Article

WS-I delivers Web services security best practices

Michael S. Mimoso, Senior News Editor

SAN FRANCISCO -- As enterprises move from early-adopter stages of Web services to production scenarios that extend outside the firewall, security guidelines that identify threats and countermeasures become invaluable.

The WS-I (Web Services Interoperability) Organization's Basic Security Profile Working Group took a step toward being recognized as the oracle of Web services security best practices at the RSA Conference on Wednesday, when it published its Security Scenarios Working Group Draft for public review.

The inch-thick document, available online at

    Requires Free Membership to View

WS-I.org, enumerates the challenges and threats faced when designing and implementing a Web service, in areas such as data integrity, confidentiality and message uniqueness. It also makes recommendations about how technologies like HTTP and SOAP Message Security 1.0 can defend against threats, and it details usage scenarios and solutions.

We want to know if this is the right set of scenarios, or if we're missing anything.
Hal Lockhart
security working group

The working group hopes to get immediate feedback from enterprises.

"We are interested in feedback. We want to know if this is the right set of scenarios, or if we're missing anything," said Hal Lockhart, an architect with BEA Systems Inc. and a member of OASIS' technical committee on Web services security.

Once the feedback is gathered, it will be used in the WS-I's Basic Security Profile, Lockhart said. The profile is a document, due out in the second quarter, that will guide architects who have interoperability questions.

"The profile is a set of assertions that implementations would follow," said Rich Salz, a standards expert with DataPower Technology Inc. "It's a suite of assertions and conformance claims that say, 'If you're doing these things, you have a better shot of securely exchanging end-to-end, hop-to-hop messages."

Ray Wagner, research director of information security strategies for Gartner Inc., said that interoperability is a key challenge, and that the Security Scenarios draft is a solid step toward clarifying how to deploy security standards in Web services implementations.

"No question, we are in the early stages of deployments," Wagner said. "And the reason was because Web Services Security [WS-Security], SAML and other standards were in flux. This year, we're going to see a lot more companies wanting to do more."

Wagner said that a large percentage of Gartner clients doing Web services were not exposing them outside the firewall, so security has not been a major concern.

"Of those who were going across the firewall, about half of those who were doing so, the transactions were of such little value that they weren't putting much thought into security," Wagner said.

Web services security comes into play largely in the financial services market, where companies are doing huge amounts of sensitive data transfers requiring hardened messages and tunnels for transporting those messages.

"You could split those guys into two groups: one that's interested in all the latest stuff, like developing policies and fine-grain encryption, and the other deployments are replacing EDI [electronic data interchange]," Wagner said.

FOR MORE INFORMATION:

Click here for SearchSecurity.com's coverage of RSA Conference 2004

Article: WS-I releases interoperability road map

Article: Members offer glimpse inside WS-I consortium


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: