They're live, but not exactly ready for prime time in the enterprise: Two new Web-based security services from Microsoft Live Labs are now available in beta for developers building Internet applications.

Microsoft Live Labs -- a partnership between MSN and Microsoft Research -- is offering Security Token Service (STS) and Relay Service, both part of what the company calls its "cloud services," or early test-phase technologies. STS is an authentication service and Relay Service provides secure, peer-to-peer Web applications like click-to-talk with voice-over-IP.

These services aren't for the faint of heart. Developers using them must use browsers with support for Microsoft's still-to-be-announced InfoCard, such as Internet Explorer 7 Beta 2 or later for each service, as well as WinFX Runtime Components Beta 2 in the authentication service. Microsoft's upcoming Vista desktop operating system will use these and other Live services.

A financial institution's online banking app would "call" STS to enroll and authenticate customers who want to bank online. Banking customers then register their personal data online using InfoCard, Microsoft's virtual information card technology (which hasn't yet been released). It saves the developer the work of writing her own authentication software, not to mention it helps Microsoft, too. "Life is much easier if all users have Vista and IE7 on their PC's," with STS, says John Pescatore, vice president of internet security for Gartner.

Microsoft Live Labs' Relay Service, meanwhile, gives apps like VOIP the ability to connect peer-to-peer between firewalls and network address translator (NAT) gateways that typically prevent inbound network connections. So a customer booking a reservation with an airline could hit a click-to-talk button that sets up a VOIP call to a customer service agent.

Microsoft says both technologies are being previewed by Live Labs, an applied research organization within the Windows Live group, but Live Labs is not actually hosting the services.

Like any service-oriented architecture (SOA) service, these Web-based services can come with security risks of their own. It's not the same as getting the software on a disk or online with updates and patches, Gartner's Pescatore says. Token authentication carries with it sensitive data. "With a service, how do you know you can trust that code and that there aren't vulnerabilities built into it or that Microsoft hasn't changed it the next day?" says Pescatore. "This is an SOA issue, not just a Microsoft thing."

The only way app developers can be sure it's secure is for Microsoft or other vendors providing these services to show third-party test results. "They need to come up with ways to demonstrate these services are safe to use or no one will use them," Pescatore says.

Microsoft has been there before. Its Passport single sign-on authentication service had its vulnerability problems early on. But Pescatore says if Microsoft builds and tests the new security services properly and provides developers assurances that they are airtight, it will be a win-win for developers and users. "This could provide tremendous security advantages," he says. "Otherwise, you might end up with 10 different versions of banking authentication out there. Reusing this technology instead of reinventing the wheel can lead to increased [online] security."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Companies mentioned in this article: