Security Specs Evolve

I.T. security has come a long way in recent years. But much more needs to be accomplished to make it easier to secure systems, according to those attending the RSA Security conference on computer and information security last week.

Evolving standards may be the answer. Today, security applications designed to block attacks don't talk with apps that find application vulnerabilities. Building-access cards don't speak the same language as smart cards used to log on to a corporate network. And companies that want to use Web services quickly discover that the lack of security standards creates an integration nightmare.

For example, when American Express Co. sought to extend Web services to partners, the financial-services company had to create a unique security infrastructure for each partner, says Michael Barrett, VP of Internet strategy for American Express and president of the Liberty Alliance management board, a group dedicated to developing industry standards for identity management. The lack of standards and vendor interoperability in identity management "just destroys the economic model for Web services," he says.

Last week, the alliance introduced the second phase of its federated identity-management specification, which includes a standard way for users to choose which affiliated Web sites can access their personal information and whether their identity will be revealed. Such permission-based sharing, Barrett says, is critical for any universal identity-management initiative to be successful. The alliance also recently submitted version 1 of its specification to the Organization for the Advancement of Structured Information Standards for possible inclusion in the next version of SAML, the Security Assertion Markup Language, a widely accepted framework for authentication and authorization of Web-services communications.

Standards also are needed to deal with new application vulnerabilities that seem to crop up every day. A group of security vendors has submitted a proposal for an Application Vulnerability Description Language, based on XML, to standards body Oasis. AVDL will be designed to provide a standard way for application vulnerabilities to be defined and classified so security tools will speak the same language when it comes to security threats aimed at apps. The group, founded by Citadel Security Software, GuardedNet, NetContinuum, SPI Dynamics, and Teros, hopes to have a version of the spec completed by year's end.

AVDL will let application vulnerability-assessment tools, such as those provided by SPI Dynamics, better report to other security applications the state of app security throughout an organization at any point in time. Security event managers, such as those made by GuardedNet, will be able to better correlate security problems found in applications with actual security attacks and related events.

And there still are big integration challenges between building and IT-access devices. While the federal government has been working on methods for combining building-access cards and IT-access cards for some time, analysts say progress has been slow. "People at the Defense Department are still walking around with two access cards around their neck, one for building access and one for IT access," says John Pescatore, an analyst at Gartner.

Computer Associates last week unveiled the Open Security Exchange, which it says is a collaborative group to establish best practices and promote vendor-neutral specs for integrating the management of security devices and policies. The OSE aims to create a standard that will let physical security devices, such as building-access cards, interoperate better with conventional IT security applications, such as provisioning and access-management apps and smart cards used to access IT resources.