IBM’s Web Services Security Answer Lies with Tivoli

IBM will release new software in its Web services suite of
applications early next year to address the problem of data security,
officials announced Wednesday.

The Tivoli Access Manager is scheduled for release in the first quarter of
2003, in what officials said would “provide integrity and confidentiality
in Web services applications.”

Tivoli’s upcoming version 4.1 in November lays the groundwork for
incorporating the different security standards found today. In early 2003,
Leo Cole, Tivoli director of security solutions, expects all security
standards to be supported under the Access Manager’s single-user,
single-authentication application.

Cole said the challenge in today’s Web service applications is bringing
disparate enterprises together, companies that don’t necessarily use the
same system.

“Before, it was just a single enterprise, the next step is to include
supply-chain management,” he said. “That’s more difficult, because you
might have one customer on WebSphere and another on .Net.”

A standard for Web services security, dubbed WS-Security, has been in place
for months now after ratification by the Organization for the Advancement
of Structured Information Standards (OASIS), and Web services providers
have been scrambling to incorporate the security enhancements on its
platform.

But WS-Security is just one of several standards used to secure a company’s
information passing back and forth on the Internet; other include Kerberos,
X.509 and SAML.

The promise of Web services have many corporations eager to get their
intranet enabled, which would streamline its inventory and order processes,
among other efficiencies. The problem, to date, has been the fact
always-available information makes it easy for crackers (malicious hackers)
to exploit.

IBM and Microsoft , two of the major Web services
platform vendors in the U.S., have been working on a WS-Security standard
for more than a year. Both have a vested interest in its success — IBM
with WebSphere and Microsoft with .Net — and have spent considerable time
looking for solutions.

It boils down to identifiers (called tokens) that certify the people
accessing the real-time database of information. WS-Security implemented
new headers in the Web service lexicon to meet those security needs, and
the other security standards used their own “branding” method.

This certification process makes it possible for information to reside
securely behind a firewall, regardless of the vendor (i.e., WebSphere or
.Net). IBM officials said its upcoming WebSphere Application Server version
5 would support WS-Security by the end of the year.