Microsoft Releases Web Services Security Spec

IBM and VeriSign to join Microsoft in developing specifications.

(New Orleans, Louisiana) Microsoft's new emphasis on security gained several prominent industry partners today with the announcement that the company has joined forces with IBM Corp. and VeriSign on a Web services security specification.

The partnership is a "roadmap for six specifications that talk about security from end to end," Microsoft vice president for .NET Enterprise Servers Paul Flessner announced at Thursday's TechEd keynote presentation.

The new specification, which the companies are calling WS-Security, "provides standard mechanisms to exchange secure, signed messages in a Web services environment, and provides an important foundation layer that will help developers build more secure and broadly interoperable Web services," according to a Microsoft press release. Currently, there are no agreed-upon rules for Web services security, and many of the industry's heavy hitters, including IBM, Hewlett-Packard, Oracle, Sun and Microsoft are developing and implementing Web services frameworks.

At the heart of the model is an effort to bring together disparate security technologies like Public Key Infrastructure (PKI) and Kerberos for protecting the integrity and confidentiality of messages, "as well as mechanisms for associating security-related claims with the message," according to a joint Microsoft-IBM white paper on the subject, available at

Another key to WS-Security is its interoperability. It utilizes common Web services standards like XML and SOAP, allowing companies to configure their environments for the appropriate level of security across any platform.

The other proposed specifications include a modular approach to security, broken down into two general categories: the first three—WS-Policy, WS-Trust and WS-Privacy—relate to setting up a secure session and establishing privacy guidelines, while the second group—WS-Secure Conversation, WS-Federation and WS-Authorization—deals with message security, interoperability between different systems and authorization policies.

Web services is key to Microsoft's .NET strategy of connecting disparate systems for data exchange, and ensuring privacy and security is key to the success of .NET. Microsoft recently suffered a blow when the My Services initiative, formerly known as Hailstorm, was killed, partially due to concerns about Microsoft's ability to keep safe and secure data for millions of users in one repository. With .NET being a much bigger, broader and more important program, collaborating with companies like IBM and especially VeriSign, which provides digital certificates verifying the authenticity of information for much of the Internet, Microsoft is attempting to allay fears about how seriously it takes security.

WS-Security has yet to be submitted to a standards body.

About the Author

Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.


  • Azure AD B2B Now Officially Supports Google IDs

    A feature that lets users of the Google identity and access service use their personal log-in IDs with Microsoft's Azure Active Directory B2B service is now generally available.

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.

  • Microsoft, Salesforce Ink Deal Around Azure Cloud and Teams

    As part of a new partnership, CRM service provider Salesforce will leverage certain Microsoft Azure services, as well as Microsoft Teams, for services to customers.

  • 2019 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss this year.

RCP Update

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.