Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How will WS-Security impact Web services deployments?

How will WS-Security impact Web services deployments?
WS-Security is the base security standard for Web services. It will have several major impacts:

1) Interoperability.

It will improve interoperability as it resolves some of the looseness found in SAML, XML Encryption and XML Signature by standardizing practices that previously had to be coordinated as conventions. However, it is far from a "solution" to the security interoperability challenges. WS-Security supports multiple authentication methods, it was four different styles of digital signature, and so on. It is very easy to end up with multiple endpoints all of whom are WS-Security compliant but which still do not interoperate.

The best way to address that challenge is to implement some middleware (an XML Firewall or security focused WSM product) that can bridge between endpoints that are using different security mechanisms. WS-Security will make it easier to implement and manage that sort of middleware but it won't remove the need for it.

2) Message oriented security

WS-Security is a big step in the general move away from pipe and perimeter oriented security (such as SSL and IP firewalls) and towards message oriented security.

Message oriented security is an approach that ensures the confidentiality and reliability of messages, even when neither endpoint fully controls the path the message will take or the intermediaries it will pass through. This is achieved through encryption and signature of the message itself, instead of simply encrypting and authenticating the transport pipe.

The move to a Web services world is driving the creation of sophisticated application level networks that have messages passing through multiple nodes with each node doing some specialized processing. Message oriented security is a key enabler of such application networks. Therefore any middleware infrastructure that supports such networks must support WS-Security to be effective long term.

Message oriented security also continues to add value even when the message is "at rest". Stored messages can have select fields encrypted and signed for protection and audibility.

3) Digital signature

WS-Security will drive much broader use of digital signatures. This has significant implications on the middleware used to build your Web services application network. It is not enough that you have infrastructure that can sign messages and validate signatures. You need infrastructure that addresses the two major challenges that have bedeviled cryptographic deployments. First it has to have excellent performance under heavy load. Second it must address the key management problem, how are the needed keys distributed, stored and updated.

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.