Chapter 7. Using Web services 185
Security requirements
To expose an EIS internally to an organization, we need the following service
features, which we call the communication level:
- Identification: the party accessing the resource is able to identify itself to
the system.
- Authentication: a procedure to verify the identity of the accessing party.
- Authorization: the set of transactions that the authenticated party is allowed
to perform.
- Integrity: the information is not changed on its way.
- Confidentiality: nobody is able to read the information on its way.
Communication with partners can be more sensitive, so we need to achieve a
deeper level of security, which we call the absolute proof level:
- Auditing: all transactions are recorded so that problems can be analyzed after
the fact.
- Non-repudiation: both parties are able to provide legal proof to a third party
that the sender did send the information and that the receiver received the
identical information.
Security solutions
There are two possible solutions for Web services to obtain communication
level security:
- A secure transport layer such as HTTPS
- WS-Security, a standard specification to address the first level of security
for Web services, which was finalized in March 2004.
An interesting benefit of WS-Security is its ability to work at the message
level, which provides more flexibility. Although WS-Security is inherently
better than the HTTPS solution, the specification was finalized so recently that
mature implementations are hard to find. Because the technology is still so new
and not always supported by all partners in an interaction, it can cause
interoperability problems, and interoperability is the most important feature of
Web services technology. We suggest that, at this time, it is better to use
HTTPS. However, you might want to learn more about WS-Security, because it will
soon become a widespread standard.
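To illustrate what "working at the message level" means, here is an added example (not code from the Redbook or from any WS-Security implementation): a keyed MAC over the SOAP Body travels inside a SOAP header, so the receiver detects a change made in transit even where HTTPS would have been terminated by an intermediary. The `demo` namespace, the `BodyMAC` element, the key and the order payload are constructed for this example; real WS-Security uses XML Signature with canonicalization rather than a plain HMAC over serialized bytes.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Hypothetical namespace for the simplified integrity header used here.
DEMO_NS = "urn:example:message-integrity"

ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("demo", DEMO_NS)


def build_envelope(body_xml: str) -> ET.Element:
    """Wrap an application payload in a SOAP envelope with an empty Header."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    return env


def body_bytes(env: ET.Element) -> bytes:
    """Serialize the Body only; WS-Security would apply XML canonicalization."""
    return ET.tostring(env.find(f"{{{SOAP_NS}}}Body"), encoding="utf-8")


def sign(env: ET.Element, key: bytes) -> str:
    """Sender: MAC the Body with the shared key and carry it in the Header.
    A shared-key MAC gives integrity and authentication (communication level)
    but not non-repudiation; that needs an asymmetric signature."""
    mac = hmac.new(key, body_bytes(env), hashlib.sha256).hexdigest()
    header = env.find(f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, f"{{{DEMO_NS}}}BodyMAC").text = mac
    return ET.tostring(env, encoding="unicode")


def verify(wire_xml: str, key: bytes) -> bool:
    """Receiver: recompute the MAC over the received Body, compare safely."""
    env = ET.fromstring(wire_xml)
    mac_el = env.find(f"{{{SOAP_NS}}}Header/{{{DEMO_NS}}}BodyMAC")
    if mac_el is None or not mac_el.text:
        return False
    expected = hmac.new(key, body_bytes(env), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac_el.text)


KEY = b"constructed-shared-secret"  # constructed for this example only
ORDER = "<Order><Item>47</Item><Qty>2</Qty></Order>"  # constructed payload


def demo() -> tuple:
    """Return (untouched message verifies, tampered message verifies)."""
    wire = sign(build_envelope(ORDER), KEY)
    tampered = wire.replace("<Qty>2</Qty>", "<Qty>200</Qty>")  # in-transit edit
    return verify(wire, KEY), verify(tampered, KEY)
```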
The absolute proof level has been identified, and there are upcoming standards
that will address it. Today, it is only possible to look for a custom solution.