WS-I Releases Web Services Security Scenarios

At the RSA Conference in San Francisco, the WS-I's Security Profile Working Group released the Security Scenarios Working Group Draft for public review. The 48-page document outlines common threats, challenges and possible solutions for implementing security around Web services-based messages, said Hal Lockhart, principal engineering technologist at BEA Systems and a member of the WS-I Security Profile Working Group.

Speaking at a press conference at the show, Lockhart called the release of the WS-I security scenarios "a very important step" in helping people identify key concerns and possible ways to implement security around Web services deployed across disparate technology.

Lockhart said there are an infinite number of ways for companies to use standards such as WS-Security and SOAP Message Security 1.0 to secure Web services messages. The WS-I is providing only a sample of those ways in its work, and encourages commentary from the industry on other possible scenarios.

"This activity will form the basis for what we consider to be the basic security profile," Lockhart said. "We really want feedback from people [about whether] this is the right set of scenarios, the right set of choices to make. We hope people will look at this document and feed back to us their reactions in terms of [whether we are] working on the right problems."

The WS-I plans to release a draft of its Basic Security Profile, which will deal with how to use WS-Security and SOAP Message Security--among other standards--in Web services-based transactions, by the end of June, said Eve Maler, XML architect at Sun and another member of the Security Profile Working Group. The Basic Security Profile builds on the WS-I Basic Profile to propose how to provide security mechanisms around existing Web services standards. The WS-I's Basic Profile 1.0, released in August, provides guidelines for using several established standards for building Web services--SOAP, WSDL, UDDI and XML Schema.

In the future, the Security Profile Working Group will address how to use other security standards, such as Security Assertion Markup Language (SAML) and Kerberos, with Web services, Maler said.

Led by IBM and Microsoft, the WS-I was chartered in February 2002 to ensure the interoperability of Web services between disparate vendor technologies. The group takes proposed Web services specifications before standards bodies such as OASIS and the W3C and defines how they can be used in real-world deployments.

Ray Wagner, research director for information security strategies at Gartner, said his clients continue to cite security as the chief obstacle to implementing Web services. This has been the case for some time, even though the basic standards for deploying Web services have been established across the industry for more than two years.

Companies still use Web services mainly within their own infrastructure, Wagner said, and thus do not have the major security concerns they would have if they were implementing Web services beyond the firewall. Those companies that are trying to implement Web services to replace EDI transactions, which call for complex transactions between different companies, are certainly more concerned with security; however, they are only a small percentage of the early adopters, he said.

"There's no question it's at a very early stage," Wagner said. However, he said this year Web services security will be more of a concern as the use of the technology across company firewalls becomes more widespread.