Web services management tools are vital to ensure the smooth delivery of business-critical services to third parties. But there's a hidden catch.

	express delivery
	• print  • comment
	Management tools that drill down to detailed web services data may inadvertently expose sensitive information: The latest generation of tools let service providers observe individual user activity Improved visibility makes it much easier to troubleshoot problems But it could also impinge on confidentiality and user privacy Providers must strike a careful balance A more granular approach to security helps enforce proper controls
	Glossary terms: services management, firewall, SOAP, lookup tool Sponsored links: your text link here

Although most people think of management applications as tools for monitoring and measuring internal web services performance, they become even more crucial when delivering commercial services beyond the firewall to partners and customers.

The latest versions of such tools provide detailed information that helps providers identify faults and fine-tune their service delivery. But with this higher level of sophistication, an unexpected consideration comes into play: the improved analytical capability produces information that can have significant ramifications for customer confidentiality and user privacy.

That's been the experience of MapPoint, a Microsoft business unit whose online maps and driving directions are a familiar sight to users of popular websites such as Starbucks, which uses the mapping service to direct customers to its outlets. Behind the scenes, a sophisticated XML and web services infrastructure allows customers and third-party developers to embed the mapping capability in their own websites and applications, where they are delivered from MapPoint's own servers. Launched in February 2002, the service now handles a total of some 15 million transactions each day, making it one of the largest commercial implementations of SOAP web services.

At first glance, giving directions may not seem like a mission-critical activity. But in a retail business, a customer that can't find your store is a lost sale, and often a missed opportunity for much more. Other MapPoint users track and route deliveries and engineer calls using the services. For customers like these, MapPoint needs to maintain near-perfect availability, and must be able to troubleshoot any problems as rapidly as possible.

Drilling down

The requirements were quite a challenge when the service was initially set up, says Gary Ide, MapPoint's operations program manager: "There really weren't a lot of management tools around SOAP XML web services." As a result, the company started out by developing its own internal tools. These captured SOAP logs, monitored and measured transaction-level performance, and performed transaction reporting, accounting and royalty reporting. But the management capability was limited to aggregate analysis, which meant that if a customer reported a specific transaction had failed, MapPoint lacked the granular transaction-level management it needed to drill down and assess the problem. "It was at a relatively coarse level and not as deep as we'd like," says Ide.

In an effort to achieve better granularity, MapPoint began working with web services management specialist Adjoin Solutions, which was subsequently acquired by Computer Associates. It became one of a handful of customers that joined the beta program for CA's recently-released Unicenter WSDM, the management suite based on Adjoin's technology. Implemented in pre-production versions of the next release of the MapPoint service, the suite has given the company the ability to observe individual user activity — how they're accessing the platform, what the response times are, the data packet sizes, the different types of error and so forth.

From a development perspective, this improved visibility has helped MapPoint iron out problems in its own beta software prior to its release — within 24 hours of implementing Unicenter WSDM, for example, it was able to pinpoint specific configuration errors. More significantly, however, Ide believes the management application will now allow it to tackle individual customer problems. If a customer makes contact about a specific development issue, for example, frontline support agents can escalate the query to technical teams that can drill down to the relevant details.

Balancing act

Ide describes the ability "to quickly drill down on data that is unique and important to customers, and finding the data that matters," as one of the highest value returns from the implementation. "Being able to drill down into a single transaction — or a single parameter to a transaction — that can make or break a customer's business is incredibly important."

Yet it is this very granularity that has proved to be unexpected snag in some customer accounts, leaving MapPoint performing a delicate balancing act. On the one hand, it needs to improve the level of granularity to tackle individual customer service problems: at the same time, it must manage any personally-identifiable information to make sure that it protects both its customers' confidentiality and their users' privacy.

Data isn't held about individual consumers — in fact, MapPoint doesn't even log individual IP addresses — but the information it does track could still be sensitive. For example, in theory the company could find itself holding comparative information about the number of direction requests made for each individual store within a retail chain — information that could be highly damaging if disclosed to a competitor. And larger companies in particular — not to mention MapPoint's parent, Microsoft — are very concerned about respecting privacy rights. "We're very sensitive to that," says Ide. "We do not retain information that could ever be considered as personally identifiable, yet retaining the ability to support those customers who do have a problem is very difficult for large institutions."

The solution comes at two levels. To begin with, MapPoint will shortly be offering customers an opt-in capability for data logging, so that customers themselves will effectively define the level of granularity allowed. In addition, MapPoint controls and manages access to all data that's collated within the organization to ensure that confidentiality is maintained at all times.

Granular security

Further help will come from future CA products. Following the launch of Unicenter WSDM in December, CA is gearing up to release an integrated web services management and security management product in the first half this year. Dmitri Tcherevik, vice president web services at CA, says customers want security to be deployed as an intermediary layer between the consumer and producer of web services — abstracting security from the web services implementation itself makes it easier to update the security function in line with evolving corporate and industry standards.

Single sign-on will be another important feature of the new product, with access control tailored for what Tcherevik calls the "unique" demands of the web services environment. This refers to the need to control access according to the context of individual SOAP messages, rather than the traditional firewall approach of controlling access to a specific point in the network. This more granular approach to security mirrors the granularity of web services management, and requires a similar capability to analyze individual SOAP messages — thus creating an overlap between security and management that the combined product aims to exploit.

CA's move to SOAP-level security will help make it easier for MapPoint to control who has access to the information collected by its management tools, thus allaying customer concerns about the security of commercially sensitive or personal information. Such concerns are a potential — and frequently unexpected — pitfall for any enterprise providing services to third parties. Enhancing the quality of service delivered to customers means recording and analyzing increasingly detailed information. But providers must make sure that they have the ability to enforce security policies to protect that information as assiduously as they collect it.

More on this topic