Next Phase For Web Services Pioneer

During his tenure with IBM, Toufic Boubez was a pioneer of XML Web services. Today, he is the CTO of startup Layer 7 Technologies. That company is focused on simplifying Web services management by means of a policy server hosted on a dedicated appliance. In an interview with Editor in Chief Michael Vizard, Boubez explains which advances will take Web services integration to the next level.

CRN: Why do think the adoption rate of Web services as a technology has been relatively slow?

BOUBEZ: I think more, better standards need to be in place. People are starting to use the technology and are getting their heads wrapped around how to use it. But there's a phase shift when people start realizing how powerful something is. I don't think we've reached that with Web services yet. People are still using it for simple remote requests. But people are starting to understand that there is this thing about loose coupling of systems that we need to start leveraging more.

CRN: Does Web services today live up to the original vision?

BOUBEZ: Let me tell you as someone who was [there] at the creation, there was nothing like a grand scheme of "we're going to change the world." It was, "Heck. How are we going to do integration a lot easier and cheaper and faster?" It was business driven more than anything else. We were getting customers yelling at us for taking so long to get things integrated. And actually it was a small evolutionary step more than anything else. We wanted to crank components up one more notch and make it a conceptual virtual service. And we already had portable data with XML, so we decided to just wrap it in these XML standards.

CRN: What is Layer 7 attempting to do?

BOUBEZ: Our eventual goal is to restore flexibility associated with building loosely coupled systems and in application development in general. Tactically, there are a couple of different things that happen today. One of the first things is, how do you build decoupled or loosely coupled security into these things? That's a fundamental issue for us, and we deal with that. The other thing is, how do you actually start integrating Web services with existing corporation infrastructure. Most corporations have multiple identity management systems, for example. And finally, how do you integrate them? Most organizations don't have HTTP internally.

CRN: How do you make all this happen?

BOUBEZ: We primarily believe that there's a particular service, and the business logic of that service lives somewhere--and that's it. Nothing else should be in that code. And everything else should be in what we call a policy layer. Policy to us is a declarative mechanism. How do you declare things like identity management around a particular service? How do you present credentials? Where is the end point of that service? How do you do routing? A lot of these things should not be in the actual service itself. You put them in this policy layer where you have these different policies that you can create and manage. That's essentially the main component of our product. The application doesn't need to worry about any of that stuff.

CRN: Where do you see the channel playing in all this?

BOUBEZ: We see leveraging channels as a very important part for us. We also want to leverage the systems integrators. We don't want to be in the professional services business, and we don't want to be a direct-sales entity. Our product comes on a gateway, an actual physical appliance. It's essentially a server that we close down and harden. Pricing starts out at about $50,000.

CRN: What vendors does Layer 7 Technologies have relationships with today?

BOUBEZ: We have software partnerships with IBM/Tivoli and Netegrity. We are not in the business of selling identity management systems to anybody. We say, 'Customers have multiple systems sometimes, [and] here's a way to actually bring in those identity management systems into the way you do Web services.' For Tivoli and Netegrity, this extends that franchise into the Web services arena.

CRN: Why then do people perceive that XML Web services and services-oriented architectures are complex?

BOUBEZ: It shouldn't be rocket science. I hate to burst the bubble, but it shouldn't be.

CRN: How tightly related should the conversation about business-process management and XML Web service be?

BOUBEZ: They are related, but they are not joined at the hip. Services orientation is an architectural principle that you can use to build anything, no matter what kind of application or architecture you do. The Holy Grail has been for us as a community to be able to build flexible systems. Services orientation is the latest attempt at an evolutionary step to do that better, so if something changes or breaks, you don't break the whole system. When people start thinking about business processes, that's where the rubber hits the road. There needs to be some computation, but you don't really care about the details or the nitty-gritty of that computation.

CRN: What's your take on attempts by Web services standards organizations to extend their efforts out to the realm of business-process standards?

BOUBEZ: Personally, I think it's a good, lofty, noble goal to be able to have companies standardize their business processes. But I think it should be separated from anything to do with Web services. I think there should be some kind of business-process standard somewhere, but mixing the two together does not make any sense. I think the standards group in Web services especially should stick to infrastructure issue like reliable messaging, security, trust and all of that kind of stuff.

CRN: What's next for Layer 7?

BOUBEZ: One thing we're going to do in a major new release in the September/October timeframe is identity bridging. Identity management integration assumes you control the identity management systems within the corporation. Now, what happens when you actually want to expose your services to somebody whose identity management is not under your control? You don't want them coming into your identity management system and creating their own account. So you need to have a system of trust bridging from one side to the other with certificates in PKI that actually allow you to trust somebody else's identity management system.

The other really important feature is more integration into asynchronous models. Right now, Web services are mainly synchronous. That doesn't work well for a lot of business processes that rely on queuing systems. So we're bringing that into the next release.