Learn How a Virtual Networking Approach Can Strengthen the Security of Federal Networks REGISTER >
Federated identity management already is a critical component of Web services architecture, and access management and provisioning are moving to support Web services security, the report says.
Most companies have one or more of four application platforms today: Windows, Unix, Java or CICS/Cobol.
"Many companies have more than four," says Jamie Lewis, CEO and research chair of the Burton Group, and author of the report. "So the first question is, how do we turn the physically disjointed network into a logically whole thing? Web services are the clear trend to answer that question."
"What is new is, we are standardizing the infrastructure," around the Web services standards: XML, SOAP, UDDI and WSDL included.
"There is to some degree a light bulb that has gone on in everyone's head about service-oriented architecture," Lewis says, a term describing an architecture in which existing systems are abstracted and decoupled from platform technology and loosely coupled to work together. The onus shifts to the bus, which needs to support security, reliable messaging and transaction standards aligned with business strategy.
"It's a more practical approach than tightly coupled approaches," he suggests. "It's good news, but we have a long way to go."
Identity is crucial to making services-oriented architecture work.
"That is a point of contention we have to resolve before this infrastructure is standardized," Lewis says. "We need to support business processes across multiple systems, so security becomes the number one concern -- who can do what, where and when." Only identity-based mechanisms can deliver on this promise, he suggests.
The increasing use of the Security Asserts Markup Language (SAML), a standard from Oasis, the industry consortium effort to define application integration, to help manage identify in portal environments, is a step in the right direction. Microsoft and IBM, working together, have proposed certain standards that fit within the overall framework but conflict to some degree with SAML, so these remain to be worked out. Lewis sees that support for Web services over time will force a convergence.
The biggest mismatch today is between the tools developers are using -- Microsoft Visual Studio or IBM Eclipse, for instance -- to build applications having an "impedance mismatch" with building strong identify-based security mechanisms.
"If a Visual Studio developer wants to use strong authentication, they have to switch out to some incredibly complex security operations tools," Lewis says.
The potential is for a new generation of applications to be implemented with Web services interfaces, so that developers can use security services available on the network, without having to understand the deep complexity of the security functions.
"So developers who are not security experts, but are process-oriented, can use the standard bus with services baked in there for identity-based security," Lewis says.
The Microsoft and IBM Web services security efforts in this context are not expected to yield usable product before 18 months to three years out, Lewis says.
"SAML is a safe starting point for now," he says. Liberty Alliance, supporting SAML, is gaining momentum in the mobile environment.