Vendors Issue 2003 Web Services Security Agenda

With the adoption of the WS-Security spec imminent, Microsoft, IBM and other WS-I members will push "up-the-stack" in 2003 to address two key web services security issues -- setting and managing security policies and communications between trusted partners. Take a look at the six new high-level security proposals on the table.


With adoption of the core WS-Security spec imminent, IBM, Microsoft and the other WS-I (Web Services Interoperability Consortia) members behind WS-Security laid out, just before year's end, their most detailed plan to date for expanding web services security standards in 2003.

These "up-the-stack" proposals, which build on WS-Security and are also part of the WS-I security roadmap, address two key issues for web services security: setting and managing security policies, and inter-organizational (trusted partner) security.

The submitters, which include Microsoft, IBM, BEA Systems, RSA Security, Verisign and SAP, bring together leading software and security vendors from both the Java and .NET sectors.

The specifications fall into two key groups. The first helps address key technical concerns in the area of security:

  • WS-Trust describes a framework for managing, establishing and assessing trust relationships to enable Web services to securely interoperate.
  • WS-SecureConversation describes a framework to establish a secure context for parties that want to exchange multiple messages.
  • WS-SecurityPolicy describes general security policies that can be associated with a service.

The second group focuses on streamlining the implementation of business policies in a Web services environment:

  • WS-Policy outlines a way for senders and receivers of Web services to communicate their requirements and capabilities, which enables them to search for and discover the information they need to access the service.
  • WS-PolicyAttachment provides a standard mechanism for attaching the requirement and capability statements to the Web service.
  • WS-PolicyAssertions describes general policies that can be affiliated with a service.

Many analysts have said that a multi-vendor standards-based approach to more complex web services security will make the integration time substantially shorter for developers and IT managers. And, while the current vendor sponsor list does not include other notable firms (some with competing approaches), such as Oracle, Sun and Cisco, analysts have expressed optimism that all vendors will eventually sign off on the "WS-x" approach, through organizations such as OASIS and W3C -- as well as Sun's expected membership in the WS-I in January.