Feature
Be Nimble, But Be Safe

April 3, 2003
By Lori MacVittie

Too Good To Be True?

Sounds great. But industry experts agree that security is a major source of angst. "Security is the primary and most immediate roadblock to Web services adoption today," says Ronald Schmelzer, senior analyst with ZapThink, a research firm focused on XML and Web services. "It's not simply because XML is text-based and sent over transparent protocols like HTTP. Common encryption technologies like SSL can solve that problem. The bigger problem is one of authentication and authorization."

This is the crux of the problem: WSDL provides a human-readable pointer into your internal business process and data structures--possibly exposing juicy field-level details such as credit card and authorization numbers and shipping addresses. With a single WSDL file, anyone can see what services you have available and, worse, how to access them. With such information readily available, it's imperative that services are invoked by authorized users only.

Consider, too, your B2B Web services. You don't want just anyone submitting purchase orders or invoices. You need to keep firm control over access and ensure you have a way to audit who has been making use of your Web services.

While SSL is commonly accepted as the best way to keep prying eyes from your data during transport, it is not a panacea. SSL protects a transaction only while it is in transit. Unless you're taking advantage of client-side certificates to authenticate the consumer of a Web service, SSL is not going to provide the needed level of security.

Several standards attempt to address these security concerns, although some are still works in progress. WS-Security, XML-SIG and XML-Encryption are among the earliest such specifications. WS-Security (now under OASIS) introduces a set of SOAP (Simple Object Access Protocol) extensions that can be used to implement message-level security. WS-Security aims to define a framework for basic Web services security. It does not, in and of itself, comprise a complete security solution; designed simply to assist in building a secure system, WS-Security can be successful only when used in concert with other security products, such as X.509 certificates.

XML-Encryption defines a mechanism for securing the actual data being exchanged--down to the element level, if necessary. Using this standard, you can encrypt small, single data elements. And XML-SIG describes how individual elements or entire XML documents can be digitally signed to provide nonrepudiation.

Yet none of these standards addresses the real issue of securing individual services, because none prevents an unauthorized user from invoking a service. This type of security needs to be integrated at the code level or, ideally, managed by an external system designed to secure Web services at several levels. Appliances and software like those from DataPower, Reactivity and Westbridge Technologies offer a single point of entry to Web services in the enterprise. This approach provides a centralized point at which Web services can be secured via your existing security infrastructure. In addition, you'd have the capability of keeping detailed logs on the use of your Web services. While Web services platforms can provide the level of detail necessary, this generally involves modifying the underlying code.

Web services security breaks down into four distinct categories:

• Secure Transport: Shields data from prying eyes
  a) SSL--at the network level
  b) XML-Encryption--at the data level

• Data Integrity: Ensures data is unchanged in transit
  a) XML-Encryption--Encrypts data and uses a checksum to ensure integrity
  b) XML-SIG--Signs elements or documents and provides nonrepudiation

• Authentication: Identification of the client
  a) WS-Security--Token-based identification
  b) SSL--Client-side digital certificates

• Authorization: Determines client access to services
  a) WS-Security--Message-level access, tokens

The potential for disaster here is huge, including the possible violation of federal regulations in some organizations, so build your Web services infrastructure with security in mind from day one.
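The single point of entry described above, and the authentication and authorization rows of the list, as an added example in Python: a small gateway function that validates a WS-Security UsernameToken in the SOAP header, decides per operation whether that user may invoke the service, and writes an audit record for every decision. This is not the article's code and not any vendor's product. It uses the OASIS WSS 1.0 UsernameToken profile (PasswordDigest = Base64(SHA-1(nonce + created + password))) and SOAP 1.1 namespaces, which post-date the article; the users, passwords, operation names, the envelope and the access-control table are constructed for the example.

```python
import base64
import hashlib
import hmac
import logging
import xml.etree.ElementTree as ET

# Namespaces: SOAP 1.1 and the OASIS WSS 1.0 (2004) secext / utility schemas.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Constructed credential store and per-user operation list (hypothetical users and
# operations). A real gateway would consult the existing directory / policy server.
PASSWORDS = {"alice": "s3cret-alice", "bob": "s3cret-bob"}
ALLOWED_OPS = {"alice": {"GetOrderStatus", "SubmitPurchaseOrder"},
               "bob": {"GetOrderStatus"}}

audit = logging.getLogger("ws-gateway")


class AuthError(Exception):
    """Any reason the request must be refused before it reaches a service."""


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WSS UsernameToken profile: Base64(SHA-1(nonce + created + password)),
    where nonce is the decoded bytes of the base64 Nonce element."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def authenticate(envelope: ET.Element, seen_nonces: set) -> str:
    """Validate the wsse:UsernameToken in the SOAP header and return the user name."""
    token = envelope.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        raise AuthError("no UsernameToken")
    user = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if pw is None or pw.get("Type") != DIGEST_TYPE or not (user and nonce and created):
        raise AuthError("only PasswordDigest tokens with Nonce and Created are accepted")
    if user not in PASSWORDS:
        raise AuthError("unknown user")
    # Replay protection: each nonce is accepted once. A production gateway also
    # rejects Created timestamps outside a short window so the nonce cache stays bounded.
    if nonce in seen_nonces:
        raise AuthError("replayed nonce")
    expected = password_digest(nonce, created, PASSWORDS[user])
    if not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        raise AuthError("bad password digest")
    seen_nonces.add(nonce)
    return user


def operation_name(envelope: ET.Element) -> str:
    """The requested operation is the first child of soap:Body (document/literal style)."""
    body = envelope.find(f"{{{SOAP}}}Body")
    if body is None or len(body) == 0:
        raise AuthError("empty body")
    return body[0].tag.split("}")[-1]


def gateway(soap_xml: str, seen_nonces: set) -> tuple:
    """Single point of entry: returns (allowed, user, operation) and logs every decision."""
    env = ET.fromstring(soap_xml)  # a real gateway also caps message size before parsing
    op = user = None
    try:
        op = operation_name(env)
        user = authenticate(env, seen_nonces)
    except AuthError as e:
        audit.warning("DENY user=%s op=%s reason=%s", user, op, e)
        return (False, None, op)
    allowed = op in ALLOWED_OPS.get(user, set())
    audit.info("%s user=%s op=%s", "ALLOW" if allowed else "DENY", user, op)
    return (allowed, user, op)


def build_request(user: str, password: str, op: str, nonce_b64: str = "c2FtcGxlLW5vbmNl",
                  created: str = "2003-04-03T12:00:00Z") -> str:
    """Constructed client side: the envelope a caller would send. Nonce and timestamp are
    fixed here only so the example is reproducible; real clients use a fresh random nonce."""
    digest = password_digest(nonce_b64, created, password)
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>
        <wsse:Nonce>{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><{op} xmlns="urn:example:orders"/></soap:Body>
</soap:Envelope>"""
```

Calling gateway(build_request("alice", "s3cret-alice", "SubmitPurchaseOrder"), set()) returns (True, "alice", "SubmitPurchaseOrder"); the same request from bob authenticates but is refused because the operation is not in his list, and a second submission with the same nonce is refused as a replay. Note what the token does not do: it neither encrypts nor signs the body, so this check covers only the authentication and authorization rows above, and the message still needs SSL in transit or XML-Encryption and XML-SIG for the first two rows.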