While SSL is commonly accepted as the best way to keep prying eyes from your data during transport, it is not a panacea. SSL protects a transaction only while it is in transit. Unless you're taking advantage of client-side certificates to authenticate the consumer of a Web service, SSL is not going to provide the needed level of security.
Several standards attempt to address these security concerns, although some are still works in progress. WS-Security, XML-SIG and XML-Encryption are among the earliest such specifications. WS-Security (now under OASIS) introduces a set of SOAP (Simple Object Access Protocol) extensions that can be used to implement message-level security. WS-Security aims to define a framework for basic Web services security. It does not, in and of itself, comprise a complete security solution; designed simply to assist in building a secure system, WS-Security can be successful only when used in concert with other security products, such as X.509 certificates.
XML-Encryption defines a mechanism for securing the actual data being exchanged--down to the element level, if necessary. Using this standard, you can encrypt small, single data elements. And XML-SIG describes how individual elements or entire XML documents can be digitally signed to provide nonrepudiation.
Yet none of these standards addresses the real issue of securing individual services, because none prevents an unauthorized user from invoking a service. This type of security needs to be integrated at the code level or, ideally, managed by an external system designed to secure Web services at several levels. Appliances and software like those from DataPower, Reactivity and Westbridge Technologies offer a single point of entry to Web services in the enterprise. This approach provides a centralized point at which Web services can be secured via your existing security infrastructure. In addition, you'd have the capability of keeping detailed logs on the use of your Web services. While Web services platforms can provide the level of detail necessary, this generally involves modifying the underlying code.
Web services security breaks down into four distinct categories:
Secure Transport: Shields data from prying eyes
a) SSL--At the network level
b) XML-Encryption--At the data level
Data Integrity: Ensures data is unchanged in transit
a) XML-Encryption--Encrypts data and uses a checksum to ensure integrity
b) XML-SIG--Signs elements or documents and provides nonrepudiation
Authentication: Identifies the client
a) WS-Security--Token-based identification
b) SSL--Client-side digital certificates
Authorization: Determines client access to services
a) WS-Security--Message-level access, tokens
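The Authentication and Authorization categories above, and the gap described earlier (nothing in the standards themselves stops an unauthorized caller from invoking a service), are what a gateway check in front of the service has to close. The following is an added example, not code from this article or from any of the vendors it names: it reads the WS-Security UsernameToken from a SOAP 1.1 header, verifies the PasswordDigest form defined by the UsernameToken Profile, then applies a per-user operation policy. The credential store, the policy, the account names and the `urn:example:quotes` service namespace are constructed for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

# Constructed credential store and per-user operation policy (hypothetical, not real accounts).
PASSWORDS = {"alice": "s3cret"}
ALLOWED_OPS = {"alice": {"GetQuote"}}

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def authorize(envelope_xml):
    """Return (allowed, reason); the reason is what a gateway would write to its access log."""
    root = ET.fromstring(envelope_xml)
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "rejected: no wsse:UsernameToken in header"
    user = tok.findtext(f"{{{WSSE}}}Username")
    pwd = tok.find(f"{{{WSSE}}}Password")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    # Only the digest form is accepted; a PasswordText token over plain HTTP leaks the credential.
    if pwd is None or pwd.get("Type") != DIGEST_TYPE or not (nonce and created):
        return False, "rejected: missing or non-digest password token"
    # A production gateway would also reject a Nonce seen before and a stale Created timestamp.
    expected = password_digest(nonce, created, PASSWORDS.get(user, ""))
    if user not in PASSWORDS or not hmac.compare_digest(expected, pwd.text or ""):
        return False, "rejected: authentication failed"
    body = root.find(f"{{{SOAP}}}Body")
    op = body[0].tag.split("}")[-1] if body is not None and len(body) else None
    if op not in ALLOWED_OPS.get(user, set()):
        return False, f"rejected: {user} not authorized for {op}"
    return True, f"{user} invoked {op}"

def build_envelope(user, password, op, nonce_b64="Y29uc3RydWN0ZWQ=", created="2004-06-01T12:00:00Z"):
    """Construct a sample SOAP 1.1 request (test fixture, not captured traffic)."""
    digest = password_digest(nonce_b64, created, password)
    return f"""<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><S:Header>
<wsse:Security><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>
<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password><wsse:Nonce>{nonce_b64}</wsse:Nonce>
<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security></S:Header>
<S:Body><{op} xmlns="urn:example:quotes"/></S:Body></S:Envelope>"""
```

The returned reason string is the detailed per-invocation log entry the article says a central gateway can keep without touching the service code.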
The potential for disaster here is huge; for some organizations it includes the possible violation of federal regulations. Build your Web services infrastructure with security in mind from day one.