Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Emerging Web services security standards and practices

Although many teams leave security as an afterthought, it's very important to ensure your Web services are secure and that all users (and their data) are safe.

Although many teams leave security as an afterthought, it's very important to ensure your Web applications are secure and your end users (and their data) are safe. Securing Web applications means using secure Web services.

According to Gartner Research VP Ross Altman, the forefront of concerns for Web services security includes authentication and authorization, security tokens, and REST, among others. Authentication and authorization are the two basic building blocks of Web services security. Your system, for example, has to figure out if a message request is coming from the source it says it's coming from. Then you have to make sure that source is authorized to make the request (and have it granted).

One of the most widely accepted practices for securing Web services is the security token system. The OASIS Web standards group has made great strides in regulating and improving the security token system. Their WS-* standards for security include WS-Security (WSS), WS-Trust, WS-SecureConversation, and SAML (security assertion markup language). These standards paved the way for our current understanding of Web security tokens by proposing a standard set of SOAP extensions for security tokens, methods for issuing, renewing, and validating those security tokens, and providing for  the interoperability of those security tokens between services.

Another important standards group, the W3C, took a different approach to securing Web services. While tokenization is a hallmark of OASIS efforts, the W3C approach focused more on encryption and XML security. Various workgroups within the W3C have worked to establish guidelines for digital content encryption, key management, Web services signatures. In August of 2010, their work culminated in the user interface guidelines that describe both acceptable and best-case procedures for handling Web security. The user interface guidelines are intended to ensure that users are able to make trust decisions under the best informed – and therefore safest – conditions possible.

Web services security in the cloud

Cloud computing and Web services has an affinity. According to Gartner research fellow John Pescatore, "People will extend the idea of SOA governance boxes out to the cloud." He was discussing the similarity of cloud security and XML security appliances that have become an accepted route for separating XML security concerns from infrastructure operations. According to Pescatore, a possible route is to keep all the data in the cloud in an encrypted state, and only decrypt it after it's taken out of the cloud.

Still, there are those who are working to make the cloud itself secure – yet easy to use. A major cloud platform provider recently revisited their Web services security after user backlash related to difficulties in identity and access management (IAM). Amazon Web Services introduced IAM tools, including scripts and APIs, designed to make it easier for security administrators to manage and restrict access at more granular levels than were previously available.

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.