Managing the Security Aspects of Web Services
Web services can represent interfaces into business functions of a corporation. As such, proper levels of security must be strictly enforced. Early adopters are using Secure Sockets Layer (SSL) technology as an introductory step to security. This technology secures the connection between two endpoints and allows for client- or server-side authentication and message encryption. It falls short, however, in the areas of:
- Storing a secured message in a queue for processing later
- Relaying a message through third parties
- Tunneling a message over other protocols
These concerns have generated much attention and led to the creation of the WS-Security industry standard, which is still evolving. The first release of the specification for this standard can be found at http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm
There are really two main issues for securing Web services. The first is the secure communication of SOAP messages across the network, which is addressed by the WS-Security standard. The other is the secure management of Web services.
Secure SOAP Messaging
When sending SOAP messages across the firewalls that protect enterprises from attack (and in some cases within an enterprise), there is a need for Web services to have adequate levels of security in the following ways:
1. SOAP messages, in particular the payload of the message, must be capable of being encrypted in full or in part.
2. SOAP messages must be capable of being digitally signed, such that there is trust in the origin of the message and the message may not be repudiated. Parts of a SOAP message must also be allowed to have separate digital signatures.
3. SOAP messages must be capable of being relayed through several intermediary parties in a secure fashion before reaching their final destination.
4. Replay and denial of service attacks using SOAP messages must be handled.
5. Truncation of SOAP messages or of an ordered sequence of SOAP messages must be handled (for example, the deletion of a critical message from a series of messages).
The WS-Security specification addresses requirements 1 through 3, but does not address 4 and 5 as yet. WS-Security work includes key and certificate handling, called XKMS (XML Key Management Services). Further work is required in the WSDL area to ensure that the client invoking an operation from a WSDL specification is allowed to make that call.
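Because requirements 4 and 5 are left to the application, the receiver has to detect replayed and deleted messages itself. The following is an added example, not code from this article or from the WS-Security specification: it assumes each message carries a sender-assigned ID, sequence number, timestamp and end-of-sequence flag (all hypothetical field names), and it uses an HMAC under a shared key as a stand-in for the digital signature.

```python
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"   # assumption: shared out of band; constructed value
MAX_SKEW = 300                  # seconds during which a message is considered fresh

def seal(key, msg_id, seq, ts, body, last=False):
    """Sender side: bind ID, sequence number, timestamp and end flag to the body."""
    header = json.dumps([msg_id, seq, ts, last]).encode()   # unambiguous encoding
    tag = hmac.new(key, header + body, hashlib.sha256).hexdigest()
    return {"id": msg_id, "seq": seq, "ts": ts, "last": last, "body": body, "mac": tag}

class Receiver:
    def __init__(self, key, max_skew=MAX_SKEW):
        self.key, self.max_skew = key, max_skew
        self.seen = {}          # msg_id -> timestamp, pruned once outside the window
        self.next_seq = 1
        self.complete = False   # True only after the message flagged "last" arrives

    def accept(self, m, now=None):
        now = time.time() if now is None else now
        expected = seal(self.key, m["id"], m["seq"], m["ts"], m["body"], m["last"])["mac"]
        if not hmac.compare_digest(expected, m["mac"]):
            return "bad-mac"    # altered in transit, or header fields rewritten
        if abs(now - m["ts"]) > self.max_skew:
            return "stale"      # too old to still be in the replay cache
        self.seen = {i: t for i, t in self.seen.items() if now - t <= self.max_skew}
        if m["id"] in self.seen:
            return "replay"     # an authentic message delivered a second time
        if m["seq"] != self.next_seq:
            return "gap"        # an earlier message was deleted or reordered
        self.seen[m["id"]] = m["ts"]
        self.next_seq += 1
        self.complete = m["last"]
        return "ok"
```

The freshness window bounds the replay cache: any ID old enough to be pruned is also old enough to be rejected as stale. A sequence whose final message is deleted never sets `complete`, so the application can tell that the series was cut short.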
Secure Management of Web Services
There are additional requirements, beyond the level of the SOAP message, for the secure management of Web services.
- Management of a Web service should be restricted to authorized individuals.
- Management roles, with different capabilities, are needed for managing the Web service:
  - for interrogating the current status of a Web service
  - for starting a Web service up or shutting it down
  - for allowing particular groups of users, or client programs, to use instances of the service (sometimes called provisioning the Web service)
  - for measuring usage of the service by particular groups
These roles require that users be authenticated and granted different privileges for access to services via the management platform. Ideally, the developer should not be required to construct the security layer that protects the service from outside threats. This work should be accomplished in the management platform at service deployment time.
Putting Requirements to Good Use
The purpose of generating these requirements is to help developers who are building Web services achieve a successful, maintainable implementation over the long haul, regardless of their deployment platform. No single company or organization has yet proposed an implementation for the rich set of requirements for the management of deployed services, although the industry is working on this. For now, IT departments are on their own to define them.
Furthermore, these requirements can be used by IT developers and managers to influence tool and platform vendors and to judge management products for purchase decisions. If you're making a buying decision, do not hesitate to confront your vendor about all the requirements discussed in this article; each of them is important to your success.
Finally, developers who are keenly aware of deployment and management issues are on the right path to deploying truly robust Web services that will satisfy customers and partners and keep them coming back for your business.