
Managing Web Services Security

Kenny Khoo, [email protected]

Lina Zhou, [email protected]

University of Maryland Baltimore County, USA

AMCIS 2004, NY

August 8, 2004, Managing Web Services Security, AMCIS 2004

Agenda

- Why is this Important?
- Web Services Standards
- Web Services Security Challenges
- Web Services Security Standards
- Meeting Business Needs
- Additional Considerations
- Questions

Why is this Important?

- Momentum to adopt web services: need for loose coupling, discoverable, platform independent, and expressible with a self-describing interface
- 75% of senior IT executives plan to roll out Web Services (Netegrity, 2003)
- Traditional security standards such as SSL, VPN, IPSec etc. are not able to address the new challenges of Web services

Web Services Standards

Web services typically consist of four main components:
- Web service consumer
- Web service provider
- Business agreement
- Web Service Registry

Web Services Standards

- Simple Object Access Protocol (SOAP) is an XML-based messaging protocol for building and exchanging distributed, structured information in a decentralized and distributed environment. Three parts to SOAP: an envelope, a set of encoding rules, and a convention representing RPC and responses
- Web Services Description Language (WSDL) is a standard XML-based vocabulary used to describe web services
- Universal Description, Discovery and Integration (UDDI) protocol is used to publish web services. Enables businesses to dynamically discover and interact with one another independent of the platform.

Web Services Architecture

[Diagram: Web Service Consumers, Web Service Providers and a Web Service Registry. The consumer searches the registry for Web Services and the registry returns WSDL documents; the provider publishes Web Services to the registry; consumer and provider exchange SOAP requests and SOAP responses under a Business Agreement.]

Safety of Information Exchange

[Diagram: five security properties surrounding "Safety of Information Exchange": Integrity, Confidentiality, Non-Repudiation, Authorization, Authentication.]

Weaknesses of Traditional Web Security

- Information integrity provides the assurance that messages are not modified deliberately or accidentally during transit. Point to point is not end to end
- SSL is designed to encrypt the entire document
- Current corporate firewalls can only filter at the packet level but not at the content level
- SOAP uses port 80 which is the same as that used by HTTP

Web Services Security Challenges

- Support single sign-on schemes. Without such mechanisms in place, each trading partner has to maintain its own authentication and authorization, which may greatly compromise the convenience of Web services.
- Consider the security implications of supporting multiple devices (e.g. Personal Digital Assistants, 3G cell phones). For example, wireless standards such as GSM and WAP do not offer end-to-end security
- Ensure confidentiality and integrity of the transactions in a multi-step process.

Web Services Security Challenges (cont.)

- Need to secure only portions of documents
- Authorization policies are difficult to implement for long duration operations
- Web Services require a finer-grained security protocol
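Added illustration (not from the slides) of "point to point is not end to end" and of securing only a portion of a document: an HMAC over the SOAP Body alone, with a toy canonicalization standing in for XML Signature's C14N and public-key signature, so that a hop such as MyShipping.com can add its own header and re-serialize the envelope while the recipient's check still passes, and any change to the protected Body fails. The namespace, order contents and shared key are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SHOP_NS = "urn:example:myshopping"  # constructed namespace, not a real WS-* URI
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("shop", SHOP_NS)
# Constructed purchase order for the MyShopping.com scenario on the slides.
ORDER = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:shop="{SHOP_NS}">
  <soap:Header/>
  <soap:Body>
    <shop:PurchaseOrder>
      <shop:Item sku="SKU-1001" quantity="1"/>
      <shop:ShipTo>Joe Shopper, 1 Main St</shop:ShipTo>
    </shop:PurchaseOrder>
  </soap:Body>
</soap:Envelope>"""

def canon(el):
    """Toy stand-in for XML C14N: Clark-notation tag, sorted attributes, stripped
    text, then children, so a hop re-serializing with other prefixes changes nothing."""
    attrs = "".join(f' {k}="{v}"' for k, v in sorted(el.attrib.items()))
    kids = "".join(canon(c) for c in el)
    return f"<{el.tag}{attrs}>{(el.text or '').strip()}{kids}</{el.tag}>"

def body_mac(root, key):
    body = root.find(f"{{{SOAP_NS}}}Body")
    return hmac.new(key, canon(body).encode(), hashlib.sha256).hexdigest()

def sign_body(envelope_xml, key):
    """Authenticate only the Body; the Header stays free for intermediaries."""
    root = ET.fromstring(envelope_xml)
    sec = ET.SubElement(root.find(f"{{{SOAP_NS}}}Header"), f"{{{SHOP_NS}}}BodyMAC")
    sec.text = body_mac(root, key)
    return ET.tostring(root, encoding="unicode")

def verify_body(envelope_xml, key):
    """Recipient recomputes the MAC over the Body; unsigned messages fail closed."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{SOAP_NS}}}Header/{{{SHOP_NS}}}BodyMAC")
    if sec is None or root.find(f"{{{SOAP_NS}}}Body") is None:
        return False
    return hmac.compare_digest(body_mac(root, key), sec.text or "")

def route_via_intermediary(envelope_xml):
    """Legitimate hop (e.g. MyShipping.com) adds a routing header and re-serializes."""
    root = ET.fromstring(envelope_xml)
    ET.SubElement(root.find(f"{{{SOAP_NS}}}Header"), f"{{{SHOP_NS}}}RoutedVia").text = "MyShipping.com"
    return ET.tostring(root, encoding="unicode")

def tamper_quantity(envelope_xml, new_qty):
    """Modification of the protected Body somewhere along the path."""
    root = ET.fromstring(envelope_xml)
    root.find(f".//{{{SHOP_NS}}}Item").set("quantity", str(new_qty))
    return ET.tostring(root, encoding="unicode")

def demo(key=b"constructed-shared-secret"):
    signed = sign_body(ORDER, key)
    return {
        "signed": verify_body(signed, key),                             # True
        "after_hop": verify_body(route_via_intermediary(signed), key),  # True
        "tampered": verify_body(tamper_quantity(signed, 100), key),     # False
        "unsigned": verify_body(ORDER, key),                            # False
    }
```

A transport-only control such as SSL would have protected each hop's connection but not the Body across MyShipping.com's re-serialization; the element-level check does.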

Web Services Security Standards

[Diagram: layered stack of standards, XML frameworks in the left column and non-XML frameworks in the right, from top to bottom:]
- High-Level Security Frameworks (SAML, XrML, XACML etc.)
- WS-Security, Simple Object Access Protocol, XML Signature, XML Encryption, XML Firewall, XKMS
- Transport-Level Security/Secure Socket Layer (TLS/SSL)
- Transport Layer (HTTP, FTP, SMTP, etc.)
- Transmission Control Protocol and Internet Protocol (TCP/IP)

(This list is not all inclusive)

Web Services Scenario

[Diagram: Joe Shopper, the Web Service Consumer, exchanges SOAP messages with MyShopping.com (Purchasing Web Service), MyShipping.com (Shipping Web Service) and MyBilling.com (Billing Web Service), the Web Service Providers; Authentication and an XML Firewall are marked on the path of the SOAP messages.]
- SOAP Security: WS-Security, XML-Signature, XML Encryption, SAML, etc.
- Transport Security: Basic authentication, SSL

Meeting Business Needs

- Security considerations must be customized to meet business needs
- The focus should be placed on reducing the exposure and spread of risk
- Not uncommon for managers to implement more than one of the above standards

Meeting Business Needs

XML Standard            Security Goals
WS-Security             Authentication, Confidentiality
SAML                    Authentication
XML Digital Signature   Authentication, Integrity, Non-repudiation, Audit, Trust
XML Encryption          Confidentiality, Integrity
XKMS                    Confidentiality, Non-repudiation, Audit, Integrity, Trust
XACML                   Authorization
XrML                    Authorization

Conclusion

- Traditional security infrastructure can still be used
- A number of emerging standards – selection is not a random walk
- Need to strategically choose solutions
- Need to combine multiple standards
- Web Services security must be integrated into the overall security plan of the firm

Questions

Additional Considerations

- Financial considerations. Gartner predicts that in 2004, sales in the Web services market are expected to grow to $28 billion (Gartner, 2002). However, a breach in corporate data integrity will have serious financial impact.
- Legislative Compliance. Government legislation increasingly requires that consumer data are not revealed without the permission of their owner. HIPAA is expected to cost the healthcare industry at least $3.8 billion between 2003 and 2008 (Beaver and Herold, 2003).
- Privacy. Using SOAP messages, data are increasingly being exposed as they move over the insecure Internet. Any breach of data privacy may result in the loss of trust from consumers and business partners.

References

Beaver, K. and Herold, R. (2003) Chapter 3, HIPAA Cost Considerations, The Practical Guide to HIPAA Privacy and Security Compliance, Auerbach Publications.

Baldwin, A., Shiu, S. and Mont C, M. (2002) Trust Services: A framework for service-based solutions, Proceedings of the 26th Annual International Computer Software and Applications Conference (COMPSAC'02).

Chang, S., Chen, Q. and Hsu, M. (2003) Managing Security Policy in a Large Distributed Web Services Environment, Proceedings of the 27th Annual International Computer Software and Applications Conference (COMPSAC'03), 617–622.

Chen, M. (2003) An Analysis of the Driving Forces for the Adoption of Web Services, e-biz Web Workshop, Dec 13–14, Seattle, WA.

Claessens, J., Preneel, B. and Vandewalle, J. (2001) Combining World Wide Web and Wireless Security, Informatica 26, pp. 123–132.

Gartner (2002) Gartner Says Web Services Will Dominate Deployment of New Application Solutions for Fortune 2000 Companies by 2004, January 14, 2002.

Hanna, J. (2003) Web Services, Feb 3, 2003. Available on the internet at http://hbsworkingknowledge.hbs.edu/pubitem.jhtml?id=3285&sid=-1&t=special_reports_cyber2003

Kaler, C. (2002) WS-Security. Available on the internet at http://www-106.ibm.com/developerworks/webservices/library/ws-secure/

Long, J., Yuan, M. and Whinston, A. (2003) Securing a New Era of Financial Services, IT Pro, July/August 2003, 15–21.

Morioka, M., Yonemoto, Y., Suzuki, T. and Etoh, M. (2003) Scalable Security Description Framework for Mobile Web Services, IEEE International Conference on Communications, 804–808.

Naedele, M. (2003) Standards for XML and Web Services Security, Computer, 36, 4, 96–98.

Nakamura, Y., Hada, S. and Neyama, R. (2002) Towards the integration of Web Services Security on Enterprise Environments, Proceedings of the 2002 Symposium on Applications and the Internet (SAINT'02w), 166–175.

Netegrity (2003) "Netegrity Web Services Survey Result", Dec 08, 2003. Available on the internet at http://www.netegrity.com/txmindersurvey/TxMSurveyAnalysis.html

OASIS (2003) SAML Version 1.1. Available on the internet at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

Reagle, J. (2002) XML Encryption Requirements, W3C. Available on the internet at http://www.w3.org/TR/xml-encryption-req

UDDI (2001) UDDI Executive White Paper, Nov. 14, 2001. Available on the internet at http://www.uddi.org/pubs/UDDI_Executive_White_Paper.pdf

W3Ca, XML Signature Syntax and Processing, February 2002. Available on the internet at http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/

W3Cb, Web Services Activity, January 2002. Available on the internet at http://www.w3.org/2002/ws/

Xu, H., Seltsikas, P. and O'Keefe, B. (2003) The Implications of Web Services Innovation for General Adopters: Findings and Recommendations, Proceedings of the Second Workshop on e-Business (Web), Dec. 13–14, 2003, Seattle, WA.

Thank You!

Kenny Khoo, [email protected]
Lina Zhou, [email protected]
University of Maryland Baltimore County, USA
AMCIS 2004, NY

Supplementary Information

- Benefits of Web Services
- Comparing traditional E-business with Web Services
- What is REST?

Benefits of Web Services

- Improving Innovation and Learning
  - Information Sharing and Collaboration
  - Organizational Agility
- Improving Internal Business Processes
  - Process Automation and Acceleration
  - Interoperability and Integration
  - Process Design
- Improving Customer Value
  - Customer Intimacy
  - Customer Retention
  - Customer Value
- Improving Shareholder Value
  - Operating Costs
  - Revenue

Source: Huang, C.D. and Hu, Q., Integrating Web Services with Competitive Strategies: The Balanced Scorecard Approach, CAIS, 13, 2004, 57-80.

Comparison of Traditional E-Business to Web Services

Traditional                                  Web Services
Centralized                                  Decentralized
Contained and Controlled                     Open and unmonitored
Limited, defined user base                   Unknown, unlimited user base
Secure (risk minimized)                      Exposed (open to random events)
Proprietary                                  Shared
Fixed, well-defined, compiled                Built dynamically, on-the-fly
Incremental scale based on known demand      Unlimited scale, based on unknown, unpredictable demand
Staged, periodic changes                     Continuous, ad hoc changes

Source: Ratnasingam, P., The Importance of Technology Trust in Web Services Security, 2002, 255-260

What is REST?

- Representational State Transfer, two core specifications: URIs and HTTP
- Developed in a doctorate dissertation in 2000 by Roy Fielding, Chief Scientist, Day Software
- Architecture based on components already in place
- Problem is nobody is marketing it! More info on the RESTwiki site: http://rest.blueoxen.net/cgi-bin/wiki.pl?FrontPage#nid6W

SOAPy Problems

- Runs on HTTP and therefore inherits any problems in HTTP implementations
- SOAP is designed to slip through firewalls as HTTP
- Uses port 80