The pervasive reach and platform-agnostic nature of Web Services demand a security framework that lets enterprises secure and control access to applications and data without impeding the exchange of data on which successful Web Services depend.
Web Services Security Requirements
Let’s begin by defining some core security services that are fundamental to end-to-end application security across multitier applications. They are:
- Authentication. Verifies that principals (human users, registered system entities, and components) are who they claim to be. The result of authentication is a set of credentials, which describes the attributes (for example, identity, role, group, and clearance) that may be associated with the authenticated principal.
- Authorization. Grants permission for principals to access resources, providing the basis for access control, which enforces restrictions of access to prevent unauthorized use. Access controls ensure that only authorized principals may modify resources and that resource contents are disclosed only to authorized principals.
- Cryptography. Provides cryptographic algorithms and protocols for protecting data and messages from disclosure or modification. Encryption provides confidentiality by encoding data into an unintelligible form with a reversible algorithm, which allows the holder of the decryption key(s) to decode the encrypted data. A digital signature provides integrity by applying cryptography to ensure that data is authentic and has not been modified during storage or transmission.
- Accountability. Ensures that principals are accountable for their actions. Security auditing provides a record of security-relevant events and permits the monitoring of a principal’s actions in a system. Nonrepudiation provides irrefutable proof of data origin or receipt.
- Security administration. Defines the security policy maintenance life cycle embodied in user profiles, authentication, authorization, and accountability mechanisms as well as other data relevant to the security framework.
All security services must be trustworthy and provided with adequate assurance. That is, there must be confidence that security services have been implemented correctly, reliably, and without relying on the secrecy of proprietary mechanisms.
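To show how the first four services above fit together at a service boundary, here is an added example (not code from the original article) of a minimal request gateway: it authenticates a caller by verifying a message authentication code, derives credentials (identity and roles), authorizes the requested operation against an access-control policy, and writes an audit record for every decision. The principals, secrets and policy table are constructed sample data. Note that the HMAC used here stands in for the digital signature the article describes: it gives integrity and origin authentication to a party holding the shared secret, but not nonrepudiation, which requires an asymmetric signature so that only the originator could have produced it.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: per-principal shared secrets and attributes.
# In a real deployment these come from an identity store, not source code.
PRINCIPALS = {
    "alice": {"secret": b"alice-demo-secret", "roles": {"clerk"}},
    "bob":   {"secret": b"bob-demo-secret",   "roles": {"auditor", "clerk"}},
}

# Constructed access-control policy: resource -> operation -> roles allowed.
POLICY = {
    "orders": {"read": {"clerk", "auditor"}, "write": {"clerk"}},
    "ledger": {"read": {"auditor"},          "write": set()},
}

AUDIT_LOG = []  # accountability: one record per security-relevant decision


@dataclass
class Credentials:
    """Result of authentication: attributes bound to the verified principal."""
    identity: str
    roles: set = field(default_factory=set)


def canonical(body: dict) -> bytes:
    # Deterministic serialization so signer and verifier MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(principal: str, body: dict) -> str:
    """Caller side: HMAC-SHA256 over the canonical body with the caller's secret."""
    secret = PRINCIPALS[principal]["secret"]
    return hmac.new(secret, canonical(body), hashlib.sha256).hexdigest()


def authenticate(message: dict) -> Optional[Credentials]:
    """Verify the MAC; return credentials on success, None on any failure."""
    principal = message.get("principal")
    entry = PRINCIPALS.get(principal)
    if entry is None:
        return None
    expected = hmac.new(entry["secret"], canonical(message.get("body", {})),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking information through timing differences
    if not hmac.compare_digest(expected, message.get("signature", "")):
        return None
    return Credentials(identity=principal, roles=set(entry["roles"]))


def authorize(creds: Credentials, resource: str, operation: str) -> bool:
    """Access control: the principal needs at least one role the policy allows."""
    allowed = POLICY.get(resource, {}).get(operation, set())
    return bool(creds.roles & allowed)


def audit(principal, resource, operation, outcome):
    AUDIT_LOG.append({"principal": principal, "resource": resource,
                      "operation": operation, "outcome": outcome})


def handle(message: dict) -> str:
    """Gateway decision: authenticate, then authorize, recording each outcome."""
    body = message.get("body", {})
    resource, operation = body.get("resource"), body.get("operation")
    creds = authenticate(message)
    if creds is None:
        audit(message.get("principal"), resource, operation, "AUTH_FAILED")
        return "AUTH_FAILED"
    if not authorize(creds, resource, operation):
        audit(creds.identity, resource, operation, "DENIED")
        return "DENIED"
    audit(creds.identity, resource, operation, "ALLOWED")
    return "ALLOWED"


def make_message(principal: str, resource: str, operation: str) -> dict:
    body = {"resource": resource, "operation": operation}
    return {"principal": principal, "body": body, "signature": sign(principal, body)}


if __name__ == "__main__":
    print(handle(make_message("alice", "orders", "write")))  # ALLOWED
    print(handle(make_message("alice", "ledger", "read")))   # DENIED: no auditor role
    tampered = make_message("alice", "orders", "read")
    tampered["body"]["operation"] = "write"                  # modified after signing
    print(handle(tampered))                                  # AUTH_FAILED: MAC mismatch
    for record in AUDIT_LOG:
        print(record)
```

The ordering matters: authorization is only evaluated on credentials that authentication produced, so a tampered message is rejected before the policy is consulted, and the audit log records the failed attempt against the claimed identity rather than silently dropping it.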