RealTime IT News

Web Services Gets Security Blanket

The Web services industry got a boost with the introduction Thursday of a new security standard by three high-tech leaders.

Microsoft , IBM and VeriSign released WS-Security to the world, putting to rest some of the questions surrounding the adoption of next-generation application services.

Though the three companies plan on sending the security plan to a standard's body for final ratification, no timetable has been established, though industry experts expect to see widespread WS-Security adoption as early as the end of this year.

Mike Gilpin, an analyst at Giga Information Group, said the announcement of a security standard is a welcome surprise to the industry.

"Lack of security has been one of the major impediments to Web services being used widely outside companies in a business-to-business mode," he said. "We hadn't expected the standard to be agreed upon until later in the year. This is very positive for the Web services industry in the longer term."

Web services, lauded by many as the future of business productivity, ties together the corporate infrastructure and its e-commerce functions, bringing real-time accountability to the forefront.

One of the biggest questions for the technology, however, was keeping unwanted visitors from stealing sensitive information found on the Internet.

Eric Rudder, Microsoft senior vice president of the developer and platform evangelism group, said the incorporation of a failsafe security policy is a tremendous boon for businesses.

"Today's announcement of WS-Security is a major milestone on the road from today's situation, where Web services security is left as an exercise for the individual developer, to a world where we have broadly interoperable standards for Web services security," he said.

WS-Security, according to the working group, "supports, integrates and unifies several popular security models, mechanisms and technologies, allowing a variety of systems to interoperate in a platform- and language-neutral manner in a Web services context.

In addition to the security standard, the working group outlined a road map for future security implementations. Its report, "Security in a Web Services World," is the start of what should be a continuing process for security measures.

The three companies took a three-prong approach to laying out a security approach:

  • Enhancing single-message authentication, message integrity and confidentiality through the simple object access protocol (SOAP) messaging standard.
  • Security tokens for individual users to access different levels of the Web service infrastructure (i.e., customers and administrators).
  • Using encrypted keys on X.509 and Kerberos tickets and how they should be encoded.

Dr. Phillip Hallam-Baker, VeriSign's principal scientist and WS-Security co-author, said the business world will see immediate gains with Web services, it's just a matter of trust. With continued work on security measures, he said, corporate adoption will become more widespread.

"The industry is making solid inroads on the interoperability front, and the new WS-Security spec is among a series of open security specifications paving the way for widespread adoption of trusted Web services," he said.

While the three companies say the initiative is a joint venture of the three companies, Microsoft produced the lion's share of the work with nine of the 16 WS-Security group members.

The software giant has the most to gain from a secure service platform, as it moves forward with its .Net framework for Web services. The company has spent a tremendous amount of time and energy (as well as marketing revenues) to get their framework out and in the public before the competition.

WS-Security is only one initiative out of many at the Web Services Interoperability Organization (WS-I), a coalition of the high-tech community's biggest names. In addition to companies like Microsoft and IBM, Intel andHewlett-Packard have signed on as members. Sun Microsystems , a Microsoft rival, is still looking at joining but hasn't made a decision.

The group has several working groups established, aimed at improving Web services, among them WS-Policy, WS-Trust and WS-Privacy.