XML security integration worries AmEx

Identity management and service authorization remain two of the biggest hurdles in shifting from a traditional application security model to what’s needed for securing XML-based Web services, according to an IT executive at American Express Co.

“These are the areas where we’re most collectively behind the eight ball in the industry,” said Phil Steitz, vice-president of e-commerce applications development at the New York financial services company. Steitz spoke at this week’s Web Services Edge 2003 Conference & Expo in Boston.

Vendors and businesses have a lot of experience securing applications, but securing services is a new ballgame that requires new tools, he said. Companies need to revamp their security review processes and clarify security responsibilities of business partners with which they intend to share services.

The model American Express wants to get to is one in which developers assembling applications don’t have to think about every usage scenario. Multiple internal and external applications would share common services, such as an identity service provider for consistently recognizing users and an authorization service for controlling Web services access.

Getting there requires that core security components currently embedded in applications be pulled out – no easy task. “When you start to try to expose services or pull apart the underlying services driving secure applications, the security model falls apart,” Steitz said.

Existing security integration technologies were designed to be embedded in applications. For example, Java 2 Platform Enterprise Edition container-based security works, but only as long as an application lives inside a J2EE container. Loose coupling eliminates the security provided by containers or dedicated connections, Steitz said. Uniform Resource Identifier protection packages protect only the Web resources, operating under the assumption that there’s a trusted perimeter around enterprise resources.

As a result, when developers try to reuse code, they often create brittle, customized links between applications, each of which still maintains a separate user store, he said.

On the standards front, groups have made progress with respect to identity management, Steitz said. For example, Liberty Alliance specifications and WS-Federation tackle the taxonomy, roles and responsibilities of identity management. Existing standards start to address single sign-on at a basic level, although the issue of identity re-establishment – if, for example, a person forgets a password and wants to restore account access – has not been resolved. The ability for a user to delegate authority – such as to let an accountant access a client’s financial accounts – also needs to be addressed.

“Identity management is extremely difficult. It’s one of those things that gives me headaches every time I think about it,” Steitz said.

With respect to service authorization, companies need to establish procedures for making authorization requests, triggering service authorization and managing cross-domain authorization, he said.

While standards are progressing, there are still technology gaps. Steitz hasn’t found a packaged product that provides industrial-strength, platform-independent and standards-compliant authorization services – meaning it’s scalable to tens of millions of requests per day, cache-enabled, and allows for flexible deployment and configuration. “I’ve gone away hungry every time I’ve asked any vendor for this,” Steitz said.