| dc.description.abstract | Web Service security is an ongoing battle. On one side are those who want to break into the service providers system, either for fun or for some advantage to themselves or their organization. On the other side are people who are putting up defences to prevent these break-ins. This ongoing battle results in continuing changes to security solutions. Another dimension is that there is an evolving set of security requirements, such as giving a new group of outsiders controlled access to the system for e-business purposes. The breadth of information security in Web Services applications is broader than one might expect. Web Services change the risk levels associated with deploying software because of the increased ability to access data, and as a consequence, security is becoming an important design issue for any for any e-business software component, and the security solution depends on the security mechanisms available on the selected application platform. In this work it has been shown that applications requiring Web Security services can utilize a unified architecture. Authentication, authorization, administration and cryptography security services can be provided by a lightweight but strong architecture common to most applications.
Security of Web Services is still under the ongoing working draft by the OASIS WS-Sec Technical Committee. There are some implementations provided by Microsoft, Verisign, IBM Sphere, BEA, etc. The use of new and emerging security standards such as XML Signature, XML Encryption/Decryption, WS-security and SAML is both a benefit and a threat for the Web Services application. The implementation of such service might face major obstacles because of a continuous changes in the specifications. In addition, the specifications are often too complicated, which indicates misunderstandings and implementations that possibly will not interoperate. To avoid this type of problems the specifications of the standard bodies should be written more tightly and include more examples addressing practical use cases. In the future, the new security standards will certainly be dominating the Web Services on the Internet and may be a good investment.
In this work, an assessment of the various security concerns and implications for Web Services, and the different means to address them with a focus on security standards have been provided. Standard bodies W3C, OASIS, and other industry leaders are intensively reviewing security techniques and models to ensure the protection of exposed critical business data and processes in a standard way. Technologies to secure Web Services at the transport level and at the XML level play a crucial role when designing and developing the security architecture of services on the Internet. These include the emerging XML security standards such as XML Digital Signatures, XML Encryption/Decryption, Security Assertions Markup Language, WS-Security and long-accepted standards such as SSL and Kerberos. Each of them addresses various aspects of the security requirements for authentication, authorization, confidentiality, integrity and non-repudiation. Standards are fine and extremely important to achieve interoperability among different security implementations, though there still does not exist a clear way to combine them in order to compose a comprehensive end-to-end security framework. In the absence of such Web Services implementers are turning to specific products and vendors to address critical security needs. The Web Services security challenges include interoperability problems (between tiers, between security technologies, processing domains, that is, corporate enterprises or business units), lack of sufficiently detailed specifications, overlap and redundancy among specifications, and a high total cost of implementation. The specifications are important for security because, in these area more than any other, it is needed to use the techniques that have been designed and tested by independent security professionals and that have withstood the assaults of these professionals for some time. Security is complex. It requires the skill and experience of professionals to design a model to avoid vulnerabilities. Web Services will take a long time before the full security implications are understood and then resolved. For the time being I recommend, to have a Microsoft strategy, because Microsoft will promote its own security products and strategies and will inevitably be successful in acquirement of various users. In general, it seems that the security specifications are moving in the right direction and addressing the right problems, but that they still have a way to go to be practically applicable. | nor |