Ensuring the integrity, confidentiality and security of Web services through the application of a comprehensive security model is critical, both for organizations and their customers. Most organizations are already well prepared to implement secure Web services. The boom of Web-based applications and the drive to make information available to an ever larger community of users has forced corporations to build a strong and scalable security infrastructure. Web services can avail themselves of these existing security systems and be knit into an existing security framework.
It is also important to note that Web services can, just like Web-based applications, be internally or externally facing, with security requirements ranging from no security to complete lockdown. Whatever the security requirements, and whether deployed internally or outside the corporate firewall for customer and partner use, products and strategies successfully used for securing Web-based applications, such as portals, can be successfully applied to Web service security as well.
Proven technologies include HTTPS, X.509 certificates, Lightweight Directory Access Protocol (LDAP) and RSA encryption. Proven strategies include federated security domains and, for deployment outside the corporate firewall, the use of demilitarized zones (DMZs). Proven products from vendors such as Cisco, Microsoft and Netegrity can be brought to bear for securing Web service deployments as well. Most application servers themselves, including J2EE-based and .NET-based frameworks, provide extensive capabilities to lock down the environment.
Additionally, technologies and products also exist specifically for use in Web service deployments. Web service-specific standards, including WS-Security, XML Encryption, and Security Assertion Markup Language (SAML) have been developed by the industry to leverage these existing technologies and standards specifically in Web service environments. In some regards Web services provide greater and more granular security – for example, the ability to encrypt or provide authorization control at the level of specific pieces of a message.
All told, these standards, products and technologies cover most, if not all, of the various attributes of security needed for almost any range of security requirements and deployment models, from the loosest to the strictest. These include authentication, authorization, conversation encryption, message encryption and digital signatures. Authentication is delegated to any number of underlying security providers, including LDAP, MS-Active Directory, or any other strategy an organization might choose. The authentication model extends this further, with support for policy-based products like Netegrity and RSA, and provides support for X.509 certificates to digitally verify a consumer's authenticity.
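The element-level protection described above, as an added example that is not code from the original article: a Python integrity check over only the SOAP Body, with an HMAC over the canonicalised element standing in for the XML Signature that WS-Security would carry in its header. The shared key, the sample order message and the plain `<Security>` header element are constructed for the example; a real deployment would use X.509 keys and the WS-Security namespaces.

```python
"""Message-level integrity bound to one element of a SOAP message.

Constructed example: the digest covers only the canonical form of the
Body, so a change to the Body is detected while unrelated headers added
by an intermediary leave the check intact. Transport security (HTTPS)
protects the whole stream in flight but stops at each hop; a
message-level signature travels with the message.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP}
ET.register_namespace("soap", SOAP)  # keep the prefix stable across re-serialisation

# Constructed shared secret; a real deployment would use X.509 key material.
SHARED_KEY = b"example-shared-secret-not-for-production"

# Constructed sample message: a purchase order carried in the SOAP Body.
MESSAGE = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header><Security/></soap:Header>
  <soap:Body><order id="42"><amount>100.00</amount></order></soap:Body>
</soap:Envelope>"""


def body_digest(envelope: str, key: bytes) -> str:
    """HMAC-SHA256 over the C14N form of the Body element only."""
    body = ET.fromstring(envelope).find("soap:Body", NS)
    body.tail = None  # whitespace outside the element must not affect the digest
    canonical = ET.canonicalize(ET.tostring(body, encoding="unicode"))
    mac = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def sign(envelope: str, key: bytes) -> str:
    """Place the Body digest in the Security header and return the message."""
    root = ET.fromstring(envelope)
    root.find("soap:Header/Security", NS).text = body_digest(envelope, key)
    return ET.tostring(root, encoding="unicode")


def verify(envelope: str, key: bytes) -> bool:
    """True only if the Body still matches the digest carried in the header."""
    sec = ET.fromstring(envelope).find("soap:Header/Security", NS)
    if sec is None or not sec.text:
        return False
    return hmac.compare_digest(sec.text, body_digest(envelope, key))


if __name__ == "__main__":
    signed = sign(MESSAGE, SHARED_KEY)
    print("intact:", verify(signed, SHARED_KEY))
    print("tampered amount:", verify(signed.replace("100.00", "999.00"), SHARED_KEY))
```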
Web services security encompasses the transport, application, XML and Web service layers. It provides for robust authentication and authorization using pre-existing and widely adopted systems and standards. And it's available today.