RSA and Entrust target Web services security returns

RSA yesterday unveiled its ClearTrust 5.0 Web access management solution, which has been designed to protect and manage user identities and administration across an enterprise.

The software features enhanced ease-of-use through a new Web-based GUI, improved password management, and improved application plug-ins for customised third-party database and server integration.

This week, Entrust announced its new Web services product delivery road map spearheaded by the Entrust Secure Transaction Platform, which aims to integrate security into Web services applications through three new "services", or products.

ClearTrust 5.0 supports the Security Assertion Mark-up Language (SAML) 1.0 Web services specification, an XML-based framework used for exchanging authentication and authorisation information. "Trust is probably the most critical element that has been missing from the Web services space to date," said RSA senior product manager Ted Kamionek.

Kamionek said that as more customers adopt Microsoft's .net Web services platform, RSA would produce tighter integration of its product line with .net and other Microsoft-related services and standards efforts such as WS-Security.

Yesterday RSA announced that Microsoft would embed RSA's SecurID agent into its applications, starting with the next shipment of Microsoft's Internet Security and Acceleration (ISA) server, to offer customers out-of-the-box support for two-factor authentication.

RSA also outlined its plans to develop an RSA SecurID software token for Microsoft's PocketPC 2002 platform to prevent unauthorised access without a separate hardware token. A partnership between iRevolution and RSA would create a solution to enable Microsoft Passport users to sign on to Passport-enabled sites using RSA Mobile software for secure one-time authentication.

Meanwhile, Entrust's latest offerings include Entrust Identification Service, Entrust Entitlements Service and Entrust Verification Service. The Identification Service will enable validation of federated and non-federated identities, using multiple standards, digital certificates, and UserID/passwords. Next up, the Entitlements Service, which implements SAML, will decide whether an identity is granted permission to interact with specific Web services. Finally, the Verification Service offers digital signature and time-stamping capabilities.

The upcoming release of Entrust Authority 7.0 will secure Web services for administration through an interface with which partners and third-party vendors can integrate.

The Entrust Verification Service will be available this autumn, and the Identification and Entitlements Services will be available in early 2003.

Jason Bloomberg, security analyst at Web services research firm ZapThink, believed the comprehensive "wealth of experience" in PKI, digital certificates, and ID management technology from vendors such as Entrust, RSA, and Baltimore Technologies should prove an immediate boost in the cramped market to secure Web services.

"There are a lot of pieces to a PKI solution - certificates, management, revocation, and tying each of those in with user management. Web services will help that," said Bloomberg. "Passwords only get you so far. To take that extra step, whether it's a PKI token or Kerberos ticket, or a token like a smart card, a lot of companies need to make that move for business requirements for [Web services] security."

However, Bloomberg warned that vendors rushing the market must take care to make their offerings platform neutral and capable of working within J2EE, Microsoft .net and legacy environments.