Web Services Security Overview
With Web services technologies, the usual methods of securing applications are not relevant anymore. New challenges have arisen from the very paradigm of Web services, and these remain unaddressed by traditional security methods.
Thus, the promoters of Web services needed to figure out some way of securing Web services. Without the proper security infrastructure in place, This realization gave birth to a surplus of technologies and standards that can be used to secure a Web service.
Challenges of Securing Web Services
The main benefit of Web services architecture is the ability to deliver integrated, interoperable solutions.
Defining a broad security model for Web services requires combining currently available security processes and technologies with the evolving security technologies.
It demands the unification of technological concepts relevant to Web services, such as messaging, with process-based concepts, such as policies, trust, and so forth. This unification of technologies and concepts should take place in such a way that it supports the abstraction of the functional requirements of application security from the specific implementation mechanisms.
For example, an online bank customer viewing his banking financial details should not be impacted by whether he is using a cell phone or a desktop to do so, as long as the device on which he is viewing his account details is able to properly convey security information, such as identity, trust, and so on, to the Web service.
Also, the goal of a Web services security model should be to make it as easy as possible for implementers of Web services to build interoperable security systems based on heterogeneous solutions. For example, the Web services security model should enable the provisioning of authentication services based on any architecture, such as PKI (public key infrastructure) or Kerberos.
The idea is to come up with technologies that can leverage existing security architectures as well as make them interoperate with one another.
On the other hand, every customer and Web service has its own security requirements based upon their business needs and operational environment.
For example, interactions of services and service consumers that take place within an enterprise may focus more on the ease of use, Because the requirements for security architectures are a product of permutations and combinations of various factors, it is all the more sensible to define an approach to securing Web services where the services can be secured via a set of flexible, interoperable security , which can be configured, thus enabling a variety of security solutions.
To address these challenges, several initiatives in the area of Web services security are currently underway.