Sorting out Web services security standards
Computerworld - One of the most active parts of the XML Web services community is the groups developing security standards.
Today, we have more than 40 security standards in various stages of specification at several different organizations, as well as various implementations in similar states of completion and conformance.
On the one hand, this is good news, because good security is crucial to the widespread adoption of XML Web services. One of the expected benefits of XML Web services is a more direct connection between back-office systems and a larger group of potential customers by providing a common set of "Web middleware" that removes barriers to connecting. In order for this to happen without undue risk, security standards are needed that can provide assurances about identity, message content and data protection.
On the other hand, the number of security-related specifications (not to mention their page count!) can overwhelm all but a vast team of the most dedicated architects or developers. This article provides a road map to help you pick your way through the major players and the specs they're writing.
It's helpful to view the development of Web services security standards as a pipeline with three parts: initial development, standardization and profiling.
The initial development stage tends to be led by vendor-driven organizations. Two of the most important ones are the WS-Workshop headed up by IBM and Microsoft, and the Liberty Alliance, which has more of a mix of vendors and customers.
The goal of the WS-Workshop effort is to define a SOAP-based infrastructure for secure, distributed transactions over the network. The first few dozen specifications were by Microsoft, IBM and BEA, leading some to call this the "Men In Black" (MIB) group. The process is much more open these days, although participants must sign a nondisclosure agreement so that early results aren't disclosed prematurely. They must also promise not to "taint" the process with any intellectual property that could prevent royalty-free implementations.
The WS-Workshop efforts seem to be standards-body-neutral. For example, WS-Security has been an OASIS activity for some time, while WS-Addressing just started at the World Wide Web Consortium (W3C).
But the workshop members aren't above political infighting. When the Liberty Alliance turned over its specifications to OASIS, and the SAML group picked up the "federated identity server" concept and added it to SAML 2.0, there was an effort to declare it out of scope, because it conflicted with a more general federation concept in the WS-Federation workshop specification.
The Liberty Alliance is working on Web- and XML-based federated identity. That is, trusted peers vouchsafe the originating
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!