Sorting out Web services security standards
Computerworld - One of the most active parts of the XML Web services community is the groups developing security standards.
Today, we have more than 40 security standards in various stages of specification at several different organizations, as well as various implementations in similar states of completion and conformance.
On the one hand, this is good news, because good security is crucial to the widespread adoption of XML Web services. One of the expected benefits of XML Web services is a more direct connection between back-office systems and a larger group of potential customers by providing a common set of "Web middleware" that removes barriers to connecting. In order for this to happen without undue risk, security standards are needed that can provide assurances about identity, message content and data protection.
On the other hand, the number of security-related specifications (not to mention their page count!) can overwhelm all but a vast team of the most dedicated architects or developers. This article provides a road map to help you pick your way through the major players and the specs they're writing.
It's helpful to view the development of Web services security standards as a pipeline with three parts: initial development, standardization and profiling.
The initial development stage tends to be led by vendor-driven organizations. Two of the most important ones are the WS-Workshop headed up by IBM and Microsoft, and the Liberty Alliance, which has more of a mix of vendors and customers.
The goal of the WS-Workshop effort is to define a SOAP-based infrastructure for secure, distributed transactions over the network. The first few dozen specifications were by Microsoft, IBM and BEA, leading some to call this the "Men In Black" (MIB) group. The process is much more open these days, although participants must sign a nondisclosure agreement so that early results aren't disclosed prematurely. They must also promise not to "taint" the process with any intellectual property that could prevent royalty-free implementations.
The WS-Workshop efforts seem to be standards-body-neutral. For example, WS-Security has been an OASIS activity for some time, while WS-Addressing just started at the World Wide Web Consortium (W3C).
But the workshop members aren't above political infighting. When the Liberty Alliance turned over its specifications to OASIS, and the SAML group picked up the "federated identity server" concept and added it to SAML 2.0, there was an effort to declare it out of scope, because it conflicted with a more general federation concept in the WS-Federation workshop specification.
The Liberty Alliance is working on Web- and XML-based federated identity. That is, trusted peers vouchsafe the originating
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts