IBM faces criticism on Web services security initiative

IBM is trying to embed its technology at the core of emerging Web services standards, with the release of a set of application programming interfaces (APIs) designed to address critical security and third-party integration needs.

The company says the APIs, to be included in the WebSphere Version 5.1 e-business platform later this year, are designed to give customers the ability to adopt a best-of-breed approach to incorporating competing security products into Web services environments.

Although the plan addresses enterprise concerns regarding the lack of standards around Web services security, industry executives argue that IBM risks being accused of pursuing its own agenda and adding to the myriad security efforts already under development.

Among the organisations pushing security initiatives are the World Wide Web Consortium (W3C), the Organization for the Advancement of Structured Information Standards (Oasis), and even the IBM and Microsoft-led Web Services Interoperability Organisation (WS-I).

Meanwhile, the Liberty Alliance is expected to announce its federated, single sign-on (SSO) system for e-commerce late this month.

"IBM has done a very good job of making itself look very open to the market, in effect taking away some of the cachet Sun has had as the inventor of Java and developer of the Open Network Environment," said Laura Koetzle, an analyst at Forrester Research. "This opening up of WebSphere APIs is an extension of that."

Mike Kass, product manager of Microsoft .net, said his company was shaking off the proprietary label by delivering .net-ready standards - such as XML digital signature and XML encryption - that the software giant has helped present to the W3C.

In other Web services developments, IBM, Microsoft, and VeriSign have made good on their promises by submitting the latest version of the WS-Security specification to Oasis for development.

But because Microsoft's ultimate goal is to sell more copies of Windows and to impede Linux, as well as prevent LDAP from cutting into Active Directory's installation base, the company is pushing out "tilted" WS-Security standards to make Web services easier to pull off in a Windows - not Unix - environment, said John Pescatore, research director of Internet security at analyst group Gartner.

Despite its API efforts, IBM has to face the reality that companies do not want to lock themselves into one centralised server for Web services security or management. "The vast majority [of customers] are looking for Web services to make application integration easier, not to jump into some giant centralised framework for control," Pescatore said.
