Security development in Web Services environment

https://doi.org/10.1016/j.csi.2004.08.001

Abstract

The Web Services model provides secure interoperability across platforms, organizational boundaries, and multi-language applications. This model also allows independent applications to interact with each other safely without human intervention. To fully realize this functionality, the model needs to ensure security within the Web Services environment. Presently, several security specifications are being developed to meet the requirements of this newly developed collaborative environment.

Introduction

The business world is deploying new business applications over the Internet. The Internet provides an excellent vehicle for corporate data communications and collaboration. The Internet has great potential for conducting electronic commerce without boundaries. Internet commerce must be operated in a high-availability and high-security environment in order to gain the advantage of this newly created electronic marketplace.

Connecting to the Internet carries the risk of intrusion. Threats to computer security are one of the main barriers to Internet commerce. The causes of Internet security incidents include inherent risks, technology weakness, policy weakness, unauthorized intruders, and legal issues [2]. The Internet inherits vulnerability and incurs problems such as misrouting, transmission failure, data corruption, etc. Technology weakness of the Internet, such as communication failure or system misconfiguration, is another cause of security incidents. Security policy weakness is also a cause of security incidents. Corporate security policies serve as the foundation of the computer security framework. Any failure to implement these policies may cause security incidents. Unauthorized intruders account for the next type of security incident. Lastly, there are certain criminal activities that are pervasive on the Internet because of a lack of security and regulatory enforcement of Internet activities. Also, the dangers and annoyances to Internet security are caused by password-based attacks, IP (Internet Protocol) address spoofing, attacks that exploit trusted access, network snooping, and attacks that exploit technology vulnerabilities [2].

Internet security breaches cause many problems for Internet commerce. For example, data tampering, eavesdropping, and impersonation are common security problems in a non-secure electronic environment. There are a variety of methods that a company can use to protect itself from unauthorized access. Some of the most popular methods are firewalls, user authentication, intrusion detection systems, virus detection, digital certificates, data encryption, and public key infrastructure [3]. Developing a high-quality security mechanism has been a common target in the global software industry.

The information technology industry has targeted Web Services (WS) for more than 2 years. The benefits of having a loosely coupled, language-neutral, platform-independent way of linking applications within organizations, across enterprises, and across the Internet are becoming more significant as Web Services are used in business applications. The term Web Service describes application components whose functionality and interfaces are exposed to potential users through the application of existing and emerging Web technology standards including XML, SOAP, WSDL, and HTTP. As Web Services become evident in the business mainstream, security becomes a focal point in developing such applications.

Two technology groups have recently emerged to develop XML-based Web Services. The first is Microsoft and its .NET platform group. The other group, led by Sun Microsystems and Oracle Corporation, is a group of vendors that supports the J2EE standard. At this moment, Microsoft Corporation enjoys a leadership position in Web Services development, in terms of vision and fast delivery of development tools to the market.

The technologies that lay the foundation of Web Services are Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and Universal Description, Discovery and Integration (UDDI). XML is a technology standard that ties different technologies together to facilitate the exchange of application logic containing data and services among various applications. XML-based Web Services enable applications, written in different languages and run on different platforms, to communicate and collaborate with each other in carrying out tasks for the users.

System interoperability across multiple platforms and applications relies on its security. The primary objective of this study is to reveal the potential of the Web Services model by evaluating the security features that reside in this model. This paper first discusses the creation of Web Services, the security specifications of Web Services, and additional security specifications in Web Services. Next, this paper identifies various scenarios of Web Services security implementation. Future developments in Web Services are discussed in the last section.

Section snippets

Creation of Web Services model

There have been three waves of Internet development: e-mail, Web sites and Web Services. E-mail and Web sites have had a profound socio-economic impact, since e-mail enables people to communicate with each other and Web sites help people access worldwide information. Web Services promise to repeat the success of their predecessors and should allow applications to communicate and collaborate with each other without manual intervention.

Microsoft, Sun Microsystems, IBM and Oracle are the

Structure of Web Services security

In April 2002, Microsoft and IBM jointly outlined the roadmap of security features for the Web Services model. Their security strategy includes a set of specifications that call for creating trusted environments to improve interoperability across the Internet and connected information systems. Microsoft and IBM intend to work with customers, partners and standards organizations to evolve this security model in a phased approach.

An initial set of Web Services security specifications includes a

Scenarios of security implementation in Web Services model

The technology of Web Services (WS) inherits certain challenges. The security issue is especially critical. Microsoft and IBM integrated WS security concepts into business processes and business models. Microsoft and IBM have also developed a number of scenarios [4] that were built on Web Services security specifications. It is interesting to see how these security specifications meet the requirements of business processes.

Developers at Microsoft and IBM anticipated the way to secure

Future developments

Microsoft and IBM are the leaders in developing the Web Services Security Model. Their security strategy has emphasized a phased tactic since the beginning. The initial phase starts with XML and SOAP, the technologies that have been standardized by the computer industry and that form the foundation of the Web Services Security Model. Numerous businesses have incorporated WS into their enterprise systems.

Microsoft and IBM are currently focusing on the development of WS-Security specification, based

Conclusions

The Web Services model has recently gained great attention from the community of software developers. Enabling software applications to interact with each other without human intervention is viewed as a primary impact of Web Services. There are two industrial groups that support the advancement of Web Services. They are led by Microsoft Corporation and Sun Microsystems Corporation, respectively. Each of these groups has a distinctive vision for delivering Web Services to the market. While Microsoft

References (8)

  • B. Atkinson, G. Della-Libera, S. Hada, M. Hondo, P. Hallam-Baker, C. Kaler, J. Klein, B. LaMacchia, P. Leach, J....
  • D.C. Chou et al., Cyberspace security management, Industrial Management and Data Systems (1999)
  • S. Hawkins et al., Awareness and challenges of Internet security, Information Management & Computer Security (2000)
  • IBM and Microsoft, “Security in a Web Services World: A Proposed Architecture and Roadmap”, 2002, at...
There are more references available in the full text version of this article.

David C. Chou is Professor of Computer Information Systems at Eastern Michigan University. He received his M.S. and Ph.D. degrees from Georgia State University. Professor Chou has published more than 160 articles and papers in the fields of software engineering, systems design, telecommunications, Internet technology, and electronic commerce. His articles appeared in journals such as Technology in Society, Computer Standards and Interfaces, Information Systems Management, Total Quality Management, Internet Research, Industrial Management and Data Systems, International Journal of Technology Management, Interfaces, Information Management and Computer Security, Journal of Education for Business, and others.

Kirill Yurov is a Doctoral Candidate in Management Information Systems at the University of Illinois of Chicago. His research interests are software development in the context of global sourcing, use of IS/IT in distributed collaboration and knowledge management. He is a member of the Academy of Management and Beta Gamma Sigma Honor Society.

Tel.: +1 312 996 2676.