Web services security takes shape
By Martin LaMonica
Staff Writer,
CNET News.com

Secure Web services took another step toward reality Monday with the introduction of implementation guidelines and progress on standards development.

Analysts said that security remains an important barrier to customer adoption of Web services, a set of evolving standards for sharing information. Businesses are using Web services software to link disparate systems internally, but no single standard for security exists.

Security software company Netegrity and several partners have published Web services reference architecture guidelines to help companies make decisions about security and navigate through a wide range of Web services products. The guidelines spell out the capabilities of Web services products from different providers and how their respective products should interact. The document also defines system requirements and provides templates for using Web services applications.

The majority of Web services sales have been for development tools and the server software required to run Web services applications once they are written. But at the same time, dozens of smaller companies have introduced niche products for functions such as authorizing a person's identity, ensuring performance levels, and accelerating system speed with specialized hardware.

Netegrity executives said the guidelines are necessary because there is a lot of confusion over the security and management capabilities that these niche Web services products provide.

People are picking up point products like an XML firewall and feel that solves the security. The danger is that down the road there will be isolated islands of implementation, said Prateek Mishra, director of technology and infrastructure at Netegrity.

Several specialized Web services providers have endorsed the Netegrity reference architecture for Web services security, including Web services management companies AmberPoint and Confluent, as well as hardware providers such as DataPower and Forum Systems.

Different products will share information using the WS-Security standard, which is still in development. For example, a company could ensure that an e-commerce Web site shares identity information from authorization software with a Web services management product, which guarantees certain performance thresholds.

In other Web services security news, the WS-Security standard has been functionally frozen, meaning that it's ready for companies to test, Mishra said. In addition to his duties with Netegrity, Mishra is the co-chair of the Security Services Technical Committee at the Organization for the Advancement of Structured Information Standards (OASIS), the body responsible for the WS-Security standards. The standard will now be published for public comments and is expected to be completed within a few months, Mishra said.

OASIS also announced Monday that the Secure Assertion Markup Language (SAML) version 1.1 has been ratified. The SAML specification provides a data format that allows a person to enter name and password information to log onto several networks.




Related News
Web services management heats up September 17, 2003
http://news.com.com/2100-7345-5077906.html

Web services spec invites controversy July 9, 2003
http://news.com.com/2100-1009-1024013.html

Group eyes Web services security April 1, 2003
http://news.com.com/2100-1012-994938.html

Web services specs focus on security December 18, 2002
http://news.com.com/2100-1001-978314.html

Get this story's Big Picture
http://news.com.com/2104-7345-5079937.html

CNET
Copyright ©1995-2003 CNET Networks, Inc. All rights reserved.