Wave XML Security Gateways

  • 8/8/2019 Wave XML Security Gateways

    1/16

    March 29, 2004

    Forrester Wave: XML Security Gateways
    by Randy Heffner

    TECH CHOICES

    Helping Business Thrive On Technology Change

    © 2004, Forrester Research, Inc. All rights reserved. Forrester, Forrester Oval Program, Forrester Wave, WholeView 2, Technographics, and TechRankings are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, go to www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints of this document, please email [email protected].

    EXECUTIVE SUMMARY

    Growing Web services adoption is driving demand for secure Web services. XML security gateways offer a quick-hit solution perfect for high-priority projects operating on a tight schedule. But it is critical to look at the early market in the broader context of application security architecture. Within three or four years, XML security gateways will disappear into firewalls and identity management. In the meantime, users can benefit from their integrated package of attack protection, trust enablement, and message processing acceleration. Forum Systems and DataPower Technology hold a slight edge, but others have unique value-add that may tip a buyer's decision in their favor. Don't be afraid to buy in, but start with a clear understanding of your application security requirements and architecture.

    TABLE OF CONTENTS

    Serious Web Services Need Security Architecture
    XML Security Gateways Are A Fast-Path Solution
    It's An Early Market For XML Security Gateways
    A Quantitative Assessment Of XML Security Gateways
    Two Early Leaders Have A Slight Edge On The Pack . . .
    But Every Vendor Has Some Unique Value-Add
    Future View: What Is The Exit Strategy?
    XML Firewall And Gateway Packaging Will Split
    Identity And Firewall Vendors Split The Spoils
    RECOMMENDATIONS
    Take A Tactical Decision Stance
    Don't Fear Less-Established Vendors
    Have A Clear View of Security Requirements
    For Heavy Application Security Requirements
    For Broadly Accessible External Web Services
    Remember Friendly Fire
    Supplemental Material

    NOTES & RESOURCES

    Forrester interviewed 15 vendor and user companies, including: Aeroplan, AmberPoint, Blue Titan Software, Entrust, Government of British Columbia, Oblix, and the seven XML security gateway vendors included in the evaluation.

    Related Research Documents

    Watch Out! X-Malware Is Real
    March 9, 2004, Quick Take

    Secure Web Services: Current and Future Architectures
    January 8, 2004, Planning Assumption

    Secure Web Services: Functional Design Priorities
    January 8, 2004, Planning Assumption

    Market Overview 2004: Web Services Solutions
    December 22, 2003, Planning Assumption

    Market Overview 2003: Application Security Architecture
    September 25, 2003, Planning Assumption

    March 29, 2004

    Forrester Wave: XML Security Gateways
    A Question Of Exit Strategy
    by Randy Heffner
    with Ted Schadler and Carey E. Schwaber

    Tech Choices | Forrester Wave: XML Security Gateways

    © 2004, Forrester Research, Inc. Reproduction Prohibited. March 29, 2004

    SERIOUS WEB SERVICES NEED SECURITY ARCHITECTURE

    Application developers building new Web services too often approach security with a limited mindset focused on their immediate requirements rather than on the broader context of application security architecture (see Figure 1).1 But these new Web services applications are really only creating a new access channel. After all, the underlying business services will also be accessed via Web applications, rich-client applications, interactive voice response systems, mobile applications, and any number of other interaction channels. That means that IT should secure the Web services channel within a broader security context to achieve:

    • Unified, consistent access policy for business services. Inconsistencies can easily arise when access policy for Web services is managed separately from access policy for other channels. This is especially troublesome when a given user base accesses the same underlying services through a variety of interaction channels.

    • Stronger access control for business services. A separate secure Web services architecture may not integrate well with the security features of the underlying application platform on which services run. This may require that the underlying application platforms run business services in a relatively open access mode, relying entirely on the secure Web services layer for its security, while also having a separate security architecture for every other access channel.

    • Better planning for evolving security solutions. Even if cost or product maturity issues drive tactical compromises on access policy management or access control, planning current implementations within a broad application security architecture enables today's product and design decisions to evolve more cleanly into a future strategic security architecture.

    XML Security Gateways Are A Fast-Path Solution

    But Web services are a new access channel with a new set of technologies that require new solutions focused on securing XML messages and Web services endpoints. New vendors have stepped into this vacuum with dedicated products that Forrester calls XML security gateways. Ranging in cost from $30,000 to $55,000, these products provide:

    • Attack protection. XML-based applications are vulnerable to attacks based on message rates (such as a flood of messages in a denial of service attack), message flow (such as a message replay attack), and X-Malware (malicious or malformed XML messages).2 Attack protection features inspect incoming messages for these attacks and reject messages or block message senders. The term XML firewall applies only to these features, not to the rest of an XML security gateway's features.

    Figure 1 Understanding Application Security Architecture Solutions

    1-1 Application security architecture solution space (diagram; labels: Application platform A, Application platform B, Application security firewalls and gateways, Access infrastructure and SSO, Security libraries and frameworks, Enterprise application security integration, Code security)

    1-2 Application security architecture -- major market segments

    • Market segment: Access infrastructure and single sign-on. Description: Ensures that an incoming request does not get to an application unless it is an authorized request from an authenticated user. Sample vendors: Application platforms: BEA Systems, IBM, Microsoft. Web SSO: CA, Entrust, Netegrity, Novell, Oblix, RSA Security.

    • Market segment: Application firewalls and security gateways. Description: Prevents malformed or malicious requests from reaching the application; may also serve as access infrastructure. Sample vendors: Web application firewalls: KaVaDo, NetContinuum, Sanctum, Teros. XML security gateways: DataPower, Forum, Layer 7, Reactivity, Sarvega, Vordel, Westbridge.

    • Market segment: Enterprise application security integration. Description: Brokers security functions across diverse application security technologies (e.g., between Java and Microsoft platforms). Sample vendors: BEA Systems, Quadrasis.

    • Market segment: Code security. Description: Tools and technologies to either identify application vulnerabilities or to make an application more difficult to compromise. Sample vendors: Aspose, Cenzic, eEye, Foundstone, KaVaDo, Nessus (open source), Parasoft, PreEmptive Solutions, Sanctum, SPI Dynamics.

    • Market segment: Libraries and frameworks. Description: For application-level implementation of various customized security features and capabilities. Sample vendors: Certicom, Entrust, Phaos Technology, RSA Security.

    Source: Forrester Research, Inc.

    • Trust enablement. If one describes attack protection as keeping the bad guys out, then trust enablement is letting the good guys in. Authentication of the requester's identity is first, then authorization of the request. Other major trust features are administration, audit/logging, and security integration.

    • Cryptographic and XML acceleration. Cryptography is a major element of XML and Web services security, and it is a heavy processing load to place on an application server. XML security gateways reduce the load in two ways. First, they provide an adjunct processor to remove the load from the server.3 Second, they may include cryptographic hardware to reduce processing time. Similar arguments go for acceleration of XML processing such as Extensible Stylesheet Language Transformations (XSLT) transforms and evaluation of XPath expressions.
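
The attack-protection checks named in the list above (message rate, message flow, X-Malware), sketched as a single inspection stage that accepts or rejects each inbound message. This is an added example, not code from the report or from any vendor's product; the class name, the limits and the `MessageID` header element are assumptions.

```python
import xml.parsers.expat
from collections import defaultdict, deque


class Rejected(Exception):
    """Raised from a parser callback; the message is the reject reason."""


class XmlInspector:
    """Added illustration; class name, limits and header name are assumptions."""

    def __init__(self, rate_limit=5, rate_window=1.0, replay_window=300.0,
                 max_bytes=64 * 1024, max_depth=32, max_elements=5000):
        self.rate_limit, self.rate_window = rate_limit, rate_window
        self.replay_window = replay_window
        self.max_bytes, self.max_depth = max_bytes, max_depth
        self.max_elements = max_elements
        self.arrivals = defaultdict(deque)  # sender -> recent arrival times
        self.seen_ids = {}                  # message id -> first arrival time

    def inspect(self, sender, message, now):
        """Return "accept" or "reject:<reason>" for one inbound message."""
        # 1. Message rate: sliding window of arrival times per sender.
        recent = self.arrivals[sender]
        while recent and now - recent[0] >= self.rate_window:
            recent.popleft()
        if len(recent) >= self.rate_limit:
            return "reject:rate"
        recent.append(now)

        # 2. X-Malware: oversized, malformed, DTD-bearing or deeply nested XML.
        if len(message) > self.max_bytes:
            return "reject:size"
        try:
            msg_id = self.scan(message)
        except Rejected as why:
            return "reject:%s" % why
        except xml.parsers.expat.ExpatError:
            return "reject:malformed"
        if not msg_id:
            return "reject:no-message-id"

        # 3. Message flow: an id already seen inside the window is a replay.
        expired = [k for k, t in self.seen_ids.items()
                   if now - t > self.replay_window]
        for key in expired:
            del self.seen_ids[key]
        if msg_id in self.seen_ids:
            return "reject:replay"
        self.seen_ids[msg_id] = now
        return "accept"

    def scan(self, message):
        """Stream the document through expat and return its MessageID text."""
        state = {"depth": 0, "elements": 0, "in_id": False, "id": []}

        def on_doctype(name, system_id, public_id, has_internal_subset):
            # Entity-expansion and external-entity payloads need a DTD.
            raise Rejected("dtd")

        def on_start(name, attrs):
            state["depth"] += 1
            state["elements"] += 1
            if state["depth"] > self.max_depth:
                raise Rejected("depth")
            if state["elements"] > self.max_elements:
                raise Rejected("elements")
            if name.rsplit(":", 1)[-1] == "MessageID":  # ignore any prefix
                state["in_id"] = True

        def on_end(name):
            state["depth"] -= 1
            state["in_id"] = False

        def on_text(data):
            if state["in_id"]:
                state["id"].append(data)

        parser = xml.parsers.expat.ParserCreate()
        parser.StartDoctypeDeclHandler = on_doctype
        parser.StartElementHandler = on_start
        parser.EndElementHandler = on_end
        parser.CharacterDataHandler = on_text
        parser.Parse(message, True)
        return "".join(state["id"]).strip()


def sample_message(msg_id, body="<Ping/>"):
    """Constructed sample input, not a capture from any real service."""
    return ("<Envelope><Header><MessageID>%s</MessageID></Header>"
            "<Body>%s</Body></Envelope>" % (msg_id, body)).encode("utf-8")


if __name__ == "__main__":
    gateway = XmlInspector()
    print(gateway.inspect("partner-a", sample_message("m1"), now=0.0))
    print(gateway.inspect("partner-a", sample_message("m1"), now=5.0))
```

Expiring message ids after the replay window is only safe when messages older than that window are also refused, which needs a signed timestamp check that this sketch leaves out.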

    XML gateways can integrate to varying degrees with existing security infrastructure, but they can also be deployed in a standalone mode, providing a relatively simple drop-in solution (see Figure 2). Thus, with the right planning and product selection, you can get up and running quickly with a standalone deployment, and over time integrate more deeply with your application security architecture.

    It's An Early Market For XML Security Gateways

    The market for XML security gateways is only now starting to build momentum. So, even though deployment of an XML security gateway can be either tactical or strategic (that is, standalone or integrated), any purchase of an XML gateway must be viewed as a tactical decision. This is clear when you consider that:

    • There are no big players. All of the vendors are startups and few have more than a handful of paying customers. Each has a particular product focus, all are rapidly expanding their products' features and functions, and it is not yet clear which features buyers will consider most important. Some vendors are showing early product or market strengths, but this could change quickly as the market develops.

    • The market segment itself is not well established. As a market segment, XML security gateways will face future questions as to their relationship to several other product categories -- portions of their functionality and deployment modes overlap with or are similar to Web application firewalls, network firewalls, Web services management, Web single sign-on (SSO), and application platforms. There are already vendor moves that blur the lines of these segments, and much more change is yet to come.

    Figure 2 XML Security Gateway Deployment: Standalone Versus Integrated

    A QUANTITATIVE ASSESSMENT OF XML SECURITY GATEWAYS

    Forrester evaluated the seven major players in the XML security gateway space using the Forrester Wave methodology (see Figure 3).4

    Two Early Leaders Have A Slight Edge On The Pack . . .

    Although no vendor has an across-the-board lead on current offering, future strategy, and market presence, Forum Systems and DataPower Technology have a slight lead over the others. Both claim to have more than 15 customers for their gateways, which qualifies as a lot in this market. Other ways in which they distinguish themselves include:

    • Forum Systems has the best product packaging strategy. While some gateways are offered in appliance and software-only form factors, Forum adds a third form factor, PCI card, and it packages its XML firewall as a separate product, XWall, from its XML security gateway, Sentry. Both support acceleration, and the two can be delivered together in an integrated package.5 Forum also has a third product, Presidio, an Open Pretty Good Privacy (OpenPGP) security gateway. Multiple products and form factors provide flexibility for user deployment and for Forum's adaptation to future market changes. In addition, Forum has competitive functionality across most of our evaluation criteria.

    Source: Forrester Research, Inc.

    [Figure 2 diagram labels. Standalone: Web service client, standalone XML security gateway, users, policy, protected Web service. Integrated: Web service client, integrated XML security gateway, existing users, existing policy, security context, protected Web service.]

    • DataPower has strong integration for security and management. Although DataPower has only an appliance form factor, it has invested heavily to integrate its gateway with existing infrastructure. For security integration, DataPower's XS40 can delegate authentication and authorization decisions to Web SSO and identity management products like Netegrity SiteMinder, Tivoli Access Manager, and Sun Identity Server. It has full APIs for custom integration and an SNMP implementation that is complete with standard and DataPower-specific management information bases (MIBs). It also integrates with upstream devices, such as load balancers, to block malicious traffic before it even gets to the gateway. All of this adds up to the strongest overall current feature set.

    . . . But Every Vendor Has Some Unique Value-Add

    XML security gateway vendors are showing their creativity in the breadth of features and functions that they are implementing. This gives you the opportunity to find a product that closely matches the specific requirements of your environment and applications. Since the market will be evolving rapidly in the next two to three years, there is a large risk that any purchase will soon be obsolete, so you may well have to change products no matter what you buy. The major ways in which the other gateway vendors distinguish themselves are:

    • Westbridge Technology balances attack protection, trust, and management. Westbridge's XML Message Server has one of the strongest current offerings in terms of all around balanced feature-function. In addition to strong attack protection and comprehensive trust enablement features, Westbridge has basic Web services management (WSM) capabilities, which may prevent having to buy a separate WSM product. Other highlights include highly flexible logging, strong decision delegation, software-only and appliance form factors, the ability to define multiple views over a single underlying service (service views as Westbridge calls them), and a plug-in for secure Web services access from Microsoft Excel. Service views and the Excel plug-in are features unique to Westbridge.

    • Vordel understands deep application security integration. VordelSecure features an agent-based architecture and agent API that enables deep security integration between the gateway and Web services endpoints. For sensitive services or when a service is accessed through multiple channels, it is not acceptable to leave security entirely up to a front-end gateway -- the application platform underlying the service must know the requestor's identity and perform its own authorization checks. Using Vordel's agent API, you can more easily maintain a continuous security context between your Web services channel and the native security of your underlying application platform. Vordel focuses more heavily on trust enablement but provides basic attack protection as well.

    Figure 3 Forrester Wave: XML Security Gateways, Q1 04

    • Sarvega has strong features and a strong commitment to standards. Sarvega is among the vendors most willing to implement standards early and to make firm statements about the emerging standards it will support. It is currently shipping early implementations of WS-Addressing and WS-Routing, and it is committed to future implementation of Kerberos, XML Key Management Specification (XKMS), and Liberty Web Services Framework, as well as WS-Policy, WS-SecurityPolicy, and the rest of the IBM-Microsoft WS-Security road map. Sarvega's XML Guardian Security Gateway provides message transformation and routing, complete APIs for custom integration, cluster-aware configuration, and prebuilt management integration with Unicenter and Tivoli. Future releases will strengthen Sarvega's decision delegation and credential propagation features.

    Source: Forrester Research, Inc.

    [Figure 3 chart labels. Axes: Current offering (weak to strong), Strategy (weak to strong); Market presence. Bands: Risky Bets, Contenders, Strong Performers, Leaders. Vendors plotted: Vordel, Layer 7 Technologies, Sarvega, Forum Systems, Westbridge Technology, Reactivity, DataPower Technology.]

    The spreadsheet detailing this Forrester Wave is available online.

    • Reactivity has the best attack protection. Reactivity's design has focused heavily on attack protection and its XML Firewall features multiple ways to detect a denial of service attack and it can automatically update attack processing logic. Reactivity's integration of Tarari's XML acceleration hardware will likely be the first to make it to market in an XML security gateway. Other notable strengths include authorization, administration tools, and flexible, secure logging. Future releases will include a software development kit for custom product extensions and decision delegation to Web SSO and identity management products.

    • Layer 7 Technologies excels for end-to-end integration scenarios. One of the challenges of secure Web services is that the client and server must be configured to use the same security connection policies. The emerging WS-Policy standard will provide a protocol for negotiating connection parameters, but even then both sides must support a common set of connection capabilities and policies. Layer 7's trust enablement features support a broader vision around secure end-to-end integration, so it tackles this problem head-on. SecureSpan provides a client-side agent that communicates with the gateway to maintain consistent connection policy. This provides strong trust for situations where you have influence over both ends of an integration connection. As the most recent vendor to enter the market, Layer 7 is still early in its product development.

    FUTURE VIEW: WHAT IS THE EXIT STRATEGY?

    For venture-funded startup companies, the question for venture capitalists is always, "What will be our exit strategy?" VCs want to know how they will extract the financial value the company has built. For the XML security gateway space, the question goes beyond a VC's financial view to reflect a critical question about the future of the market segment itself. Because of overlapping and similar features and deployment models between XML gateways and other market segments, and because each new infrastructure device adds complexity to the data center environment, XML security vendors are wise to ask, "What will be our exit strategy as the XML security gateway market dissolves into other segments?"

    XML Firewall And Gateway Packaging Will Split

    The three major functions of XML gateways, attack protection, trust enablement, and acceleration, are all important functions that require XML-specific product functionality. This makes it a sure thing that these functions will remain. It also argues that the intellectual property being created by the gateway vendors has real market value over the long term. But it doesn't mean that XML gateway vendors' current go-to-market product packaging of these functions is the right one for the long term.

    Within three or four years, the XML security gateway market will not exist in its current form. The current overriding need for a quick solution to secure Web services will give way to longer-term demands for integrated application security architecture and infrastructure. As IT seeks security unification and infrastructure simplification, the attack and trust functions of XML gateways will be pulled apart. From the user side, this will happen because:

    • Trust features have affinity with users and applications. Trust requires knowing users' identities and must be closely integrated with application policy. To achieve unified identity and trust management across all users and application access channels, XML trust enablement functions must be closely integrated with identity management and application platforms.

    • Attack protection features have affinity with infrastructure. Attack protection is anonymous by its very nature, and it is best handled before a malicious request reaches an application. Thus, it is natural for XML attack protection capabilities to be integrated with network and infrastructure security.

    Therefore, as users pursue integration and unification, they will move to pull XML security into their existing architectures for application-level and infrastructure-level security, rather than segregating XML security into its own separate top-to-bottom domain.

    Identity And Firewall Vendors Split The Spoils

    From the vendor side, the same forces are at work because:

    • Firewall vendors are looking for new territory. Attack protection has long been the domain of network firewall and intrusion detection vendors -- XML presents a new opportunity for them, as it does for Web application firewall vendors. Not that it is simple for them to take on X-Malware protection -- XML attack checking is notably different from their traditional strengths -- but network firewalls are already reaching up to the application layer, Web application firewalls are already reaching into XML, and more is yet to come.

    • Identity and application platforms need deep trust features. Web SSO vendors long ago extended their authentication and authorization architectures to go beyond protecting HTTP requests to integrate deeply with J2EE application servers -- XML presents enticing new territory for them, as exemplified by Netegrity's TransactionMinder and Oblix's recent purchase of Confluent. Java and Microsoft application platforms are already providing early implementations of secure Web services standards to extend their built-in trust features to cover XML.

    • Acceleration will be available everywhere. Although cryptography acceleration and XML acceleration vendors are not about to encroach on XML gateway vendors' territory, they are happy to enable their chips to be deployed into as many different devices as possible. This lessens the value of a separate XML security device because, wherever XML and cryptographic processing occur, a chip will be available to accelerate it.

    Viewing the XML security gateway segment from the split between attack protection and trust enablement functions, the potential future alignments among market segments become clearer. XML security gateway vendors split into two groups of acquisition targets (see Figure 4):

    • Firewall acquisition targets. Vendors with a strong focus on attack protection become interesting targets for acquisition by network firewall vendors or merger with Web application firewall vendors. In this category are Forum Systems, DataPower, Reactivity, Sarvega, and Westbridge.

    • Identity management acquisition targets. Vendors with a heavy focus on security integration and core trust features become interesting targets for identity management vendors. In this category are DataPower, Forum Systems, Layer 7, Vordel, and Westbridge.

    Westbridge, as the vendor that has pursued the greatest amount of functionality beyond secure Web services (such as WSM and its service views), may find additional market opportunities.

    Figure 4 Identity Management And Firewall Vendors Split The XML Security Spoils

    Source: Forrester Research, Inc.

    [Figure 4 diagram labels. Groups: Strong on attack protection (Firewall vendors), Strong on trust enablement (Identity management vendors). Vendors shown: DataPower, Sarvega, Westbridge, Forum Systems, Reactivity, Vordel, Layer 7.]

    RECOMMENDATIONS

    TAKE A TACTICAL DECISION STANCE

    Any purchase of an XML security gateway should be viewed as a tactical step. Forrester recommends a 12-month payback target (or 24-month at most). The coming churn in the market segment will sideline some vendors and find others refactoring their products and integrating them with other product types. In any case, there is a strong possibility that the vendor's direction and your future needs will diverge, and you don't want to get caught having to toss a solution out before it has paid for itself.

    Don't Fear Less-Established Vendors

    Although Forum Systems and DataPower Technology have a slight lead, none of the vendors are beyond the high-risk startup stage, so any decision is to go with a less-established vendor. Considering the above recommendation to stay tactical, you are more likely to pay for a solution quickly if it has a strong match with your unique requirements. If your vendor fails in a year, a migration to another vendor will have some pain to it, but by then other vendors are likely to have implemented the special features that drove you to your first vendor.

    HAVE A CLEAR VIEW OF SECURITY REQUIREMENTS

    Secure Web services is only one part of the complete security requirements of your applications. Slapping an XML security gateway product in front of an application will not ensure adequate or appropriate application security. Your current and future plans for your Web services and your applications will have a major impact on your XML security gateway decision.

    For Heavy Application Security Requirements

    The accountability requirements and sensitivity of the underlying services drive the depth of application security architecture you should implement. In addition, it is important to consider whether the services will be accessible only through Web services or through other channels as well. High sensitivity, stringent accountability requirements, and multichannel access all drive the need for an application platform's native security to be operative, so that it can closely and consistently control application security. If the application platform's security is supplanted by a drop-in XML gateway solution, it is more difficult to construct a clean audit trail and enforce policy consistently across multiple channels. If you have heavy security requirements:

    • You'll have to map XML security contexts to native security contexts. To allow your application platform's native security to be operative, the security token from an incoming message must be mapped to native security contexts (for example, mapping an X.509 certificate to an EJB session context). This may require custom integration work.

    • Consider XML security gateways with strong security integration. Vordel has the best feature set for deep application platform integration, but even it does not provide a complete solution. DataPower, Forum Systems, and Reactivity all have strong credential mapping features that may help as well, although you will have to write all of your own agent code.

    For Broadly Accessible External Web Services

    External Web services are more risky because of the open exposure to potential attackers. If your external services are exposed to a small set of partners, you can likely exchange digital certificates with all your partners and use bidirectional SSL authentication as part of your security strategy. This will prevent unknown attackers from even establishing a connection (unless, of course, an attacker gets a hold of one of your partners' certificates and private keys, which is certainly a possibility). If certificate management presents too high a cost barrier or if you will have publicly accessible Web services, you:

    • Must provide strong X-Malware protection. If attackers can establish connections, they can experiment with any type of X-Malware to see what damage they can do.

    • Should favor XML security gateways with strong attack protection. DataPower, Reactivity, and Westbridge are top of the list here.

    Remember Friendly Fire

    Even if your Web services are accessible only by internal users and highly trusted partners, remember that:

    • Many attacks come from the inside. Unless Web service requests flow only over isolated network segments accessible only within a secure data center -- and really even then, too -- you should assume that they will come under attack, especially if they perform high-value transactions. An interesting deployment scenario that may apply here is to use an XML gateway on both the client and server sides of a connection.

    • An unintentional attack is still an attack. Applications don't always format messages properly. Application developers don't always anticipate the side effects of their design decisions. The higher the criticality of the service, the more valuable it is to have strong security for it.

    SUPPLEMENTAL MATERIAL

    Online Resource

    Figure 3 is backed by an online spreadsheet that includes seven scorecards, each with about 40 data points. Readers can use the spreadsheet in their own decision process by: 1) customizing the weightings for personal results; 2) trimming the vendors down to a shortlist; 3) sharing the results with other team members; and 4) using the criteria set in RFPs.

    Methodology

    Forrester conducted this research by starting with creation of Forrester Wave evaluation criteria for XML security gateways, followed by vendor interviews and documentation of each vendor's standing against the criteria. Every vendor was given at least two opportunities to perform fact checks -- reviews of their own evaluation. Users of XML security gateways were interviewed to supplement and validate assessments.

    Companies Interviewed For This Document

    Actional

    Aeroplan

    AmberPoint

    Blue Titan Software

    DataPower Technology

    Entrust

    Forum Systems

    Layer 7 Technologies

    Ministry of Attorney General, Government of British Columbia

    Oblix

    Reactivity

    Sarvega

    Teros

    Vordel

    Westbridge Technology

    ENDNOTES

    1 There are five major market segments that provide portions of a comprehensive application security architecture. See the September 25, 2003, Planning Assumption "Market Overview 2003: Application Security Architecture." Of these five segments, XML security gateways provide both firewall and access control capabilities, and they also provide ties to EASI. See the June 22, 2001 Planning Assumption "Giga's Model for Enterprise Application Security Integration."

    2 Forrester defines X-Malware as any XML payload that is constructed (intentionally or not) to confuse XML infrastructure into bypassing security or disrupting processing. See the March 9, 2004, Quick Take "Watch Out! X-Malware Is Real."

    3 Note that confidentiality or data integrity requirements may dictate that a message be encrypted through its entire path from client application to server application, so offloading of cryptographic processing is not always the right answer.

    4 When Forrester evaluates and ranks the major players in a market, we create a Forrester Wave. It is a research graphic built on an open methodology and a straightforward algorithm that exposes vendor scores, key attributes, and weightings in an interactive spreadsheet.

    5 It is the integrated package assessed in the scorecards accompanying this report.
