Securing Web Services

Interview: IBM's vice president of security products for Tivoli software predicts this is the year enterprises will really begin to use federated identity to protect computing environments.

One year after IBM and Microsoft Corp. released a number of standards for securing Web services, Dr. Arvind Krishna, vice president of security for Tivoli and IBM Security Products, says 2004 is the year enterprises will really begin to use federated identity to protect their computing environments.

Two frameworks have emerged for securing Web services: WS-Security, backed by IBM and Microsoft; and the Liberty Identity Federation Framework, from the Liberty Alliance, which counts Sun Microsystems Inc. and corporations such as American Express Co. among its biggest supporters.


See letter from Liberty Alliance president Michael Barrett.

Krishna, who is instrumental in managing the path IBM takes in this new arena, says both IBM and Microsoft will need to work with the Liberty Alliance to ensure that one standard will eventually emerge for federated identity.

eWEEK Labs Senior Writer Anne Chen recently spoke with Krishna regarding IBMs role in Web services security standards, how IBM and Microsoft will play nice with Liberty Alliance, and how federated identity will change enterprise computing.

eWEEK: Vendors have been talking about federated identity as the next big thing for more than a year now. What makes 2004 different?

Krishna: With the WS-Security set of standards and the Liberty Alliance, standards are reasonable enough that an enterprise can begin to do an implementation and deployment using those standards.

Enterprises are now ready to begin their first projects to leverage these technologies for a crucial business division.

In this year, well really see deployments that leverage technologies to solve problems we just could not solve before. Web services will enable us to knit together one vendors set of products with that of another vendors to leverage everything, and I think this will happen in a big way this year.

The idea that an enterprise can present all these different services to a customer using one interface is just tremendous.

eWEEK: What are some other drivers for the move toward federated identity?

Krishna: Compliance is a huge issue this year because it comes in many flavors and forms. Enterprises need to be compliant with the rules and regulations under which their business or industry operates. If they break these regulations, there is certainly more enforcement now because you can no longer loosely interpret anything.

Beyond legal rules, enterprises are becoming increasingly concerned with what could be perceived as bad behavior. They want to be models of good corporate governance beyond basic laws and are looking for solutions and technologies that will help them to achieve these goals

eWEEK: What are some common misconceptions about federated identity and Web services?

Krishna: Are we going to re-engineer old applications to work with federation? No. But we will use it in new markets to do just that. There is no cost benefit to re-engineer legacy applications, but on a Web site, there is only benefit to provide 17 different services but to require only one sign-on that enables you to use all of those services. Enterprises need to look at federation as an effective way to solve problems for new applications.

eWEEK: How is IBM responding to the idea that enterprises are now ready to deploy federated identity?

Krishna: In the identity management market, were observing a move, in the market, from point products that solve a particular problem to entire solutions that enable an enterprise to fulfill all of their software concerns.

Vendors are really realizing this and are moving to provide complete solutions. For example, Sun Microsystems Inc. has purchased iPlanet to complement its existing products. Netegrity Inc. purchased Business Layers to get focused on this space. Here at IBM, we are also striving to provide a more complete solution to our customers.

eWEEK: At last years Burton Group Conference, you said that IBM and Microsoft would need to work with Liberty Alliance to hammer out a single standard for federation. Since then, Liberty Alliance has released its own standard. What happened?

Krishna: The fact is that weve gotten to this point, but there is no maliciousness on either side. One organization began as a private consortium and the other began as an open consortium. Customers are confused. I dont think they should be, but they are.

Clearly, the desire is for anyones whos sensible to deploy both standards and merge the two. Who loses? No one does—except for those who want to have a proprietary implementation or architecture.

I believe in open standards. May the best implementation win. IBM is a huge endorser of WS-Is set of standards, but the reason for that is because the work is done in an open forum. Different people create the initial draft and individuals decide through an open process in which everything is open to inspection, and decide what should be the standard.

WS-Security needs to find a way to converge with Liberty. I encourage Liberty Alliance to work toward convergence. We need the help. We all do.

eWEEK: What are you telling customers who want to deploy federated identity projects but are reluctant because of the two frameworks?

Krishna: There is not much of a fundamental difference between the two standards. The WS-Security Framework standards are much broader than Liberty Alliances standards. We are interested in trust, policy and privacy. Liberty is more worried about single-sign-on in federation.

I have promised our customers that if we converge in a different direction from where were moving now, I will still support them.

I will always have to interoperate with standards and this means IBM will interoperate with products whether theyre from Liberty Alliance, Microsoft or someone else.

eWEEK Labs Senior Writer Anne Chen can be reached at

Editors Note: This story was updated to include information and comments from Arvind Krishna.