EXECUTIVE SUMMARY
Growing Web services adoption is driving demand for secure Web services. XML security gateways offer
a quick-hit solution — perfect for high-priority projects operating on a tight schedule. But it is critical to
look at the early market in the broader context of application security architecture. Within three or four
years, XML security gateways will disappear into firewalls and identity management. In the meantime,
users can benefit from their integrated package of attack protection, trust enablement, and message
processing acceleration. Forum Systems and DataPower Technology hold a slight edge, but others have
unique value-add that may tip a buyer’s decision in their favor. Don’t be afraid to buy in, but start with a
clear understanding of your application security requirements and architecture.
TABLE OF CONTENTS
2 Serious Web Services Need Security Architecture
XML Security Gateways Are A Fast-Path Solution
It’s An Early Market For XML Security Gateways
5 A Quantitative Assessment Of XML Security Gateways
Two Early Leaders Have A Slight Edge On The Pack . . .
… But Every Vendor Has Some Unique Value-Add
8 Future View: What Is The Exit Strategy?
XML Firewall And Gateway Packaging Will Split
Identity And Firewall Vendors Split The Spoils
RECOMMENDATIONS
11 Take A Tactical Decision Stance
Don’t Fear Less-Established Vendors
11 Have A Clear View of Security Requirements
For Heavy Application Security Requirements
For Broadly Accessible External Web Services
Remember Friendly Fire
13 Supplemental Material

NOTES & RESOURCES
Forrester interviewed 15 vendor and user companies, including: Aeroplan, AmberPoint, Blue Titan Software, Entrust, Government of British Columbia, Oblix, and the seven XML security gateway vendors included in the evaluation.

Related Research Documents
“Watch Out! X-Malware Is Real” March 9, 2004, Quick Take
“Secure Web Services: Current and Future Architectures” January 8, 2004, Planning Assumption
“Secure Web Services: Functional Design Priorities” January 8, 2004, Planning Assumption
“Market Overview 2004: Web Services Solutions” December 22, 2003, Planning Assumption
“Market Overview 2003: Application Security Architecture” September 25, 2003, Planning Assumption
© 2004, Forrester Research, Inc. All rights reserved. Forrester, Forrester Oval Program, Forrester Wave, WholeView 2, Technographics, and
TechRankings are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester
clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional
reproduction rights and usage information, go to www.forrester.com. Information is based on best available resources. Opinions reflect
judgment at the time and are subject to change. To purchase reprints of this document, please email reprints@forrester.com.
2 Tech Choices | Forrester Wave™: XML Security Gateways
· Unified, consistent access policy for business services. Inconsistencies can easily
arise when access policy for Web services is managed separately from access policy
for other channels. This is especially troublesome when a given user base accesses the
same underlying services through a variety of interaction channels.
· Stronger access control for business services. A separate secure Web services
architecture may not integrate well with the security features of the underlying
application platform on which services run. This may require that the underlying
application platforms run business services in a relatively open access mode, relying
entirely on the secure Web services layer for its security, while also having a separate
security architecture for every other access channel.
· Better planning for evolving security solutions. Even if cost or product maturity
issues drive tactical compromises on access policy management or access control,
planning current implementations within a broad application security architecture
enables today’s product and design decisions to evolve more cleanly into a future
strategic security architecture.
[Figure (partial): application security architecture diagram showing the enterprise application, application security integration, and application platforms A and B; accompanying table excerpt:]
Code security: Tools and technologies to either identify application vulnerabilities or to make an application more difficult to compromise. Vendors: Aspose, Cenzic, eEye, Foundstone, KaVaDo, Nessus (open source), Parasoft, PreEmptive Solutions, Sanctum, SPI Dynamics
Libraries and frameworks: For application-level implementation of various customized security features and capabilities. Vendors: Certicom, Entrust, Phaos Technology, RSA Security
· Trust enablement. If one describes attack protection as “keeping the bad guys out,”
then trust enablement is “letting the good guys in.” Authentication of the requester’s
identity is first, then authorization of the request. Other major trust features are
administration, audit/logging, and security integration.
XML gateways can integrate to varying degrees with existing security infrastructure, but
they can also be deployed in a standalone mode, providing a relatively simple drop-in
solution (see Figure 2). Thus, with the right planning and product selection, you can get up
and running quickly with a standalone deployment, and over time integrate more deeply
with your application security architecture.
· There are no big players. All of the vendors are startups and few have more than
a handful of paying customers. Each has a particular product focus, all are rapidly
expanding their product’s features and functions, and it is not yet clear which features
buyers will consider most important. Some vendors are showing early product or
market strengths, but this could change quickly as the market develops.
· The market segment itself is not well established. As a market segment, XML
security gateways will face future questions as to their relationship to several other
product categories — portions of their functionality and deployment modes overlap
with or are similar to Web application firewalls, network firewalls, Web services
management, Web single sign-on (SSO), and application platforms. There are
already vendor moves that blur the lines of these segments, and much more change
is yet to come.
[Figure 2 (diagram): a Web service client sends requests through the XML security gateway to the protected Web service; the gateway’s security context is shown integrated with existing users and existing policy.]
· Forum Systems has the best product packaging strategy. While some gateways are
offered in appliance and software-only form factors, Forum adds a third form factor,
PCI card, and it packages its XML firewall as a separate product, XWall, from its XML
security gateway, Sentry. Both support acceleration, and the two can be delivered
together in an integrated package.5 Forum also has a third product, Presidio, an
Open Pretty Good Privacy (OpenPGP) security gateway. Multiple products and form
factors provide flexibility for user deployment and for Forum’s adaptation to future
market changes. In addition, Forum has competitive functionality across most of our
evaluation criteria.
· Reactivity has the best attack protection. Reactivity’s design has focused heavily on
attack protection — and its XML Firewall features multiple ways to detect a denial
of service attack and it can automatically update attack processing logic. Reactivity’s
integration of Tarari’s XML acceleration hardware will likely be the first to make it
to market in an XML security gateway. Other notable strengths include authorization,
administration tools, and flexible, secure logging. Future releases will include a
software development kit for custom product extensions and decision delegation
to Web SSO and identity management products.
Within three or four years, the XML security gateway market will not exist in its current
form. The current overriding need for a quick solution to secure Web services will give way
to longer-term demands for integrated application security architecture and infrastructure.
As IT seeks security unification and infrastructure simplification, the attack and trust
functions of XML gateways will be pulled apart. From the user side, this will happen
because:
· Trust features have affinity with users and applications. Trust requires knowing
users’ identities and must be closely integrated with application policy. To achieve
unified identity and trust management across all users and application access channels,
XML trust enablement functions must be closely integrated with identity management
and application platforms.
Therefore, as users pursue integration and unification, they will move to pull XML security
into their existing architectures for application-level and infrastructure-level security,
rather than segregating XML security into its own separate top-to-bottom domain.
· Firewall vendors are looking for new territory. Attack protection has long been the
domain of network firewall and intrusion detection vendors — XML presents a new
opportunity for them, as it does for Web application firewall vendors. Not that it is
simple for them to take on X-Malware protection — XML attack checking is notably
different from their traditional strengths — but network firewalls are already reaching
up to the application layer, Web application firewalls are already reaching into XML,
and more is yet to come.
· Identity and application platforms need deep trust features. Web SSO vendors long
ago extended their authentication and authorization architectures to go beyond
protecting HTTP requests to integrate deeply with J2EE application servers — XML
presents enticing new territory for them, as exemplified by Netegrity’s
TransactionMinder and Oblix’s recent purchase of Confluent. Java and Microsoft
application platforms are already providing early implementations of secure Web
services standards to extend their built-in trust features to cover XML.
Viewing the XML security gateway segment from the split between attack protection and
trust enablement functions, the potential future alignments among market segments
become clearer. XML security gateway vendors split into two groups of acquisition targets
(see Figure 4):
Westbridge, as the vendor that has pursued the greatest amount of functionality beyond
secure Web services (such as WSM and its service views) may find additional market
opportunities.
Figure 4 Identity Management And Firewall Vendors Split The XML Security Spoils
[Diagram: a spectrum from “Strong on attack protection” to “Strong on trust enablement”, placing DataPower, Reactivity, Vordel, Forum Systems, Sarvega, Layer 7, and Westbridge along it.]
RECOMMENDATIONS
· You’ll have to map XML security contexts to native security contexts. To allow
your application platform’s native security to be operative, the security token from
· Many attacks come from the inside. Unless Web service requests flow only over
isolated network segments accessible only within a secure data center — and really
even then, too — you should assume that they will come under attack, especially
if they perform high-value transactions. An interesting deployment scenario that
may apply here is to use an XML gateway on both the client and server sides of a
connection.
· An unintentional attack is still an attack. Applications don’t always format
messages properly. Application developers don’t always anticipate the side effects of
their design decisions. The more critical the service, the more valuable strong security
for it becomes.
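As an added illustration (not code from the report or from any vendor it evaluates), the Python pre-screen below shows the kind of gateway-side check that rejects X-Malware as endnote 2 defines it, including the unintentional case of a badly formatted message, before any trust-enablement step runs; the limits and sample messages are constructed.

```python
import xml.parsers.expat

# Limits are constructed example values; a real gateway would expose them as policy settings.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000

class Rejected(Exception):
    """Raised inside a parser handler to abort parsing with a reason code."""

def screen_message(payload: bytes) -> str:
    """Return "accept" or "reject:<reason>"; runs before any authentication or authorization."""
    if len(payload) > MAX_BYTES:
        return "reject:size"
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE (and so any entity declaration) has no place in a service request.
        raise Rejected("doctype")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > MAX_DEPTH:
            raise Rejected("depth")
        if state["elements"] > MAX_ELEMENTS:
            raise Rejected("element-count")

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(payload, True)
    except Rejected as exc:
        return f"reject:{exc}"
    except xml.parsers.expat.ExpatError:
        # Not well-formed: the "unintentional attack" of a mis-formatted message.
        return "reject:malformed"
    return "accept"

# Constructed sample messages (not captured traffic).
GOOD = b"<Envelope><Body><GetBalance><acct>42</acct></GetBalance></Body></Envelope>"
MALFORMED = b"<Envelope><Body><GetBalance></Body></Envelope>"
DEEP = b"<a>" * 40 + b"</a>" * 40
WITH_DTD = b"<!DOCTYPE Envelope><Envelope/>"
```

The reason code is what a gateway would log; the message never reaches the authentication, authorization, or protected-service stages when a check fails.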
SUPPLEMENTAL MATERIAL
Online Resource
Figure 3 is backed by an online spreadsheet that includes seven scorecards, each with
about 40 data points. Readers can use the spreadsheet in their own decision process by:
1) customizing the weightings for personal results; 2) trimming the vendors down to a
shortlist; 3) sharing the results with other team members; and 4) using the criteria set
in RFPs.
Methodology
Forrester conducted this research by starting with creation of Forrester Wave evaluation
criteria for XML security gateways, followed by vendor interviews and documentation
of each vendor’s standing against the criteria. Every vendor was given at least two
opportunities to perform fact checks — reviews of their own evaluation. Users of XML
security gateways were interviewed to supplement and validate assessments.
Companies Interviewed For This Document
ENDNOTES
1 There are five major market segments that provide portions of a comprehensive application security architecture. See the September 25, 2003, Planning Assumption “Market Overview 2003: Application Security Architecture.” Of these five segments, XML security gateways provide both firewall and access control capabilities, and they also provide ties to EASI. See the June 22, 2001 Planning Assumption “Giga’s Model for Enterprise Application Security Integration.”
2 Forrester defines X-Malware as any XML payload that is constructed (intentionally or not) to confuse XML infrastructure into bypassing security or disrupting processing. See the March 9, 2004, Quick Take “Watch Out! X-Malware Is Real.”
3 Note that confidentiality or data integrity requirements may dictate that a message be encrypted through its entire path from client application to server application, so offloading of cryptographic processing is not always the right answer.
4 When Forrester evaluates and ranks the major players in a market, we create a Forrester Wave. It is a research graphic built on an open methodology and a straightforward algorithm that exposes vendor scores, key attributes, and weightings in an interactive spreadsheet.
5 It is the integrated package assessed in the scorecards accompanying this report.