DataPower Secures XML

DataPower Technology Inc. has launched a new security product for users of extensible markup language (XML). And the company is boasting a major customer for the new device (see DataPower Powers XML Security).

The news highlights a small but growing market for wares aimed at improving the security of XML, which increasingly is being used in Web applications, particularly those involving transactions like credit-card approvals and online payments.

While the text-based meta-language of XML allows for a much more flexible and independent exchange of information over the Web, it is also much easier for prying eyes to read; and security threats can lurk deep inside packets, undetectable to traditional security devices. XML users also need a way to authenticate data to make sure that it hasn’t been changed, and signatures are needed to make sure people sending data are who they say they are.

In a study published last year, HTRC Group LLC, a consultancy, cited security as the biggest concern for companies using XML today. "Everybody has to have a security story," says analyst and report author Greg Howard.

Enter DataPower, which offers a hardware-based XML gateway. The XS40, according to DataPower, sits behind the traditional IP firewall, or between different servers inside the enterprise, where it can enforce corporate policies. The box intercepts XML messages sent from users before they reach the application server -- checking, parsing, validating, decrypting, and transforming messages. According to DataPower, its hardware-based approach keeps performance high during a slew of security procedures.

The company says RouteOne, a venture formed by DaimlerChrysler Services AG, Ford Motor Company, GMAC, and Toyota Financial Services to provide a Web-based credit application management system for the auto finance industry, has already deployed an unspecified number of the $65,000 appliances.

DataPower would not specify how much the contract is worth. RouteOne declined to comment on the contract.

DataPower, which was founded in 1999 and has received $10.5 million in funding to date, started life as a maker of devices designed to accelerate the performance of XML in service provider and enterprise networks. Now, like a handful of other companies focused on the XML space, it's turned its attention to security.

DataPower faces a range of challenges, despite its customer win. Competition is one. Two other players, Sarvega Inc. and Forum Systems Inc., already have hardware-based XML security gateways (see Sarvega Accelerates XML). And, of course, their claims are similar.

Another challenge is that standards for securing XML aren't in place yet. At least one source says that could make it harder for DataPower and its competitors to sell their products.

“It’s more of a sales challenge than a technology challenge,” says analyst Ron Schmelzer of ZapThink LLC, a market researcher specializing in XML. In the absence of firm standards, customers may balk, even though DataPower and others make their products flexible enough to accommodate standards changes as they evolve.

DataPower also has would-be rivals in the software arena. The Cambridge, Mass., company faces competition from a long line of software vendors offering security products for XML, including Flamenco Networks, Metapa Inc., MultiNet, Vordel Ltd., and WestBridge Technology Inc.

But DataPower insists that software products are no match for the XS40, which incorporates the company’s experience offering XML acceleration with its earlier acceleration gateway, the XA35 product. Schmelzer of ZapThink agrees: "The big difference between XML security and IP-level security is that you have to inspect the content,” Schmelzer says. “That’s very processor intensive… Eventually, this is going to have to be in hardware.”

Of course, the software versions of XML security have their benefits as well. Schmelzer points out that software is more easily deployed and much more granular than hardware. It can be embedded with the application server and doesn’t have to be installed at the data center. “With hardware, you don’t have the same level of integration,” he says.

Observers say they expect the larger equipment vendors to wait on the sidelines a bit longer before deciding whether to create their own XML deep-packet intelligence, security, or acceleration technologies, or to start buying up some of the smaller companies already out there.

— Eugénie Larson, Reporter, Light Reading
Be the first to post a comment regarding this story.
Sign In