Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services - PowerPoint PPT Presentation

About This Presentation

Title: Gap Assessment of the Top Web Service Specifications Managing the Security of Web Services

Description: SE 690 - Survey. 1. Gap Assessment of the Top Web Service Specifications ... Software pieces that interact with each other using internet standards to create ... (PowerPoint PPT presentation)

Slides: 22
Provided by: Cris360

Transcript and Presenter's Notes

1
Gap Assessment of the Top Web Service Specifications:
Managing the Security of Web Services
  • Cristina Fhied
  • SE690 Short Presentation
  • Xiaping Jia

2
Outline
  • 1. Introduction to Web Services
  • 2. Problems with security
  • 3. Security Enterprise Requirements
  • 4. Project Goals
  • 5. Current Enterprise Status Survey
  • 6. Comparison Tables
  • 7. Results
  • 8. Conclusion and Recommendations
  • 9. Potential Future Work

3
What Is a Web Service
  • Software pieces that interact with each other
    using internet standards to create an application
    in response to requests that conform to
    agreed-upon formats.

4
What Are the Characteristics
  • A web service is accessible over the internet.
  • Provides an interface that can be called from one
    application to another.
  • Interface can be called from any type of
    application client or service.
  • Acts as a liaison between the web and the
    application logic that implements the service.

5
How Does a Web Service Communicate?
  • Uses XML on top of HTTP
  • XML is a widely accepted format for exchanging
    data and its semantics
  • The Web service STACK consists of:
  • XML (eXtensible Markup Language)
  • SOAP (Simple Object Access Protocol)
  • WSDL (Web Services Description Language)
  • UDDI (Universal Description, Discovery and Integration)

6
Web Services Stack
  • UDDI: returns the WSDL reference used to bind to the web
    service
  • WSDL: specifies how to connect to a web service
  • SOAP: acts as the envelope for XML messages
  • XML: better describes the data being sent
  • HTTP (SMTP, FTP, other): transport layer

7
What About Current Web Security?
  • To date much of web security is built around
    transport encryption with Secure Sockets Layer (SSL)
    carrying Simple Object Access Protocol (SOAP) messages.
  • Not enough to protect supply-chain operations and
    other business to business transactions.

8
Threats to Security
  • SOAP messages could be modified or read by
    hackers
  • A hacker could send messages to a service that
    lack appropriate security claims
  • Service theft (unauthorized users)

9
Problem With Web Services
  • Attention focuses on the technology's ease of
    development and extensibility, but security remains
    the major obstacle keeping most enterprises from
    deploying web services-based systems that reach
    outside their firewalls.

10
Enterprise Security Requirements
  • Authentication
  • Authorization
  • Data protection
  • Non-repudiation
  • Confidentiality
  • Integrity
  • Accessibility

11
Defining Requirements
  • Authentication involves accepting credentials
    from the entity and validating them against an
    authority.
  • Authorization determines whether the requestor has
    been granted access to the web service.
  • Data protection ensures that the web service
    request and response have not been tampered with en
    route. Requires both integrity and privacy.
  • Nonrepudiation guarantees that the message
    sender is the same as the creator of the message.

12
Cont. Defining Requirements
  • Confidentiality: the contained information requires
    protection against unauthorized use or disclosure.
  • Accessibility: the information must be available on
    a timely basis to meet mission requirements or to
    avoid substantial losses.
  • Integrity: the contained information must be
    protected from unauthorized, unanticipated or
    unintentional modification.

13
WS-Security: New Technology for Security
  • Published in April 2002 by IBM, Microsoft, and
    VeriSign.
  • Specification aims to help enterprises build
    secure web services, and applications based on
    them that are broadly interoperable.
  • Specification proposes a standard set of SOAP
    extensions that can be used when building secure
    web services to implement integrity and
    confidentiality.

14
Current Enterprise State Survey

15
Goals of WS-Security
  • Provide:
  • Security token propagation.
  • Message integrity.
  • Message confidentiality.
  • Flexible set of mechanisms that can be used to
    construct a range of security protocols.

16
Key Driving Requirements
  • Multiple security tokens for authentication or
    authorization
  • Multiple trust domains
  • Multiple encryption technologies
  • End-to-end message-level security and not just
    transport-level security
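
As an added illustration of the security-token-propagation goal on the two slides above (this is example code written for this page, not material from the presentation or from the WS-Security authors), the following Python builds a SOAP 1.1 request that carries a WS-Security UsernameToken with a PasswordDigest, Nonce and Created timestamp, and verifies it on the receiving side with a freshness window and a nonce replay cache. The namespace URIs and the digest formula Base64(SHA-1(nonce + created + password)) are those of the OASIS UsernameToken Profile 1.0; the user names, passwords, body element, timestamps and the `demo()` scenario are constructed sample values. Because the token rides inside the SOAP header, the receiver's check is the same whether the message arrived over HTTP, SMTP or a message queue, which is the end-to-end, message-level point of slide 16.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

# Namespaces from SOAP 1.1 and the OASIS WSS 1.0 / UsernameToken Profile 1.0 specifications.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

for _prefix, _uri in (("soapenv", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(_prefix, _uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), per the profile."""
    material = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_request(username: str, password: str, body_xml: str,
                  nonce: Optional[bytes] = None, created: Optional[str] = None) -> str:
    """Requester side: place a UsernameToken in the wsse:Security SOAP header."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security",
                             {f"{{{SOAP_NS}}}mustUnderstand": "1"})
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE_NS}}}Password",
                  {"Type": PASSWORD_DIGEST}).text = password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE_NS}}}Nonce",
                  {"EncodingType": BASE64_BINARY}).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Service side: validate the token regardless of the transport it arrived on."""

    def __init__(self, passwords: dict, freshness: timedelta = timedelta(minutes=5)):
        self._passwords = passwords      # constructed user store; the profile needs the plaintext
        self._freshness = freshness
        self._seen_nonces = set()        # replay cache; a real service would expire old entries

    def verify(self, envelope_xml: str, now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        root = ET.fromstring(envelope_xml)
        token = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
        if token is None:
            raise ValueError("no UsernameToken in wsse:Security header")
        username = token.findtext(f"{{{WSSE_NS}}}Username")
        pw_el = token.find(f"{{{WSSE_NS}}}Password")
        nonce_el = token.find(f"{{{WSSE_NS}}}Nonce")
        created = token.findtext(f"{{{WSU_NS}}}Created")
        if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST or nonce_el is None or not created:
            raise ValueError("token must carry a PasswordDigest, a Nonce and Created")
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self._freshness:
            raise ValueError("Created timestamp outside freshness window")
        nonce = base64.b64decode(nonce_el.text or "")
        if nonce in self._seen_nonces:
            raise ValueError("nonce already seen: replayed message")
        password = self._passwords.get(username)
        if password is None:
            raise ValueError("unknown user")
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, pw_el.text or ""):
            raise ValueError("password digest mismatch")
        self._seen_nonces.add(nonce)
        return username


def demo() -> dict:
    """Constructed scenario: one valid request, then a replay, a tampered token and a stale one."""
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    created = "2004-01-15T10:00:00Z"
    now = datetime(2004, 1, 15, 10, 1, tzinfo=timezone.utc)
    body = "<GetQuote xmlns='urn:example:quotes'>ACME</GetQuote>"
    good = build_request("alice", "s3cret", body, nonce=b"\x01" * 16, created=created)
    tampered = build_request("alice", "s3cret", body, nonce=b"\x02" * 16, created=created)
    tampered = tampered.replace("10:00:00Z", "10:00:01Z")   # Created edited in transit
    stale = build_request("alice", "s3cret", body, nonce=b"\x03" * 16, created=created)
    results = {"accepted": verifier.verify(good, now=now)}
    for label, message, when in (("replay", good, now), ("tampered", tampered, now),
                                 ("stale", stale, now + timedelta(hours=1))):
        try:
            verifier.verify(message, now=when)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The UsernameToken only authenticates the sender; it does not cover the Body, which is why the tampered case here edits the token itself rather than the payload. Integrity and confidentiality of the payload are the job of XML Signature and XML Encryption elements placed in the same wsse:Security header, the other two goals the slides list for WS-Security. Digest verification also requires the service to hold the plaintext password (or a password-equivalent), a known limitation of this profile that a deployment should weigh against certificate-based tokens.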

17
Project Goal
  • Explore WS-Security in greater detail, offering:
  • Formal definition.
  • Outlining general concepts and related
    technologies.
  • Integration with other offered specifications.
  • Assess support for enterprise security concerns.
  • Research available competing security
    specifications, and compare them against
    WS-Security and the actual needed enterprise
    security specifications.

18
Project Goal
  • Discuss the considerations involved in making a
    decision on whether to use one specification over
    another by including a gap assessment for each
    specification against the actual outlined
    required specifications.
  • Discuss when to use a specific security framework
    by giving several situation example patterns.

19
Current Status
  • Project Web Page
  • Project Proposal
  • Technology Review
  • Ongoing Tasks
  • Research more security specifications
  • Gap Assessment development

20
Project Plan
  • Phase 1: Analysis.
  • Formal definition.
  • Outlining general concepts and related
    technologies.
  • Assess support for enterprise security concerns.
  • First short presentation (Fall 2003).
  • Phase 2: Gap Assessment.
  • Gap assessment for each security specification
    against the actual outlined enterprise
    specifications.
  • Integration with other offered specifications.
  • Model of WS-Security integrating with different
    available specifications.
  • Phase 3: Model Example.
  • Examples on when to use one specification over
    another.
  • Formalize gap assessment with WS-Security as
    stand-alone framework.
  • Final Presentation (Winter 2004).
  • Completion of SE 690 Winter 2004.

21
Conclusion
  • Project Web Site
  • http://cfhied_at_shrike.depaul.edu/se690/abstract
  • More information on Web Security
  • www.webservicesecurity.com
  • Questions?