Securing Web Services
Today’s business demands an infrastructure that supports mission-critical Web services. Web sites are no longer about just providing information about a business, but increasingly are being positioned to deliver Web services—via both intranets and extranets. The challenge in providing Web services is security—how to manage users effectively while protecting access to sensitive business or consumer information. Security professionals and architects are increasingly finding themselves developing solutions that enable secure access to Web-based resources.
Businesses across almost all vertical industries are moving more and more of their business processes online. The e-business objective is to reach new markets and new users, increase revenues, reduce costs, reduce response times and enhance the customer experience with the organization. This requires providing online, real-time access to sensitive information for customers, employees and business partners. The challenge for the organization is how to provide such access so as to further enable the business, yet define and enforce Web-access privileges to limit exposure to authorized entities only.
What Is a Web Service?
Web services enable businesses to deliver business applications to customers, partners and employees over the Internet. The Web-service consumer or client makes the request and gets a response from one or more Web-service providers. The Web-service provider receives the request and sends the response to the consumer or client. The data format that enables this communication between the consumer or client and the provider is the extensible markup language (XML). The XML Schema is the framework that describes XML vocabularies used in business transactions.
The challenge with Web services is how to secure the exchange of information between the consumer and the provider. There are a few organizations that are influencing standards in the area of Web services security. These organizations include:
- World Wide Web Consortium (W3C)
- Organization for the Advancement of Structured Information Standards (OASIS)
- Liberty Alliance
- Web Services Interoperability Organization (WS-I)
The World Wide Web Consortium (W3C) was established in 1994 with the objective of creating standards for the Web. It is supported by more than 450 members and about 70 full-time employees. It is famous for introducing standards such as HTTP and HTML. W3C is involved in Web services activities as an extension of its core standards, such as XML. See www.w3c.org for more information.
Founded in 1993 under the name of SGML, the Organization for the Advancement of Structured Information Standards (OASIS) developed the security assertions markup language (SAML) standard. SAML is an XML framework for exchanging authentication and authorization information. OASIS has more than 600 corporate and individual members in 100 countries around the world. OASIS and the United Nations jointly sponsor ebXML (www.ebxml.org), a global framework for e-business data exchange. More information on OASIS is available at www.oasis-open.org.
The Liberty Alliance Project was formed in September 2001 with the objective of developing specifications in the area of identity management to enable the deployment of identity-based Web services. The Liberty Alliance Project has adopted SAML 1.1 as the foundation for its work on Federated Identity. Federated Identity allows users to link identity information between accounts without centrally storing personal information. The user can control when and how his accounts and attributes are linked and shared between domains and service providers, allowing for greater control over his personal data. In practice, this means that users can be authenticated by one company or Web site and be recognized and delivered personalized content and services in other locations without having to re-authenticate or sign on with a separate user name and password.
The Liberty Alliance Project membership includes VeriSign, Sony, Sun, HP, GM, Nokia, Netegrity, RSA Security and many others. More information on the Liberty Alliance Project is available at www.projectliberty.org.
Formed in February 2002, the Web Services Interoperability Organization (WS-I) is focused on providing consistent and reliable interoperability among Web services across platforms, applications and programming languages. WS-I recently introduced the Basic Profile 1.0. The Basic Profile 1.0 consists of implementation guidelines on how core Web services specifications should be used together to develop interoperable Web services. The specifications covered by the Basic Profile include SOAP 1.1, WSDL 1.1, UDDI 2.0, XML 1.0 and XML Schema. More information on the WS-I is available at www.ws-i.org.
Core Web Services Standards
There are four standards that provide the foundation for Web services. They are:
- Extensible markup language (XML)
- Simple object access protocol (SOAP)
- Web services description language (WSDL)
- Universal description, discovery and integration (UDDI)
Created by the W3C, XML is what enables the flexibility of Web services. It makes it straightforward to develop customized markup languages that define how information is to be structured and processed. It is the lingua franca of Web services. All Web services communicate in XML.
SOAP is an XML-based messaging protocol that provides a uniform way to exchange XML-formatted information using HTTP. It is a communications protocol for Web services.
Developed by the W3C, WSDL defines methods for creating detailed descriptions of Web services. It is an XML-based language for describing, finding and using Web services.
UDDI provides a method for publishing service descriptions so Web services can be located and accessed by other Web services. It is a phone directory for Web services that lists available Web services from different companies, their descriptions and instructions for using them.
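To make the SOAP exchange described above concrete, the following Python builds a SOAP 1.1 request envelope and parses a reply the way a Web-service client would. It is an added example, not code from the article: the service namespace urn:example:orders, the GetOrderStatus operation and the two sample replies are constructed for illustration, while the envelope namespace is the genuine SOAP 1.1 one. The point for a practitioner is in parse_response, which refuses anything that is not a SOAP 1.1 Envelope and raises on a <soap:Fault> so that an error reply can never be mistaken for a successful result.

```python
"""Build and parse SOAP 1.1 envelopes (added example, not from the article).
The service namespace, operation and sample messages are constructed."""
from __future__ import annotations

import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # real SOAP 1.1 namespace
SERVICE_NS = "urn:example:orders"                       # hypothetical service namespace

ET.register_namespace("soap", SOAP_ENV)
ET.register_namespace("ord", SERVICE_NS)


class SoapFault(Exception):
    """The reply Body carried a <soap:Fault> instead of a result."""


def build_request(order_id: str, headers: dict | None = None) -> bytes:
    """Serialize a SOAP 1.1 request with one hypothetical GetOrderStatus
    operation in the Body; any header blocks go into <soap:Header>."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    if headers:
        hdr = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
        for name, value in headers.items():
            ET.SubElement(hdr, f"{{{SERVICE_NS}}}{name}").text = value
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{SERVICE_NS}}}GetOrderStatus")
    ET.SubElement(op, f"{{{SERVICE_NS}}}OrderId").text = order_id
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_response(raw: bytes) -> dict:
    """Return the elements of the first Body child as {local-name: text}.

    Rejects anything that is not a SOAP 1.1 Envelope with a non-empty Body,
    and raises SoapFault for <soap:Fault> so an error is never read as data.
    """
    root = ET.fromstring(raw)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError(f"not a SOAP 1.1 Envelope: {root.tag}")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("Envelope has no Body or the Body is empty")
    fault = body.find(f"{{{SOAP_ENV}}}Fault")
    if fault is not None:
        # faultcode and faultstring are unqualified elements in SOAP 1.1
        raise SoapFault(f"{fault.findtext('faultcode', '')}: "
                        f"{fault.findtext('faultstring', '')}")
    result = {}
    for child in body[0]:
        result[child.tag.split("}", 1)[-1]] = (child.text or "").strip()
    return result


def describe(raw: bytes) -> tuple:
    """('ok', fields) for a normal reply, ('fault', message) for a SOAP Fault."""
    try:
        return ("ok", parse_response(raw))
    except SoapFault as e:
        return ("fault", str(e))


# Constructed sample replies from a hypothetical order-status service.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ord:GetOrderStatusResponse xmlns:ord="urn:example:orders">
      <ord:OrderId>A-1001</ord:OrderId>
      <ord:Status>shipped</ord:Status>
    </ord:GetOrderStatusResponse>
  </soap:Body>
</soap:Envelope>"""

SAMPLE_FAULT = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>Unknown order</faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(build_request("A-1001", {"RequestId": "r-42"}).decode())
    print(describe(SAMPLE_RESPONSE))
    print(describe(SAMPLE_FAULT))
```

In a real client the bytes from build_request are POSTed over HTTP and the reply body is handed to describe; the Header block is where message-level metadata such as a security token would travel, which is the hook the later SAML discussion builds on.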
Security Assertions Markup Language (SAML)
The security assertions markup language (SAML) is an XML-based framework that enables Web services to readily exchange information relating to authentication and authorization. SAML enables single sign-on, providing the ability to use a variety of Internet resources without having to log in repeatedly. SAML is a Web-services-based request/reply protocol for the exchange of authentication, attribute and authorization decision statements.
SAML carries this information in the form of trusted statements, referred to as security assertions, about end-users, Web services or any other entity that can be assigned a digital identity. SAML “buffers” the application from the complexity of the underlying authentication and authorization systems. Security assertions are the primary focus of the SAML specification. A security assertion is a claim or statement regarding the security properties of a given end-user that one organization needs to pass to another organization. Examples of types of security assertions are:
- Authentication assertion
- Authorization decision assertion
- Requesting assertion
SAML has received widespread support from the industry, including from Sun, IBM, HP, BEA Systems and RSA Security. The U.S. Navy is adopting it as the standard for supporting authentication and authorization of end-users for Web services.
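Single sign-on only works if the receiving site actually checks what an assertion says before trusting its subject. The following Python, added here as an example and not code from the article or from any SAML product, shows the checks a relying party applies to a SAML 1.1 authentication assertion: trusted issuer, validity window, audience restriction and the presence of an authentication statement with a subject. The identity-provider name, audience URI and the sample assertion are constructed for illustration; the SAML 1.x namespace and element names are the real ones. Verification of the XML Signature on the assertion is assumed to have been done by the caller and is outside this example.

```python
"""Check the security-relevant fields of a SAML 1.1 authentication assertion
before trusting its subject (added example, not from the article). Issuer,
audience and the sample assertion are constructed; XML Signature verification
is assumed to have been done already and is outside this example."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # real SAML 1.x assertion namespace


def q(local: str) -> str:
    """Clark-notation tag for an element in the SAML assertion namespace."""
    return f"{{{SAML_NS}}}{local}"


def parse_instant(s: str) -> datetime:
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionRejected(Exception):
    """The assertion failed a check and must not be used for sign-on."""


def validate_assertion(raw: bytes, trusted_issuers: set, our_audience: str,
                       now: datetime, skew: timedelta = timedelta(seconds=60)) -> str:
    """Return the subject NameIdentifier if every check passes, else raise.

    Checks: SAML version, Issuer in the trusted set, validity window
    (NotBefore / NotOnOrAfter, allowing `skew` of clock drift), an
    AudienceRestrictionCondition naming this service, and an
    AuthenticationStatement with a Subject.
    """
    a = ET.fromstring(raw)
    if a.tag != q("Assertion"):
        raise AssertionRejected("root element is not a SAML Assertion")
    if (a.get("MajorVersion"), a.get("MinorVersion")) != ("1", "1"):
        raise AssertionRejected("unsupported SAML version")
    if a.get("Issuer") not in trusted_issuers:
        raise AssertionRejected(f"untrusted issuer {a.get('Issuer')!r}")

    cond = a.find(q("Conditions"))
    if cond is None:
        raise AssertionRejected("assertion carries no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < parse_instant(nb):
        raise AssertionRejected("assertion not yet valid")
    if noa and now - skew >= parse_instant(noa):
        raise AssertionRejected("assertion expired")
    # This relying party insists on an audience restriction, so an assertion
    # issued for some other service is not accepted here.
    audiences = [x.text.strip() for x in cond.iter(q("Audience")) if x.text]
    if our_audience not in audiences:
        raise AssertionRejected("assertion not addressed to this service")

    stmt = a.find(q("AuthenticationStatement"))
    if stmt is None:
        raise AssertionRejected("no AuthenticationStatement")
    name_id = stmt.find(f"{q('Subject')}/{q('NameIdentifier')}")
    if name_id is None or not (name_id.text or "").strip():
        raise AssertionRejected("Subject has no NameIdentifier")
    return name_id.text.strip()


def check_assertion(raw: bytes, trusted_issuers: set, our_audience: str,
                    now_str: str) -> tuple:
    """Convenience wrapper: ('ok', name) or ('rejected', reason)."""
    try:
        return ("ok", validate_assertion(raw, trusted_issuers, our_audience,
                                         parse_instant(now_str)))
    except AssertionRejected as e:
        return ("rejected", str(e))


# Constructed sample: an assertion from a hypothetical identity provider,
# valid for five minutes and addressed to a hypothetical portal.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_example-assertion-1"
    Issuer="https://idp.example.com" IssueInstant="2003-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2003-06-01T12:00:00Z" NotOnOrAfter="2003-06-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://portal.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2003-06-01T12:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

TRUSTED = {"https://idp.example.com"}
AUDIENCE = "https://portal.example.com"

if __name__ == "__main__":
    for t in ("2003-06-01T12:02:00Z", "2003-06-01T12:30:00Z"):
        print(t, check_assertion(SAMPLE_ASSERTION, TRUSTED, AUDIENCE, t))
```

The order of the checks is deliberate: issuer trust is decided before any field of the assertion is believed, the validity window bounds how long a captured assertion remains useful, and the audience check ensures an assertion issued for one service is not honoured by another. A site that establishes a session without these checks has delegated its sign-on decision to whoever can produce a well-formed XML document.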
Solution Questions to Consider
There are several vendors that offer solutions in this area. Some questions to consider as you review possible vendors’ solutions are: