
Web Services Security - Essay Example

Web services allow access to information on the global internet. The value of web services is well recognized, and not just by managers and executives: it has also not escaped the attention of hackers and cyber-criminals who attempt to damage the system and the organization. Threats to an organization can come from both internal and external sources. Even customers and business partners pose a threat. While the motives may vary, the system is vulnerable to several risks. This paper will examine the technology that has evolved over the years to keep the system secure.

Ratnasingam (2002) points out the advantages of web services over traditional business-to-business applications. He also highlights the security concerns, how the risks occur, the barriers to security, and the role technology plays in combating these concerns. He discusses encryption, HTTP, reliable and conditional messaging, and the use of open standards like XML, SOAP, UDDI and WSDL for security, but he does not address the shortcomings of each of these methods, although he has used the latest technology adopted. Bussler (2003) points out that web services help distinguish two different types of integration because they provide a higher layer of abstraction that hides implementation details from applications (Gao, Hayes & Cai, 2005). They point out that web services integrate existing systems with existing business logic and also integrate existing systems to define new business logic through the integration, but they do not provide a clear picture of how this is done. Even according to Gao et al., security measures like digital signatures and encryption mechanisms enforce quality and standards. Geuer-Pollmann & Claessens (2005) state that core security mechanisms like XML Signature and XML Encryption are directly integrated into XML and provide integrity protection, data origin authentication and service field confidentiality to all applications that use XML for data storage and exchange. They too do not highlight the impact on business applications.

Ardagna, Damiani, Capitiani di Vimercati & Samarati (2004) state that, of the four standards that web services are based on, XML poses the greatest security concerns. HTTPS (i.e., HTTP over the Secure Sockets Layer protocol) can restrict access to authorized users while protecting the confidentiality and integrity of XML messages by encrypting private information, but it cannot provide authorization or interfere in what the user is trying to do. HTTPS is a good solution for strong encryption and for authenticating the server's identity to the client and vice versa. The authors point out the advantages and shortcomings but do not give specific examples of companies using HTTPS. Banks and other organizations where funds are transacted, or where debit or credit cards are used, rely on HTTPS to protect customer security, but the authors have not highlighted this. BBB (2006) does point out that businesses can secure online data and transactions through SSL (Secure Sockets Layer), a technology that applies encryption. Sensitive information traveling over the internet, like debit and credit card numbers, is secured this way, and a number of companies offer this service.

A firewall is another critical component of the web services security architecture. Rowan (2005) says traditional firewalls can provide user authentication and can control access to services, but they cannot scan the information inside the data packets. While the author aims to provide the real security requirement, he concedes that it is not possible to find a single person who understands all three areas: security, network and applications. As he is the principal security consultant, his opinion carries weight. MacPhee & O’Neill (2005) assert that at times companies have to trade off higher security for ease of administration and implementation.
An extranet is a private network that uses web services to share business information or operations with vendors, customers, or partners. It is the intranet extended to users outside the company. An extranet uses firewalls, digital certificates, encryption and VPNs (virtual private networks) for its security and privacy. The security architecture consists of Policy Enforcement Points (PEPs) and Policy Decision Points (PDPs). If the password is authenticated over an SSL link, then it cannot be “sniffed” or replayed. As the user fills out the web forms, the PEP filter in the web server communicates with the PDP server, which decides whether the user has access. This system is perfect for relatively low volumes of traffic per user, but for sending large volumes of data, re-keying it into a web form in a browser is not an attractive option. To send data at 1 am every night, it is not feasible for the user to start the browser every night and fill out forms. For such cases an XML-based interface is a better option.

BBB (2006) strongly feels that firewalls and encryption are not enough to prevent criminals from extracting customer information. They advise that a data security plan has to be in order, and they set out the process or steps that a firm should initiate. According to them, software alone cannot prevent employee error, and the employees have to be trained properly in working with the software, while Siponen (2006) contends that organizing training sessions is not enough. Companies are concerned that the security processes are in place but do not lay stress on how they are actually implemented. He also points out that the security management standards do not provide advice on how to achieve the desired results. Siponen’s contention is realistic because most organizations invest in security standards without fully knowing their potential or putting them to effective use.
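The PEP/PDP flow described above, covering both the browser form and the scheduled XML submission, is sketched here as an added example that is not part of the original essay. The accounts, policy table, XML layout and every function name are assumptions made for illustration, and `over_tls` stands for a flag that the web server would set for requests arriving on an SSL/TLS link.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample accounts, policy and batch document (illustrative only).
SALT = b"demo-salt"
def _h(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 10_000)
USERS = {"partner-batch": ("supplier", _h("s3cret-batch")),
         "alice": ("customer", _h("alice-pw"))}
# PDP policy: permitted (role, resource, action) triples; all else is denied.
POLICY = {("supplier", "orders", "bulk-upload"), ("customer", "orders", "read")}
BATCH = ('<batch resource="orders" action="bulk-upload">'
         '<item sku="A1" qty="5"/><item sku="B2" qty="3"/></batch>')

def pdp_decide(role, resource, action):
    """Policy Decision Point: default-deny policy lookup."""
    return (role, resource, action) in POLICY

def authenticate(user, password):
    """Return the user's role or None; hashes are compared in constant time."""
    role, stored = USERS.get(user, (None, _h("")))
    return role if hmac.compare_digest(stored, _h(password)) else None

def pep_enforce(user, password, resource, action, over_tls):
    """Policy Enforcement Point: runs before a request reaches the application."""
    if not over_tls:  # never accept a password that crossed a cleartext link
        return "DENY: credentials only accepted over SSL/TLS"
    role = authenticate(user, password)
    if role is None:
        return "DENY: authentication failed"
    if not pdp_decide(role, resource, action):
        return f"DENY: {role} may not {action} {resource}"
    return "PERMIT"

def parse_xml_request(doc):
    """XML interface: read resource, action and item count from the body."""
    if "<!DOCTYPE" in doc or "<!ENTITY" in doc:
        raise ValueError("DTDs are not accepted")  # refuse entity definitions
    root = ET.fromstring(doc)
    return root.get("resource"), root.get("action"), len(root.findall("item"))

def nightly_batch(doc, user, password, over_tls=True):
    """Scheduled submission: same PEP/PDP path as the web form, no browser."""
    resource, action, n_items = parse_xml_request(doc)
    verdict = pep_enforce(user, password, resource, action, over_tls)
    return verdict, (n_items if verdict == "PERMIT" else 0)
```

The form handler and the nightly job both go through `pep_enforce`, so the access decision stays in one place whichever interface the partner uses.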
Even when security standards are put to effective use, Singh (2006), discussing Maruti Udyog, India, points out that the lifecycle of the equipment is very short, and keeping it all running at the same time is a big challenge. A company may invest heavily in a network platform, but after six months support is no longer available because technology has advanced. If the platform is upgraded, other platforms bought two years ago will not be compatible with it.

Securing XML poses a variety of problems, and XML is vulnerable to a variety of attacks. There are too many web services security vendors, and they have to advertise their messages in the right manner (Rowan). In the web services world all the vendors have to agree to a standard, but different groups have emerged. Backlash and copious reports about each other can be found, although all are working towards ratifying the standards. Machine-to-machine communication poses a threat. Web services security can verify the origin of the messages, but this requires that all members of the group be known to each other. This ensures participation only by invitation and restricts it to known sources.

Most business systems have a built-in security system. Every business wants to use web services and extend them beyond the boundaries of its organization. This creates new security demands and calls for new solutions. Research of the available literature suggests that technology is being upgraded regularly. It is possible to keep web services secure, although for small organizations it may be costly. Most importantly, the web security vendors have to agree to a standard. Most web services have security packages built in, while Microsoft also allows free downloads. Nevertheless, as technology develops, so do the efforts and technology of hackers and cyber-criminals. A data breach resulting from weak security practices can result in lawsuits from federal and state agencies. This can in turn erode business equity, consumer trust and ultimately the business reputation.

References:

Ardagna, C. A. Damiani, A. Capitiani di Vimercati, S. & Samarati, P. (2004), A Web Service Architecture for Enforcing Access Control Policies, Electronic Notes in Theoretical Computer Science, Volume 142, 3 January 2006, Pages 47-62

BBB (2006), Security & Privacy —Made Simpler, 13 Oct 2006

Bussler, C. (2003), Semantic Web Services: reflection on Web Service mediation and composition, Proceedings of the Fourth International Conference on Web Information Systems Engineering (WISE’03), Computer Society.

Gao, H. T. Hayes, J. H. & Cai, H. (2005), Integrating Biological Research through Web Services, IEEE Computer Society.

Geuer-Pollmann, C. & Claessens, J. (2005), Web services and web service security standards, Information Security Technical Report, Volume 10, Issue 1, 2005, Pages 15-24

IBM-Microsoft (2002), Security in a Web Services World: A Proposed Architecture and Roadmap, 30 Sep 2006

MacPhee, A. & O’Neill, M. (2005), Notes from the field: Implementing a security solution for Web Services, Information Security Technical Report, Volume 10, Issue 1, 2005, Pages 25-32

Moses, T. (2004), Security in a Web Services World, 30 Sep 2006

Ratnasingam, P. (2002), The importance of technology trust in web services security, Information Management & Computer Security, Vol. 10 No. 5 2002 pp. 255-260

Rowan, L. (2005), Security in a Web services world, Network Security, Volume 2005, Issue 6, June 2005, Pages 7-10

Singh, A (2006), CIO/CTO SPEAK MARUTI UDYOG, 13 Oct 2006

Siponen, M. (2006), Information Security Standards Focus on the Existence of Process, Not Its Content, Communications of the ACM, Vol. 49 No. 8