Managing Web Services Security


Presentation Transcript


  1. Managing Web Services Security

  2. Agenda • Why is this Important? • Web Services Standards • Web Services Security Challenges • Web Services Security Standards • Meeting Business Needs • Additional Considerations • Questions Managing Web Services Security, AMCIS 2004

  3. Why is this Important? • Momentum to adopt web services • Need for services that are loosely coupled, discoverable, platform independent and expressed through a self-describing interface • 75% of senior IT executives plan to roll out Web Services (Netegrity, 2003) • Traditional security standards such as SSL, VPNs and IPSec secure the connection between two endpoints and are not able to address the new challenges of Web services

  4. Web Services Standards • Web services typically consist of four main components: • Web service consumer • Web service provider • Business agreement • Web service registry

  5. Web Services Standards • Simple Object Access Protocol (SOAP) is an XML-based messaging protocol for exchanging structured information in a decentralized, distributed environment. SOAP has three parts: an envelope, a set of encoding rules, and a convention for representing remote procedure calls and responses • Web Services Description Language (WSDL) is a standard XML-based vocabulary used to describe web services • The Universal Description, Discovery and Integration (UDDI) protocol is used to publish web services. It enables businesses to dynamically discover and interact with one another independent of platform.

  6. Web Services Architecture (diagram) • Web service providers publish their web services to the web service registry • Web service consumers search the registry for web services; the registry returns WSDL documents • Consumers send SOAP requests to providers, and providers return SOAP responses • A business agreement governs the relationship between consumer and provider


  8. Weaknesses of Traditional Web Security • Information integrity is the assurance that messages are not modified, deliberately or accidentally, during transit. SSL provides it only point to point (between two hosts), not end to end across the intermediaries a SOAP message passes through • SSL is designed to encrypt the entire stream, not selected portions of a document • Current corporate firewalls can only filter at the packet level, not at the content level • SOAP typically uses port 80, the same port used by HTTP, so it passes through firewalls that permit web traffic

  9. Web Services Security Challenges • Support single sign-on schemes. Without such mechanisms in place, each trading partner has to maintain its own authentication and authorization, which greatly reduces the convenience of Web services • Consider the security implications of supporting multiple devices (e.g. Personal Digital Assistants, 3G cell phones). For example, wireless standards such as GSM and WAP do not offer end-to-end security • Ensure confidentiality and integrity of the transactions in a multi-step process

  10. Web Services Security Challenges (cont.) • Need to secure only portions of documents • Authorization policies are difficult to implement for long-duration operations • Web Services therefore require a finer-grained security protocol
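Added example, not part of the AMCIS 2004 slides: slides 8 and 10 argue that transport security is point to point and cannot protect just a portion of a document, which is what WS-Security with XML Signature provides at the message level. The script below is a deliberately simplified stand-in for that mechanism (an HMAC over the canonicalized SOAP Body placed in a wsse:Security header, instead of a ds:Signature made with an X.509 key pair) so that it runs with only the Python standard library. The shared key, the purchase order, the urn:example namespaces, the routing header and the BodySignature element are constructed for illustration; the SOAP and WS-Security namespace URIs are the real ones.

```python
"""Message-level integrity for one portion of a SOAP envelope (added example).

Simplified stand-in for WS-Security + XML Signature: the SOAP Body is
canonicalized and covered by an HMAC carried in a wsse:Security header.
Intermediaries may rewrite unsigned headers, but any change to the Body
is detected end to end by the provider.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SHOP_NS = "urn:example:shopping"      # hypothetical service namespace
ROUTE_NS = "urn:example:routing"      # hypothetical routing header namespace

for prefix, uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("shop", SHOP_NS)):
    ET.register_namespace(prefix, uri)

# Constructed secret shared by consumer and provider (stand-in for real keys).
SHARED_KEY = b"demo-shared-secret-not-for-production"

# Constructed purchase order, as a shopper's client would send it.
REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header><Route xmlns="{ROUTE_NS}">MyBilling.com</Route></soap:Header>
  <soap:Body>
    <shop:PurchaseOrder xmlns:shop="{SHOP_NS}">
      <shop:Item>Widget</shop:Item>
      <shop:Quantity>1</shop:Quantity>
    </shop:PurchaseOrder>
  </soap:Body>
</soap:Envelope>"""


def canonical_body(envelope):
    """Serialize the Body and canonicalize it (C14N 2.0 from the stdlib) so that
    whitespace or prefix changes made by intermediaries do not break the MAC."""
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    fragment = ET.tostring(body, encoding="unicode")
    return ET.canonicalize(fragment, strip_text=True, rewrite_prefixes=True).encode()


def sign_body(envelope, key):
    """Consumer side: add a wsse:Security header carrying a MAC over the Body only."""
    mac = hmac.new(key, canonical_body(envelope), hashlib.sha256).digest()
    header = envelope.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        envelope.insert(0, header)
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    # Hypothetical element standing in for ds:Signature.
    sig = ET.SubElement(security, "BodySignature", Algorithm="hmac-sha256")
    sig.text = base64.b64encode(mac).decode()


def verify_body(envelope, key):
    """Provider side: recompute the MAC over the Body and compare in constant time."""
    sig = envelope.find(f".//{{{WSSE_NS}}}Security/BodySignature")
    if sig is None or not sig.text:
        return False
    expected = hmac.new(key, canonical_body(envelope), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(sig.text), expected)


def build_signed_request():
    env = ET.fromstring(REQUEST)
    sign_body(env, SHARED_KEY)
    return ET.tostring(env, encoding="unicode")


def relay_reroutes(signed_xml):
    """An intermediary legitimately rewrites the unsigned routing header."""
    env = ET.fromstring(signed_xml)
    env.find(f".//{{{ROUTE_NS}}}Route").text = "MyShipping.com"
    return ET.tostring(env, encoding="unicode")


def relay_tampers(signed_xml):
    """A compromised intermediary changes the order quantity inside the Body."""
    env = ET.fromstring(signed_xml)
    env.find(f".//{{{SHOP_NS}}}Quantity").text = "1000"
    return ET.tostring(env, encoding="unicode")


def provider_accepts(xml_text):
    return verify_body(ET.fromstring(xml_text), SHARED_KEY)


if __name__ == "__main__":
    signed = build_signed_request()
    print("original accepted:", provider_accepts(signed))
    print("rerouted accepted:", provider_accepts(relay_reroutes(signed)))
    print("tampered accepted:", provider_accepts(relay_tampers(signed)))
```

The rerouted message is still accepted because the routing header lies outside the signed portion; that is the flexibility slide 10 asks for, and also the caveat: anything an intermediary must not alter has to be inside the signed reference, and a real XML Signature additionally names the signed element by reference so the verifier knows exactly what was covered.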

  11. Web Services Security Standards (This list is not all inclusive)

  12. Web Services Scenario (diagram) • Web service consumer: Joe Shopper • Web service providers: MyShopping.com (purchasing web service), MyBilling.com (billing web service), MyShipping.com (shipping web service) • SOAP messages travel from the consumer through an XML firewall to the providers • Transport security: basic authentication, SSL authentication • SOAP (message-level) security: WS-Security, XML Signature, XML Encryption, SAML, etc.
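Added example, not part of the AMCIS 2004 slides: slide 8 notes that packet-level firewalls cannot filter on content and that SOAP rides through on port 80, and slide 12 places an XML firewall in front of the providers. The script below shows the kind of content-level check such a gateway performs: it parses the envelope and applies a positive policy (size limit, no DTD or entity declarations, a single operation from an allow-list) before the request reaches the purchasing service. The limits, the urn:example:shopping namespace, the operation names and the sample messages are constructed for illustration.

```python
"""Content-level filtering of SOAP over HTTP (added example).

A packet filter sees only "TCP port 80"; this check parses the envelope and
applies a positive policy before the request reaches the provider.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SHOP_NS = "urn:example:shopping"          # hypothetical service namespace
MAX_BYTES = 64 * 1024                     # hypothetical limits
MAX_DEPTH = 16
# Hypothetical operation allow-list for the purchasing web service.
ALLOWED_OPERATIONS = {f"{{{SHOP_NS}}}PurchaseOrder", f"{{{SHOP_NS}}}OrderStatus"}


def nesting_depth(element, level=1):
    return max([nesting_depth(child, level + 1) for child in element] or [level])


def inspect_soap(raw):
    """Return (allowed, reason) for one HTTP request body. Fails closed."""
    if len(raw) > MAX_BYTES:
        return False, "message too large"
    lowered = raw.lower()
    # DTDs enable entity-expansion and external-entity attacks; refuse them
    # before the bytes reach any parser.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return False, "DTD or entity declarations not allowed"
    try:
        envelope = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if envelope.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    if nesting_depth(envelope) > MAX_DEPTH:
        return False, "nesting too deep"
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return False, "missing Body"
    operations = list(body)
    if len(operations) != 1:
        return False, "Body must carry exactly one operation"
    if operations[0].tag not in ALLOWED_OPERATIONS:
        return False, f"operation not permitted: {operations[0].tag}"
    return True, "ok"


# Constructed sample traffic.
GOOD = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Body>
    <shop:PurchaseOrder xmlns:shop="{SHOP_NS}"><shop:Item>Widget</shop:Item></shop:PurchaseOrder>
  </soap:Body>
</soap:Envelope>""".encode()

ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><shop:PurchaseOrder xmlns:shop="urn:example:shopping">&b;</shop:PurchaseOrder></soap:Body>
</soap:Envelope>"""

ROGUE_OPERATION = GOOD.replace(b"PurchaseOrder", b"DeleteAllOrders")
TWO_OPERATIONS = GOOD.replace(
    b"</soap:Body>",
    b'<shop:OrderStatus xmlns:shop="urn:example:shopping"/></soap:Body>')

if __name__ == "__main__":
    samples = [("good", GOOD), ("entity bomb", ENTITY_BOMB),
               ("rogue operation", ROGUE_OPERATION), ("two operations", TWO_OPERATIONS)]
    for name, message in samples:
        print(f"{name:16s} -> {inspect_soap(message)}")
```

The byte-string scan for DOCTYPE is a first line of defence only; it can be dodged with an alternate encoding declaration, so a production gateway also runs a parser with DTD processing disabled and enforces the allow-list against the service's WSDL rather than a hand-written set.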

  13. Meeting Business Needs • Security considerations must be customized to meet business needs • The focus should be placed on reducing the exposure and spread of risk • It is not uncommon for managers to implement more than one of the above standards


  15. Conclusion • Traditional security infrastructure can still be used • A number of emerging standards – selection is not a random walk • Need to strategically choose solutions • Need to combine multiple standards • Web Services security must be integrated into the overall security plan of the firm

  16. Questions

  17. Additional Considerations • Financial considerations. Gartner predicts that in 2004 sales in the Web services market will grow to $28 billion (Gartner, 2002). However, a breach in corporate data integrity will have serious financial impact. • Legislative compliance. Government legislation increasingly requires that consumer data are not revealed without the permission of their owner. HIPAA is expected to cost the healthcare industry at least $3.8 billion between 2003 and 2008 (Beaver and Herold, 2003). • Privacy. With SOAP messages, data are increasingly exposed as they move over the insecure Internet. Any breach of data privacy may result in the loss of trust from consumers and business partners.

  18. References
  • Beaver, K. and Herold, R. (2003) HIPAA Cost Considerations, Chapter 3 in The Practical Guide to HIPAA Privacy and Security Compliance, Auerbach Publications.
  • Baldwin, A., Shiu, S. and Mont, M. C. (2002) Trust Services: A Framework for Service-Based Solutions, Proceedings of the 26th Annual International Computer Software and Applications Conference (COMPSAC'02).
  • Chang, S., Chen, Q. and Hsu, M. (2003) Managing Security Policy in a Large Distributed Web Services Environment, Proceedings of the 27th Annual International Computer Software and Applications Conference (COMPSAC'03), 617-622.
  • Chen, M. (2003) An Analysis of the Driving Forces for the Adoption of Web Services, e-biz Web Workshop, Dec 13-14, Seattle, WA.
  • Claessens, J., Preneel, B. and Vandewalle, J. (2001) Combining World Wide Web and Wireless Security, Informatica 26, 123-132.
  • Gartner (2002) Gartner Says Web Services Will Dominate Deployment of New Application Solutions for Fortune 2000 Companies by 2004, January 14, 2002.
  • Hanna, J. (2003) Web Services, Feb 3, 2003. Available at http://hbsworkingknowledge.hbs.edu/pubitem.jhtml?id=3285&sid=-1&t=special_reports_cyber2003
  • Kaler, C. (2002) WS-Security. Available at http://www-106.ibm.com/developerworks/webservices/library/ws-secure/
  • Long, J., Yuan, M. and Whinston, A. (2003) Securing a New Era of Financial Services, IT Pro, July/August 2003, 15-21.
  • Morioka, M., Yonemoto, Y., Suzuki, T. and Etoh, M. (2003) Scalable Security Description Framework for Mobile Web Services, IEEE International Conference on Communications, 804-808.
  • Naedele, M. (2003) Standards for XML and Web Services Security, Computer, 36, 4, 96-98.
  • Nakamura, Y., Hada, S. and Neyama, R. (2002) Towards the Integration of Web Services Security on Enterprise Environments, Proceedings of the 2002 Symposium on Applications and the Internet (SAINT'02w), 166-175.
  • Netegrity (2003) Netegrity Web Services Survey Result, Dec 08, 2003. Available at http://www.netegrity.com/txmindersurvey/TxMSurveyAnalysis.html
  • OASIS (2003) SAML Version 1.1. Available at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
  • Reagle, J. (2002) XML Encryption Requirements, W3C. Available at http://www.w3.org/TR/xml-encryption-req
  • UDDI (2001) UDDI Executive White Paper, Nov. 14, 2001. Available at http://www.uddi.org/pubs/UDDI_Executive_White_Paper.pdf
  • W3C (2002a) XML Signature Syntax and Processing, February 2002. Available at http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
  • W3C (2002b) Web Services Activity, January 2002. Available at http://www.w3.org/2002/ws/
  • Xu, H., Seltsikas, P. and O'Keefe, B. (2003) The Implications of Web Services Innovation for General Adopters: Findings and Recommendations, Proceedings of the Second Workshop on e-Business (WeB), Dec. 13-14, 2003, Seattle, WA.

  19. Thank You!

  20. Supplementary Information • Benefits of Web Services • Comparing traditional E-business with Web Services • What is REST?

  21. Benefits of Web Services • Improving Innovation and Learning: Information Sharing and Collaboration; Organizational Agility • Improving Internal Business Processes: Process Automation and Acceleration; Interoperability and Integration; Process Design • Improving Customer Value: Customer Intimacy; Customer Retention; Customer Value • Improving Shareholder Value: Operating Costs; Revenue. Source: Huang, C.D. and Hu, Q., Integrating Web Services with Competitive Strategies: The Balanced Scorecard Approach, CAIS, 13, 2004, 57-80.

  22. Comparison of Traditional E-Business to Web Services (Traditional | Web Services)
  • Centralized | Decentralized
  • Contained and controlled | Open and unmonitored
  • Limited, defined user base | Unknown, unlimited user base
  • Secure (risk minimized) | Exposed (open to random events)
  • Proprietary | Shared
  • Fixed, well-defined, compiled | Built dynamically, on the fly
  • Incremental scale based on known demand | Unlimited scale, based on unknown, unpredictable demand
  • Staged, periodic changes | Continuous, ad hoc changes
  Source: Ratnasingam, P., The Importance of Technology Trust in Web Services Security, 2002, 255-260.

  23. What is REST? • Representational State Transfer, built on two core specifications: URIs and HTTP • Developed in Roy Fielding's doctoral dissertation in 2000 (Fielding is Chief Scientist at Day Software) • Architecture based on components already in place • Problem is nobody is marketing it! • More info on the RESTwiki site: http://rest.blueoxen.net/cgi-bin/wiki.pl?FrontPage#nid6W

  24. SOAPy Problems • Runs over HTTP and therefore inherits any problems in HTTP implementations • SOAP is designed to slip through firewalls as ordinary HTTP traffic • Uses port 80
