IBM, Microsoft Deliver New Security Specs

New set of security and policy specifications are based on the Web Services Security road map.

Web services giants IBM and Microsoft Corp. Wednesday announced, along with BEA Systems Inc., RSA Security Inc., VeriSign Inc. and SAP AG, a new set of security and policy specifications based on the Web Services Security road map that Microsoft and IBM developed last April to help enterprises share information securely.

The first in the set of specifications includes WS-Trust, which defines a framework for managing, setting up and assessing trust relationships to enable Web services to securely interoperate, a common way to access security services; WS-SecureConversation, which defines a framework to set up a secure context for parties that want to exchange multiple messages without having to continually re-authenticate; and WS-SecurityPolicy, which defines general security policies that can be associated with a service, said Karla Norsworthy, director of dynamic ebusiness technologies at IBM. IBM, Microsoft, RSA and VeriSign authored all three specifications.

The specifications fall into two categories, the companies said: those that build on technical issues in the Microsoft/IBM road map (the first three), and another group of three specifications that focus on implementing business policies into Web services.

Scott Collison, director of Web services management at Microsoft, said the new specifications are based on accepted standards in the areas of the Simple Open Access Protocol (SOAP), security, transactions and discovery to provide a framework for implementing business policy and security for a broad set of applications. "This is the next wave of our delivering specs in security," he said. "Were delivering some additional specifications that are part of our execution against an overall Web services vision to allow companies to have broadly interoperable Web services regardless of the platform their application sits on," he said.

"These are initial versions of the specs, so customers still need to give their feedback," said Jason Bloomberg, an analyst with ZapThink LLC, based in Cambridge, Mass. "There are no tools that support these specs yet, so todays announcement is only one in a series of steps that lead to the release of the specs to a standards body."

The second set of specifications includes WS-Policy, which outlines a way for Web services senders and receivers to communicate their requirements and capabilities, including the ability to search for and discover the information they need to access the service; WS-PolicyAttachments, which provides a standard mechanism for attaching requirement and capability statements to a Web service; and WS-PolicyAssertions, which describes general policies that can be affiliated with a service. BEA, IBM, Microsoft and SAP authored these specifications.

"Policy is important across a broad set of disciplines, including security but not exclusive to security," Norsworthy said. "A good example is I might want to express policy that tells what human language interface a Web service would need to expose to be appropriate for particular end user. Or I might want to express policy that tells what version of a standard like HIPAA [Health Insurance Portability and Accountability Act] that a Web service in the medical space needed to conform to in order for me to feel comfortable using it."

"The specs are more the concern of people developing software, and we implement them in a way thats seamless," Collison said.

Added Norsworthy: "The end goal is to make the time to implement this technology shorter."

Overall, said Bloomberg, "These specs overlap some of the work that the Liberty Alliance has been doing, which raised a red flag for me. SAP, VeriSign and RSA are members of Liberty as well, so youd think the two efforts would be working closely together, but apparently not. The WS-Security party line is that they hope Liberty will support these specs, and theyre anxious to get feedback from Liberty. Whether their lack of early input from Liberty will create a political issue remains to be seen, but it is a risk."

In a statement, Edward Cobb, vice president of architecture and standards at BEA, said: "BEA has long supported the goal of secure interoperability of Web services through the advancement of the WS-Policy standard. This specification promotes a common industry goal to help speed the adoption of Web services by delivering secure, reliable interoperability guidelines that span platforms, applications and programming languages."