SAML Just The Start For Web Services Security

November 11, 2002

With the Nov. 6 announcement that OASIS has ratified the Security Assertion Markup Language (SAML) v1.0 as a standard, you may be tempted to think that security has finally come to Web services. But while SAML is without question an important link, the remainder of the Web services security chain remains rather tangled.

SAML defines a way to bring authentication, authorization and non-repudiation services to Web services applications -- key capabilities, without question. But about 10 other standards that likewise play a role are still under consideration by three different standards bodies: OASIS (the Organization for the Advancement of Structured Information Standards), the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C).

One of the biggies is WS-Security, a specification intended to add security to the Simple Object Access Protocol (SOAP), which is used to enable communication among XML-based applications. WS-Security, the brainchild of IBM, Microsoft and VeriSign, uses encryption and digital signature technology that comes from the W3C. Thankfully, the W3C and OASIS reached an agreement in August to have OASIS take over development of the standard, thus heading off what might have been competing standards, but the work is in its early stages.

Other standards in various phases of development address policies that govern who gets to access what (Extensible Access Control Markup Language, or XACML), copyright management (Extensible Rights Management Language, or XrML) and encryption (XML Encryption).

The point is that there is a lot more work to be done before you can be assured of Web services security solutions that will work across company boundaries. The work is underway, and the groups seem to be cooperating where necessary, but these things take time. Often, lots of time.

Lofty Claims, Ambitious Plans

Of course none of this stops vendors from announcing products that purport to address all of your Web services security concerns. Already, established players including IBM, Check Point, Microsoft and Entrust have gone public with their plans, which range from products that are mostly months away from delivery (IBM) or of rather limited scope (Check Point and Microsoft), to all-encompassing architectures that actually might work (Entrust). Yes, Web services could finally prove to be the killer app that Entrust's public key infrastructure technology has been waiting for.

A number of startups likewise have ambitious plans, including Forum Systems, Reactivity and NetContinuum, each of which sells security appliances. An appliance approach makes sense for Web services in part because of the significant amount of processing required to parse XML data, apply digital signatures and encrypt and decrypt data streams. In most appliances, such functions are offloaded to processors dedicated to each task.

An appliance also typically obviates the need to build security functions into each application that needs to take advantage of them. That would be a huge inhibitor for Web services, given they are intended to enable the integration of existing applications.

One appliance that merits a look is Forum Sentry, which Forum Systems announced in June. Forum Sentry addresses a good number of the security disciplines that the Web services puzzle requires, including W3C encryption and digital signature technologies, auditing, archiving and non-repudiation. The appliance sits in front of an application server and examines any traffic that's in an XML format, applying policy to it according to predefined criteria. NetContinuum just came out of stealth mode on Nov. 11. Its product performs much the same function as Forum Sentry but is built on a more industrial-strength base: a proprietary chipset with multiple processors dedicated to different security functions, all connected by a 280Gbit/sec switching fabric. While the appliance is intended to provide security for any Web-based application, the company does expect Web services to be a major focus, albeit down the road.
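The policy step that Forum Sentry and NetContinuum are described as performing, an XML-aware device in front of the application server that accepts or rejects traffic against predefined criteria, is sketched below as an added Python example. It is not code from either product or from the article. The SOAP 1.1 envelope and SAML 1.0 assertion namespaces are the published ones; the size limit, the trusted-issuer allowlist and the sample messages are constructed for the example. Verifying the XML Signature over the assertion, which must happen before any of its contents are trusted, is outside this sketch and is marked as such in the code.

```python
"""Toy XML policy-enforcement check for SOAP traffic carrying a SAML 1.0 assertion.

Constructed example. It models the kind of predefined criteria an XML-aware gateway
might apply before a message reaches the application server: size limit, no DTD,
a SAML assertion present in the SOAP header, issuer on an allowlist, and validity
window honoured.
"""
from datetime import datetime, timezone
from typing import Tuple
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"       # SAML 1.0 assertion namespace

MAX_BYTES = 64 * 1024                   # assumed policy limit; tune per deployment
TRUSTED_ISSUERS = {"idp.example.com"}   # constructed allowlist of assertion issuers


def parse_saml_time(value: str) -> datetime:
    """SAML 1.0 timestamps are xsd:dateTime in UTC, e.g. 2002-11-11T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_message(raw: bytes, now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason). The first failing criterion wins."""
    if len(raw) > MAX_BYTES:
        return False, "message exceeds size limit"
    # A DOCTYPE has no business in a SOAP message; refuse it before parsing so that
    # entity expansion never gets a chance to run.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return False, "DTD not permitted"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return False, "SOAP header missing"
    assertion = header.find(f".//{{{SAML_NS}}}Assertion")
    if assertion is None:
        return False, "no SAML assertion in header"
    issuer = assertion.get("Issuer")          # Issuer is an attribute in SAML 1.x
    if issuer not in TRUSTED_ISSUERS:
        return False, f"untrusted issuer {issuer!r}"
    conditions = assertion.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        return False, "assertion has no Conditions element"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return False, "validity window not stated"
    try:
        nb, noa = parse_saml_time(not_before), parse_saml_time(not_on_or_after)
    except ValueError:
        return False, "unparseable timestamp"
    if now < nb:
        return False, "assertion not yet valid"
    if now >= noa:
        return False, "assertion expired"
    # Not done here: verify the XML Signature over the assertion. Until that check
    # passes, nothing above (issuer, window) may be relied on.
    return True, "accepted"


# Constructed sample traffic.
VALID_MESSAGE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
        MajorVersion="1" MinorVersion="0" AssertionID="a1" Issuer="idp.example.com"
        IssueInstant="2002-11-11T12:00:00Z">
      <saml:Conditions NotBefore="2002-11-11T12:00:00Z" NotOnOrAfter="2002-11-11T12:05:00Z"/>
    </saml:Assertion>
  </soap:Header>
  <soap:Body><getQuote>IBM</getQuote></soap:Body>
</soap:Envelope>"""
EXPIRED_MESSAGE = VALID_MESSAGE.replace(
    b'NotOnOrAfter="2002-11-11T12:05:00Z"', b'NotOnOrAfter="2002-11-11T12:00:30Z"')
UNTRUSTED_MESSAGE = VALID_MESSAGE.replace(
    b'Issuer="idp.example.com"', b'Issuer="other.example.net"')
DTD_MESSAGE = VALID_MESSAGE.replace(
    b"?>\n", b'?>\n<!DOCTYPE Envelope [<!ENTITY x "y">]>\n', 1)
NO_HEADER_MESSAGE = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                     b"<soap:Body/></soap:Envelope>")

NOW = datetime(2002, 11, 11, 12, 1, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, msg in [("valid", VALID_MESSAGE), ("expired", EXPIRED_MESSAGE),
                      ("untrusted", UNTRUSTED_MESSAGE), ("dtd", DTD_MESSAGE),
                      ("no-header", NO_HEADER_MESSAGE)]:
        print(name, check_message(msg, NOW))
```

Each criterion returns a distinct reason so the gateway can log why a message was dropped without exposing the decision logic to the sender; in a real device the order of checks matters too, since cheap tests (size, DTD) should run before the parser is ever invoked.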

That's a prudent tack to take. There seems to be little question that Web services will become an integral part of the IT landscape, but -- thanks in no small part to legitimate security concerns -- it's much tougher to say exactly when that will happen. If Web services don't catch on soon, companies counting on selling Web services security appliances to make a living may not last long. Perhaps not even long enough to see the Web services security standards picture clear up.

Desmond is president of Paul Desmond Editorial Services, an IT publishing firm in Framingham, Mass. He serves as editor of, a source of practical security information for IT managers, CIOs and business executives. Email him at .
