New DataPower appliance to secure Web services transactions

Computerworld - DataPower Technology Inc. next week will join a small but growing number of vendors offering products aimed at securing XML-based Web services applications.
The Cambridge, Mass.-based company's new XS40 XML Security Gateway is a hardware appliance offering a range of security functions, including filtering, authentication, digital signature verification, encryption and data validation of XML and Simple Object Access Protocol (SOAP) messages.
The appliance will eliminate the need for coders to include such security functions in every application, according to Eugene Kuznetsov, president of DataPower.
Instead, companies will be able to pass multiple XML-enabled transactions through the appliance and let it take care of all the security functions, said Pete Lindstrom, an analyst at Malvern, Pa.-based consulting firm Spire Group.
"It allows for security folks to manage these functions from a central point, which provides good value," Lindstrom said.
RouteOne LLC, a joint venture formed by DaimlerChrysler Services, Ford Motor Credit Co., General Motors Acceptance Corp. and Toyota Financial Services, is using DataPower's XS40 Gateway to secure a Web-based credit application management system.
The RouteOne network acts as an intermediary for exchanging credit application and decision information between auto dealers and finance companies. DataPower's appliance takes a Secure Sockets Layer-encrypted message sent via SOAP, decrypts it, validates and verifies the signature on it, then routes it to the appropriate server on the RouteOne network for further processing. It then signs and encrypts processed messages before sending them back over the network.
"We needed everything to be encrypted. On top of that, we had a very big nonrepudiation and auditing requirement," said T.N. Subramaniam, chief technology officer at Southfield, Mich.-based RouteOne. "We needed to have a foolproof way of making sure that a person making a call was who he said he was."
In light of the high volume of applications processed over the RouteOne network, the company was also looking for a technology that would provide the needed security without degrading performance. DataPower's hardware-based approach "fit that bill," Subramaniam said.
DataPower's new appliance joins a handful of similar products from start-ups in a market that addresses security concerns associated with Web services transactions without slowing them down, said Ted Schadler, an analyst at Forrester Research Inc. in Cambridge, Mass.
Belmont, Calif.-based Reactivity Inc.'s Service Firewall and Salt Lake City-based Forum Systems Inc.'s Sentry products are similar hardware-based approaches for securing Web services. Other companies, such as Mountain View, Calif.-based Westbridge Technology Inc., offer software-based engines capable of filtering XML messages for compliance with security polices for Web services.
The key forusers when considering such products is to ensure that they don't get locked into a nonstandard technology, Schadler said.