Quadrasis next month will release a gateway designed to let corporations securely pass Web services traffic internally and over their firewalls.
The company, a business unit of Hitachi Computer Products America Inc., will unveil its SOAP Content Inspector (SCI), a software proxy that intercepts and validates Simple Object Access Protocol (SOAP) messages, a standard format used by Web services applications to communicate.
The proxy is based on a subset of features from Quadrasis' Security Unifier, a gateway that integrates disparate network security products from multiple vendors.
At the heart of SCI is support for the Security Assertion Markup Language (SAML), an emerging standard protocol that creates "assertions" used to authenticate and authorize users of Web services.
Because SOAP traffic contains executable code and moves over the Web's standard HTTP, which passes easily through firewalls, the protocol can pose a security risk.
Security has emerged as the No. 1 inhibitor to cross-enterprise rollouts of Web services, according to a handful of recent surveys from research firms such as the Hurwitz Group and ZapThink.
"We are transferring any request that comes into our network - for data, a transaction or a Web page - into a SAML assertion because we wrap all of our applications with an understanding of the protocol," says an information security manager with a large financial services firm. "The point is we don't have to create a one-off security mechanism for each application we develop." It also allows him to use the SAML assertion as a single sign-on token for users to access multiple applications without having to authenticate to each one.
The manager says SCI makes his security infrastructure more consistent across a range of front-office and back-office applications available to employees, customers and business partners. He says SCI also reduces costs by allowing his developers to plug their applications into a security gateway instead of having to create security unique to each new application.
"From here on the new applications we develop will use this security framework. It just takes two or three applications to see the benefits." But he said he is not retrofitting all older applications for SCI because the level of effort to do that may not be justified.
The manager, however, says he is using SCI only to turn incoming requests for access into SAML assertions and is not using the software to send outbound SAML assertions over his firewall, which may eventually become the second phase of his rollout.
SCI is a proxy that sits behind a corporate firewall and in front of a Web server. The proxy inspects SOAP traffic moving over HTTP and uses SAML to create an assertion that authenticates, signs and validates the messages.
The software can be used to support single sign-on and to check the structure and content of the SOAP message to prevent buffer overflow like attacks.
The SCI proxy also supports Secure Sockets Layer certificate-based authentication and HTTP Basic Authentication, which can be converted into a SAML assertion.
The authorization mechanism is role-based and supported by a directory based on the Lightweight Directory Access Protocol (LDAP). Users can replicate data from an existing directory into SCI. The proxy also features auditing and policy enforcement.
The proxy supports Web services based on either Java 2 Enterprise Edition or Microsoft's .Net. SCI runs on Windows 2000 and is designed for deployment on a server dedicated to running the proxy. The SOAP Content Inspector can run as a standalone product or in parallel with Quadrasis' Security Unifier.
"What we do is security integration, and that means we provide hooks to integrate with other security products in the enterprise," says Bret Hartman, chief technology officer for Quadrasis. "We may be the integration point between, say, RSA's ClearTrust and Netegrity's SiteMinder." Both are Web access management products that are adding support for SAML.
SCI is expected to ship in September and is priced at US$35,000 for a standard configuration.