Microsoft Releases Web Services Security Spec
IBM and VeriSign to join Microsoft in developing specifications.
(New Orleans, Louisiana)
Microsoft's new emphasis on security gained
several prominent industry partners today with the announcement that the company
has joined forces with IBM Corp. and VeriSign on a Web services security specification.
The partnership is a "roadmap for six specifications that talk about security
from end to end," Microsoft vice president for .NET Enterprise Servers Paul
Flessner announced at Thursday's TechEd keynote presentation.
The new specification, which the companies are calling WS-Security, "provides
standard mechanisms to exchange secure, signed messages in a Web services environment,
and provides an important foundation layer that will help developers build more
secure and broadly interoperable Web services," according to a Microsoft press
release. Currently, there are no agreed-upon rules for Web services security,
and many of the industry's heavy hitters, including IBM, Hewlett-Packard, Oracle,
Sun and Microsoft, are developing and implementing Web services frameworks.
At the heart of the model is an effort to bring together disparate security
technologies like Public Key Infrastructure (PKI) and Kerberos for protecting
the integrity and confidentiality of messages, "as well as mechanisms for associating
security-related claims with the message," according to a joint Microsoft-IBM
white paper on the subject, available at http://msdn.microsoft.com/ws-security/.
Another key to WS-Security is its interoperability. It utilizes common Web
services standards like XML and SOAP, allowing companies to configure their
environments for the appropriate level of security across any platform.
The other proposed specifications include a modular approach to security, broken
down into two general categories: the first three (WS-Policy, WS-Trust and
WS-Privacy) relate to setting up a secure session and establishing privacy
guidelines, while the second group (WS-Secure Conversation, WS-Federation
and WS-Authorization) deals with message security, interoperability between
different systems and authorization policies.
Web services is key to Microsoft's .NET strategy of connecting disparate systems
for data exchange, and ensuring privacy and security is key to the success of
.NET. Microsoft recently suffered a blow when the My Services initiative, formerly
known as Hailstorm, was killed, partially due to concerns about Microsoft's
ability to keep data for millions of users safe and secure in one repository.
With .NET being a much bigger, broader and more important program, Microsoft
is attempting to allay fears about how seriously it takes security by collaborating
with companies like IBM and especially VeriSign, which provides digital certificates
verifying the authenticity of information for much of the Internet.
WS-Security has yet to be submitted to a standards body.
Keith Ward is the editor in chief of Virtualization Review. Follow him on Twitter @VirtReviewKeith.