by Mandy Andress

The road to secure Web services

analysis
Jan 10, 2002 | 5 mins

Traditional means of securing e-commerce can be used, but better methods are in the works

Web services are primed to be the next big development for Internet-based applications and transactions. As with any new technology, security eventually surfaces in the discussion — and Web services are no different. After all, the aim of Web services, which is to seamlessly integrate systems and applications that communicate over a network, will often allow access to sensitive information by unknown parties.

Although Web services are new, the main tenets of security never change. Any security solution for Web services should provide five things: authentication, authorization, confidentiality, integrity, and nonrepudiation. Users should be identified, whether through a basic user ID and password combination, or something a little stronger such as a digital certificate. Once a user is identified and authenticated, any request he makes should be authorized; the user should be granted the rights and permissions to perform the requested task. Additionally, any sensitive information should remain confidential throughout the entire process and data should not be altered in transit, retaining its original integrity. Once an order is placed or a request is made, nonrepudiation measures should be in place to prevent anyone from denying the order or request after the fact.

Security solutions exist for Web services, but many are not new. In fact, many security solutions for Web services today use technology that has been used for several years to secure e-commerce sites. A few new developments are under way, however, and many more will surface as the Web services market grows.

At the most basic level, Web services security can use a user ID and password for authentication, access control lists or file permissions for authorization, message digests for integrity, and SSL (Secure Sockets Layer) encryption for confidentiality. Digital signatures and time stamps can be used for nonrepudiation, but implementing these is a very complex task.

The solutions that can be implemented easily today do not provide a strong enough security infrastructure for such a critical architecture as Web services. Authentication with a user ID and password — or e-mail address in the case of Microsoft’s Passport — is trivial to crack if the communication is not encrypted. As a result, many solutions use SSL to encrypt network traffic, but SSL has its own problems. Most importantly, SSL greatly slows down the transaction process by utilizing massive amounts of CPU time for its encryption calculations. SSL accelerators can speed up this process, but they are often costly.

Another issue with SSL is that it does not provide end-to-end security. If a transaction passes through intermediary systems, such as a credit verification system or a smart gateway, there is really no way to tell whether the data was maliciously altered. Additionally, user credentials cannot be easily passed through each stop in the transaction chain, potentially hindering the success of the transaction and precluding the ability to log who initiated the transaction at each step in the process.

The next generation

New solutions are being developed, however, to provide better security that caters to Web services. Microsoft is implementing Kerberos in Passport to provide stronger authentication. In competition with Microsoft, the Liberty Alliance is developing a less centralized authentication model, but specifics have not yet been defined. Vendors such as Oblix and Netegrity are developing solutions to manage user credentials, which will help interoperability among the various Web services platforms.

Support for additional authentication and authorization solutions is also being developed. Smart cards and biometrics can be used to provide strong authentication. Plus, authentication frameworks are being developed to provide granular control over the authentication process.

Several developments on the XML front will provide more control than simply using SSL. The XML Signature specification defines how to represent digital signatures in XML, providing the capability to digitally sign entire documents or sections of documents. XML Encryption defines how to encrypt and decrypt documents, whether in their entirety or by section. And XKMS (XML Key Management Specification) defines how to register and distribute public keys, addressing the key distribution problems in transactions where the parties have not previously communicated.
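The sketch below is an added example, not code from the original article. It shows the end-to-end gap described earlier for SSL and how signing one section of a message lets the final receiver detect a change made at an intermediary. It substitutes a shared-key HMAC over the canonicalized section for a real XML Signature, so it demonstrates integrity only, not nonrepudiation; the element names, key and order are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: key known only to the originator and the final receiver.
# A real XML Signature would normally use a private key, not an HMAC secret.
SHARED_KEY = b"constructed-demo-key"

# Constructed sample order; element names are hypothetical.
ORDER = ('<Envelope><Header><Route>client</Route></Header>'
         '<Body><Order id="o1"><Item>widget</Item><Amount>100.00</Amount></Order></Body>'
         '</Envelope>')

def _mac_of_section(section):
    """HMAC-SHA256 over the canonical (C14N) form of one element."""
    canonical = ET.canonicalize(ET.tostring(section, encoding="unicode"))
    return hmac.new(SHARED_KEY, canonical.encode(), hashlib.sha256).hexdigest()

def sign_order(envelope_xml):
    """Originator: sign only the <Order> section and carry the MAC in the header."""
    root = ET.fromstring(envelope_xml)
    mac = ET.SubElement(root.find("Header"), "OrderMac")
    mac.text = _mac_of_section(root.find("Body/Order"))
    return ET.tostring(root, encoding="unicode")

def gateway(envelope_xml, new_amount=None):
    """Intermediary: ends the transport hop, adds routing data, may alter the body."""
    root = ET.fromstring(envelope_xml)
    root.find("Header/Route").text += ",gateway"
    if new_amount is not None:
        root.find("Body/Order/Amount").text = new_amount
    return ET.tostring(root, encoding="unicode")

def verify_order(envelope_xml):
    """Final receiver: recompute the MAC over <Order>, compare in constant time."""
    root = ET.fromstring(envelope_xml)
    claimed = root.findtext("Header/OrderMac", default="")
    return hmac.compare_digest(claimed, _mac_of_section(root.find("Body/Order")))

def demo():
    """Return (honest gateway verifies, altered amount verifies)."""
    signed = sign_order(ORDER)
    return verify_order(gateway(signed)), verify_order(gateway(signed, "1.00"))

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The gateway's routing update in the header leaves the check intact because only the `Order` section is covered, while the altered amount fails verification even though each network hop could have been SSL-protected.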

SAML (Security Assertion Markup Language) is an XML-based mechanism to exchange authentication and authorization information. SAML will provide single sign-on capabilities to Web services, allowing a user to authenticate once and be able to access multiple applications.

Finally, no security architecture is complete without policies. XACML (Extensible Access Control Markup Language) specifies how to express policies for information access via a network.

Web services are complex, and this article has merely scratched the surface of related security issues. For example, we did not even touch on many of the server-side issues, such as how to prevent malicious code from being executed. Although new developments will make Web services more secure, the real answer to good security is always the same: Defined security policies and proper implementation, administration, and maintenance are key to the success of any security infrastructure.