
Whirlwind of Web services work on tap



A dizzying array of specifications being produced this year by standards bodies and other groups will fill glaring security and reliability gaps in nascent Web services technology.

In rapid-fire succession over the next six to eight months, network executives could see up to 30 new protocols emerge designed to advance Web services as a way to support secure and reliable interconnection of transaction-based business applications.

The protocols will help mitigate risk, enforce access and use policies, ensure nonrepudiation and guarantee execution and exception handling by defining authentication, authorization, trust, reliable messaging, transactional integrity and workflow. Standards for XML-based digital signatures and encryption already exist.

Standards bodies focused on XML include the Organization for the Advancement of Structured Information Standards (OASIS) and the World Wide Web Consortium (W3C). Vendor alliances are also at work: the IBM, Microsoft and VeriSign trio developed the recent WS-Security proposal.

The groups will be heavily active in the coming months on standardizing recommendations, introducing new specifications, hammering out guidelines for security requirements and focusing on creating consistency across a palette of security initiatives.

Getting the work done is imperative to providing the kind of security network executives need when they develop or deploy sophisticated Web services, which typically involve computers talking to one another without human intervention.

"This year is going to be pretty overwhelming in terms of standards," said Bob Sutor, director for e-business standards strategy at IBM, at a meeting with Network World editors last week. "Standards will be coming at a fast and furious pace. Last year standards development was focused on connections. This year it will be focused on security, reliability, transactions and workflow. Soon it's going to be very difficult to keep track of what does what." He says there will be 20 to 30 specifications relatively soon. Currently there are six major security protocols either approved or in the draft stage. The WS-Security alliance has proposed seven others.

Network executives are bracing for the onslaught but say they hope it will not erode the simplicity of Web services.

"I would hate to see Web services get lost in the security forest," says John Studdard, senior vice president and CTO for the Virtual Bank in Palm Beach Gardens, Fla. "We are hoping for a simple security model as opposed to something that sounds good but has no chance of ever being implemented."

Studdard runs a dozen Web services internally to integrate banking systems, but says because of security concerns he has yet to run them outside his organization.

"Web services security is still the wild, wild West," Studdard says. "What we are seeing now is a reaction more than a well thought out security plan."

That may be true, according to a recent Hurwitz Group study, which among other issues showed that security was the No. 1 inhibitor to Web services adoption.

"We were surprised to see how quickly people were adopting the Web services development tools, but there is an immaturity level that is quickly being realized as people seek security, reliability and quality of service," says Tyler McDaniel, director of application strategies for Hurwitz. "As a result, there is a pressure on vendors and standards bodies to get security moving faster."

Existing security standards from the W3C - XML Signature (XML-Sig) and XML encryption, protocols for ensuring integrity and authorization - are creating the support for that movement. The W3C also is working on the XML Key Management Specification for distributing and registering public keys.

At OASIS, the Security Assertion Markup Language (SAML), Services Provisioning Markup Language (SPML) and the XML Access Control Markup Language (XACML) are all security proposals in line for approval.

"Security today is being done willy-nilly," says Terri Kouba, a systems developer at the University of California at Berkeley. "But as a whole under Web services it needs to be defined. Not just the transport but the whole authentication and reliability piece."

Work is under way to tie it all together for use in Web services development tools and other software.

Last week, OASIS created the Security Standards Joint Committee (SSJC), an oversight group to ensure consistency among its security working groups. Next month, OASIS will begin work on final approval of SAML and XACML. The SPML specification is set for standards review at year-end, and a fourth focused on digital rights management had its first committee meeting last week.

"If you can show me a PowerPoint slide that describes how security standards tie together, I'll give you a million bucks," says Darran Rolls, director of technology for Waveset and the co-chair of the SSJC. "We need common terms and a way to prevent overlap in the specs."

The W3C last month published the first draft of its Web Services Architecture Requirements, including a foundation for security based on accessibility, authentication, authorization, confidentiality, integrity and nonrepudiation. The final draft is due early next year, and the group is working on a proposal to create an umbrella security group that would work on security extensions to SOAP and examine new security proposals, says Philippe Le Hégaret, a member of the W3C technical staff.

One such effort to create new protocols is being led by IBM, Microsoft and VeriSign, which by year-end plan to introduce six specifications to extend the WS-Security specification they introduced last month (see graphic). The trio says it hopes to submit WS-Security, which is built on XML-Sig and XML encryption, to a yet-to-be-determined standards body this fall.

IBM and Microsoft are at work independently on specifications - Web Services Flow Language and Xlang, respectively - for standardizing workflow, the process of managing the execution of Web services in business processes. IBM's Sutor says the company also is working on a specification for guaranteed delivery of messages, although he would not provide details.

But no matter how fast such efforts develop, securing Web services will be a complex undertaking for network executives.

"To think the complexity in the designing, developing, deployment and maintenance of secure distributed applications will go away with Web services is a cardinal sin," says Bernhard Borges, managing director of the advanced technology group at PricewaterhouseCoopers Consulting.

Others say Web services security is just a new set of protocols to address the tried-and-true security tenets of today: Secure data where it resides, and secure it as it moves between two or more end points.

"The scary part is that we are starting to talk about linking up the whole Internet," says Pete Lindstrom, director of security strategies for the Hurwitz Group. But Lindstrom says the basics for getting started are there today.

Senior Writer Ann Bednarz contributed to this report.

Security initiative
IBM, Microsoft and VeriSign are proposing a Web services security framework beginning with WS-Security for message integrity and confidentiality. The WS-Security specification is available; the specification for the six extensions will be released in the coming months.

WS-Security: Describes how to attach digital signatures and encryption headers and security tokens, such as Kerberos tickets or X.509 certificates, to SOAP messages.

WS-Policy: Used to express conditions and constraints of security policies.

WS-Trust: Framework for direct and brokered trust relationship between Web services.

WS-Privacy: Model for stating privacy preferences and practices.

WS-Secure Conversation: Describes how to manage and authenticate message exchanges between Web services.

WS-Federation: Describes how to manage and broker trust relationships among unlike systems in a federated environment.

WS-Authorization: Describes how to manage authorization data and policies.


Contact Senior Editor John Fontana
