Building Security In
Editors: John Steven, Gunnar Peterson, Deborah A. Frincke
Copublished by the IEEE Computer and Reliability Societies
1540-7993/09/$25.00 © 2009 IEEE
Logging in the Age of Web Services

In today's age of Web applications connected via Web services, accountability has become both crucial and harder to achieve. The management of authentication, authorization, and accountability in these applications is therefore a very important and difficult problem to solve. In this article, we describe how audit logging can be built into the Web services infrastructure.

Why Web Services?

Web services aim to deliver virtualization, interoperability, and reusability via technology implementations such as SOAP, service-oriented architecture (SOA), and Representational State Transfer (REST). Interoperability in particular is paramount for enterprises that must transact business across multiple .NET, Java, open source, and mainframe platforms. Add in messaging connections to customers and partners located in different countries or organizations, and the challenges of getting protocols and message formats to mesh together seem overwhelming. This is the problem that Web services attempt to address. Unfortunately, however, most Web services implementations offer their own challenges as well—namely, they don't always enable security by default, and they often leave security decisions about authentication, authorization, and audit logging to the implementer, which can cause serious long-term problems down the road.

Web services security has two parts: interface and implementation security and message security. Interface and implementation security uses traditional Web application security controls such as Secure Sockets Layer (SSL) and access control lists (ACLs). For message security, XML mechanisms such as WS-Security, the Security Assertion Markup Language (SAML), XML Signature, and XML Encryption can sign, encrypt, and authenticate message data, giving the sender greater confidence that the message stays confidential until delivery and the recipient greater confidence in the message's authenticity.

Instead of relying on role-based access control, in which security services mediate the communications of subjects, objects, and sessions in a central policy domain, Web services evaluate a message's claims against a specific policy. This claims-based access control model lets the architect compose security protocols along the same lines as the application. Standards-based XML security mechanisms such as WS-Security, SAML, XML Signature, and XML Encryption are powerful tools for people building security architectures in distributed systems to deliver message-level authentication, integrity, and encryption services. These standards offer new and more robust ways to protect Web services, but they don't provide services for logging, audit logging, and detection and response. Moreover, Web services architectures are generally built on stateless protocols such as HTTP and SOAP, which don't support even basic request-response correlation, leading to a major security architecture and design challenge.

Logging and Web Services

Logs offer an endless well of valuable information about systems, networks, and applications. Through logs, audit records, and alerts, information systems often give signs that something is broken (or "broken into") or will be broken soon. They can also reveal larger weaknesses that might affect regulatory compliance and even corporate governance. However, more often than not, system and application logs contain raw data rather than information, and thus require extra effort to extract or distill this data into something useful, usable, and actionable.

At the very highest level, logs are a vehicle of accountability. Of course, an organization has many other mechanisms for accountability, but logs pervade all of its IT, and if its IT isn't accountable, the organization probably isn't either. Various logs are also valuable for regulatory compliance programs. Many recent laws and mandates have items related to audit logs—for example, a detailed analysis of the security requirements and specifications outlined in the Health Insurance Portability and
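The request-response correlation gap that the article raises for stateless SOAP over HTTP, as an added example that is not from the original article: each request is stamped with a WS-Addressing wsa:MessageID, the response echoes it in wsa:RelatesTo, every envelope is reduced to a structured audit record rather than a raw dump, and the records are paired so that unanswered requests and responses with no known request stand out. Using WS-Addressing as the correlation carrier, the namespace URIs, and the sample bank operations are my assumptions, not the article's.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://www.w3.org/2003/05/soap-envelope"  # SOAP 1.2 envelope namespace
WSA = "http://www.w3.org/2005/08/addressing"      # WS-Addressing (assumed carrier for IDs)
NS = {"soap": SOAP, "wsa": WSA}

def build_request(action, body_xml):
    """Wrap a body fragment in a SOAP 1.2 envelope carrying a fresh wsa:MessageID."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(hdr, f"{{{WSA}}}MessageID").text = f"urn:uuid:{uuid.uuid4()}"
    ET.SubElement(hdr, f"{{{WSA}}}Action").text = action
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

def build_response(request_xml, body_xml):
    """Build a response whose wsa:RelatesTo echoes the request's wsa:MessageID."""
    req_id = ET.fromstring(request_xml).findtext("soap:Header/wsa:MessageID", namespaces=NS)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP}}}Header")
    ET.SubElement(hdr, f"{{{WSA}}}MessageID").text = f"urn:uuid:{uuid.uuid4()}"
    ET.SubElement(hdr, f"{{{WSA}}}RelatesTo").text = req_id
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")

def audit_record(envelope_xml):
    """Distil one envelope into a structured audit record (dict), not the raw message."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    first = body[0] if len(body) else None          # first child names the operation
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "msg_id": root.findtext("soap:Header/wsa:MessageID", namespaces=NS),
        "relates_to": root.findtext("soap:Header/wsa:RelatesTo", namespaces=NS),
        "action": root.findtext("soap:Header/wsa:Action", namespaces=NS),
        "operation": first.tag.split("}")[-1] if first is not None else None,
    }

def correlate(records):
    """Pair requests with responses; report unanswered requests and stray responses."""
    requests = [r["msg_id"] for r in records if r["relates_to"] is None]
    responses = {r["relates_to"]: r["msg_id"] for r in records if r["relates_to"]}
    return {
        "pairs": {q: responses[q] for q in requests if q in responses},
        "orphan_requests": [q for q in requests if q not in responses],
        "unmatched_responses": [m for q, m in responses.items() if q not in requests],
    }
```

An unanswered request or a response that relates to no logged request is exactly the signal a stateless transport hides, so both lists are worth feeding to detection and response rather than discarding.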