MS, IBM and Verisign team on Web-services security

Microsoft Corp., IBM Corp. and Verisign Inc. have devised a way to add integrity- and confidentiality-checking capabilities to upcoming Web-services applications, a first step in a broader joint effort to secure Web services, the companies said Thursday.

The jointly developed specification, dubbed WS-Security, defines a set of SOAP (Simple Object Access Protocol) extensions and describes how to exchange secure and signed messages in a Web-services environment, providing a foundation for Web-services security, Microsoft, IBM and Verisign said in a joint statement.

Web services are software applications or components linked together over the Internet using a standards-based approach. SOAP, itself based on XML (Extensible Markup Language), is one of the protocols enabling this. Web services as part of business-software applications could, for example, allow a PC vendor to link its order-entry application to a supplier’s system.

Microsoft, of Redmond, Washington, IBM, of Armonk, New York, and Verisign, of Mountain View, California, said the WS-Security specification will be submitted to a standards body. No submission plan or date was provided.

Security is important for Web services to gain credibility, and the three vendors driving the initiative form the right group size, said Rob Hailstone, research director with analyst firm IDC.

“(Security) is a very obvious next step needed for Web services to get credibility. The fact that the standards are being created by three vendors working in collaboration, vendors that have competitive stances in some markets, is good,” he said. “The next bid is to see whether the proposed standards are acceptable or not.”

In addition to the WS-Security specification, Microsoft and IBM said they plan to develop a range of security specifications for Web services together with key customers, partners and standards organizations such as the World Wide Web Consortium (W3C) and the Internet Engineering Task Force.

Six of the other proposed specifications are WS-Policy, WS-Trust, WS-Privacy, WS-Secure Conversation, WS-Federation and WS-Authorization. These proposed specifications can be grouped in two categories, with the first three dealing with defining security policies, establishing trust relationships and implementing privacy policies, and the last three handling the sending and receiving of messages sent between Web services.

Once a standards body has given its official stamp, Microsoft, IBM and Verisign expect implementations from multiple vendors. The Web-services security model should enable businesses to develop secure and interoperable Web services, the three companies said.

Businesses don’t need to wait for the new specifications to become standards before starting to use Web services, according to Charles Homs, a senior analyst with Forrester Research BV.

“Security is needed, but it is untrue to say that companies could not use Web services without these types of security standards. It would be bad if companies sit and wait for all security aspects to be in place. Dell (Computer Corp.), for example, already uses Web services without WS-Security,” he said.

IDC’s Hailstone said he agreed with this to some extent, but said that Web services won’t really take off until security standards are in place.

“A number of companies are using Web services in an open business-to-business deployment already and they are making do with SSL (Secure Sockets Layer), for example. However, for wide-scale deployment it is a comfort to have security out there,” he said, adding that he expects the use of Web services to mature slowly over a few years.

The security initiative is not the first joint Web-services initiative involving Microsoft and IBM. In February the tech behemoths were part of the broad consortium of industry players that formed the Web Services Interoperability Organization, a consortium with the goal of ensuring that vendors developing products for Web services implement the most commonly used standards in the same way.