Microsoft makes move to add Web services security

Microsoft Corp. Thursday took its first small steps toward incorporating security to support Web services into its line of enterprise software.

The company unveiled a set of technologies codenamed TrustBridge designed to allow the sharing of user identity information across companies – so-called federated identity management – and the deployment of security to support Web services. Web services technology is a set of standard protocols based on XML.

The software would allow network executives to create a trust relationship between their directories in order to authenticate users and authorize the use of resources, such as Web services. Users could be authenticated in one company’s directory and carry that authentication to a second company’s directory to gain authorization to use services, thereby federating, or joining, identity management across the two directory services.

The foundation of TrustBridge is Kerberos Version 5, a standard authentication service that is supported in Active Directory, and a proposed Web services security specification called WS-Security.

A major limitation, however, is that TrustBridge only works between companies running Microsoft’s Active Directory or between Active Directory and Kerberos Version 5 Key Distribution Center servers, a limitation that Microsoft acknowledges will have to be lifted as the software evolves.

The software doesn’t support the Security Assertion Markup Language (SAML), a Web services protocol for federated identity management that is slated for standards ratification next month by the Organization for the Advancement of Structured Information Standards (OASIS). Instead, it uses WS-Security, a proposed specification with six extensions introduced in April by IBM Corp., Microsoft and VeriSign Inc.

“WS-Security and TrustBridge is a good start but you have to ask some questions like what about X.509 certificates and [public-key infrastructure],” says Laura Koetzle, an analyst with Forrester Research Inc. “Microsoft is seeing the world as all Kerberos and Active Directory.”

“TrustBridge allows us to take the first step in realizing the WS-Security roadmap around building identity management and security for Web services,” says Steven VanRoekel, director of Web services technical marketing for Microsoft. “It’s a crawl, walk, run strategy and this is crawl.” VanRoekel said TrustBridge would evolve to support other identity management services. He would not say how it would be packaged or priced, but said it more than likely would be delivered in a single product.

TrustBridge represents Microsoft’s first real enterprise answer to the nagging security and identity management questions that are the Achilles’ heel of Web services, the cornerstone of Microsoft’s .Net initiative. Others, such as the Liberty Alliance led by Sun Microsystems Inc., also are trying to solve the identity management issue.

TrustBridge also is Microsoft’s first implementation of WS-Security, a set of proposed Web services specifications for security, trust, routing and policy.

In essence, TrustBridge acts as a gateway using Kerberos to speak to Active Directory or a Kerberos KDC server on an internal network. TrustBridge then employs WS-Security to tuck Kerberos tickets inside Simple Object Access Protocol messages that can be sent over the Internet to other TrustBridge nodes or nodes that support WS-Security.

Currently, no shipping software supports WS-Security. IBM announced in early May support for WS-Security in the next version of WebSphere, due for release this fall. Microsoft plans to release TrustBridge sometime in 2003, after it ships Windows .Net Server.

WS-Security’s foundation is the XML Encryption and XML Digital Signature standards. With TrustBridge, Microsoft also will include some of the WS-Security extensions, possibly WS-Trust and WS-Policy. WS-Trust is a framework for establishing direct and brokered trust relationships between Web services, and WS-Policy is used to express the conditions and constraints of security policies. Microsoft officials said they are still determining which combination of extensions the software will use.

Microsoft also plans to integrate TrustBridge with its Internet Security and Acceleration Server, which would serve as a packet-level and message-based filter of WS-Security traffic. It also plans to integrate its Passport authentication service into TrustBridge.

TrustBridge also is being used to solve limitations with a feature being added to Active Directory in the Windows .Net Server release.

That feature – called cross-forest trust – allows different Active Directory domains, or forests, to establish trust relationships. Doing so across the Internet, however, requires network executives to open as many as six ports on their firewalls.

“We know that can leave you more susceptible to malicious activity,” VanRoekel says. With TrustBridge, communication is handled entirely through port 80 on the firewall, the port used for HTTP, by encapsulating Kerberos tickets in a SOAP message.
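To make the encapsulation described here and above (a Kerberos ticket tucked inside a SOAP message via WS-Security) concrete, the following is an added Python example, not Microsoft's code and not derived from any TrustBridge implementation. It builds a SOAP envelope whose Security header carries a base64-encoded Kerberos service ticket as a BinarySecurityToken, and shows the receiving side's check that extracts the ticket and rejects envelopes without the expected token; the namespace URI and the ValueType/EncodingType strings are assumed from the April 2002 WS-Security draft, and the ticket bytes are constructed, not a real ticket.

```python
import base64
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace and the April 2002 WS-Security draft namespace (assumed URI).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://schemas.xmlsoap.org/ws/2002/04/secext"
NS = {"soap": SOAP_NS, "wsse": WSSE_NS}
TICKET_TYPE = "wsse:Kerberosv5ST"   # Kerberos v5 service ticket, per the 2002 draft (assumed)
B64_TYPE = "wsse:Base64Binary"      # binary tokens travel base64-encoded inside the XML


def wrap_ticket(ticket: bytes, body: str) -> str:
    """Sender side: place the Kerberos ticket in a WS-Security header around the SOAP body."""
    token = base64.b64encode(ticket).decode("ascii")
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
        "<soap:Header>"
        '<wsse:Security soap:mustUnderstand="1">'   # receiver must process or fault
        f'<wsse:BinarySecurityToken ValueType="{TICKET_TYPE}" EncodingType="{B64_TYPE}">'
        f"{token}</wsse:BinarySecurityToken>"
        "</wsse:Security></soap:Header>"
        f"<soap:Body>{body}</soap:Body></soap:Envelope>"
    )


def unwrap_ticket(envelope: str) -> bytes:
    """Receiver side: extract the ticket, refusing anything that is not a base64 Kerberos ST.

    In production, parse untrusted SOAP with a hardened parser (e.g. defusedxml) and hand the
    returned bytes to the Kerberos library for AP-REQ verification; that step is out of scope here.
    """
    root = ET.fromstring(envelope)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no WS-Security header")
    tok = sec.find("wsse:BinarySecurityToken", NS)
    if tok is None or tok.get("ValueType") != TICKET_TYPE:
        raise ValueError("no Kerberos service-ticket token")
    if tok.get("EncodingType") != B64_TYPE:
        raise ValueError("unexpected token encoding")
    # validate=True rejects non-base64 characters instead of silently discarding them.
    return base64.b64decode(tok.text or "", validate=True)
```

The whole exchange is plain HTTP/SOAP, which is why only port 80 needs to be open; the security of the ticket itself still rests on the receiving KDC or service verifying it.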

“This gives you all the benefit of cross-forest trust in a Web services model,” VanRoekel says. Microsoft also will include a set of management tools in TrustBridge for establishing and administering trust relationships. The tools can be used to set up relationships, such as which groups of users are members of the trust relationship and what privileges they have, and to manage changes in the directories, such as deleting a user, that must be recognized across all the forests in a trust relationship.