Authenticating Web services

Secure Web services authentication that not only recognizes users but also grants access to particular systems is becoming a thorny and contentious issue with few signs of clarity in the near term.

With security so high in enterprises’ minds, a storm is brewing over standards to ensure that Web services via the Internet can be combined without compromising authentication methods. Microsoft is at the centre of the maelstrom, with Sun Microsystems Inc. and a cadre of third-party providers attempting to pose XML-based alternatives to Microsoft Corp.’s controversial Passport authentication.

Without many security standards in place, security vendors Netegrity Inc., Oblix Inc., and OpenNetwork Technologies are also readying products that allow users to pass along and manage user credentials among what may turn out to be disparate Web services environments.

Even as vendors jockey for position, users say the absence of robust authentication and interoperability could be a stumbling block for nascent Web services technologies.

“When you get into exposing applications into (Web) services, you’re getting into standards,” says John Reynolds, senior advisor of e-commerce architects at Indianapolis-based Anthem Blue Cross/Blue Shield. “If you implement and rely on (security) services around those components that are proprietary, you get yourself locked in.”

Storing user identity to enable Web services is particularly touchy for users, who are loath to hand over control of this data.

“Users are jittery. Companies don’t want to give up entire enterprises’ identities. They want to keep that in-house,” says Jim Ducharme, director of development at Waltham, Mass.-based Netegrity. “These companies are not going to throw away their ID management and give them to Microsoft or Liberty Alliance to manage. It’s all about interoperability.”

A “Brilliant Stroke”

Denying that it will lock in users, Microsoft is looking to transform Web services security from a necessity on every machine into a layer that spans the network. Its main vehicle for that push, Passport, has drawn mixed reviews because of its oft-perceived consumer orientation and concern that the company could gain control over user identity information.

In September, Microsoft announced that it will add support for Kerberos to Passport over the next year, both to create interoperability and to strengthen the robustness of the authentication. The software giant also abandoned its controversial plan of holding all user data itself, and instead gave merchants that use Passport the ability to store user data.

When Windows.Net Server comes out by mid-2002, Microsoft’s idea of “federated” authentication will come into play, says Jim Allchin, Microsoft’s group vice-president. “You can do one level of authentication out on the Web to Passport using Kerberos. So you get an ID that works across (many environments),” he said in a recent interview.

Kerberos is a network-authentication protocol using strong secret-key cryptography. Microsoft rivals have criticized Microsoft’s use of extension fields in Kerberos, although Microsoft contends that does not compromise interoperability.

John Pescatore, vice-president and research director of Network Security at Stamford, Conn.-based Gartner Inc., calls the decision to turn Passport into a pure Kerberos base a “brilliant stroke.”

Because all Microsoft operating systems will include Kerberos, Pescatore says the PCs and servers that run Microsoft’s software will be able to communicate directly without having to go through an outside Web server or browser.

“Since Microsoft owns the desktop operating system, this gives them a way in authentication to go around other Web server packages, like Apache and iPlanet, and talk directly to the server OS. That’s a major change in the landscape,” Pescatore remarks.

For Passport to be accepted in the corporate world, Pescatore says the technology needs additional services tied around it to prove it does in fact belong to a live person. A sole e-mail address to prove verification is not enough, he adds.

Not content to sit this one out, Microsoft rival Sun hopes to create an open and federated solution for network identity with its Liberty Alliance Project. The Alliance was founded to allow authentication and authorization to reside in a realm of established trust – not for any single party to possess access to identity and preference information, says Marge Breya, Liberty Alliance representative and vice-president of Sun One. “Companies today make money off relationships they have earned with customers,” Breya says.

Countering the Microsoft approach, the Liberty Alliance vision of federated identity is built around three principles: Companies that create data will maintain control of it; data will be exchanged via open standards and not required to pass through a single central authorization; and authentication can occur using different devices.

Although it has yet to formally announce its intentions, SAP AG hinted that it is leaning toward backing Sun’s Liberty Alliance project at its SAP TechEd conference last month.

Sachar Paulus, director of product management for SAP security in Walldorf, Germany, notes that companies engaging in B2B exchanges would oppose yielding control of corporate information to a third-party collector such as Microsoft. But Paulus says SAP must support Microsoft’s efforts to some degree because of the software giant’s dominance of the front-end application market.

The XML Way

Meanwhile, XML standards consortium Oasis is steering plans to create a universal security standard to deliver authentication and authorization regardless of platform or vendor.

Led by Patrick Gannon, president and CEO of Billerica, Mass.-based Oasis, the group is pushing for adoption of SAML (Security Assertion Markup Language). Developed within the Oasis XML-based Security Services Technical Committee, SAML will provide a basic and interoperable mechanism for exchanging authentication and authorization among applications and parties, Gannon says.

“The key paradigm of Web services is really extending application interaction outside of corporate boundaries. You want to have a standard way of receiving that,” he explains. SAML will help provision services by eliminating the need for users to log in each time they access “second (level) and third level” application entitlements.

A completed SAML draft is expected by early 2002. Oasis will accept specs for approval during the second quarter of 2002.

CUNA Mutual Group, the Madison, Wis.-based provider of financial services to credit unions, chose Oblix’s offerings due to its level of SAML involvement, says Steve Devoti, directory service manager at CUNA. “We know to deliver the type of services to (customers), we’re going to have to federate with people,” Devoti explains. “We need (a standard) to ensure there’s a smooth hand-off to other directions to ensure what (ID) credentials are.”

Third-party security companies are looking to provide some of that interoperability, too, although offerings are still in the works.

“There has to be a bridge between the .Net and non-.Net services way for someone running .Net and someone running SunOne to exchange information and transactions across boundaries,” says Bob Warner, senior vice-president of product engineering at Clearwater, Fla.-based OpenNetwork Technologies. “It’s not going to be an end-to-end Microsoft world in the near future.”

OpenNetwork’s DirectorySmart product works with Web servers, Active Directory, and application servers to provide single sign-on, role-based access control, and policy management for user IDs.

But D.L. Ayers, a Java architect and senior systems architect at BEA Systems Inc., says that it is up to the Java community to offer an alternative to Passport. That alternative already exists in the form of Java smart cards, Ayers adds.

Some of the vendors offering Web services infrastructures say that existing security technologies will not be abandoned. PKIs (public key infrastructures) and SSL (Secure Sockets Layer), for instance, each have robust track records on the Web, says Scott Dietzen, CTO of BEA Systems’ e-commerce server division, in San Jose, Calif. “The key to Web services is to be able to leverage that” existing technology, Dietzen says. “(But) nonrepudiation is a big hole.”

(Tom Sullivan contributed to this report.)