VeriSign

This tag is associated with 68 posts

Layer 7 Unveils Clustered SOA Security

In introducing clustered SOA security, Layer 7 has provided a container for managing rules across multiple firewalls and gateways, rather than setting and maintaining rules for each device, Ron Schmelzer, analyst for ZapThink LLC, said. The feature marks the beginning of a trend toward more mature security features for SOAs, a form of distributed computing that loosely couples systems via technologies based on extensible markup language, or XML.

“It’s another indication of the market maturing,” Schmelzer said. “Clustered security is pretty advanced.”

Whereas vendors in the past have tended to over-hype announcements, they’re now starting to deliver on useful products, which means more customers are demanding better technology for their SOAs.

“It’s not so much sizzle now. There’s more meat,” Schmelzer said.

“WS-Policy is seen as the accepted container from which you can exchange security policy information,” Schmelzer said.

Read more at: CMP / TechWeb

Federated identity start-up reveals SAML 2.0 beta

According to Ron Schmelzer, analyst with ZapThink, security specs are all starting to converge.

“In practice, a lot of the issues around spec collision [or] confusion will be going away very quickly. If companies want to implement SAML or WS-Security or both, they can now certainly do that,” he said, adding that in the long run, the issue will come down to what WS-I, a cross-vendor group, does with their proposed Security profile. “Wherever the WS-I goes (or doesn’t), so too will the industry. We’ll see if they have the guts to take a real stand on the disparate security and federated identity specs.”

Read more at: Computer Business Online

Web Services Still at an Impasse

Technical disparities are old hat and legion for Web services, a space that research firms like ZapThink estimate will balloon to reach several billion dollars over the next few years.

Read more at: InternetNews

Liberty Alliance Touts Adoption Of Identity Standard

Wednesday’s announcement showed that the alliance was making progress in building the foundation for widespread adoption of its technology, Ronald Schmelzer, analyst for ZapThink LLC, said. Beyond information technology products, Liberty will have to show that major retailers, banks, credit card companies and more are also adopting the technology, since those are the companies that will have direct contact with consumers.

That, however, is expected to take time, since companies have only recently started installing identity-management software, Schmelzer said. Those systems will have to be in place first, before they can start using Liberty standards in sharing customer data during transactions.

“Companies have yet to build good, robust identity management systems in general, but that’s rapidly changing,” Schmelzer said. “Companies are implementing them very rapidly. That’s a really hot growth area.”

In the meantime, Liberty Alliance has a potential competitor in the Web Services-Federation Specification under development by IBM, Microsoft Corp., BEA Systems Inc., RSA Security Inc. and VeriSign Inc., Schmelzer said.

Nevertheless, IBM supporting Liberty is an “important step, and a positive one,” he said. “There’s nothing negative about this announcement.”

Read more at: TechWeb

Intel Joins Liberty Alliance

Intel’s membership is more important to the alliance than to Intel, particularly since tech heavyweights Microsoft and IBM have chosen not to join and to pursue different approaches to web authentication, Ronald Schmelzer, analyst for market researcher ZapThink LLC, said.

In general, industry groups like the alliance find it difficult to get specifications in products and out to end users quickly. Depending on the amount of vendor support, the process can take years, and sometimes never happen at all.

“Intel is giving the alliance a bit of a leapfrog by supporting them and giving them credibility in front of customer demand,” Schmelzer said.

Read more at: CMP

Web services security vendors focus on access control, XML firewalls

That hasn’t changed much, as customers wait for vendors to finalize standards such as XML Key Management Specification (XKMS is for managing the keys needed to encrypt and decrypt Web services messages), says Jason Bloomberg, a senior analyst at ZapThink, an analysis and consulting firm in Waltham, Mass.

Single-point authentication and access control are important because Web services can’t make users more efficient if those users have to enter a new user ID and password each time their request hits another application. “Larger entities might have [10,000, 20,000] or 30,000 users,” says Bloomberg, each of whom might have different access rights on dozens of different systems — access rights that need to be changed, or even withdrawn, as the employee’s responsibilities change or they leave the company.

Major vendors such as Microsoft, IBM and Sun Microsystems Inc. are building Web services security into their broader product platforms. Sun “has leadership in the directory space with their Directory Server,” says Bloomberg, which is the foundation for the Sun ONE Identity Server. Microsoft has also announced plans for a technology code-named “TrustBridge,” which would allow secure authentication of users, and sharing of their user identities across business and security boundaries.

Read more at: SearchWin2000

Service Orientation Market Trends

While Web Services have been getting the attention through 2003, in 2004 the IT computing story will be focused squarely on Service Orientation. Offering an evolutionary approach to distributed computing that provides greater business agility while enabling companies to use heterogeneous resources more efficiently, Service Orientation, based on established Web Services standards, is set to fundamentally change many different IT markets as enterprises transition to Service-Oriented Architectures.

In particular, application security, security appliances, system management, application integration, data integration, and business process management are six key markets that will be transformed as vendors in those markets Service-enable their products. Furthermore, there is a window of opportunity for new entrants in each of these markets to build Service-oriented offerings. Those windows will soon close, however, as the established, incumbent vendors in each space consolidate their respective markets.

These consolidation trends will continue through the rest of the decade, as large vendors round out their suites of software that support Service Orientation, resulting in a combined market consisting of vendors offering a full-function SOA Implementation Framework. These frameworks will offer enterprises all the functionality they need to build, run, and manage SOAs. The market for SOA Implementation Frameworks is still nascent as of 2004, but will dominate the distributed computing arena by 2010.

Grading On a Curve

“Web services is a disruptive technology for big vendors,” says Jason Bloomberg, senior analyst with ZapThink, a consultancy in Waltham, Mass. “Enterprise applications are being sold more as bite-sized components than as big applications, so there’s less integration of products and more focus on changing business processes.”

Read more at: VarBusiness

Identity, authentication key to Web services security

When people think of Web services security issues, they tend to think of hacking or other forms of traffic snooping, said Ron Schmelzer, founder and senior analyst of Waltham, Mass.-based consulting firm ZapThink LLC. But those problems are solved easily, he said, using SSL at the protocol layer, and encrypting SOAP messages.

Schmelzer said the most significant external Web services security problems lie in the realm of authentication and identity management, because Web services transactions are conducted between two computers.

As a Web services provider, Schmelzer said, “you’re not providing access to a human; it’s another system. If we expose an interface to our SAP system, how do we know whoever is making that Web service request is authorized to make it?”

So how can a requester’s identity be verified? It’s tricky, Schmelzer said, because there’s a lack of context in public, machine-to-machine communication, making it difficult to track what company or system is initiating a Web service call. “Plus, the request may not be made directly,” he said. “It may be made through a portal or other composite application. It gets complicated very quickly.”

Read more at: SearchWebServices

WS Security and Adoption

Without WS Security and its affiliated standards, some of which have yet to be submitted to OASIS — a sore point with competitors of MS and IBM — WS will remain behind the firewall and used primarily the way it is being used today, as an integration tool, said Jason Bloomberg, senior analyst at ZapThink, a New York-based Web services-centric consultancy.

“We see it as the primary road block to Web services adoption, both within the enterprise and particularly for business-to-business communication of Web services,” he said. “The importance of WS Security is really best understood in the context of (the) road map. WS Security by itself builds a layer of abstraction on top of underlying security mechanism. So, if one company or department is using Kerberos and another is using PKI, you can use WS Security to federate those two. So, all by itself, it’s a piece of the puzzle.”

Read more at: eSecurity Planet
