RSA yesterday unveiled its ClearTrust 5.0 Web access management
solution, which has been designed to protect and manage user
identities and administration across an enterprise.
The software features enhanced ease-of-use through a new Web-based
GUI, improved password management, and improved application
plug-ins for customised third-party database and server
integration.
This week, Entrust announced its new Web services product delivery
road map spearheaded by the Entrust Secure Transaction Platform,
which aims to integrate security onto Web services applications
through three new "services", or products.
ClearTrust 5.0 supports the Security Assertion Mark-up Language
(SAML) 1.0 Web services specification, an XML-based framework used
for exchanging authentication and authorisation information. "Trust
is probably the most critical element that has been missing from
the Web services space to date," said RSA senior product manager
Ted Kamionek.
Kamionek said that as more customers adopt Microsoft .net Web
services platform, RSA would produce tighter integration of its
product line with .net and other Microsoft-related services and
standards efforts such as WS-Security.
Yesterday RSA announced that Microsoft would imbed RSA's SecurID
agent into its applications, starting with the next shipment of
Microsoft's Internet Security and Acceleration (ISA) server, to
offer customers out-of-the-box support for two-factor
authentication.
RSA also outlined its plans to develop an RSA SecurID software
token for the Microsoft's PocketPC 2002 platform to prevent
unauthorised access without a separate hardware token. A
partnership between iRevolution and RSA would create a solution to
enable Microsoft Passport users to sign on to Passport-enabled
sites using RSA Mobile software for secure one-time
authentication.
Meanwhile, Entrust's latest offerings include Entrust
Identification Service, Entrust Entitlements Service and Entrust
Verification Service. The Identification Service will enable
validation of federated and non-federated identities, using
multiple standards, digital certificates, and UserID/passwords.
Next up, the Entitlements service, which implements SAML, will
decide that an identity is granted permission to interact with
specific Web services. Finally, the Verification Service offers
digital signature and time-stamping capabilities.
The upcoming release of Entrust Authority 7.0 will secure Web
services for administration through an interface with which
partners and third-party vendors can integrate.
The Entrust Verification Service will be available this autumn, and
the Identification and Entitlements Services will be available in
early 2003.
Jason Bloomberg, security analyst at Web services research firm
ZapThink, believed the comprehensive "wealth of experience" in PKI,
digital certificates, and ID management technology from vendors
such as Entrust, RSA, and Baltimore Technologies should prove an
immediate boost in the cramped market to secure Web services.
"There are a lot of pieces to a PKI solution - certificates,
management, revocation, and tying each of those in with user
management. Web services will help that," said Bloomberg.
"Passwords only get you so far. To take that extra step, whether
it's a PKI token or Kerberos ticket, or a token like a smart card,
a lot of companies need to make that move for business requirements
for [Web services] security."
However, Bloomberg warned that vendors rushing the market must take
care to make their offerings platform neutral and capable of
working within J2EE, Microsoft .net and legacy environments.