For Security & Risk Professionals

The Forrester Wave™: Identity And Access Management, Q4 2009

Oracle, CA, And IBM Lead, With Novell And Sun Microsystems Close Behind

by Andras Cser, November 3, 2009

In Forrester's 79-criteria evaluation of identity and access management (IAM) vendors, we found that Oracle, CA, and IBM lead the pack because of a rich IAM portfolio (both organically developed and acquired), an understanding of a rapidly changing market, . . .

For Enterprise Architecture Professionals

SOA Security 2009: Four Solution Patterns

A Two-Dimensional Continuum For Diverse SOA Security Solutions

by Randy Heffner, September 14, 2009

Architects crafting their organization's strategy and architecture for service-oriented architecture (SOA) security have a wide diversity of security requirements, business scenarios, and application infrastructure to deal with. To set a solid direction . . .

For Enterprise Architecture Professionals

SOA Security 2009: Products And Specifications

Selecting Standards, Specifications, And Products For SOA Security

by Randy Heffner, August 20, 2009

As enterprise architects set their organization's strategy for service-oriented architecture (SOA) security, they will have to filter through a variety of standards, emerging specifications, and products that can contribute features and functions for . . .

For Enterprise Architecture Professionals

SOA Security 2009: Requirements And Design

Understanding Your SOA Security Requirements And Iterative Solution Design

by Randy Heffner, July 16, 2009

In industry discussions about SOA, external integration is treated as the benchmark indicator of SOA security maturity: If it's secure enough for external integration, SOA must be secure. By that benchmark, 30% of SOA users think SOA security is mature . . .

For Enterprise Architecture Professionals

SOA Policy Management: Vendors And Products

The Market Landscape For SOA Policy Management Infrastructure And Services

by Randy Heffner, February 6, 2009

Service-oriented architecture (SOA) policy management is an important and emerging subset of SOA strategy, SOA governance, and SOA platform planning. Because SOA policy features and functions are arising within multiple types of products, many different . . .

For Application Development & Program Management Professionals

Web Services Specifications: Security

When To Use Which Secure Web Services Specifications

by Randy Heffner, December 28, 2006

Web services adoption continues, but it is taking a long time to work out all of the specifications and standards. According to data from recent Forrester surveys, among the specifications for secure Web services, both WS-Security and WS-I Basic Security . . .

Trends 2005: Application Security Architecture And Secure Web Services

by Randy Heffner, October 25, 2004

The 9/11 terrorist attacks and other heightened security concerns prompted IT to focus heavily on security. Appropriately, the first focus was infrastructure security. A higher-level focus on application security is now picking up steam and, together . . .

For Application Development & Program Management Professionals

Secure Web Services: Functional Design Priorities

by Randy Heffner, January 8, 2004

Many early, simple Web Services will make do with surface-level protection, simple authentication, node-to-node confidentiality and coarse-grained authorization. Sensitive Web Services may find business reasons to consider a much wider range of issues.

For Application Development & Program Management Professionals

Secure Web Services: Current and Future Architectures

by Randy Heffner, January 8, 2004

Future secure Web Services architectures will combine application platforms, identity management platforms, XML application firewalls/gateways and EASI. Architects may begin now to build a vision and a migration path around such a combination.

For Application Development & Program Management Professionals

New Concepts Add Complexity to Secure Web Services

by Randy Heffner, December 22, 2003

Dynamic policy negotiation, intermediaries and federation are three valuable new concepts contained within the emerging standards for secure Web Services. Although not high priority, they should factor into future plans for secure Web Services.

For Application Development & Program Management Professionals

IT Trends 2004: Secure Web Services

by Randy Heffner, November 19, 2003

Application architects should retain a tactical, low-investment stance toward secure Web Services throughout 2004, because the strategic picture of industry standards and practices will not be clear until at least 2005.

For Application Development & Program Management Professionals

Secure Web Services: Four Key Decisions that Impact the Business

by Randy Heffner, November 6, 2003

Four secure Web Services strategy decisions have the greatest business impact: client-side identity, federation, strength of audit, and security administration responsibility. Opt for low implementation cost, unless requirements demand otherwise.

For Application Development & Program Management Professionals

Web Services Distributed Management (WSDM) Must Wait for Secure Web Services

by Randy Heffner, September 17, 2003

WSDM must wait for secure Web Services standards before it will be important to Web Services environments. For now, IT shops should manage Web Services using the same tools and processes they use for their current application platform.

For Application Development & Program Management Professionals

Status for Secure Web Services: Doable for Small Communities

by Randy Heffner, September 8, 2003

It is not technically difficult to adequately secure Web Services, but it is difficult to scale a solution to large communities. Use simple, tactical methods for securing Web Services. Be prepared to throw away the solution in two years and start over.

For Application Development & Program Management Professionals

Secure Web Services Standards Will Almost Converge

by Randy Heffner, August 26, 2003

Secure Web Services standards from the Liberty Alliance and IBM/Microsoft will eventually converge, at least enough for security software vendors to bridge the gap. Until then, make minimal, tactical investments in secure Web Services architecture.

For Application Development & Program Management Professionals

WS-I Basic Security: Baby Step for Secure Web Services

by Randy Heffner, May 12, 2003

WS-I's Basic Security Profile will have only a minor impact on the overall secure Web Services landscape because it will formalize only levels of security that are either already in use or that depend on trust models that are out of its scope.

For Application Development & Program Management Professionals

WS-Security Sealed as the Foundation for Secure Web Services

by Randy Heffner, July 8, 2002

With WS-Security submitted to OASIS for standardization and Sun on the team, it is now clear that, although it is not a complete solution, WS-Security will be the foundation for future secure Web Services.

For Application Development & Program Management Professionals

Microsoft's Palladium Could Increase the Security of Secure Web Services

by Randy Heffner, July 8, 2002

Palladium's machine-specific keys could provide for more secure Web Services. Although such a result would be two or more years away, considering the possibilities may help application architects design more flexible solutions for secure Web Services.

Securing Web Services

by Laura Koetzle, Charles Rutstein, Heather Liddell, Frank Pandolfe, June 7, 2002

Web services have arrived, but without much security. However, with the right brew of standards and technologies, firms can apply what they already know about security - and put Web services to work for them.

For Application Development & Program Management Professionals

Secure Web Services: WS-Security Is a Formidable Proposal

by Randy Heffner, April 15, 2002

Giga believes that WS-Security will have a major impact on the future of secure Web Services. Any IT shops considering near-term use of Web Services to connect to customers or partners should immediately investigate WS-Security.