Microsoft Releases Web Services Security Spec

IBM and VeriSign to join Microsoft in developing specifications.

(New Orleans, Louisiana) Microsoft's new emphasis on security gained several prominent industry partners today with the announcement that the company has joined forces with IBM Corp. and VeriSign on a Web services security specification.

The partnership is a "roadmap for six specifications that talk about security from end to end," Microsoft vice president for .NET Enterprise Servers Paul Flessner announced at Thursday's TechEd keynote presentation.

The new specification, which the companies are calling WS-Security, "provides standard mechanisms to exchange secure, signed messages in a Web services environment, and provides an important foundation layer that will help developers build more secure and broadly interoperable Web services," according to a Microsoft press release. Currently, there are no agreed-upon rules for Web services security, and many of the industry's heavy hitters, including IBM, Hewlett-Packard, Oracle, Sun and Microsoft are developing and implementing Web services frameworks.

At the heart of the model is an effort to bring together disparate security technologies like Public Key Infrastructure (PKI) and Kerberos for protecting the integrity and confidentiality of messages, "as well as mechanisms for associating security-related claims with the message," according to a joint Microsoft-IBM white paper on the subject, available at

Another key to WS-Security is its interoperability. It utilizes common Web services standards like XML and SOAP, allowing companies to configure their environments for the appropriate level of security across any platform.

The other proposed specifications include a modular approach to security, broken down into two general categories: the first three—WS-Policy, WS-Trust and WS-Privacy—relate to setting up a secure session and establishing privacy guidelines, while the second group—WS-Secure Conversation, WS-Federation and WS-Authorization—deals with message security, interoperability between different systems and authorization policies.

Web services is key to Microsoft's .NET strategy of connecting disparate systems for data exchange, and ensuring privacy and security is key to the success of .NET. Microsoft recently suffered a blow when the My Services initiative, formerly known as Hailstorm, was killed, partially due to concerns about Microsoft's ability to keep safe and secure data for millions of users in one repository. With .NET being a much bigger, broader and more important program, collaborating with companies like IBM and especially VeriSign, which provides digital certificates verifying the authenticity of information for much of the Internet, Microsoft is attempting to allay fears about how seriously it takes security.

WS-Security has yet to be submitted to a standards body.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.


  • Microsoft, Google and IBM Among First Members of Open Source Security Group

    Microsoft has joined a high-powered group of tech giants in a new industry foundation aimed at improving the security of open source software.

  • Microsoft In Talks To Acquire TikTok

    A deal between Microsoft and Beijing-based ByteDance is in the works that would have Microsoft acquiring some of ByteDance's holdings in the TikTok social media service.

  • Some Cortana Features Ending as Part of Microsoft 365 Shift

    Microsoft may be promoting Cortana more as a Microsoft 365 business perk, but the digital assistant will soon see several of its capabilities falling out of support.

  • 2020 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss. (Now updated with COVID-19-related event changes.)

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.