Web services security finally grows up

Recent ratification of two key standards means that web services security has finally reached a level of maturity acceptable to many enterprises, Gartner has reported.

The analyst firm's comments come after the Organisation for the Advancement of Structured Information Standards (Oasis) approved two key web services security components as agreed standards.

The Oasis Web Services Secure Exchange Technical Committee formally ratified WS-SecureConversation version 1.3 for establishing and maintaining extended secure sessions.

In addition it passed WS-Trust version 1.3, for obtaining and exchanging security credentials.

The ratification moves web services secure messaging from basic and limited implementation to a more extended and contextual model, according to Gartner.

However, the real value of these standards lies in the benefits they can provide for implementations of brokered authentication or security token services (STS), the analyst firm believes.

Web services typically authenticate clients across heterogeneous environments, but removing the need for a direct relationship with the client application and web service through a "trust negotiator" requires robust security.

"The availability of these new standards means that web services security has finally reached an acceptable maturity level," noted a new Gartner analysis by analysts Earl Perkins and Ray Wagner.

"The issuance and dissemination of credentials between different trust domains via an STS can now be achieved using a syntax that is familiar to most developers.

"The Oasis standards also provide for a scalability that had not been available before in transactional web services that required an STS, at least not in a standardised form with which most vendors involved in SOA applications and infrastructure comply.

"This adds to a credible toolset for federation efforts, which has proved elusive to many enterprises due to the issues of brokered authentication availability and scalability the standards address.

"WS-Trust alone is vital to enabling the credential use necessary for networked, consumable web services."

The Gartner research noted that some early adopters of web services continue to believe that existing security standards are "bloated and overly complex" and have rolled out simplified proprietary offerings.

"For simple requirements, mixed web security and 'classic' authentication coupled with services will still have a place," said the Gartner report.

"Other early adopters believe that IBM's and Microsoft's view of web services and SOA security, and particularly their roles in the development of WS-SecureConversation and WS-Trust and the standards' place in their architectures, gives them an advantage in this area.

"However, the standards have enough diversity of support within the developer and infrastructure community that their ratification must be viewed as a positive development for vendor and enterprise customer alike."