Chapter 2: Presenting Security


Overview

It is traditional for texts on information security to begin with a description of a perfectly secure system—generally a sealed vault in an underground bunker—and then to consider how this tight security renders the contents of the vault useless because they cannot be examined, changed, or traded. In order to make the contents of the vault useful, some access to the vault must be granted. However, granting this access involves compromises that make the vault less secure. This analogy takes physical security and maps it to Internet security with a simple lesson to learn—the more access, the less security. We saw in the previous chapter that Web Services is about increasing access to functionality—using a services-oriented architecture to publish, find, and bind. If the physical security analogy is followed, then Web Services inevitably involves a trade-off of security for ease of access. Though valid, the physical security analogy is limited. The information security techniques we’ll be learning about in this chapter deal with securing the access to information.

Information on the Internet is in one of two states: in storage or in transit. When information is in storage, the locked vault analogy is apt. However, when it is in transit, a more appropriate analogy may be that of an armed escort who accompanies the information to make certain that it arrives intact at its destination. The escort ensures not only that the data is protected, but that it travels intact from the sender to the recipient and that the recipient knows who sent the data. This ensures not only that the data is secure, but also that the process is secure. Comparing Web Services to a locked vault is always going to provide a negative view of security, because Web Services security is about making a process (not an entity) secure. We’ve seen that Web Services provides important new efficiencies by exposing functionality using a service-oriented architecture. The challenge is to leverage these efficiencies while taking appropriate precautions to ensure that they are not misused.

Security can be seen in either a positive or a negative sense. The positive aspect is when security acts as an enabler for a solution—for example, partner or supplier integration. The negative sense is when security acts as a blockade to stop unwanted access to resources. This is the contrast between “letting the good guys in” and “keeping the bad guys out.” Web Services security involves both. Different technologies are used for each aspect, with some overlap. But this does not mean that a mishmash of security technologies is used. Information security (sometimes shortened to “infosec”) can be sliced and diced into a set of logical components. In this chapter, we’ll examine these components, which form the basis for Web Services security.

The goal of this chapter is for you to start thinking like an information security professional, keeping in mind the logical components of information security. So, rather than first thinking “we need to use XML Signature for this project,” you should first think “we need to ensure data integrity in this project” before beginning to think about the specific technology that will be used to ensure data integrity.




Web Services Security
ISBN: 0072224711
EAN: 2147483647
Year: 2003
Pages: 105
Authors: Mark O'Neill
