VeriSign, IBM Web Services Security Pact Bears Fruit

A partnership inked between VeriSign
and IBM earlier this year is finally bearing fruit, as the firms Monday
announced their first set of jointly-created security Web services and

Holding forth at the Gartner Symposium IT Expo in Orlando, Fla. this week,
IBM and VeriSign said the new services are designed to help companies build
security and trust into e-business applications. The goal of this
arrangement is the same as that of most Web services philosophies — to allow
enterprises to extend proprietary, legacy or Web-based apps to customers,
and to enable enterprises to reduce costs and improve business collaboration
in a secure fashion.

Indeed, as financial institutions, government agencies and other
organizations move business processes to an Internet-based environment, they
face complex challenges in connecting multiple applications in a secure and
seamless manner.

This alliance, first announced last January between the Armonk, N.Y.
technology giant and Mountain
View, Calif. digital trust service provider, should attract attention from a
number of e-business software players; emphasis on security is at a premium
and IBM and VeriSign garner respect for their track record of technological
innovation and trust provisions, respectively.

Lack of consistent security standards, analysts say, has been a key barrier
to Web services adoption.

“Web Services offer great potential for business-to-business communication
and integration,” said Jason Bloomberg, senior analyst at Web services
research firm ZapThink. “But the lack of robust security and management
solutions currently inhibit the ability for companies to conduct business
with each other via Web Services over the Internet. You can’t just buy a
little security. You have to cover all the bases to be secure.”

For the service side of the play, VeriSign is offering customers its Access Management
Service (AMS), positioning it as the first fully managed service for
access control and authorization. Based on IBM Tivoli’s Access Manager, as
well as VeriSign’s identity verification, public key infrastructure (PKI)
and validation services, AMS has a sign-on feature for authorized users,
allowing them to quickly gain access to network applications and services,
which can save organizations time and money on help desk support. Sunnyvale,
Calif. software concern Kontiki plans to be the first company to provide Web
services applications primed for AMS.

For the software portion of the pact, the firms are offering the co-branded,
co-developed IBM-VeriSign Trusted e-business Integration Solution. Built on VeriSign’s Digital
Authentication Services, IBM WebSphere MQ and IBM Tivoli Access Manager,
this is enterprise application integration (EAI) software for secure
extranets. Users of this may build portals, extranets and other business
applications that connect users within the enterprise or outside the
firewall without compromising security.

IBM and VeriSign are posing this as a breakthrough offering for integrating
heterogeneous internal and external applications — new, legacy, back-end
and Web-based systems — securely. The support for non-repudiation and audit
logging services can help reduce fraud and lower risk by maintaining an
electronic record of each on-line transaction.

What analysts are saying

ZapThink’s Bloomberg said the service and software will be attractive to large
enterprises that are struggling with issues of single sign-on, enterprise
user identity management, and comprehensive application security.

“new solutions are particularly attractive for existing VeriSign PKI and
IBM Tivoli customers,” Bloomberg said. “Enterprises that have already decided to take the
PKI path have found that the infrastructure and support costs associated
with enterprise PKI can be high, and these new announcements will help
those companies get the most out of their existing investment.”

The service and software may be less attractive to the small- to mid-size players, he said.

“There are many single sign-on and other security solutions that offer
much of what the VeriSign/IBM solution does, without relying upon
substantial PKI infrastructure or investment in IBM products like
WebSphere MQ, including solutions from Baltimore Technologies, Entrust,
and Netegrity,” Bloomberg said.

ZapThink’s Ronald Schmelzer noted that the play was evidence that technology firms are not simply sitting idly by, waiting for standards to be hashed out.

“The MQ Series-Tivoli-VeriSign solution is
an example of an increasing number of vendors joining up to solve hard
security, management, transaction, and reliability problems rather than
waiting for the standards to be solidified,” Schmelzer said. “If anything, it helps illustrate why vendors are pushing for solutions much
faster than the standards bodies can deliver. This might lead to conflicting
standards and solutions in the long-haul, but at least in the short term,
Web Services can live up to their promise.”

Not every analyst was sold, however.

“The Access Management service isn’t a very big deal,” said Gartner Dataquest security analyst John Pescatore. “VeriSign had announced a service like this over a year ago (using Netegrity’s software), as had many other vendors. There just isn’t any demand for outsourced Access Management that isn’t embedded in an application and VeriSign isn’t offering that, other than their Signio payment applications.”

“The e-business integration solution is pretty much what IBM already sells,
so it is mostly just a co-marketing initiative between VeriSign and IBM,” Pescatore said. “IBM and VeriSign made some business alliance agreements a while back and VeriSign is using IBM hardware and software as part of its service offerings now, and so IBM is doing co-marketing with them as a payback. I don’t see either of
these announcements as being very meaningful to enterprise customers.”

VeriSign spokesperson David Berkowitz responded: “The point of the VeriSign AMS isn’t that we’re co-marketing a product in a
space that is already crowded with software products. Rather, it’s that
we’ve joined with IBM to create the first MANAGED SERVICE for access control
and authorization. This IS a big deal because it means we’re significantly
reducing the cost and complexity of access management so that small- to
mid-sized enterprises can deploy robust security technology that,
previously, was only available to large enterprise customers.”
