Title: Web Services Architectures for Security
Author: Jonathan Stephenson
Publication Date: 12 February 2003
Report Type: Journal
Report Class: Best Practice
Abstract:
The new WS-Security protocols require a thorough review of our approach to security. They enable security at the application and message level, which in theory opens up opportunities for much finer-grained control over the security applied to specific transactions or messages. But how does this affect existing practices of session- and firewall-based security? We consider the issues, look at the support available from leading toolkits and make clear recommendations for revising the layered security architecture.
Backgrounder:
In this report we make the case that an application built with web services requires a new layer of security, separate from the network firewalls, which in the main can do no more than block unwanted protocols and rogue IP addresses. There is an interesting conflict here: to empower an application, the credentials and encryption capabilities have to move nearer to the code and away from the infrastructure, but to maintain a clean separation of concerns the service implementation must be clearly separated from the security management layer. The new SOAP protocols for WS-Security allow an application to deal with data that is private right from the point of entry, all the way through to the point of delivery, and even then it can remain encrypted in storage. Similarly, authentication is end-to-end, from the individual who signs the request right through to the business process that checks the ID. This is how conventional business is done: you sign the check, not the postman. A system of commerce where you are forced to rely on the delivery mechanism to provide trust and privacy is never going to be as safe as one where the protocols work at the message level.
In this report we take a closer look at the contributions that application servers and network firewalls can make in securing web services, and reach the inevitable conclusion that the enterprise will ideally need both. Firewalls will evolve their XML capabilities to enforce company-wide policies for SOAP access; application servers will control the finer-grained access and service-level management. This satisfies the requirements of both the network management teams who control the firewalls and the application developers who need to take responsibility for their assets.
Report Access Type: Silver/Gold (Premium)
Available for separate purchase: single copies of recent CBDI Journals may be purchased.