Securing Web services

Heavyweight security vendors and niche players alike are choosing the RSA Conference 2002 this week to present products designed to provide some of the missing pieces of real-world security environments for Web services.

Security players VeriSign Inc., Computer Associates International Inc., and the Liberty Alliance will introduce plans to bring authentication and ID management to Web services transactions, while a number of upstarts will introduce devices that secure XML-based Web services networks.

“The issue with Web services for the model as currently defined [is that it] has no inherent security built into it,” said Jamie Lewis, CEO of The Burton Group in Salt Lake City. “We have to figure out as an industry how to build [security] in. RSA is a great opportunity to build on that.”

VeriSign will unveil its long-awaited Web services road map this week. Joining multiple partners, including IBM and Grand Central, Mountain View, Calif.-based VeriSign will announce plans to tie authentication with secure transaction interoperability between apps.

Also, CA is set to announce the second version of its eTrust PKI product with an added online status checker for digital certificates and a new eTrust Web access control solution, company officials said.

Those products will form the basis of future CA Web services security and identity management by providing authentication and authorization server infrastructure to protect sessions and tie back into user profiles in the database, said Piers McMahon, director of security product management at Islandia, N.Y.-based CA.

Burton Group’s Lewis said customers need to consider their network architecture and realize that centralized access and identity management is key to tying personalized directory and portal information back to network policy.

New alliances around authentication will also be on the agenda. The Liberty Alliance, a group of companies that includes Sun Microsystems and AOL, will announce new members and report its progress in creating an alternative to Microsoft’s Passport and .Net online authentication system.

In line with this trend, identity management vendor Oblix last week said it is extending its Web site SSO (single sign-on) function to Passport users and plans to repeat the effort with the Liberty Alliance. Sources say the next version of Passport will support federated Kerberos, Active Directory, and Windows Server.

Although the established players are focusing on authentication, the massive volume of data shared and delivered by Web services requires more security focus on the language inside the document in transit rather than on the verification session, said Pete Lindstrom, an analyst at Hurwitz Group in Framingham, Mass.

This week, Dublin, Ireland-based Vordel will unveil VordelSecure, which adds SOAP (Simple Object Access Protocol) messaging and routing for XML security in a Web services framework. It can be deployed to intercept SOAP requests as they arrive at the server for verification. It also forwards verified messages and deflects attacks that abuse SOAP messages, such as buffer overflows.

Bridgewater Systems, of Kanata, Ont., will demo its Web services-tailored NetProfile access control device at RSA. Sitting between the firewall and app or Web servers, it looks into messages to perform credential checks and audit trails.