SAN FRANCISCO -- As enterprises move from early-adopter stages of Web services to production scenarios that extend outside the firewall, security guidelines that identify threats and countermeasures become invaluable.
The WS-I (Web Services Interoperability) Organization's Basic Security Profile Working Group took a step toward being recognized as the oracle of Web services security best practices at the RSA Conference on Wednesday, when it published its Security Scenarios Working Group Draft for public review.
The inch-thick document, available online at WS-I.org, enumerates the challenges and threats faced when designing and implementing a Web service, in areas such as data integrity, confidentiality and message uniqueness. It also makes recommendations about how technologies like HTTP and SOAP Message Security 1.0 can defend against threats, and it details usage scenarios and solutions.
The working group hopes to get immediate feedback from enterprises.
"We are interested in feedback. We want to know if this is the right set of scenarios, or if we're missing anything," said Hal Lockhart, an architect with BEA Systems Inc. and a member of OASIS' technical committee on Web services security.
Once the feedback is gathered, it will be used in the WS-I's Basic Security Profile, Lockhart said. The profile is a document, due out in the second quarter, that will guide architects who have interoperability questions.
"The profile is a set of assertions that implementations would follow," said Rich Salz, a standards expert with DataPower Technology Inc. "It's a suite of assertions and conformance claims that say, 'If you're doing these things, you have a better shot of securely exchanging end-to-end, hop-to-hop messages.'"
Ray Wagner, research director of information security strategies for Gartner Inc., said that interoperability is a key challenge, and that the Security Scenarios draft is a solid step toward clarifying how to deploy security standards in Web services implementations.
"No question, we are in the early stages of deployments," Wagner said. "And the reason was because Web Services Security [WS-Security], SAML and other standards were in flux. This year, we're going to see a lot more companies wanting to do more."
Wagner said that a large percentage of Gartner clients doing Web services were not exposing them outside the firewall, so security has not been a major concern.
"Of those who were going across the firewall, about half of those who were doing so, the transactions were of such little value that they weren't putting much thought into security," Wagner said.
Web services security comes into play largely in the financial services market, where companies are doing huge amounts of sensitive data transfers requiring hardened messages and tunnels for transporting those messages.
"You could split those guys into two groups: one that's interested in all the latest stuff, like developing policies and fine-grain encryption, and the other deployments are replacing EDI [electronic data interchange]," Wagner said.