REDMOND, WASH. - Microsoft last week took its first real shot at addressing Web services security shortcomings, though critics say the company will need to follow up with better support for heterogeneous networks and answer questions about the cultural side of adopting this emerging technology.
Microsoft's TrustBridge software is designed to help companies more easily and safely share information with trading partners and customers. TrustBridge would let an end user authenticate on his company's network and carry that authentication to other companies' networks to access resources, such as Web services.
Lack of security is the No. 1 issue inhibiting enterprise adoption of Web services, according to a recent study by Hurwitz Group.
The foundation of TrustBridge is Kerberos Version 5, a standard authentication technology supported in Microsoft's Active Directory, and WS-Security, a proposed Web services security specification based on Simple Object Access Protocol (SOAP) and introduced in April by Microsoft, IBM and VeriSign. TrustBridge fits into Microsoft's grand .Net scheme, under which the company is looking to supply software as services.
TrustBridge's major limitation - as even Microsoft acknowledges - is that it works only between companies running Microsoft's Active Directory or between Active Directory and Kerberos 5 Key Distribution Center (KDC) servers.
What's more, even though Kerberos support seems to move TrustBridge away from solely a proprietary Microsoft technology, there have been ongoing problems integrating Unix-based Kerberos services with Microsoft's implementation of Kerberos 5.
Even as TrustBridge might begin to solve technical issues, observers say it ignores the cultural issues involved in establishing policies and procedures for creating trust between companies.
"It is a huge change in the culture of IT to move to a centralized identity management structure," says George Defenbaugh, manager of global IT infrastructure projects for Amerada Hess, an integrated petroleum company in New York City that is crafting a directory environment with multiple instances of Active Directory. "We've been having conversations on just how to set this up across multiple forests. Security by its very nature is complex."
Critics say another shortfall is that TrustBridge does not support Security Assertion Markup Language (SAML), a Web services protocol to foster interoperability among disparate authorization and authentication systems that is slated for standards ratification next month by the Organization for the Advancement of Structured Information Standards. SAML-based products are expected to roll out in the next six to eight months, mostly in Web access management products, such as those from Oblix and Netegrity.
"TrustBridge is a move in the right direction for Microsoft, but it is still overlooking interoperability with all those organizations that will be using SAML," says Dan Blum, an analyst with The Burton Group. "Microsoft should include SAML in TrustBridge; these security environments should not roll out as two different worlds."
Other observers concur.
"They are going to have to support other Web services protocols and play with the niche security vendors like Netegrity," says Cate Quirk, a research analyst with AMR Research.
"You have to ask some questions, like what about X.509 [digital] certificates and [public-key infrastructure]," says Laura Koetzle, an analyst with Forrester Research. "Microsoft is seeing the world as all Kerberos and Active Directory."
Microsoft says WS-Security will evolve to support other authentication services, often called identity management, including those promoted by the 40-member Liberty Alliance effort led by Sun.
"It's a crawl, walk, run strategy, and this is [the crawl part]," says Steven VanRoekel, director of Web services technical marketing for Microsoft. He declines to say when the "walk" and "run" parts of the strategy will emerge or how the company will price and package TrustBridge.
Microsoft says TrustBridge will act as a gateway using Kerberos to speak to Active Directory or a Kerberos KDC server on an internal network (see graphic, above). TrustBridge then employs WS-Security to tuck Kerberos tickets inside SOAP messages that can be sent over the Internet to other TrustBridge nodes or nodes that support WS-Security.
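The following is an added illustration of the mechanism described above, not code from Microsoft or from the article: a Kerberos ticket is base64-encoded into a WS-Security BinarySecurityToken in the SOAP header, and the receiving node checks that exactly one token of the expected Kerberos type is present before decoding it. The namespace URI and the `wsse:Kerberosv5ST` ValueType are taken from the April 2002 WS-Security draft as best recalled and should be treated as assumptions; the ticket bytes are constructed and are not a real Kerberos ticket.

```python
import base64
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace and the April 2002 WS-Security draft namespace (assumed URI).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://schemas.xmlsoap.org/ws/2002/04/secext"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)

# Token type for a Kerberos v5 service ticket in the early draft (assumed value).
KERBEROS_ST = "wsse:Kerberosv5ST"

# Constructed placeholder standing in for the DER bytes of a service ticket.
CONSTRUCTED_TICKET = b"constructed-kerberos-service-ticket-not-real"


def wrap_ticket(ticket: bytes, body_xml: str) -> str:
    """Sending side: put the ticket into a BinarySecurityToken in the Security header."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    sec = ET.SubElement(hdr, f"{{{WSSE_NS}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}BinarySecurityToken",
                        ValueType=KERBEROS_ST, EncodingType="wsse:Base64Binary")
    tok.text = base64.b64encode(ticket).decode("ascii")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def extract_ticket(envelope_xml: str) -> bytes:
    """Receiving side: require exactly one token of the Kerberos type, then decode it.

    The decoded bytes would next be handed to the local KDC/Active Directory for
    validation; that step is outside this sketch."""
    root = ET.fromstring(envelope_xml)
    path = f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}BinarySecurityToken"
    tokens = root.findall(path)
    if len(tokens) != 1:
        raise ValueError(f"expected exactly one security token, found {len(tokens)}")
    tok = tokens[0]
    if tok.get("ValueType") != KERBEROS_ST:
        raise ValueError(f"unsupported token type {tok.get('ValueType')!r}")
    # validate=True rejects non-base64 characters instead of silently discarding them.
    return base64.b64decode(tok.text or "", validate=True)


def accepts(envelope_xml: str) -> bool:
    """True only if the envelope carries a single, well-formed Kerberos service ticket token."""
    try:
        extract_ticket(envelope_xml)
        return True
    except (ValueError, ET.ParseError):
        return False
```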
Currently, no software exists that supports WS-Security. IBM announced last month support for WS-Security in the next version of WebSphere, due for release in the fall. Microsoft plans to release TrustBridge sometime next year, after it ships Windows.Net Server.