The inherent insecurity of XML and standards-based Web services is causing many to rethink traditional approaches to identity management, experts say.
At the heart of this new school of thought on identity management is the question of where to draw "trust boundaries" in an era when users regularly interact with multiple applications -- such as customer relationship management (CRM) and enterprise resource planning (ERP) systems -- via portal applications and Web services.
Traditionally, said Ron Schmelzer, founder and senior analyst of Waltham, Mass.-based consulting firm ZapThink LLC, "trust boundaries" have been drawn at the very edges of the network and fortified with firewall software. But in the era of Web services, these lines aren't so clear.
One solution to the problem is to house login information about users within every application they might touch during a Web services request. However, keeping all of this information synchronized and properly updated can become a cumbersome process.
"The better idea is that you're really supposed to separate the notion of identity of who you are from the specific system," said Schmelzer. "You should have an identity that is separate from the portal and the ERP system and the CRM system. But somehow [those applications] have to respect that identity."
"There is this whole area of enterprise identity management that is really burgeoning because of this context issue," Schmelzer added.
The key to separating the notion of identity from specific systems is implementing an architecture that supports policy-driven identity management, explained Jason Bloomberg, also a senior analyst with ZapThink.
"You need to have an enterprise-wide sense of who the users are and what they're entitled to do that cuts across different applications," Bloomberg said. "And it has to be a way that maintains the policies that apply to those users."
XML: Inherently insecure?
This problem of maintaining proper information about identity and permissions across multiple applications in a service-oriented architecture (SOA) is compounded, Schmelzer said, by the fact that XML -- the foundation of Web services SOAs -- was not created with security in mind.
For one thing, unlike older technologies such as IBM's MQSeries and the Object Management Group's CORBA, which traditionally operate within network parameters, XML does not restrict where traffic goes. Another problem is that XML is human-readable and contains metadata that can be exploited by malicious hackers.
XML alone does not create the problem of maintaining the context of a user's identity. Rather, it is XML-enabled Web services, which in turn enable SOAs, that lead to the context problem, Bloomberg explained.
"Web services, if anything, exacerbate the problem," Bloomberg said. "Now, with standards-based interfaces using XML, you're basically giving hackers directions and opening the door for them."
Ray Wagner, research director of information security strategies for Gartner Inc., said XML firewalls are a good choice for companies with complex security needs and multiple Web services.
More vendors standing by
To ultimately solve the context problem and properly secure XML-based traffic and Web services, companies first need to define a corporate-wide identity policy and then put in place the means to enforce it.
A growing number of vendors are standing by ready to fulfill those needs, analysts said.
Vendors that help people establish corporate identity policies with Web services in mind include Netegrity Inc., Oblix Inc., IBM Tivoli, Entrust Inc. and RSA Security Inc.
Others that provide policy enforcement with a focus on Web services traffic, and that also sell XML firewalls, include Reactivity Inc., DataPower Technology Inc., Sarvega Inc., Westbridge Technology Inc. and Forum Systems Inc.
"It's amazing that companies like Cisco and Nortel haven't really gotten into this space yet," said Schmelzer. "But I would imagine that at some point they will."