Securing Web services

Heavyweight security vendors and niche players alike are choosing the RSA Conference 2002 this week to present products designed to provide some of the missing pieces of real-world security environments for Web services.

Security players VeriSign Inc., Computer Associates International Inc., and the Liberty Alliance will introduce plans to bring authentication and ID management to Web services transactions, while a number of upstarts will introduce devices that secure XML-based Web services networks.

“The issue with Web services for the model as currently defined [is that it] has no inherent security built into it,” said Jamie Lewis, CEO of The Burton Group in Salt Lake City. “We have to figure out as an industry how to build [security] in. RSA is a great opportunity to build on that.”

VeriSign will unveil its long-awaited Web services road map this week. Joining multiple partners, including IBM and Grand Central, Mountain View, Calif.-based VeriSign will announce plans to tie authentication with secure transaction interoperability between apps.

Also, CA is set to announce the second version of its eTrust PKI product with an added online status checker for digital certificates and a new eTrust Web access control solution, company officials said.

Those products will form the basis of future CA Web services security and identity management by providing authentication and authorization server infrastructure to protect sessions and tie back in to user profiles in the database, said Piers McMahon, director of security product management at Islandia, N.Y.-based CA.

Burton Group’s Lewis said customers need to consider their network architecture and realize that centralized access and identity management is key to tying personalized directory and portal information back to network policy.

New alignments toward authentication will be addressed. The Liberty Alliance, a group of companies that includes Sun Microsystems and AOL, will announce new members and its progress in creating an alternative to Microsoft’s Passport and .Net online authentication system.

In line with this trend, identity management vendor Oblix last week said it is extending its Web site SSO (single sign-on) function to Passport users and plans to repeat the effort with the Liberty Alliance. Sources say the next version of Passport will support federated Kerberos, Active Directory, and Windows Server.

Although the established players are focusing on authentication, the massive volume of data shared and delivered by Web services requires more security focus on the language inside the document in transit rather than on the verification session, said Pete Lindstrom, an analyst at Hurwitz Group in Framingham, Mass.

This week, Dublin, Ireland-based Vordel will unveil VordelSecure, which adds SOAP (Simple Object Access Protocol) messaging and routing for XML security in a Web services framework. It can be deployed to intercept SOAP requests as they arrive at the server for verification. It also forwards verified messages and deflects attempts to overpower SOAP messages, such as buffer overflows.

Bridgewater Systems, of Kanata, Ont., will demo its Web services-tailored NetProfile access control device at RSA. Sitting between the firewall and app or Web servers, it looks into messages to perform credential checks and audit trails.
