Beyond that, these mechanisms did not lend themselves to non-invasively providing application security between the requestor and the service. Rather, they assumed a tight coupling, unlike the loosely coupled model of XML Web services, so it was difficult to insert additional functionality into the message stream without modifying one or both of the nodes.

By contrast, XML Web services provide an easily parsable syntax with well-defined schemas and transformation mechanisms that support intermediate value-added services. By contrast, older technologies implemented closed binary formats for their in-transit messages.

[an error occurred while processing this directive]

The adoption of XML Web services is both dramatically increasing an existing need and creating a new opportunity to address that need. By opening up business systems to much broader programmatic access, both internally and cross-organization, XML Web services are driving the need for highly functional and provably consistent application-level security. However, by providing a standard for loosely coupled program-to-program communication, XML Web services have created the environment that enables the deployment of XML application firewalls as the standard infrastructure that meets this need.

A basic functionality within any XML application firewall is authentication and access control. This includes the ability to:

• Confirm the identity of the entity (person, program, organization) for whom this service is being requested
• Recognize to what level of access that requestor is entitled

• Checking a username and password with an LDAP directory
• Confirming the identity of a certificate or digital signature with a PKI
• Checking a SAML ticket that was generated by a single-signon tool

• The level of security a particular operation requires
• The preferred mechanism of partners and customers
• Standard industry agreements and conventions
• The requirements of a regulatory scheme, such as HIPAA, GLBA, or FISMA
• The desire to leverage existing infrastructure

• Transport level encryption (such as SSL)
• Message/element level encryption (such as XML Encryption)
• Transport-level certificate-based hand-shaking (such as SSL)
• Message/element level digital signature (such as XML Signature)

Another functionality area for XML application firewalls is protection from malicious attacks, such as password dictionary attacks or denial-of-service attacks. Since XML application firewalls will be used in combination with network firewalls and other existing network infrastructure, they will not need to replicate the protections that are already provided by those tools. However, they will be able to take advantage of their detailed knowledge of the specific profiles of individual operations and requestors to implement protections that cannot be enforced by a network-level infrastructure.

We believe that XML application firewall technologies are the right approach to meet this need, and that they will eventually become as pervasively deployed as network firewalls are today.

Kerry Champion is president of a Westbridge Technology.

Have security concerns held back your company from deploying XML Web services? TalkBack below or e-mail us with your thoughts.

Previous page |   1 2 3 4

[an error occurred while processing this directive]

[an error occurred while processing this directive]