Web Services Security Tightens

At the heart of two tools that will be unveiled this week is SAML, a standard that promises to ease the exchange of credentials on the Web.

Since security remains among the key challenges that must be met before Web services can become pervasive, some companies are moving to answer the call.

Baltimore Technologies plc. and Hitachi Computer Products Inc.'s Quadrasis business unit this week will each deliver tools to help meet the Web services security challenge.

At the heart of these technologies is SAML (Security Assertions Markup Language), an XML-based standard for exchanging security credentials among online business partners.

Nearing ratification by OASIS, or the Organization for the Advancement of Structured Information Standards, SAML enables users to sign on to one site and have their security credentials and information transparently transferred across affiliated sites.

"Security for Web services is the biggest single issue in the [lack of] maturity of Web services standards," said Randy Heffner, vice president and research leader at Giga Information Group Inc., in Stamford, Conn.

Baltimore, of Dublin, Ireland, will announce SelectAccess 5.0, which is the first access control and authorization product based on SAML, said Joyce Fai, vice president of Baltimore's Authorization Solutions Group. In addition to delivering SAML-based affiliate services, SelectAccess features centralized management, reporting and alerting capabilities, multiple-directory support, and wireless authorization.

Fai called SAML a "very important" standard the industry needs, but not everyone agrees it's ready.

"The hype about Web services kind of leaves you breathless," said Andrew Nash, director of technology and standards at RSA Security Inc., in Bedford, Mass. "All of these efforts like SAML and ... WS-Security [Web Services-Security specification] are not yet mature. ... I think there will be less security than would be desirable in a lot of [vendors'] solutions. There are no completely agreed upon ways to do this yet."

Kim Vertucci, manager of engineering operations at CommWorks, 3Com Corp.'s carrier unit, in Rolling Meadows, Ill., said she is less interested in SAML maturity than in Baltimore's SelectAccess in general "because it works." CommWorks is implementing SelectAccess 5.0 in an intranet environment to keep its research and development data out of the hands of other business units.

Quadrasis this week will announce its Enterprise Application Security Integration Developer Tool. It enables users to link security solutions via SAML wrappers and combine them to form a front-line defense for Web services security.

The EASI tool is part of the company's EASI Security Unifier, which is based on SAML. Bret Hartman, chief technology officer of Quadrasis in Waltham, Mass., said the EASI Developer Tool is like "[enterprise application integration] for security."

Additional reporting by Dennis Fisher
