Web Services Gets Security Blanket

The Web services industry got a boost with the introduction Thursday of a
new security standard by three high-tech leaders.

Microsoft , IBM and VeriSign released WS-Security to the world, putting to rest some of the
questions surrounding the adoption of next-generation application services.

Though the three companies plan on sending the security plan to a
standard’s body for final ratification, no timetable has been established,
though industry experts expect to see widespread WS-Security adoption as
early as the end of this year.

Mike Gilpin, an analyst at Giga Information Group, said the announcement of
a security standard is a welcome surprise to the industry.

“Lack of security has been one of the major impediments to Web services
being used widely outside companies in a business-to-business mode,” he
said. “We hadn’t expected the standard to be agreed upon until later in
the year. This is very positive for the Web services industry in the longer

Web services, lauded by many as the future of business productivity, ties
together the corporate infrastructure and its e-commerce functions,
bringing real-time accountability to the forefront.

One of the biggest questions for the technology, however, was keeping
unwanted visitors from stealing sensitive information found on the Internet.

Eric Rudder, Microsoft senior vice president of the developer and platform
evangelism group, said the incorporation of a failsafe security policy is a
tremendous boon for businesses.

“Today’s announcement of WS-Security is a major milestone on the road from
today’s situation, where Web services security is left as an exercise for
the individual developer, to a world where we have broadly interoperable
standards for Web services security,” he said.

WS-Security, according to the working group, “supports, integrates and
unifies several popular security models, mechanisms and technologies,
allowing a variety of systems to interoperate in a platform- and
language-neutral manner in a Web services context.

In addition to the security standard, the working group outlined a road map
for future security implementations. Its report, “Security in a Web
Services World,” is the start of what should be a continuing process for
security measures.

The three companies took a three-prong approach to laying out a security

  • Enhancing single-message authentication, message integrity and
    confidentiality through the simple object access protocol (SOAP) messaging
  • Security tokens for individual users to access different levels of the
    Web service infrastructure (i.e., customers and administrators).
  • Using encrypted keys on X.509 and Kerberos tickets and how they should
    be encoded.

Dr. Phillip Hallam-Baker, VeriSign’s principal scientist and WS-Security
co-author, said the business world will see immediate gains with Web
services, it’s just a matter of trust. With continued work on security
measures, he said, corporate adoption will become more widespread.

“The industry is making solid inroads on the interoperability front, and
the new WS-Security spec is among a series of open security specifications
paving the way for widespread adoption of trusted Web services,” he said.

While the three companies say the initiative is a joint venture of the
three companies, Microsoft produced the lion’s share of the work with nine
of the 16 WS-Security group members.

The software giant has the most to gain from a secure service platform, as
it moves forward with its .Net framework for Web services. The company has
spent a tremendous amount of time and energy (as well as marketing
revenues) to get their framework out and in the public before the competition.

WS-Security is only one initiative out of many at the Web Services
Interoperability Organization (WS-I), a coalition of the high-tech
community’s biggest names. In addition to companies like Microsoft and
IBM, Intel andHewlett-Packard have
signed on as members. Sun Microsystems , a Microsoft
rival, is still looking at joining but hasn’t made a decision.

The group has several working groups established, aimed at improving Web
services, among them WS-Policy, WS-Trust and WS-Privacy.

News Around the Web