Microsoft Releases Web Services Security Spec

IBM and VeriSign to join Microsoft in developing specifications.

(New Orleans, Louisiana) Microsoft's new emphasis on security gained several prominent industry partners today with the announcement that the company has joined forces with IBM Corp. and VeriSign on a Web services security specification.

The partnership is a "roadmap for six specifications that talk about security from end to end," Microsoft vice president for .NET Enterprise Servers Paul Flessner announced at Thursday's TechEd keynote presentation.

The new specification, which the companies are calling WS-Security, "provides standard mechanisms to exchange secure, signed messages in a Web services environment, and provides an important foundation layer that will help developers build more secure and broadly interoperable Web services," according to a Microsoft press release. Currently, there are no agreed-upon rules for Web services security, and many of the industry's heavy hitters, including IBM, Hewlett-Packard, Oracle, Sun and Microsoft are developing and implementing Web services frameworks.

At the heart of the model is an effort to bring together disparate security technologies like Public Key Infrastructure (PKI) and Kerberos for protecting the integrity and confidentiality of messages, "as well as mechanisms for associating security-related claims with the message," according to a joint Microsoft-IBM white paper on the subject, available at

Another key to WS-Security is its interoperability. It utilizes common Web services standards like XML and SOAP, allowing companies to configure their environments for the appropriate level of security across any platform.

The other proposed specifications include a modular approach to security, broken down into two general categories: the first three—WS-Policy, WS-Trust and WS-Privacy—relate to setting up a secure session and establishing privacy guidelines, while the second group—WS-Secure Conversation, WS-Federation and WS-Authorization—deals with message security, interoperability between different systems and authorization policies.

Web services is key to Microsoft's .NET strategy of connecting disparate systems for data exchange, and ensuring privacy and security is key to the success of .NET. Microsoft recently suffered a blow when the My Services initiative, formerly known as Hailstorm, was killed, partially due to concerns about Microsoft's ability to keep safe and secure data for millions of users in one repository. With .NET being a much bigger, broader and more important program, collaborating with companies like IBM and especially VeriSign, which provides digital certificates verifying the authenticity of information for much of the Internet, Microsoft is attempting to allay fears about how seriously it takes security.

WS-Security has yet to be submitted to a standards body.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.


  • Microsoft Publishes Windows Deadlines on Upgrading to SHA-2

    Microsoft on Friday described its 2019 timeline for when it will start distrusting Shell Hashing Algorithm-1 (SHA-1) in supported Windows systems, as well as in the Windows Server Update Services 3.0 Service Pack 2 management product.

  • Performing a Storage Refresh on Windows Server 2016, Part 1

    To spruce up some aging lab hardware, Brien decided to make the jump to all-flash storage. Here's a walk-through of the first half of the process.

  • Datacenters Are Cooling Down as Buildouts Heat Up

    Tech giants Google, Apple and others are expanding their datacenter footprints at a rapid rate, and it's pushing the industry to find better ways to power all that infrastructure.

  • Vendors Issue Patches for Linux Container Runtime Flaw Enabling Host Attacks

    This week, the National Institute of Standards and Technology (NIST) described a high-risk security vulnerability (CVE-2019-5736) for organizations using containers that could lead to compromised host systems.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.