Web services is a new breed of application integration animal and ideally should have a security blanket that covers
it from head to foot.
This blanket should allow users to sign in once and get only the access to which they are entitled, even as those users cross multiple applications and computing platforms. But right now, Web services security is more like a patchwork of gloves, scarves and hats -- some of which work well, while others are still being knit.
Web services is a way of integrating applications using standards such as Extensible Markup Language (XML), Universal Discovery, Description and Integration (UDDI) and Simple Object Access Protocol (SOAP) to describe (XML), find (UDDI) and transport data (SOAP) among applications and business partners. When I visited this topic last May, concerns about security were one reason most organizations were using Web services only within the corporate firewall, if at all.
That hasn't changed much, as customers wait for vendors to finalize standards such as XML Key Management Specification (XKMS is for managing the keys needed to encrypt and decrypt Web services messages), says Jason Bloomberg, a senior analyst at ZapThink, an analysis and consulting firm in Waltham, Mass.
Another much-anticipated standard is the Web Services (WS) Security specification, whose chief backers are Microsoft, IBM and Verisign. However, WS Security only includes umbrella mechanisms that will eventually enable more specific standards governing trust, privacy, authorization and other security. Reports of infighting among supporters could slow the specification's progress, with some observers suspicious that the WS Security backers are trying to create their own security standard. "People are mistrustful of Microsoft and IBM," says Gartner Inc. Analyst Ray Warner.
While they wait for the standards battles to play out, customers are turning to specific products to tackle specific needs. Two of the current areas in which vendors are rolling out products are tools for managing authentication and access control, and XML firewalls that can filter messages based on their content.
Single-point authentication and access control are important because Web services can't make users more efficient if those users have to enter a new user ID and password each time their request hits another application. "Larger entities might have [10,000, 20,000] or 30,000 users," says Bloomberg, each of whom might have different access rights on dozens of different systems -- access rights that need to be changed, or even withdrawn, as the employee's responsibilities change or they leave the company.
Netegrity Inc. has a head start in this area with its SiteMinder product, says Bloomberg, because it supports distributed administration of security policies, as well as the ability to let users sign on once and get access to multiple applications. Netegrity's TransactionMinder "is more of a Web services security platform," he says, that can delegate security administration within a single enterprise or across multiple organizations.
Another active area for Web services security tools is XML firewalls. A conventional network firewall scans the exterior of data packets to screen out those coming from suspicious IP addresses or that are aimed at possibly vulnerable servers or ports. An XML firewall, in contrast, understands the contents of an XML message and can accept or reject it based on context-sensitive criteria such as whether the sender of the message has the approval to take that action. Major players here include Westbridge Technology Inc., Quadrasis (with its SOAP Content Inspector) and Reactivity Inc.
Products offer another approach to such "content-aware" protection such as those from Forum Systems Inc., DataPower Technology Inc. and F5 Networks, says Bloomberg. These tools don't actually read the XML, says Bloomberg, but instead look for specific XML tags in the byte streams coming over the network. This takes less processing power than firewalls that can read XML, he says, "but is not quite as intelligent." DataPower's XS40 XML Security Gateway, for example, is a 1U rack-mountable device that provides XML encryption, XML/SOAP firewall filtering, XML Digital Signatures and other functions.
NCipher PLC takes a hardware-based approach to XML encryption and digital key management with its nShield hardware security module, which is resold or OEMed by Forum Systems, Reactivity and Westbridge.
Major vendors such as Microsoft, IBM and Sun Microsystems Inc. are building Web services security into their broader product platforms. Sun "has leadership in the directory space with their Directory Server," says Bloomberg, which is the foundation for the Sun ONE Identity Server. Microsoft has also announced plans for a technology code-named "TrustBridge," which would allow secure authentication of users, and sharing of their user identities across business and security boundaries.
Quadrasis (the Software Solutions Division of Hitachi Computer Products Inc.) is tackling the need for an end-to-end Web services platform with its Enterprise Application Security Infrastructure (EASI) Security Unifier. The unifier provides interfaces and mappers based on SAML to allow Web services security services to recognize each other and work together. It also includes a developer toolkit to provide links to legacy applications that need to be brought under the security umbrella.
Entrust Inc. plans a portfolio of Web services security products called the Entrust Secure Transaction Platform. The first product, the Entrust Verification Server 6.0, audits Web services transactions through centralized digital signatures and time stamping. Baltimore Technologies Inc., a company that first gained prominence as a vendor of public key infrastructure tools, has released KeyTools XML 5.1, which includes the ability to create secure and trusted XML messages that comply with the XML Digital Signature specification.
The Web Services Interoperability Organization (WSI), formed last year and made up of vendors and customers, is also expected to come out with ground rules this year for ensuring interoperability among Web services security offerings from multiple vendors, says Bloomberg.
"Security has to be comprehensive to be effective," says Bloomberg. Security for Web services isn't comprehensive yet. Until it is, customers can only push vendors to support the key Web services security standards and use the growing number of point products available on the market.
About the author
Robert L. Scheier writes about security from Boylston, Mass., and can be reached at firstname.lastname@example.org.