Modernizing Authentication — What It Takes to Transform Secure Access
and IBMearlier this year is finally bearing fruit, as the firms Monday announced their first set of jointly-created security Web services and software.
Holding forth at the Gartner Symposium IT Expo in Orlando, Fla. this week, IBM and VeriSign said the new services are designed to help companies build security and trust into e-business applications. The goal of this arrangement is the same of most Web services philosophies -- to allow enterprises to extend proprietary, legacy or Web-based apps to customers, and to enable enterprises to reduce costs and improve business collaboration in a secure fashion.
Indeed, as financial institutions, government agencies and other organizations move business processes to an Internet-based environment, they face complex challenges in connecting multiple applications in a secure and seamless manner.
This alliance, first announced last January between the Armonk, N.Y. technology giant and Mountain View, Calif. digital trust service provider, should attract attention from a number of e-business software players; emphasis on security is at a premium and IBM and VeriSign garner respect for their track record of technological innovation and trust provisions, respectively.
https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i Lack of consistent security standards, analysts say, has been a key barrier to Web services adoption.
"Web Services offer great potential for business-to-business communication and integration," said Jason Bloomberg, senior analyst at Web services research firm ZapThink. "But the lack of robust security and management solutions currently inhibit the ability for companies to conduct business with each other via Web Services over the Internet. You can't just buy a little security. You have to cover all the bases to be secure."
For the service side of the play, VeriSign is offering customers its Access Management Service (AMS), positioning it as the first fully managed service for access control and authorization. Based on IBM Tivoli's Access Manager, as well as VeriSign's identity verification, public key infrastructure (PKI) and validation services, AMS has sign-on feature for authorized users, allowing them to quickly gain access to network applications and services, which can save organizations time and money on help desk support. Sunnyvale, Calif. software concern Kontiki plans to be the first company to provide Web services applications primed for AMS.
For the software portion of the pact, the firms are offering the co-branded, co-developed IBM-VeriSign Trusted e-business Integration Solution. Built on VeriSign's Digital Authentication Services, IBM WebSphere MQ and IBM Tivoli Access Manager, this is enterprise application integration (EAI) software for secure extranets. Users of this may build portals, extranets and other business applications that connect users within the enterprise or outside the firewall without compromising security.
IBM and VeriSign are posing this as a breakthrough offering for integrating heterogeneous internal and external applications -- new, legacy, back-end and Web-based systems -- securely. The support for non-repudiation and audit logging services can help reduce fraud and lower risk by maintaining an electronic record of each on-line transaction.
What analysts are saying
ZapThink's Bloomberg told internetnews.com the service and software will be attractive to large enterprises who are struggling with issues of single-sign on, enterprise user identity management, and comprehensive application security.
"These new solutions are particularly attactive for existing VeriSign PKI and IBM Tivoli customers," Bloomberg said. "Enterprises that have already decided to take the PKI path have found that the infrastructure and support costs associated with enterprise PKI can be high, and these new announcements will help those companies get the most out of their existing investment."
The service and software may be less attractive to the small-to mid-size players, he said.
"There are many single sign-on and other security solutions that offer much of what the VeriSign/IBM solution does, without relying upon substantial PKI infrastructure or investment in IBM products like WebSphere MQ, including solutions from Baltimore Technologies, Entrust, and Netegrity," Bloomberg said.
Zapthink's Ronald Schmelzer noted that the play was evidence that technology firms are not simply sitting idly by, waiting for standards to be hashed out.
"The MQ Series-Tivoli-Verisign solution is an example of an increasing number of vendors joining up to solve hard security, management, transaction, and reliability problems rather than waiting for the standards to be solidified," Schmelzer said. "If anything, it helps illustrate why vendors are pushing for solutions much faster than the standards bodies can deliver. This might lead to conflicting standards and solutions in the long-haul, but at least in the short term, Web Services can live up to their promise."
Not every analyst was sold, however.
"The Access Management service isn't a very big deal," said Gartner Dataquest security analyst John Pescatore. "Verisign had announced a service like this over a year ago (using Netegrity's software), as had many other vendors. There just isn't any demand for outsourced Access Management that isn't embedded in an application and Verisign isn't offering that, other than their Signio payment applications."
"The e-business integration solution is pretty much what IBM already sells, so it is mostly just a co-marketing initiative between Verisign and IBM," Pescatore told internetnews.com. "IBM and Versign made some business alliance agreements a while back and Versign is using IBM hardware and software as part of its service offerings now, and so IBM is doing co-marketing with them as a payback. I don't see either of these announcements as being very meaningful to enterprise customers."
VeriSign spokesperson David Berkowitz responded: "The point of the VeriSign AMS isn't that we're co-marketing a product in a space that is already crowded with software products. Rather, it's that we've joined with IBM to create the first MANAGED SERVICE for access control and authorization. This IS a big deal because it means we're significantly reducing the cost and complexity of access management so that small- to mid-sized enterprises can deploy robust security technology that, previously, was only available to large enterprise customers."