Entrust and RSA Security unveiled new products and initiatives this week designed to hammer home the message that both companies intend to leverage existing security technology and development efforts to construct a comprehensive Web services security infrastructure for customers.
Deeply rooted in PKI, authentication, encryption, and SSO (single sign-on) software, RSA and Entrust see the need to secure multiple aspects of Web services operations as catalysts to jumpstart sagging fortunes, say security analysts. PKI and SSO resisted consistent adoption and failed to resonate with end-users.
On Tuesday, RSA announced its RSA ClearTrust 5.0 Web access management solution. Designed to protect and manage user identities and administration across an enterprise, the software features enhanced ease-of-use through a new Web-based GUI, beefed-up password management, and improved application plug-ins for customized third-party database and server integration, said Ted Kamionek, senior product manager at Bedford, Mass.-based RSA.
In addition, the product supports the Security Assertion Mark-up Language (SAML) 1.0 Web services specification, an XML-based framework used for exchanging authentication and authorization information. "Trust is probably the most critical element that has been missing from the Web services space to date," said Kamionek.
Kamionek said that as more customers adopt Microsoft Corp.'s .Net Web services platform, RSA will produce tighter integration of its product line with .Net and other Microsoft-related services and standards efforts such as WS-Security. Launching that effort, on Tuesday RSA announced that Microsoft will imbed RSA's SecurID agent into its applications, starting with the next shipment of Microsoft's Internet Security and Acceleration (ISA) server, to offer customers out-of-the-box support for two-factor authentication.
Also, RSA outlined its plans to develop an RSA SecurID software token for the Microsoft's PocketPC 2002 platform to prevent unauthorized access without a separate hardware token. A new partnership between iRevolution and RSA will create a solution to enable Microsoft Passport users to sign on to Passport-enabled sites using RSA Mobile software for secure one-time authentication.
According to Jason Bloomberg, security analyst at Boston-based Web services research firm ZapThink, the comprehensive "wealth of experience" in PKI, digital certificates, and ID management technology from vendors such as Entrust, RSA, and Baltimore Technologies should prove an immediate boost in the cramped market to secure Web services.
"There are a lot of pieces to a PKI solution -- certificates, management, revocation, and tying each of those in with user management. Web services will help that," said Bloomberg. "Passwords only get you so far. To take that extra step, whether it's a PKI token or Kerberos ticket, or a token like a smart card, a lot of companies need to make that move for business requirements for [Web services] security."
However, deeming the "horse race" too early to call, ZapThink LLC's Bloomberg said vendors rushing the market must take care to make their offerings platform neutral and capable of working within J2EE, Microsoft .Net, and legacy environments.
This week, Entrust announced its new Web services product delivery road map spearheaded by the Entrust Secure Transaction Platform. Offering support of multiple application servers and platforms, Entrust Secure Transaction Platform will integrate security onto Web services applications through three new "services," or products, said Leah MacMillan, director of solutions marketing at Dallas-based Entrust.
The new services include Entrust Identification Service, Entrust Entitlements Service, and Entrust Verification Service. According to MacMillan, the Identification Service will enable validation of federated and non-federated identities, using multiple standards, digital certificates, and UserID/passwords. Next up, the Entitlements service, which implements SAML, will decide that an identity is granted permission to interact with specific Web services. Finally, the Verification Service offers digital signature and time-stamping capabilities.
Down the road, the upcoming release of Entrust Authority 7.0 will secure Web services for administration through an interface with which partners and third-party vendors can integrate.
"Some people have said we've been quiet for Web services, but we wanted to have visions and products in place," said MacMillan. "Web services [security] isn't going to be stand alone. It's going to be one element of doing secure back-end-to-back-end integration and the need to leverage against client server security, supply chain, e-mail, or Web portal [processes] for the end-user."
The Entrust Verification Service will be available this fall. The Identification and Entitlements Services will be available in Q1 of 2003.