A Public Web Services Security Framework Based on Current and Future Usage Scenarios

—This paper discusses the security implications of Web Services and proposes a framework for providing security based on current and future requirements. The framework provides a basis for achieving end-to-end security for Web Services within the pre-existing security environment. Finally, lessons from initial experiences with Web Services security and advice for the future are provided. Web Services require stronger security than Web sites. They expose functionality (typically business logic) in an open, standardized way. This implies that they are more vulnerable than when business processes were exposed in proprietary ways. This means that security will become an automatic part of any Web Services development. In addition, Web Services will be interwoven with existing applications, so the Web Services security must also accommodate existing security infrastructure. The new Web Services security software and protocols are interesting, but suffer from immaturity, lack of widespread adoption (no critical mass), and lack of technical staff with specific knowledge. The first wave of Web Services, and the products used to build them, have used well-known and accepted security technology (such as access control and authentication) that have been borrowed from the Internet and the World Wide Web. However, Web Services have not reached beyond the requirement for basic security. The objective of this paper is to describe a public framework for Web Services, based on an analysis of current and near-future usage scenarios for Web Services. There is a long-term vision for Web Services where there will be " millions of Web Services " commercially available to consumers and organizations will use Web Services to expose systems to customers and partners. However, in the meantime, the most immediate use of Web Services is for tactical projects that rely on the technical advantages offered by Web Services: • Enterprise Application Integration: SOAP can be used to integrate Java and EJBs with logic deployed in other enterprise systems such as CORBA and .NET. The best initial projects for Web Services in organizations often involve the reuse of existing back-end systems – with Web Services used to expose them in a new way. This approach has the added benefit that the focus of the project has been the Web Services rather than developing some new business logic. For internal integration, the security implications for this have tended to depend on factors such as the sensitivity of the internal information being passed around and whether the information ever moves …