Will standards resolve Web services security?

Proposed Web services security specifications are to be submitted to an international standards body by some of the industry's major vendors. But is it enough to protect businesses against the threats?

The latest version of the Web Services Security (WS-Security) specification is being submitted to the international standards body, the Organization for the Advancement of Structured Information Standards (OASIS), which will oversee its development.

Late last month IBM, Microsoft and VeriSign announced they would submit the latest version of the WS-Security specification to OASIS for development, according to a briefing paper by analyst Gartner.

WS-Security allows systems to interoperate in a platform- and language-neutral manner, said Gartner.

Analysts are touting it as a good step towards standards, but warn that challenges remain.

"Web services have important security issues that remain unresolved," Ray Wagner, a research director at Gartner Research, said in a First Take on the move. "Proposed Web service security mechanisms highly depend on the distribution of digital certificates, and the underlying trust that supports their use."

Wagner warns that the lack of any guaranteed level of trust between enterprise Web service deployments represents a major stumbling block to widespread deployment beyond the enterprise. "This issue has slowed the acceptance of public key infrastructure for years and must be resolved for Web services to become ubiquitous beyond enterprise boundaries."

John Brand, senior program director of electronic business strategies at industry analyst META Group, sees the WS-Security specifications as a good example of standards evolving over time.

However, Brand believes it may take longer than people are anticipating. He said the vendors are recognising that they have to be seen to be working together on specifications. "The whole principle of Web services is interoperability," he said. "Web Services Security is an interim step—what we're ultimately going to see is a more secure network-based computing platform."

Brand doesn't think, at this stage, there is any reason for people not to use Web services based on lack of an integrated Web services security model. "Use existing tools, techniques, [and] methodologies and see how they can be applied to the benefits that Web services can provide."

Greta James, research director of application integration at Gartner Australasia, argues that one of the things that has really been holding Web services back is the lack of security standards.

"To have IBM and Microsoft agree on [the WS-Security] standard and put it forward to OASIS is a huge step," James said.

Other vendors, among them Baltimore Technologies, BEA Systems, Cisco Systems, Intel, Novell, RSA Security, and Sun Microsystems, have said they would participate in the OASIS development effort, according to Gartner.