Managing Web Services Security
Kenny Khoo ([email protected])
Lina Zhou ([email protected])
University of Maryland Baltimore County, USA
AMCIS 2004, NY
August 8, 2004 - Managing Web Services Security, AMCIS 2004
Agenda
- Why is this Important?
- Web Services Standards
- Web Services Security Challenges
- Web Services Security Standards
- Meeting Business Needs
- Additional Considerations
- Questions
Why is this Important?
- Momentum to adopt web services
- Need for loosely coupled, discoverable, platform-independent services that are expressible with a self-describing interface
- 75% of senior IT executives plan to roll out Web Services (Netegrity, 2003)
- Traditional security standards such as SSL, VPN, IPSec, etc. are not able to address the new challenges of Web services
Web Services Standards
Web services typically consist of four main components:
- Web service consumer
- Web service provider
- Business agreement
- Web Service Registry
Web Services Standards
- Simple Object Access Protocol (SOAP) is an XML-based messaging protocol for building and exchanging distributed, structured information in a decentralized and distributed environment. SOAP has three parts: an envelope, a set of encoding rules, and a convention for representing RPCs and responses.
- Web Services Description Language (WSDL) is a standard XML-based vocabulary used to describe web services.
- Universal Description, Discovery and Integration (UDDI) protocol is used to publish web services. It enables businesses to dynamically discover and interact with one another independent of the platform.
Web Services Architecture
[Figure: Web Service Consumers search the Web Service Registry for Web Services and receive WSDL documents; consumers send SOAP requests to Web Service Providers and receive SOAP responses; providers publish Web Services to the registry; a Business Agreement links consumers and providers.]
[Figure: Safety of Information Exchange rests on Integrity, Confidentiality, Non-Repudiation, Authorization and Authentication.]
Weaknesses of Traditional Web Security
- Information integrity provides the assurance that messages are not modified deliberately or accidentally during transit. Point-to-point protection is not end-to-end protection.
- SSL is designed to encrypt the entire document
- Current corporate firewalls can only filter at the packet level, not at the content level
- SOAP uses port 80, which is the same as that used by HTTP
Web Services Security Challenges
- Support single sign-on schemes. Without such mechanisms in place, each trading partner has to maintain its own authentication and authorization, which may greatly compromise the convenience of Web services.
- Consider the security implications of supporting multiple devices (e.g. Personal Digital Assistants, 3G cell phones). For example, wireless standards such as GSM and WAP do not offer end-to-end security.
- Ensure confidentiality and integrity of the transactions in a multi-step process.
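The single sign-on challenge above, worked through as an added example (this is not code from the slides or from any SAML toolkit). One identity provider authenticates Joe Shopper once and issues a SAML-style assertion; the trading partners MyShipping.com and MyBilling.com only verify assertions instead of each keeping its own credential store. Assumptions: an HMAC key shared between the issuer and each partner stands in for the public-key XML Signature that real SAML uses, claims travel as JSON rather than SAML XML, and every name, key and clock value is constructed.

```python
"""Single sign-on across trading partners via an issuer-signed assertion.

Added example; not code from the AMCIS 2004 slides. An HMAC key shared between
the issuer and each partner stands in for SAML's public-key XML Signature, and
a JSON claim set stands in for the SAML assertion XML. Names, keys and the
clock value are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json

ISSUER = "idp.example"  # constructed identity-provider name

# Constructed: one key per relying party, known only to the issuer and that party.
PARTNER_KEYS = {
    "myshipping.example": b"idp-to-shipping-demo-key",
    "mybilling.example": b"idp-to-billing-demo-key",
}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject, audience, now, ttl=300):
    """Identity provider: after authenticating `subject` once, mint an assertion
    bound to a single audience and valid for `ttl` seconds."""
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(PARTNER_KEYS[audience], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_assertion(token, my_name, my_key, now):
    """Relying party: return the authenticated subject, or None. The MAC is
    checked before any claim is trusted; issuer, audience and lifetime are then
    enforced so a token minted for one partner cannot be replayed at another."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(my_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != my_name:
        return None
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    return claims.get("sub")


def sso_walkthrough():
    """Joe Shopper logs in once. MyShipping.com accepts the assertion; the same
    token is rejected by MyBilling.com, after expiry, and with altered claims."""
    now = 1_700_000_000  # constructed fixed clock so results are reproducible
    shipping, billing = "myshipping.example", "mybilling.example"
    token = issue_assertion("joe.shopper", shipping, now)
    # Same MAC, different claims: the relying party must notice.
    forged_claims = json.dumps({"iss": ISSUER, "sub": "admin", "aud": shipping,
                                "iat": now, "exp": now + 300},
                               sort_keys=True, separators=(",", ":")).encode()
    forged = _b64(forged_claims) + "." + token.split(".")[1]
    return {
        "shipping_accepts": verify_assertion(token, shipping, PARTNER_KEYS[shipping], now + 10),
        "billing_rejects": verify_assertion(token, billing, PARTNER_KEYS[billing], now + 10),
        "expired": verify_assertion(token, shipping, PARTNER_KEYS[shipping], now + 301),
        "forged": verify_assertion(forged, shipping, PARTNER_KEYS[shipping], now + 10),
    }


if __name__ == "__main__":
    for check, result in sso_walkthrough().items():
        print(f"{check}: {result}")
```

The audience check is what keeps the convenience of single sign-on from turning into a single point of compromise: a partner accepts only assertions minted for it, so a token captured at one partner is worthless at another, and the short lifetime bounds how long a captured token stays useful at the partner it was issued for.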
Web Services Security Challenges (cont.)
- Need to secure only portions of documents
- Authorization policies are difficult to implement for long-duration operations
- Web Services require a finer-grained security protocol
Web Services Security Standards
Layered from top to bottom:
XML Frameworks:
- High-Level Security Frameworks (SAML, XrML, XACML, etc.)
- WS-Security, Simple Object Access Protocol, XML Signature, XML Encryption, XML Firewall, XKMS
Non-XML Frameworks:
- Transport-Level Security/Secure Socket Layer (TLS/SSL)
- Transport Layer (HTTP, FTP, SMTP, etc.)
- Transmission Control Protocol and Internet Protocol (TCP/IP)
(This list is not all inclusive)
Web Services Scenario
[Figure: Joe Shopper (a Web Service Consumer) exchanges SOAP messages with MyShopping.com (Purchasing Web Service), which in turn exchanges SOAP messages with MyShipping.com (Shipping Web Service) and MyBilling.com (Billing Web Service), the Web Service Providers. Authentication takes place at an XML Firewall in front of the providers. SOAP security: WS-Security, XML Signature, XML Encryption, SAML, etc. Transport security: Basic authentication, SSL.]
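The scenario above ties together two earlier points: the "Weaknesses of Traditional Web Security" slide (point-to-point protection is not end-to-end protection) and the challenge of securing only portions of a document. The following added example (not code from the slides) walks the order through the chain: Joe Shopper signs only the SOAP Body, MyShopping.com forwards the message over a fresh transport hop and adds a routing header, and MyShipping.com verifies the Body against the shopper's key regardless of what the intermediary did. Assumptions: an HMAC key shared by the shopper and MyShipping.com stands in for XML Signature's public-key signature, ElementTree serialisation stands in for W3C canonicalisation, and all namespaces, element names and messages are constructed.

```python
"""Message-level integrity for one part of a SOAP document, end to end.

Added example; not code from the AMCIS 2004 slides. SSL protects each hop, but
the intermediary sees and may change everything it forwards. A signature over
the Body alone, carried in the Header as WS-Security does with XML Signature,
lets the last hop verify what the shopper actually sent. An HMAC key stands in
for a public-key signature; ElementTree serialisation stands in for W3C C14N.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ORDER_NS = "urn:example:order"          # constructed application namespace
MAC_TAG = "{urn:example:sig}BodyMAC"    # constructed header element carrying the MAC
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("ord", ORDER_NS)

# Constructed key known to Joe Shopper and MyShipping.com only.
END_TO_END_KEY = b"joe-shopper-to-myshipping-demo-key"


def canonical_body(envelope):
    """Serialise only the Body, so Header changes made by intermediaries do not
    affect the signed value (the 'secure only a portion' requirement)."""
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    return None if body is None else ET.tostring(body)


def sign_body(envelope, key):
    """Put a MAC over the Body into the Header."""
    header = envelope.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        header = ET.SubElement(envelope, f"{{{SOAP_NS}}}Header")
    mac = hmac.new(key, canonical_body(envelope), hashlib.sha256).hexdigest()
    ET.SubElement(header, MAC_TAG).text = mac
    return envelope


def verify_body(envelope, key):
    """True only if the Body is byte-for-byte what the signer MACed."""
    mac = envelope.find(f"{{{SOAP_NS}}}Header/{MAC_TAG}")
    data = canonical_body(envelope)
    if mac is None or not mac.text or data is None:
        return False
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.text.encode())


def build_order(customer, item, ship_to):
    """Joe Shopper's purchase request (constructed sample envelope)."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    order = ET.SubElement(body, f"{{{ORDER_NS}}}Order")
    ET.SubElement(order, f"{{{ORDER_NS}}}Customer").text = customer
    ET.SubElement(order, f"{{{ORDER_NS}}}Item").text = item
    ET.SubElement(order, f"{{{ORDER_NS}}}ShipTo").text = ship_to
    return env


def purchasing_service_forward(wire, tamper):
    """MyShopping.com, the intermediary. Adding a routing header is legitimate;
    with tamper=True it also rewrites the delivery address in the Body, which is
    what a compromised or buggy hop could do behind a perfectly good SSL session."""
    env = ET.fromstring(wire)
    header = env.find(f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, "{urn:example:routing}Via").text = "MyShopping.com"
    if tamper:
        path = f"{{{SOAP_NS}}}Body/{{{ORDER_NS}}}Order/{{{ORDER_NS}}}ShipTo"
        env.find(path).text = "a different address"
    return ET.tostring(env)


def shipping_service_accepts(wire):
    """MyShipping.com, the last hop: verify the Body against the shopper's key,
    ignoring whatever intermediaries added to the Header."""
    return verify_body(ET.fromstring(wire), END_TO_END_KEY)


def run_scenario(tamper):
    """Whether MyShipping.com accepts the order after it passed through MyShopping.com."""
    signed = sign_body(build_order("Joe Shopper", "Laptop", "Baltimore, MD"), END_TO_END_KEY)
    wire = ET.tostring(signed)                              # first SSL hop
    forwarded = purchasing_service_forward(wire, tamper)    # second SSL hop
    return shipping_service_accepts(forwarded)


if __name__ == "__main__":
    print("intact order accepted:", run_scenario(tamper=False))   # True
    print("altered order accepted:", run_scenario(tamper=True))   # False
```

The routing header added in transit does not disturb verification because only the Body is signed; that is exactly why message-level standards sign and encrypt selected elements rather than the whole document, as SSL does. A production deployment would use XML Signature with Exclusive C14N, since whitespace and namespace-prefix changes introduced by intermediaries would otherwise break a byte-for-byte comparison.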
Meeting Business Needs
- Security considerations must be customized to meet business needs
- The focus should be placed on reducing the exposure and spread of risk
- It is not uncommon for managers to implement more than one of the above standards
Meeting Business Needs
XML standard: security goals
- WS-Security: Authentication, Confidentiality
- SAML: Authentication
- XML Digital Signature: Authentication, Integrity, Non-repudiation, Audit, Trust
- XML Encryption: Confidentiality, Integrity
- XKMS: Confidentiality, Non-repudiation, Audit, Integrity, Trust
- XACML: Authorization
- XrML: Authorization
Conclusion
- Traditional security infrastructure can still be used
- A number of emerging standards: selection is not a random walk
- Need to strategically choose solutions
- Need to combine multiple standards
- Web Services security must be integrated into the overall security plan of the firm
Questions
Additional Considerations
- Financial considerations. Gartner predicts that in 2004, sales in the Web services market are expected to grow to $28 billion (Gartner, 2002). However, a breach in corporate data integrity will have serious financial impact.
- Legislative Compliance. Government legislation increasingly requires that consumer data are not revealed without the permission of their owner. HIPAA is expected to cost the healthcare industry at least $3.8 billion between 2003 and 2008 (Beaver and Herold, 2003).
- Privacy. Using SOAP messages, data are increasingly being exposed as they move over the insecure Internet. Any breach of data privacy may result in the loss of trust from consumers and business partners.
References
- Beaver, K. and Herold, R. (2003) Chapter 3, HIPAA Cost Considerations, The Practical Guide to HIPAA Privacy and Security Compliance, Auerbach Publications.
- Baldwin, A., Shiu, S. and Mont C, M. (2002) Trust Services: A framework for service-based solutions, Proceedings of the 26th Annual International Computer Software and Applications Conference (COMPSAC'02).
- Chang, S., Chen, Q. and Hsu, M. (2003) Managing Security Policy in a Large Distributed Web Services Environment, Proceedings of the 27th Annual International Computer Software and Applications Conference (COMPSAC'03), 617-622.
- Chen, M. (2003) An Analysis of the Driving Forces for the Adoption of Web Services, e-biz Web Workshop, Dec 13-14, Seattle, WA.
- Claessens, J., Preneel, B. and Vandewalle, J. (2001) Combining World Wide Web and Wireless Security, Informatica 26, pp. 123-132.
- Gartner (2002) Gartner Says Web Services Will Dominate Deployment of New Application Solutions for Fortune 2000 Companies by 2004, January 14, 2002.
- Hanna, J. (2003) Web Services, Feb 3, 2003. Available on the internet at http://hbsworkingknowledge.hbs.edu/pubitem.jhtml?id=3285&sid=-1&t=special_reports_cyber2003
- Khaler, C. (2002) WS-Security. Available on the internet at http://www-106.ibm.com/developerworks/webservices/library/ws-secure/
- Long, J., Yuan, M. and Whinston, A. (2003) Securing a New Era of Financial Services, IT Pro, July/August 2003, 15-21.
- Morioka, M., Yonemoto, Y., Suzuki, T. and Etoh, M. (2003) Scalable Security Description Framework for Mobile Web Services, IEEE International Conference on Communications, 804-808.
- Naedele, M. (2003) Standards for XML and Web Services Security, Computer, 36, 4, 96-98.
- Nakamur, Y., Hada, S. and Neyama, R. (2002) Towards the integration of Web Services Security on Enterprise Environments, Proceedings of the 2002 Symposium on Applications and the Internet (SAINT'02w), 166-175.
- Netegrity (2003) "Netegrity Web Services Survey Result", Dec 08, 2003. Available on the internet at http://www.netegrity.com/txmindersurvey/TxMSurveyAnalysis.html
- OASIS (2003) SAML Version 1.1. Available on the internet at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
- Reagle, J. (2002) XML Encryption Requirements, W3C. Available on the internet at http://www.w3.org/TR/xml-encryption-req
- UDDI (2001) UDDI Executive White Paper, Nov. 14, 2001. Available on the internet at http://www.uddi.org/pubs/UDDI_Executive_White_Paper.pdf
- W3Ca, XML Signature Syntax and Processing, February 2002. Available on the internet at http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
- W3Cb, Web Services Activity, January 2002. Available on the internet at http://www.w3.org/2002/ws/
- Xu, H., Seltsikas, P. and O'Keefe, B. (2003) The Implications of Web Services Innovation for General Adopters: Findings and Recommendations, Proceedings of the Second Workshop on e-Business (Web), Dec. 13-14, 2003, Seattle, WA.
Thank You!
Kenny Khoo ([email protected])
Lina Zhou ([email protected])
University of Maryland Baltimore County, USA
AMCIS 2004, NY
Supplementary Information
- Benefits of Web Services
- Comparing traditional E-business with Web Services
- What is REST?
Benefits of Web Services
- Improving Innovation and Learning
  - Information Sharing and Collaboration
  - Organizational Agility
- Improving Internal Business Processes
  - Process Automation and Acceleration
  - Interoperability and Integration
  - Process Design
- Improving Customer Value
  - Customer Intimacy
  - Customer Retention
  - Customer Value
- Improving Shareholder Value
  - Operating Costs
  - Revenue
Source: Huang, C.D. and Hu, Q., Integrating Web Services with Competitive Strategies: The Balanced Scorecard Approach, CAIS, 13, 2004, 57-80.
Comparison of Traditional E-Business to Web Services
Traditional                               | Web Services
Centralized                               | Decentralized
Contained and controlled                  | Open and unmonitored
Limited, defined user base                | Unknown, unlimited user base
Secure (risk minimized)                   | Exposed (open to random events)
Proprietary                               | Shared
Fixed, well-defined, compiled             | Built dynamically, on-the-fly
Incremental scale based on known demand   | Unlimited scale, based on unknown, unpredictable demand
Staged, periodic changes                  | Continuous, ad hoc changes
Source: Ratnasingam, P., The Importance of Technology Trust in Web Services Security, 2002, 255-260
What is REST?
- Representational State Transfer, two core specifications: URIs and HTTP
- Developed in a doctoral dissertation in 2000 by Roy Fielding, Chief Scientist, Day Software
- Architecture based on components already in place
- Problem is nobody is marketing it!
- More info on the RESTwiki site: http://rest.blueoxen.net/cgi-bin/wiki.pl?FrontPage#nid6W
SOAPy Problems
- Runs on HTTP and therefore inherits any problems in HTTP implementations
- SOAP is designed to slip through firewalls as HTTP
- Uses port :80
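The "SOAPy Problems" slide and the earlier "Weaknesses of Traditional Web Security" slide make the same point from two sides: a packet filter sees only TCP port 80 and admits every SOAP message, so the decision has to move to the content level, which is what the XML Firewall in the scenario does. The following added example (not code from the slides or from any XML firewall product) is a minimal content-level gateway: it reads the HTTP body, parses the SOAP envelope and admits only the operations the endpoint is meant to publish. Assumptions: endpoint paths, operation names, the size limit and the sample requests are all constructed, and requests arrive as raw bytes rather than over a socket.

```python
"""Content-level inspection of SOAP over port 80 (an "XML firewall").

Added example; not code from the AMCIS 2004 slides. Endpoint paths, operation
names, the size limit and the sample requests are constructed.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SHOP_NS = "urn:example:shop"        # constructed application namespace
MAX_BODY_BYTES = 64 * 1024          # constructed limit

# Constructed policy: the operations each Internet-facing endpoint may receive.
ALLOWED_OPERATIONS = {
    "/services/purchasing": {f"{{{SHOP_NS}}}PlaceOrder", f"{{{SHOP_NS}}}GetOrderStatus"},
}


def packet_filter_allows(dst_port):
    """What a packet-level firewall decides: port 80 is open, so every sample
    request below passes this check regardless of its content."""
    return dst_port in (80, 443)


def parse_http(raw):
    """Minimal HTTP/1.x request parser returning (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect(raw):
    """Content-level decision: ("allow", operation) or ("deny", reason)."""
    try:
        method, path, headers, body = parse_http(raw)
    except (ValueError, UnicodeDecodeError):
        return ("deny", "malformed HTTP request")
    if method != "POST" or path not in ALLOWED_OPERATIONS:
        return ("deny", f"{method} {path} is not a published SOAP endpoint")
    if len(body) > MAX_BODY_BYTES:
        return ("deny", "body exceeds size limit")
    ctype = headers.get("content-type", "")
    if not (ctype.startswith("text/xml") or ctype.startswith("application/soap+xml")):
        return ("deny", "not a SOAP content type")
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        # Refuse DTDs outright rather than letting the parser expand entities.
        return ("deny", "DTD and entity declarations are not accepted")
    try:
        env = ET.fromstring(body)
    except ET.ParseError:
        return ("deny", "body is not well-formed XML")
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        return ("deny", "root element is not a SOAP Envelope")
    soap_body = env.find(f"{{{SOAP_NS}}}Body")
    if soap_body is None or len(soap_body) != 1:
        return ("deny", "expected exactly one operation in the SOAP Body")
    operation = soap_body[0].tag
    if operation not in ALLOWED_OPERATIONS[path]:
        return ("deny", f"operation {operation} is not published on {path}")
    return ("allow", operation)


# Constructed sample traffic, all of it to port 80.
def _request(path, body_text, ctype="text/xml; charset=utf-8"):
    body = body_text.encode("utf-8")
    head = (f"POST {path} HTTP/1.1\r\nHost: myshopping.example\r\n"
            f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def _soap(operation_xml):
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f"{operation_xml}</soap:Body></soap:Envelope>")


SAMPLE_STATUS_QUERY = _request("/services/purchasing", _soap(
    f'<s:GetOrderStatus xmlns:s="{SHOP_NS}"><s:OrderId>42</s:OrderId></s:GetOrderStatus>'))
SAMPLE_INTERNAL_OP = _request("/services/purchasing", _soap(
    f'<s:ResetInventory xmlns:s="{SHOP_NS}"/>'))
SAMPLE_WITH_DTD = _request("/services/purchasing", '<!DOCTYPE x [<!ENTITY a "aaaa">]>'
    + _soap(f'<s:GetOrderStatus xmlns:s="{SHOP_NS}">&a;</s:GetOrderStatus>'))
SAMPLE_FORM_POST = _request("/services/purchasing", "order=42&action=status",
                            ctype="application/x-www-form-urlencoded")

if __name__ == "__main__":
    for name, raw in [("status query", SAMPLE_STATUS_QUERY), ("internal operation", SAMPLE_INTERNAL_OP),
                      ("request with DTD", SAMPLE_WITH_DTD), ("form post", SAMPLE_FORM_POST)]:
        print(f"{name}: packet filter={packet_filter_allows(80)}, xml firewall={inspect(raw)}")
```

All four sample requests pass the packet filter; only the status query passes the gateway. The checks are ordered from cheapest to most expensive (method and path, size, content type, DTD presence, then parsing), so malformed or oversized input is rejected before the XML parser ever runs on it.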