Web services specs focus on simplified security

By Martin LaMonica

A group of companies led by IBM and Microsoft have published a series of specifications designed to make web services more secure.

The proposed specifications describe how companies can establish policies on exchanging information among trading partners and how to make disparate security systems interoperate. IBM and Microsoft co-authored the specifications with input from a number of companies including BEA Systems, RSA Security and VeriSign.

The companies will incorporate industry feedback and submit the specification to a standards body early next year.

Although security is often seen as a stumbling block to the adoption of web services, companies can already secure such applications using established products and processes. The proposed standards, if they become accepted among IT providers, would simply make it easier to incorporate secured communications and to establish policies.

"It's going to make web services easier, so that companies are doing less nuts-and-bolts development and are able to take product off the shelf, enter their configuration, hit go and make it work," said Jason Bloomberg, an analyst at ZapThink. "Now, if companies get into advanced applications that involves a sequence of steps in a business process and security, there's still a lot of guessing about the best way to do things."

The latest two groups of specifications introduced by IBM and Microsoft - called WS-Policy and WS-Trust - build on a number of proposed web services standards spearheaded by the companies. The most notable of them, WS-Security, is a technology that is making its way into web services software, allowing businesses to send messages that have a digital signature to ensure that a document has not been altered during its transmission.

WS-Trust is a proposed standard method for establishing secure communications between companies, including interactions that involve third-party certification authorities. It is designed to ensure document security even when companies are using different security systems, such as Kerberos or public key infrastructure (PKI) encryption. Two related standards, WS-SecureConversations and WS-SecurityPolicy, will make it easier to maintain security during multistep transactions such as building and submitting an electronic purchase order, the companies said.

"Now, when companies want to secure something across trusted boundaries, they need a leased line or a VPN (virtual private network), which is very inefficient when you have many customers," said Scott Collison, director of web services marketing at Microsoft. "These (specifications) leverage the security systems companies have and enhances them at the message level."

The second group of proposed specification, which includes WS-Policy, WS-PolicyAttachments and WS-PolicyAssertions, are designed to provide mechanisms that let businesses describe their security requirements in connection with web services applications, including how to work with third-party authenticating services.

The road map for IBM and Microsoft's web services security plan was laid out in April. The two companies said they would submit the follow-on specifications to either the World Wide Web Consortium (W3C) or the OASIS group.

Martin LaMonica writes for News.com