
Whirlwind of Web services work on tap



A dizzying array of specifications being produced this year by standards bodies and other groups will fill glaring security and reliability gaps in nascent Web services technology.

In rapid-fire succession over the next six to eight months, network executives could see up to 30 new protocols emerge designed to advance Web services as a way to support secure and reliable interconnection of transaction-based business applications.

The protocols will help mitigate risk, enforce access and use policies, ensure nonrepudiation and guarantee execution and exception handling by defining authentication, authorization, trust, reliable messaging, transactional integrity and workflow. Standards for XML-based digital signatures and encryption already exist.

Standards bodies focused on XML include the Organization for the Advancement of Structured Information Standards (OASIS) and the World Wide Web Consortium (W3C). Vendor alliances are also involved: the IBM, Microsoft and VeriSign trio developed the recent WS-Security proposal.

The groups will be heavily active in the coming months on standardizing recommendations, introducing new specifications, hammering out guidelines for security requirements and focusing on creating consistency across a palette of security initiatives.

Getting the work done is imperative to providing the kind of security network executives need when they develop or deploy sophisticated Web services, which typically involve computers talking to one another without human intervention.

"This year is going to be pretty overwhelming in terms of standards," said Bob Sutor, director for e-business standards strategy at IBM, at a meeting with Network World editors last week. "Standards will be coming at a fast and furious pace. Last year standards development was focused on connections. This year it will be focused on security, reliability, transactions and workflow. Soon it's going to be very difficult to keep track of what does what." He says there will be 20 to 30 specifications relatively soon. Currently there are six major security protocols either approved or in the draft stage. The WS-Security alliance has proposed seven others.

Network executives are bracing for the onslaught but say they hope it will not erode the simplicity of Web services.

"I would hate to see Web services get lost in the security forest," says John Studdard, senior vice president and CTO for the Virtual Bank in Palm Beach Gardens, Fla. "We are hoping for a simple security model as opposed to something that sounds good but has no chance of ever being implemented."

Studdard runs a dozen Web services internally to integrate banking systems, but says because of security concerns he has yet to run them outside his organization.

"Web services security is still the wild, wild West," Studdard says. "What we are seeing now is a reaction more than a well thought out security plan."

That may be true, according to a recent Hurwitz Group study, which among other issues showed that security was the No. 1 inhibitor to Web services adoption.

"We were surprised to see how quickly people were adopting the Web services development tools, but there is an immaturity level that is quickly being realized as people seek security, reliability and quality of service," says Tyler McDaniel, director of application strategies for Hurwitz. "As a result, there is a pressure on vendors and standards bodies to get security moving faster."

Existing security standards from the W3C - XML Signature (XML-Sig) and XML encryption, protocols for ensuring integrity and authorization - are creating the support for that movement. The W3C also is working on the XML Key Management Specification for distributing and registering public keys.

At OASIS, the Security Assertion Markup Language (SAML), Services Provisioning Markup Language (SPML) and the XML Access Control Markup Language (XACML) are all security proposals in line for approval.

"Security today is being done willy-nilly," says Terri Kouba, a systems developer at the University of California at Berkeley. "But as a whole under Web services it needs to be defined. Not just the transport but the whole authentication and reliability piece."

Work is under way to tie it all together for use in Web services development tools and other software.

Last week, OASIS created the Security Standards Joint Committee (SSJC), an oversight group to ensure consistency among its security working groups. Next month, OASIS will begin work on final approval of SAML and XACML. The SPML specification is set for standards review at year-end, and a fourth focused on digital rights management had its first committee meeting last week.

"If you can show me a PowerPoint slide that describes how security standards tie together, I'll give you a million bucks," says Darran Rolls, director of technology for Waveset and the co-chair of the SSJC. "We need common terms and a way to prevent overlap in the specs."

The W3C last month published the first draft of its Web Services Architecture Requirements, including a foundation for security based on accessibility, authentication, authorization, confidentiality, integrity and nonrepudiation. The final draft is due early next year, and the group is working on a proposal to create an umbrella security group that would work on security extensions to SOAP and examine new security proposals, says Philippe Le Hégaret, a member of the W3C technical staff.

One such effort to create new protocols is being led by IBM, Microsoft and VeriSign, which by year-end plan to introduce six specifications to extend the WS-Security specification they introduced last month (see graphic). The trio says it hopes to submit WS-Security, which is built on XML-Sig and XML encryption, to a yet-to-be-determined standards body this fall.

IBM and Microsoft are at work independently on specifications - Web Services Flow Language and Xlang, respectively - for standardizing workflow, the process of managing the execution of Web services in business processes. IBM's Sutor says the company also is working on a specification for guaranteed delivery of messages, although he would not provide details.

But no matter how fast such efforts develop, securing Web services will be a complex undertaking for network executives.

"To think the complexity in the designing, developing, deployment and maintenance of secure distributed applications will go away with Web services is a cardinal sin," says Bernhard Borges, managing director of the advanced technology group at PricewaterhouseCoopers Consulting.

Others say Web services security is just a new set of protocols to address the tried-and-true security tenets of today: Secure data where it resides, and secure it as it moves between two or more end points.

"The scary part is that we are starting to talk about linking up the whole Internet," says Pete Lindstrom, director of security strategies for the Hurwitz Group. But Lindstrom says the basics for getting started are there today.

Senior Writer Ann Bednarz contributed to this report.

Security initiative
IBM, Microsoft and VeriSign are proposing a Web services security framework beginning with WS-Security for message integrity and confidentiality. The WS-Security specification is available; the specification for the six extensions will be released in the coming months.

WS-Security: Describes how to attach digital signatures and encryption headers and security tokens, such as Kerberos tickets or X.509 certificates, to SOAP messages.

WS-Policy: Used to express conditions and constraints of security policies.

WS-Trust: Framework for direct and brokered trust relationships between Web services.

WS-Privacy: Model for stating privacy preferences and practices.

WS-Secure Conversation: Describes how to manage and authenticate message exchanges between Web services.

WS-Federation: Describes how to manage and broker trust relationships among unlike systems in a federated environment.

WS-Authorization: Describes how to manage authorization data and policies.

Contact Senior Editor John Fontana
