secure.

The Challenge: Your IT resources commonly exist in a heterogeneous environment characterized by disparate systems, each with its own proprietary protocols for requesting or granting access to information.

The Solution: A newly ratified standard, XACML, allows your resources to be utilized as part of a Web service. Using XML, the common language of Web services technology, the new open standard simplifies and controls public access by standardizing the request and response dialog.

Lightship Recommends: XACML provides a great tool to create, deploy and enforce policies that control access to trusted assets, as well as for communicating between the Web services and IT resources behind the firewall.
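To make the request and response dialog concrete, here is an added example (not Lightship's code, and a deliberately simplified XACML-style policy decision point rather than the full schema) that parses a request for a subject, resource and action, evaluates it under deny-overrides rule combining, and returns an XML response. The policy, roles and resource names are constructed, borrowing the mutual fund rankings scenario from eTip29.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Request mirrors an XACML request context reduced to who (Subject), what (Resource)
// and how (Action); simplified: real XACML adds AttributeValue, DataType and namespaces.
type Request struct {
	XMLName  xml.Name    `xml:"Request"`
	Subject  []Attribute `xml:"Subject>Attribute"`
	Resource []Attribute `xml:"Resource>Attribute"`
	Action   []Attribute `xml:"Action>Attribute"`
}
type Attribute struct {
	ID    string `xml:"AttributeId,attr"`
	Value string `xml:",chardata"`
}
type Response struct { // carries the decision back to the enforcement point guarding the resource
	Decision string `xml:"Result>Decision"`
}

// Rule applies when every non-empty field matches; ResourcePrefix covers a subtree such as "db/".
type Rule struct {
	Role, ResourcePrefix, Action, Effect string // Effect is "Permit" or "Deny"
}

// ExamplePolicy is a constructed policy for the mutual fund rankings scenario of eTip29.
var ExamplePolicy = []Rule{
	{ResourcePrefix: "fund-rankings/top10", Action: "read", Effect: "Permit"},             // any role
	{Role: "premium", ResourcePrefix: "fund-rankings/", Action: "read", Effect: "Permit"}, // members
	{ResourcePrefix: "db/", Effect: "Deny"}, // the database behind the firewall is never exposed
}

func attr(list []Attribute, id string) string {
	for _, a := range list {
		if a.ID == id {
			return strings.TrimSpace(a.Value)
		}
	}
	return ""
}

func (r Rule) matches(role, resource, action string) bool {
	return (r.Role == "" || r.Role == role) && (r.Action == "" || r.Action == action) &&
		strings.HasPrefix(resource, r.ResourcePrefix)
}

// Decide uses deny-overrides combining: a matching Deny wins, else Permit if any rule permits,
// else NotApplicable (which an enforcement point treats as deny).
func Decide(policy []Rule, req Request) string {
	role, resource := attr(req.Subject, "role"), attr(req.Resource, "resource-id")
	action, decision := attr(req.Action, "action-id"), "NotApplicable"
	for _, r := range policy {
		if !r.matches(role, resource, action) {
			continue
		}
		if r.Effect == "Deny" {
			return "Deny"
		}
		decision = "Permit"
	}
	return decision
}

// Evaluate runs the whole dialog: parse, decide, serialize; an unparseable request yields Indeterminate and the error.
func Evaluate(policy []Rule, requestXML string) (string, error) {
	var req Request
	if err := xml.Unmarshal([]byte(requestXML), &req); err != nil {
		out, _ := xml.Marshal(Response{Decision: "Indeterminate"})
		return string(out), err
	}
	out, err := xml.Marshal(Response{Decision: Decide(policy, req)})
	return string(out), err
}

// SampleRequest is constructed: a public (non-premium) consumer asking to read the detailed rankings.
const SampleRequest = `<Request><Subject><Attribute AttributeId="role">public</Attribute></Subject><Resource><Attribute AttributeId="resource-id">fund-rankings/detailed</Attribute></Resource><Action><Attribute AttributeId="action-id">read</Attribute></Action></Request>`

func main() { fmt.Println(Evaluate(ExamplePolicy, SampleRequest)) } // NotApplicable: only the top-10 list is public
```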



eTip31
Web Services Authorization: Are you allowed to do that?

Offering premium-based services to open new streams of revenue has proved too costly for small-to-mid-sized firms. However, recent advances in Web services security have brought the profitability of service stratification within reach.

Businesses opening their internal systems to trading partners and customers can rely on WS-Security, a new industry-supported standard, to identify and authenticate Web service consumers. However, authorization standards, necessary to determine if the service requestor is entitled to perform an operation (which could range from invoking the Web service to executing a certain part of its functionality), have not yet been ratified.

What to do in the interim? Lightship recommends: Define your service roles, responsibilities, and permissions using the facilities that currently exist within some of the Web services frameworks, such as .Net, while keeping an eye on emerging standards (e.g., WS-Authorization) to manage authorization policies and data.



eTip30
Are You Who You Say You Are?

As businesses open their internal systems to trading partners and customers (e.g., supply chain management) via Web services, technology managers fear that sensitive systems can be hacked or cracked.

The first step in protecting your systems is enforcing Authentication, the unambiguous identification of the service consumer. Lightship recommends using WS-Security specifications to enforce authentication, if for no other reason than the endorsement by the two industry heavyweights, Microsoft and IBM.

Read XML & Web Services Magazine's best methods of making sure that the person who asks to use your Web service is really the person they claim to be.



eTip29
Add Premium Services To Your Profit Plan

Increasing profitability through Service Stratification is not new. But, an affordable means of offering different levels of service to different users is very new and available right now.

No longer just for high-revenue, Fortune 500 companies, Web services makes differentiating between services based on level of membership affordable for smaller firms.

Example: A content service provider, like one that provides mutual fund rankings to subscriber web sites, wishes to provide public access to the rankings of the top 10 mutual funds, but requires a premium membership for more detailed information.

Web services enable these service stratifications through a suite of new security protocols. Recently adopted industry standards let these protocols differentiate between levels of service by describing how users:

  • are identified and authenticated,
  • are authorized to use the appropriate level of service,
  • have their access to different resources controlled.

Developing these types of Web services is no longer restricted to large companies, but is well within the reach of small-to-mid-sized firms. Premium-based services can open up new streams of revenue.



eTip28
Were you Slammed?

A new worm, dubbed W32.Slammer, crippled portions of the Internet on Saturday, January 25th, causing compromised systems and denial-of-service outages. Spreading through a vulnerability in a popular database server, the worm would have been stopped dead had companies deployed industry-accepted best practices as part of their network security plan.

Lightship Recommends:

  1. Never expose a database server directly to the Internet unless absolutely necessary. Web servers accessing databases behind the scenes can shield database servers, eliminating direct access from the outside world.

  2. Make sure your firewall and/or router(s) allow only required services. (Note: That which is not explicitly allowed is denied.) For example, allow web traffic through but no database services from the outside.

  3. Routinely test vendor patches as they become available and apply them to production machines after testing. Remember, these notifications are usually not released to the public until a patch is available. This means that the vulnerability has existed for some time and would-be hackers have a head start.

Read up on Network Security best practices.
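A default-deny ruleset in the spirit of recommendations 1 and 2, as an added example (not Lightship's material): Allowed decides each connection against an explicit allow list, and Audit lints a ruleset for any rule that exposes a database port beyond the internal network. Zones, addresses and rule names are constructed; 1433/tcp and 1434/udp are SQL Server's listener and resolution-service ports, assumed here to be the database server the tip refers to.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one allow entry of a default-deny filter: that which is not explicitly allowed is denied.
type Rule struct {
	Name   string
	Source *net.IPNet // addresses allowed to connect
	Proto  string     // "tcp" or "udp"
	Port   int        // destination port
}

// Conn is an inbound connection attempt as the filter sees it.
type Conn struct{ Src net.IP; Proto string; Port int }

func cidr(s string) *net.IPNet { _, n, _ := net.ParseCIDR(s); return n } // literals below are valid

// Network zones for the example (constructed RFC 1918 addressing).
var (
	Anywhere = cidr("0.0.0.0/0")
	Internal = cidr("10.0.0.0/8")
	WebTier  = cidr("10.0.1.0/24") // the Web servers that reach the database behind the scenes
)

// DatabasePorts are what the audit watches: assumed to be SQL Server's 1433/tcp listener and 1434/udp resolution service.
var DatabasePorts = map[string][]int{"tcp": {1433}, "udp": {1434}}

// GoodRules follows the tip: web from anywhere, database only from the Web tier.
var GoodRules = []Rule{
	{"web-http", Anywhere, "tcp", 80},
	{"web-https", Anywhere, "tcp", 443},
	{"db-from-web-tier", WebTier, "tcp", 1433},
}

// BadRules leaves the database listeners reachable from the Internet (what recommendations 1 and 2 remove).
var BadRules = []Rule{
	{"web-http", Anywhere, "tcp", 80},
	{"db-open-tcp", Anywhere, "tcp", 1433},
	{"db-open-udp", Anywhere, "udp", 1434},
}

// Allowed is the default-deny decision; it also names the rule that matched.
func Allowed(rules []Rule, c Conn) (bool, string) {
	for _, r := range rules {
		if r.Proto == c.Proto && r.Port == c.Port && r.Source.Contains(c.Src) {
			return true, r.Name
		}
	}
	return false, "default deny"
}

// coveredBy reports whether every address of inner lies inside outer.
func coveredBy(outer, inner *net.IPNet) bool {
	oBits, _ := outer.Mask.Size()
	iBits, _ := inner.Mask.Size()
	return outer.Contains(inner.IP) && iBits >= oBits
}

// Audit lints a ruleset for the mistake the tip warns about: a database port reachable
// from any source that is not entirely inside the internal network.
func Audit(rules []Rule) []string {
	var findings []string
	for _, r := range rules {
		for _, port := range DatabasePorts[r.Proto] {
			if r.Port == port && !coveredBy(Internal, r.Source) {
				findings = append(findings, fmt.Sprintf("%s exposes %s/%d to %s", r.Name, r.Proto, port, r.Source))
			}
		}
	}
	return findings
}

func main() {
	fmt.Println(Allowed(GoodRules, Conn{net.ParseIP("198.51.100.7"), "udp", 1434})) // false default deny
	fmt.Println(Audit(BadRules))
}
```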


eTip27
RED ALERT: Firewalls, intrusion detection systems, and anti-virus solutions do not protect your servers...

While these defenses help prevent network-level attacks, when an application, such as your web site, is exposed to the outside world, attacks can still reach your server. "Server Hardening" ensures that all known security holes are patched, that no unnecessary applications are running on the server, and all "best-practice" security and deployment procedures are followed. It also provides added protection against attacks that do reach your servers. For even further hardening, deploy a new intrusion prevention system.

Benefits:

  • Protects your system against external and internal attacks.
  • Reduces security risks such as leakage of confidential data, loss of information assets, financial loss, or damage to reputation.
  • Deters malicious use of your systems to attack other high profile targets.
  • Increases system efficiency by 3% or more. (Read CIO's Everything's Coming Up ROSI for more about returns on security investment.)

Lightship Recommends: Go the last mile--Institute server hardening processes and procedures as part of your overall security policy.



eTip26
Network Security--What should it cost?

If you spend too much, you're wasting money. Spend too little, and you're a sitting duck.

Giga Information Group recommends:

  • Assess your security functions quarterly, defining metrics to evaluate your progress consistently.
  • Devote an adequate number of technical employees to security within your organization.

Lightship Senior Engineer, Mike Piscopo recommends:

  • Outsource your security needs to make it affordable and free precious resources for core responsibilities.
  • Do it "by the numbers" to take the mystery out of IT security spending. Measuring the results of your efforts goes a long way in providing the information you need to make intelligent security spending decisions.

Read Mike's: Designing Firewall & Anti-virus Solutions



eTip25
When your phone rings do you answer with yesterday's information?

Real-time information offers the competitive edge:

  • Increase profits by balancing supply and demand with pricing discounts and premiums.
  • Reduce costs with better information for just-in-time inventory management.
  • Increase customer service with up-to-the-minute order and claim status information.

The technical fly in the ointment is how to get real-time information out of existing data stores, whether batch legacy systems or newer enterprise systems such as CRM, ERP and others.

Lightship recommends: Identify time-critical data and utilize Web services to expose that difficult-to-reach information without investing in expensive and proprietary middleware.

Read more: Beyond the Hype Part II: Using Web Services In Your Business
A Knowledge Shift becomes a Power Shift
Start Your Move to Real-time Enterprise with Web services



eTip24
Project Management: The Linchpin

"83% of software projects fail because they are late, over budget or poor quality, or all of the above."

"Chaos '98" -- Standish Group

Do your IT projects experience:

  • Project milestones coming and going without demonstrated progress?
  • The project is over budget and no one can explain why?
  • Project tasks cannot be traced to a requirement?

Standish recommends: "Project management that spans the full lifecycle of a project...Research clearly shows that projects are likely to be less challenged and more successful with a competent and experienced project manager on board."

Lightship recommends: Plan to succeed. Lightship employs PMI guidelines and practices for the planning and execution of all projects, increasing project coordination and user satisfaction. Read more about Lightship's proven development process.



eTip23
Patrolling Your Network Perimeter

Of the top-ten August viruses reported by anti-virus vendor Sophos on CIO.com, only two are brand-new entries. Translation: The remaining 8 attackers could have been caught with virus protection available since February.

Lightship recommends layering security to keep viruses from slipping through your network defenses:

Part 1--Utilize automated deployment systems to update your desktop anti-virus software weekly

Part 2--80% of viruses are now transmitted via email. Deploy a corporate SMTP application/anti-virus filter such as Trend Micro's Interscan® Messaging Suite, to guard your corporate network.

Part 3--Read Lightship's Designing Firewall & Anti-virus Solutions For Small and Medium Businesses.



eTip22
WLAN Warning!

The WLAN environment and the requirements for access security have become very complex. Securing an enterprise-class WLAN requires an 802.1X extensible authentication protocol such as EAP-TLS or Cisco's LEAP.

Lightship Warning: Make sure all of your wireless devices support your authentication protocol. Wireless print servers may not support any form of EAP, and Cisco's LEAP protocol requires Cisco wireless cards, access points, and an authentication server that understands LEAP.

Investigate current supporters of LEAP:

  • Cisco's Secure Access Control Server
  • Meetinghouse Data's newest AEGIS RADIUS Server



eTip21
Integration: When More Is Too Much

There are numerous broad claims to having solved the integration challenge: BEA's "Liquid Data," Sybase's "data liquidity," IONA, IBM, Oracle, PeopleSoft, Microsoft...

Lightship offers two safeguards against over-designing (and overspending):

  1. Select an appropriate solution: Consider what's required -- Do you need simple data integration or sharing of behavior? Real-time or periodic data freshness? Does the solution map to your overall IT strategy? Your answers lay the foundation for integration tool selection.

  2. Investigate the total cost of ownership: When comparing solutions, consider: What are the license fees? Recurring maintenance fees? Consulting fees? Training costs?



eTip20
Lightship Predicts: Fat-Free IT

Gone are the days of investing in IT applications for chasing new revenue opportunities. The next new thing? Cutting operational and organizational fat with Web services.

By employing Internet standards, Web services are supplanting expensive and proprietary development and integration technologies with loosely coupled components, focusing IT development efforts on solving business process problems. The value of Web services becomes clearer with every successful integration project.

Cut the fat from your IT budget, read Aberdeen's Business Process Management - What Do Web Services Have to Do with It?, and Lightship's Using Web Services In Your Business.



eTip19
Web Services Lessons Learned

When implementing Web services, Lightship recommends:

  1. Spend sufficient time and attention on design -- Design-stage changes have far less impact on budget and schedule than changes made in later development phases.
  2. Break it down -- Smaller components are easier to understand and transmit.
  3. Use the right tools -- Web services are enterprise-level applications; you need enterprise-level tools. Spend the money, get the functionality.
  4. Go to the source -- Lightship's How to Begin to Use Web Services in Your Business is a good place to start.


eTip18
Key Drivers for e-Business Success

Our last e-Tip recommended setting short and long-term business goals when planning your next-generation, e-business initiatives. For tangible success, maintain your focus:

Reduce integration costs -- Transition to an open-standards-based platform.

Improve margins, productivity and customer relations -- Web-enable paper-based, manual processes.

Shorten development cycles -- Deploy extensible platforms to reduce development time and increase IT staff productivity.



eTip17
Key Strategic Decisions to Stay Competitive

Increased competition demands that you plan your next-generation e-business initiatives now. Lightship recommends setting short and long-term goals:

Short-Term Business Goal -- Deliver real-time information and services on demand to stakeholders.

Action -- Architect and build an open-standard, extensible platform infrastructure to support current and future applications.

Long-Term Business Goal -- Reduce costs and meet increasing demands for scalability, manageability, functionality and serviceability.

Action -- Create a service-driven architecture. Transform platform infrastructure from a proprietary infrastructure environment communicating with legacy systems to a Web-based, platform-independent service.



eTip16
Wireless Networking: Something from Star Wars

Imagine streaming a video file or moving huge database files quickly from an office desktop to a notebook in a conference room -- without running a single foot of cable. A new generation of wireless networking technology lets you do just that.

It sounds like something from Star Wars, but the standard behind WLAN's current popularity -- 802.11b -- transfers data at speeds up to 11 Mbps in the 2.4 GHz radio band.

Newly Released
IEEE 802.11a, a sibling to today's 802.11b, promises throughput of up to 54 Mbps in the 5 GHz band, fast enough to manage the streaming video above.

Soon To Be Released
Wi-Fi compatible IEEE 802.11g uses the same 2.4 GHz radio frequency as 802.11b at a speed of 54 Mbps.



eTip15
Keeping your Legacy Investment Profitable

Our last e-Tip recommended using components to put a modern face on legacy applications. To further leverage your legacy investment, expose the legacy application to internal or external users and trading partners. Now that a component is providing the interface, it is a simple matter to expose the component as a Web service: Code the XML and SOAP manually, or utilize one of many Web services development tools (Microsoft's .Net, IBM Web Services Toolkit, etc.).



eTip14
Modernize Your Legacy Systems

Legacy systems -- You hate to touch them! They're easily broken and difficult to fix. They also represent an immense investment of time and money, and provide the very core processes your company relies on every day.

How can these investments be leveraged to face today's business challenges?

Lightship recommends building components that will provide a modern, friendly face for your legacy systems. A well-designed component aggregates the input information and submits it to the legacy system for processing. The component's modern programming interface can then be re-used and re-purposed.



eTip13
Are You Virus Vigilant? ...or just e-Paranoid?

Amid an explosion of virus hoaxes, computer users are often confused about how to respond to virus alerts. While you want to be responsible, heed all the warnings and take the necessary precautions, you can't hide under the covers every time a bogus threat rears its ugly head. How do you sort it all out?

These websites separate legitimate threats from mere hoaxes:

  • Vmyths' simply stated goal: "The eradication of computer virus hysteria."
  • Symantec, the maker of Norton AntiVirus, regularly updates this list of hoaxes.
  • McAfee's hoax list warns, "Always remain vigilant," and offers simple ways to avoid a virus infection.



eTip12
Excedrin® For Your Wireless Network

Managing hundreds of valid, wireless, workstation addresses independently, on all of your wireless access points, can be a logistical headache. Software is available to manage and administer user access to hundreds or even thousands of access gateways in a network. For fast pain relief, Lightship recommends Web-based, centralized command and control for all user authentication, authorization, and accounting with the Cisco Secure Access Control Server.



eTip11
Wireless Roaming

When designing a wireless LAN to cover a large area, multiple access points may be needed. To allow users to seamlessly roam between multiple access points, Lightship advises avoiding overlapping channels between neighboring access points. Disregard this advice and you may experience unpredictable connectivity and performance problems.



eTip10
The Key to Wireless LAN Security

"Wireless networks are now in such high demand that many businesses...have no choice but to roll them out. Yet...companies are neglecting to take even the most elementary steps to secure themselves from serious assaults -- or even casual penetration."

-- P.J. Connolly, Security Advisor, InfoWorld

When designing a highly secure WLAN, use an extensible authentication protocol such as Cisco's LEAP or industry standard 802.1X to control user access. Lightship recommends tightening security even further with strong two-factor authentication such as RSA Security's SecurID products.



eTip9
Requirements = Success (Feature-Driven Development)

One of the great challenges facing software project managers is translating requirements -- from a variety of formats -- into logical tasks that can be assigned and tracked. Feature-Driven Development methodology touts the development of features, which while providing well-bounded and well-understood units of work, do not necessarily translate one-to-one into project tasks. Often, a feature will be a coarse-grained summary task, with several undetermined sub-tasks.

If employing the FDD process, Lightship recommends that when building the feature list, you capture as much information as possible about each feature while the project team is on topic and focused. This additional information will be invaluable when determining the sub-tasks of each feature in the project plan.



eTip8
Planning for Project Success

Ensure your IT project's success by assembling a team to develop an overall object model. Lightship recommends including tech-savvy domain experts in the team's early modeling sessions. They provide an invaluable domain walk-through to educate the modeling team, and as the model takes shape, they guide the team to correctly identify objects in the system and how they inter-relate. They are also effective quality assurance assets, ensuring that the model satisfies the business case.



eTip7
Less Rigid, More Impact (Agile Methodologies)

"Web Speed" signals the demise of the 2 to 5 year software project. The new, lightweight, agile methodologies enable you to complete your IT projects faster, but which should you choose for your development efforts?

This decision requires serious thought, but avoid getting so wrapped up in the process that you forget the desired results. To be successful, your process must adapt to the project goals. See what these experts are saying:



eTip6
Road Map to Web Services - Step 4
Develop Complex Services

The last of four steps in Lightship's S.I.D.D.® methodology for adopting Web services.

Develop & deploy a complex, DOCUMENT-oriented Web service.

With some simple Web service successes in hand, more custom, object data types can be tackled. Start with an internal project requiring different levels of security, like a Purchase Order Request. Accept the Request and publish fulfillment status. Lightship recommends: Avoid crossing the firewall until your proficiency has increased.



eTip5
Road Map to Web Services - Step 3
Develop Simple Services

The third of four steps in Lightship's S.I.D.D.® methodology for adopting Web services.

Develop & deploy a simple, PROCEDURE-oriented Web service.

Get your feet wet and improve your likelihood of success with a departmental project before opening your Web services to other business units and partners. Some good candidates: Extract an employee's vacation leave status or post your firm's current stock price to the company's intranet. Most importantly: Be sure to establish security procedures.



eTip4
Road Map to Web Services - Step 2
Identify

The second of four steps in Lightship's S.I.D.D.® methodology for adopting Web services.

Identify Simple and Complex pilot projects within your organization from your pool of surveyed candidates.

  • Identify Simple Projects -- PROCEDURE-oriented services, such as transmitting account information to customer service platforms (for a Bank they may be ATMs, Teller Platforms, Branch Offices, Credit Card Departments, etc.).
  • Identify Complex Projects -- DOCUMENT-oriented services, such as building an internal Purchase Order Request.



eTip3
Road Map to Web Services - Step 1
Survey

The first of four steps in Lightship's S.I.D.D.® methodology for adopting Web services.

Survey your organization for suitable pilot projects for Web services integration. Lightship recommends using three criteria:

  • Simple -- Keep pilot projects simple to build -- an opportunity to gain experience while maximizing the probability of success.
  • Internal -- Minimize service disruptions with pilot projects that only involve internal systems like intranets and portals.
  • Authentication -- Security is part of any service that will eventually be exposed to external users.



eTip2
Selecting Web Service Platforms

It's Microsoft vs. the rest of the world...again. Microsoft has been aggressively pushing .NET as the de facto Web Services development and deployment platform built, surprise, around Microsoft technologies. Other companies' offerings (e.g., SunOne) are more Java-centric. See what these trade publications are saying:



eTip1
Are you ready for Web Services?

Ready or not, Web Services are coming to your organization. In a recent survey, InfoWorld magazine found that 78% of those polled have made Web services an IT priority for the next 24 months. To avoid being blind-sided, here are some information sources to explore:

Read up -- The timely whitepaper, Beyond the Hype: THE PROMISE of WEB SERVICES, is a good start. If you'd like to dig deeper, Architecting Web Services by Ollerman is an excellent source.