Microsoft Serves Up Security Services

Live Labs services hit developer hot buttons like authentication and peer-to-peer apps

They're live, but not exactly ready for prime time in the enterprise: Two new Web-based security services from Microsoft Live Labs are now available in beta for developers building Internet applications.

Microsoft Live Labs -- a partnership between MSN and Microsoft Research -- is offering Security Token Service (STS) and Relay Service, both part of what the company calls its "cloud services," or early test-phase technologies. STS is an authentication service, and Relay Service supports secure, peer-to-peer Web applications like click-to-talk with voice-over-IP.

These services aren't for the faint of heart. Developers must use a browser that supports Microsoft's still-to-be-announced InfoCard, such as Internet Explorer 7 Beta 2 or later, for each service, and the authentication service also requires WinFX Runtime Components Beta 2. Microsoft's upcoming Vista desktop operating system will use these and other Live services.

A financial institution's online banking app would "call" STS to enroll and authenticate customers who want to bank online. Banking customers then register their personal data online using InfoCard, Microsoft's virtual information card technology (which hasn't yet been released). It saves the developer the work of writing her own authentication software, and it helps Microsoft, too. With STS, "life is much easier if all users have Vista and IE7 on their PCs," says John Pescatore, vice president of internet security for Gartner.

Microsoft Live Labs' Relay Service, meanwhile, gives apps like VOIP the ability to connect peer-to-peer across the firewalls and network address translation (NAT) gateways that typically prevent inbound network connections. So a customer booking a reservation with an airline could hit a click-to-talk button that sets up a VOIP call to a customer service agent.

Microsoft says both technologies are being previewed by Live Labs, an applied research organization within the Windows Live group, but Live Labs is not actually hosting the services.

Like any service-oriented architecture (SOA) service, these Web-based services can come with security risks of their own. It's not the same as getting the software on a disk or online with updates and patches, Gartner's Pescatore says. Token authentication carries with it sensitive data. "With a service, how do you know you can trust that code and that there aren't vulnerabilities built into it or that Microsoft hasn't changed it the next day?" says Pescatore. "This is an SOA issue, not just a Microsoft thing."

The only way app developers can be sure it's secure is for Microsoft or other vendors providing these services to show third-party test results. "They need to come up with ways to demonstrate these services are safe to use or no one will use them," Pescatore says.

Microsoft has been there before. Its Passport single sign-on authentication service had its vulnerability problems early on. But Pescatore says if Microsoft builds and tests the new security services properly and provides developers assurances that they are airtight, it will be a win-win for developers and users. "This could provide tremendous security advantages," he says. "Otherwise, you might end up with 10 different versions of banking authentication out there. Reusing this technology instead of reinventing the wheel can lead to increased [online] security."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
