Scrambling to Secure Web Services

While much of the attention surrounding Web services security has focused on standards efforts, software developers and users are realizing that standards alone won't solve the problem.

As a result, developers such as RSA Security Inc., Oblix Inc. and even networking manufacturer Cisco Systems Inc. are starting to take a more holistic approach to security with new products that address key Web services security matters. Potential users, however, still have questions about the technology's vulnerability.

RSA, which is counting on demand for Web services to drive much of its future growth, will partner with Sun Microsystems Inc. to integrate products and create an identity infrastructure across a network. RSA's ClearTrust and Keon software will be integrated with the Sun ONE (Open Net Environment) Directory Server and Portal Server, officials said. The packages are available from either company now.

Web services, with their universal accessibility, create a strong demand for authentication, authorization and identity management technologies. These not only allow access to the services but also do so in a simple, manageable manner, said Art Coviello, CEO of RSA, in Bedford, Mass.

"It's going to be fundamentally important to know who you're doing business with, and it's important to make that user experience fluid and make sure transactions are private and confidential," Coviello said.

Cisco is also getting in on the act and developing cutting-edge technologies that enable a deeper level of packet inspection, which in turn allows for better identification of source and contents. The technology is due to be included in upcoming router software—officials would not say which series—within the next 12 months.

The approach is especially important since Web services traffic is likely to become the next playground for attackers, experts predict.

"We're looking at how you layer identity all the way through a transaction," said Bob Gleichauf, chief security officer at Cisco, in San Jose, Calif. "It's unclear if [Web services] are in the best interest of businesses because you might have XML services that tunnel through the firewall, [providing] an avenue for attacks."

Security administrators and IT managers say that while the vendors seem to be making progress, there is still work to be done.

"A lot of the questions people have about securing Web services are about how you solve the question of identity," said Steve Devoti, directory services manager at CUNA Mutual Group, in Madison, Wis., where small-scale, internal Web services deployments are planned.

"Just because [the Organization for the Advancement of Structured Information Standards] approves a new standard and someone hands us a security assertion doesn't mean we automatically know who they are," Devoti said. "The industry is still in the baby-steps stage here."

"I think that the market will eventually force all the different platforms to work together," said Vincent Senatore, a corporate security administrator at Airlines Reporting Corp., in Louisville, Ky.

"What I see is that somebody will develop a tool like the current LDAP protocol to handshake with all other platforms," Senatore said.

Meanwhile, Oblix, which has been a prime mover in the effort behind the SAML (Security Assertion Markup Language) standard, is one of the few companies with a working identity management product. The company has included a draft specification of SAML in its newest identity tool and is testing it in a production environment.

That product likely won't be released until the SAML specification is adopted next year. Company officials said that while security concerns may be preventing some companies from deploying Web services, there is little to those fears.

"People really haven't thought beyond the words here," said Gordon Eubanks, CEO of Oblix, based in Cupertino, Calif. ".Net is beginning to be deployed. The thing that builds security and confidence in [Web services] is identity. Security comes from strong authentication."
