Securing Web Services to Deliver on Their Promise


Web services have the potential to be the next great paradigm that will once and for all change computing as we know it. The main promise of Web services is that business systems can be used by anyone, from anywhere, at any time, and, of course, on any type of system. Another promise is that integration between disparate systems that are either internal to an organization or housed externally by another vendor or partner will be simplified. While these and other expectations surrounding Web services are tremendous, the truth about their potential may be somewhat less than what has been promised.

Truth be told, Web services are just the next leg of the ongoing journey to deliver ubiquitous business computing services. The journey started many years ago with business-to-business exchanges through the use of electronic data interchange (EDI) technology, and we have only begun to understand the journey's path or ultimate destination. But hold on tight; it is sure to be a long and thrilling ride.

Rosenberg and Remy's book, Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, XML Signature, XML Encryption, and SAML, sheds light on new and innovative Web Services Security technologies. Most importantly, the authors clearly show how to properly deploy these technologies to secure Web services.

By embracing and implementing the Web services model described in this book, organizations have the potential to do the following:

  • Reduce cost by streamlining online transactions, automating more back-end processes, and increasing interoperability between disparate systems through standardization of protocols and data formats (XML);

  • Ensure compliance, increase accountability, and reduce fraud via real-time transaction monitoring and security enforcement systems; and

  • Strengthen security by focusing on building better systems and securing the data from the inside out.

System integrators who enable their customers to successfully deploy and manage Web services will thrive in the years to come. To do this, traditional system integrators will need to refocus on building better quality systems and performing actual security integration at the application and data levels. This new breed of system integrators must be able to advise their clients on which business systems make sense to Web service-enable, and which do not.

So, will Web services make a difference to your business and to your customers? Yes, but like most over-hyped technologies, Web services will not live up to the excitement surrounding them. Web services are only part of the greater technology systems and solutions that organizations will adopt; a one-size-fits-all Web services approach does not exist for every business application or problem. The current Web services model is constantly maturing and evolving; for example, some speculate that Web services and grid computing will combine to form an even more powerful and distributed Web services model.

The great promise of Web services will never be realized unless they are proven to be reliable, available, and have the appropriate level of security. Rosenberg and Remy are among the first to accurately portray Web Services Security by addressing how to apply the correct amount and types of security solutions.

The security issues that apply to Web services are similar to those surrounding other technology solutions and systems. Business applications deployed as Web services need to incorporate security building blocks including authentication, authorization, confidentiality, availability and reliability, protection against fraudulent transactions, nonrepudiation, compliance, and auditing and monitoring.

However, there is one big exception with Web Services Security: What the Web services model brings front and center is that organizations must focus on building more secure applications from the ground up while protecting their business data at all times, in storage and in transit. Gone are the days of saying core assets (the organization's data and systems) are secure because they are simply hiding behind the corporate firewall.

The new Web services model brings about unique security challenges because the applications themselves and the business data traverse outside the once-trusted corporate enclaves. Business data stored in these new XML messaging formats travels across untrusted networks and is then manipulated by numerous distributed systems. The same XML document, which may by now have been tampered with, then passes back through the corporate firewall into the automated back-office systems. Throughout the entire business transaction, different classes of users and systems need access to the data for inspection, approval, and treatment. If any link in this chain is compromised, the entire trust model breaks down, and the business application deployed as a Web service will fail.

To help counteract these security challenges, there has been a huge effort by a few innovative companies leading the way to develop Web Services Security standards through the traditional standards bodies. This concerted effort has been done in the same way the basic standards for Web services were created. The good news is that most of the security technologies that will be used to secure Web services have been deployed for years, are proven, and work. For example, cryptography is the backbone of Web Services Security: shared or symmetric key ciphers such as the United States' Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), and other proven ciphers will be used to provide the confidentiality of XML messages; public key (asymmetric) cryptography will be used for the integrity and digital signatures of the XML message and to transport the symmetric keys; and trust models such as Kerberos or Public Key Infrastructure (PKI) will be used to distribute those keys and to issue trusted credentials (Kerberos tickets or, under PKI, X.509 digital certificates) to users and to the different systems.
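The three building blocks named above (a symmetric cipher for confidentiality, asymmetric cryptography for signatures and key transport, and a public key that a PKI credential would vouch for), composed the way WS-Security composes them. This is an added example written for this page in Go's standard library, not code from the book or its authors: the names `SecuredMessage`, `Protect`, `Unprotect` and `NewKeyPair`, the key sizes and the purchase-order body are assumptions for the demo. Real WS-Security carries these parts as XML Encryption `EncryptedKey` and `EncryptedData` elements and an XML Signature `Signature` element with algorithm URIs; the struct here stands in for that serialisation.

```go
// Added example, not code from the book or its authors. A fresh AES-256-GCM
// key encrypts the XML body (EncryptedData), RSA-OAEP wraps that key for
// the recipient (EncryptedKey), and RSA-PSS signs the ciphertext so the
// receiver checks integrity and origin before it decrypts (Signature).
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SecuredMessage holds what a WS-Security header would carry (assumed layout).
type SecuredMessage struct {
	WrappedKey []byte // per-message AES key, RSA-OAEP wrapped to the recipient
	Nonce      []byte // AES-GCM nonce; a fresh key per message, so never reused
	Body       []byte // AES-GCM ciphertext of the XML body, tag appended
	Signature  []byte // RSA-PSS by the sender over SHA-256(nonce || ciphertext)
}

// NewKeyPair stands in for a certificate- or Kerberos-backed credential.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// signedDigest binds nonce and ciphertext so neither can be swapped alone.
func signedDigest(nonce, ciphertext []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(ciphertext)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect: encrypt with a fresh symmetric key, wrap that key under the
// recipient's public key, then sign the ciphertext (encrypt-then-sign).
func Protect(body []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*SecuredMessage, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, body, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, signedDigest(nonce, ciphertext), nil)
	if err != nil {
		return nil, err
	}
	return &SecuredMessage{WrappedKey: wrapped, Nonce: nonce, Body: ciphertext, Signature: sig}, nil
}

// Unprotect verifies the signature first; a forged or tampered message is
// rejected before any key is unwrapped or any ciphertext is decrypted.
func Unprotect(msg *SecuredMessage, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, signedDigest(msg.Nonce, msg.Body), msg.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature rejected: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, msg.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, msg.Nonce, msg.Body, nil) // the GCM tag guards integrity too
}

func main() {
	sender, _ := NewKeyPair()
	recipient, _ := NewKeyPair()
	// Constructed sample body; a real message would be a full SOAP envelope.
	body := []byte(`<PurchaseOrder><Total>100.00</Total></PurchaseOrder>`)
	msg, err := Protect(body, sender, &recipient.PublicKey)
	if err != nil {
		panic(err)
	}
	plain, err := Unprotect(msg, recipient, &sender.PublicKey)
	fmt.Printf("recovered %q, err=%v\n", plain, err)
	msg.Body[0] ^= 0x01 // an intermediary flips one bit in transit
	_, err = Unprotect(msg, recipient, &sender.PublicKey)
	fmt.Println("after tampering:", err)
}
```

Verification runs before decryption: with encrypt-then-sign the receiver drops a forged or altered message without ever unwrapping the key, and a message signed with some other party's key is rejected for the same reason. WS-Security leaves the order to the policy; signing the plaintext and then encrypting is also valid, but then tampering is only detected after the ciphertext has been processed.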

One of the biggest obstacles for Web Services Security will be the management of the various security technologies, which includes securing message exchanges that involve more than two parties and integrating new data formats and protocols. New emerging technologies will enable us to hurdle these latest obstacles. These solutions provide innovative ways to monitor and perform analysis on XML transactions in real time; for example, cryptographic management systems that enable XML Encryption, and key management services such as XKMS (the XML Key Management Specification), which let an application delegate locating, validating, and registering the public keys that XML Encryption and XML Signature depend on to a service instead of embedding full PKI processing in every endpoint. By utilizing the proven security technologies and emerging Web Services Security standards and technologies, an organization can have a comprehensive approach to Web Services Security.

While the security technologies needed to secure Web services are mature, companies looking to seriously deploy Web services will find that the best way to integrate these stovepipe solutions is through the use of common security frameworks that support the new emerging security standards discussed in this book. Properly implemented common security frameworks, or Security Service Oriented Architectures (SSOA), will aid in the deployment, management, and interoperability of Web Services Security.

Rosenberg and Remy have not only clearly defined Web Services Security, but they also have put together a great roadmap on how to properly deploy secure Web services at all levels. I hope you find this book as enlightening and informative as I did.

M. Greg Shanton
American Management Systems, Incorporated
Chief Technology Officer and Security Engineering Director, Enterprise Security Group



Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption
ISBN: 0672326515
Year: 2004
Pages: 119
