09:55 AM
Microsoft Serves Up Security Services

Live Labs services hit developer hot buttons like authentication and peer-to-peer apps

They're live, but not exactly ready for prime time in the enterprise: Two new Web-based security services from Microsoft Live Labs are now available in beta for developers building Internet applications.

Microsoft Live Labs -- a partnership between MSN and Microsoft Research -- is offering Security Token Service (STS) and Relay Service, both part of what the company calls its "cloud services," or early test-phase technologies. STS is an authentication service and Relay Service provides secure, peer-to-peer Web applications like click-to-talk with voice-over-IP.

These services aren't for the faint of heart. Developers using them need a browser that supports Microsoft's still-to-be-announced InfoCard (Internet Explorer 7 Beta 2 or later) for either service, plus WinFX Runtime Components Beta 2 for the authentication service. Microsoft's upcoming Vista desktop operating system will use these and other Live services.

A financial institution's online banking app would "call" STS to enroll and authenticate customers who want to bank online. Banking customers then register their personal data online using InfoCard, Microsoft's virtual information card technology (which hasn't yet been released). That saves the developer the work of writing her own authentication software, and it helps Microsoft, too. "Life is much easier if all users have Vista and IE7 on their PCs," with STS, says John Pescatore, vice president of internet security for Gartner.
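The enroll-and-authenticate flow sketched above, as an added illustration that is not Microsoft's code or the STS protocol: a toy token service mints a signed token for the bank app, and the bank app verifies signature, audience and expiry itself instead of trusting whatever arrives, which is Pescatore's trust concern in miniature. The shared key, URLs and claim names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values (assumptions, not Microsoft's): a key shared between the
# STS and the relying party, and the audience the bank app expects tokens to name.
STS_KEY = b"constructed-shared-secret-for-demo"
BANK_APP = "https://bank.example/online"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue(subject: str, audience: str, now: float, ttl: int = 300) -> str:
    """STS side: after authenticating the customer (assumed done), mint a signed token
    bound to one audience and a short lifetime."""
    claims = {"sub": subject, "aud": audience, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def relying_party_verify(token: str, now: float) -> Optional[dict]:
    """Bank app side: accept the token only if the signature, audience and expiry all
    check out; any failure yields None rather than a partially trusted identity."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
        return None  # tampered or forged
    claims = json.loads(_unb64(body))
    if claims.get("aud") != BANK_APP:
        return None  # token issued for some other application
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims
```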

Microsoft Live Labs' Relay Service, meanwhile, gives apps like VOIP the ability to connect peer-to-peer through firewalls and network address translator (NAT) gateways, which typically block inbound network connections. So a customer booking a reservation with an airline could hit a click-to-talk button that sets up a VOIP call to a customer service agent.

Microsoft says both technologies are being previewed by Live Labs, an applied research organization within the Windows Live group, but Live Labs is not actually hosting the services.

Like any service-oriented architecture (SOA) service, these Web-based services can come with security risks of their own. It's not the same as getting the software on a disk or online with updates and patches, Gartner's Pescatore says. Token authentication carries with it sensitive data. "With a service, how do you know you can trust that code and that there aren't vulnerabilities built into it or that Microsoft hasn't changed it the next day?" says Pescatore. "This is an SOA issue, not just a Microsoft thing."

The only way app developers can be sure it's secure is for Microsoft or other vendors providing these services to show third-party test results. "They need to come up with ways to demonstrate these services are safe to use or no one will use them," Pescatore says.

Microsoft has been there before. Its Passport single sign-on authentication service had its vulnerability problems early on. But Pescatore says if Microsoft builds and tests the new security services properly and provides developers assurances that they are airtight, it will be a win-win for developers and users. "This could provide tremendous security advantages," he says. "Otherwise, you might end up with 10 different versions of banking authentication out there. Reusing this technology instead of reinventing the wheel can lead to increased [online] security."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Companies mentioned in this article:

  • Gartner Inc.
  • Microsoft Corp. (Nasdaq: MSFT)

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
