News

IBM reaches security 'checkpoint'; champions SOA

• By John K. Waters
• November 10, 2003

Early last year, IBM published a Web services security roadmap outlining its plans to support evolving industry standards and to deliver new security features in its products. Last week the company marked a "checkpoint" on that roadmap with the announcement of new support for Web services security across IBM's WebSphere infrastructure and Tivoli identity management middleware.

Big Blue has been something of a driving force in the development of Web services security standards. The company co-authored WS-Security, currently in the hands of the OASIS standard group, and supports standards for expressing identity information such as the Security Assertion Markup Language (SAML), an industry specification for identity assertion, and Kerberos, a network authentication protocol.

"When we started the security standardization work around Web services," said Bob Sutor director of WebSphere software at IBM, "we knew that of all the areas we were going to look at -- from basic messaging through the descriptions, and even up through the choreography and management -- we knew that security would be the trickiest area. Security is not something you want to get 'more or less' right."

The company plans to introduce security enhancements for WebSphere later this quarter through an upcoming version of Tivoli Access Manager (V5.1), which provides Web single sign-on capabilities to access portals, applications and back-end systems. Tivoli has long provided integrated security for WebSphere, including federated identity interfaces for deploying Web services. The new version will include support for SAML and Kerberos.

IBM also plans to include new security features in upcoming versions of WebSphere Business Integration and WebSphere MQ to allow its mainframe and distributed customers to define security policies for select groups of Web or legacy applications, according to company reps.

Future versions of WebSphere and Tivoli will support advanced federated identity management through WS-Federation, the company said, which automates the process of creating identifications for trusted users. In fact, federated ID will be a focus of IBM's product development efforts in 2004, added Sutor. IBM's federated ID technology is designed to allow enterprises to create a single, uniform way to set parameters for allowing access to Web applications, packaged software such as CRM and ERP applications, and legacy systems running high-volume transactions such as CICS.

With this announcement, IBM is extending its middleware platform for building a secure Services Oriented Architecture (SOA), Sutor said. "People have been zeroing in on [SOA]," he said. "Beyond the basic Web, they're now doing Web services where you have business-critical processes that have to talk across the Internet to those of your partners, suppliers and customers. To make that real, you have to have appropriate security."

In an SOA world, Sutor explained, business processes are exchanged as interchangeable tasks or services, such as Web services, Java adaptors, or older APIs like CORBA or SNMP (systems network management protocol). For example, a bank can use the same computing services infrastructure to handle account transfer requests whether they are coming from a teller, an ATM or a Web application, avoiding the need for multiple applications.

But as the scope and number of services flow through the system, customers have a greater need to manage security and assign appropriate access to confidential data, Sutor said. The issue becomes even more critical for companies undergoing mergers or acquisitions or that have a big turnover of employees, since passwords and access are constantly in flux.

"Basically, we're saying that SOA appears now to be the best bet for implementing all this," Sutor said. "Simply put, we see it as the best way to allow enterprises to connect things that aren't normally connected."