Realising the promise of web-based services has become something of a Holy Grail for most large enterprises, but security remains a significant hurdle to their successful roll-out. As we explain, central to the IT security challenge is effective cryptography and key management.
Analyst firm the Gartner Group recently suggested that companies may have to be prepared to spend 50% of their web services investment on security. What, though, do we really mean by the term 'web services'?

Web services are essentially enterprise applications that use languages and protocols based on a universally-accepted standard known as XML to describe themselves – not only to other applications, but also to the outside world. Web services simplify the task of communicating – with devices, with people and, most importantly, with each other – using XML to describe what functions they perform, how they might be accessed and what kinds of data they require.

Even in the most technology-aware companies, it's not unusual to find a billing application that cannot ask a shipping application whether a delivery has been made. Integrating such applications is one of today's most important business problems – one that will typically involve significant investment of both time and resources for it to be resolved.

Web services are expected to reduce application integration costs significantly. Where application-to-application data exchange is essential – for instance in supply chain environments – web services can reduce costly custom integration work and allow applications to be leveraged for multiple purposes, making cost justification more straightforward. Furthermore, web services are being designed to aggregate information and services from multiple back-end systems, simplifying routine tasks and offering greater economies of scale.

With new development platforms – including Microsoft .NET, BEA WebLogic, Sun ONE and IBM WebSphere – web services mechanisms such as XML formatting and Simple Object Access Protocol (SOAP) messaging are becoming a ubiquitous part of the application development environment. This makes it faster, easier and more cost-effective to integrate heterogeneous resources, both within enterprises and between trading partners.

XML provides the building blocks of web services, and SOAP, the XML-based messaging protocol, offers a uniform way to exchange XML-formatted information across the Internet (eg using HTTP as a transport mechanism).

The return on investment argument seems compelling: reductions in application integration costs, the simplification of supply chains and subsequent automation of business processes. However, the availability of these new tools is something of a double-edged sword, as it has become relatively simple to build and deploy web services that interface to sensitive data – unknowingly exposing companies to a host of security risks.

The security challenge
The security challenges posed by web services mirror those of standard Internet communications, although it must be stressed that the stakes here are much higher.

Since web services provide far-reaching integration and access (often to a company's most sensitive data), IT vulnerabilities become a major concern. Security for web services centres on protecting a widening set of resources against increasing points of vulnerability, often without any human intervention. This creates new challenges, as the roll-out of web services involves scaleable machine-to-machine interaction which will often bridge the firewall, increasing vulnerabilities to malicious attack.

Not only is it vital to deliver confidentiality and integrity of transactions and communications, it's also important to manage user identities and verify who or what is on the other end of a network connection. This management must include the ability to enforce fine-grained control over user access to sensitive data.

Security technologies – most notably cryptography and Public Key Infrastructure (PKI) – provide tried-and-tested mechanisms for protecting data as it crosses public and private networks. In addition to safeguarding confidentiality through encryption, these technologies enable recipients to authenticate the sender via digital signatures, and verify the integrity of information to ensure a document has not been tampered with.

The World Wide Web Consortium (W3C) has approved the XML Signature specification, defining the rules for digitally signing XML documents and processing signatures.

However, web services present a more complex security challenge as they'll often aggregate information from multiple sources. This might require digital signatures and encryption to be applied by multiple parties to different sorts of information within a particular service, and at different points within a multi-tier system.

Different applications will also require differing levels of security, from passwords for less sensitive data such as shipment tracking through to digital certificates for more valuable processes like order entry.


Protecting keys is important!
PKI plays an essential role in web services security, enabling end users and web services alike to establish trusted digital identities which, in turn, facilitate trusted communications and transactions.

The XML Key Management Services (XKMS) standard specifies a method for XML-based clients to securely access public key-related services: key generation, registration and revocation, as well as the validation of certificates and signatures. However, as the Gartner Group analysts recently stated: "Enterprises and vendors must still create the infrastructure for effective long-term management of keys and certificates."

The confidentiality of public and private keys used to implement signing and encryption underpins the security of cryptographic processes. This is particularly important as the value to the business of any specific key tends to increase over time as the amount of information it protects begins to grow. A cryptographic key is a self-aggregator of risk, since it transfers risk from the data that it protects to the key itself.

Frequently, cryptographic processes are performed in the 'de-militarised zone' near public parts of the network, where threats from hackers are at their greatest. As a result, more and more cryptographic keys are being pushed out to sites at the edge of the network, where they're at the greatest risk of exposure and compromise.

Cryptography relies upon the relevant key being available only to appropriate and authorised parties and processes. Therefore, the security and management of encryption and signing keys themselves is highly critical to the overall security of any business deploying web services.

Hardware key security
The banking and finance world has long recognised that cryptographic keys must be protected by specialist cryptographic devices or hardware security modules (HSMs). For example, Visa and MasterCard mandate such protection in their 'Verified by Visa' and 'Secure Code' initiatives, which are designed to combat Internet credit card fraud.

Finance analyst KPMG has advised that industry best practice dictates that a secret key should never be exposed outside a specialist cryptographic hardware device. This is a vital security mechanism for web services that handle high volumes of sensitive information. XKMS and other XML standards help to define the use of cryptographic keys, but do little directly to describe the life-cycle management of the encrypting and signing keys on which XML security is built. High availability and scaleability requirements compound the problem still further.
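To illustrate two points made above – signing XML content so that a recipient can verify integrity and sender identity, and keeping the signing key out of application code – here is an added Go sketch that is not part of the article or any vendor's product. It signs the Body of a constructed, SOAP-like envelope through Go's crypto.Signer interface, which an HSM-backed key can satisfy just as an in-memory key does; the envelope layout and field names are assumptions for the demo, and it is a simplified scheme rather than the W3C XML Signature format.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
)

// Envelope is a constructed SOAP-like message: the signature over Body travels in Header (simplified layout, not W3C XML-DSig).
type Envelope struct {
	Header struct{ SignatureValue string }
	Body   Body
}
type Body struct{ OrderID, Amount string }

// bodyDigest hashes the serialised Body; xml.Marshal of a fixed struct is deterministic and stands in here for XML canonicalisation.
func bodyDigest(b Body) [32]byte {
	raw, _ := xml.Marshal(b) // cannot fail for a struct of plain strings
	return sha256.Sum256(raw)
}

// SignEnvelope takes a crypto.Signer rather than key bytes: an HSM-backed key satisfies the same interface, so the private key never enters application memory.
func SignEnvelope(env *Envelope, signer crypto.Signer) error {
	digest := bodyDigest(env.Body)
	sig, err := signer.Sign(rand.Reader, digest[:], crypto.SHA256) // ASN.1 DER for ECDSA
	if err != nil {
		return err
	}
	env.Header.SignatureValue = base64.StdEncoding.EncodeToString(sig)
	return nil
}

// VerifyEnvelope recomputes the digest over the Body as received; a changed Body or a signature made under another key fails the check.
func VerifyEnvelope(env Envelope, pub *ecdsa.PublicKey) bool {
	sig, err := base64.StdEncoding.DecodeString(env.Header.SignatureValue)
	if err != nil {
		return false
	}
	digest := bodyDigest(env.Body)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// NewSigningKey makes an in-memory P-256 key for this demo only; in production the Signer would come from the HSM driver and the key would never leave it.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
```

Because SignEnvelope depends only on crypto.Signer, swapping the in-memory key for a PKCS#11 or other HSM-backed implementation requires no change to the signing or verification code.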

From a security perspective, robust key management requires independent validation, with HSMs meeting the Federal Information Processing Standard 140 (recognised as the global standard for hardware-secured cryptographic key management).

However, enterprises implementing XML security should also consider whether their systems will have the capacity to cope with ever-growing business loads, since cryptographic security comes at a price. Encryption, decryption and signing operations are computationally intensive, and designers of web services must always ensure that systems which digitally sign and encrypt XML messages can also handle the resulting cryptographic processing load.

The penalty of getting it wrong is an exponential increase in message response times. This may cripple business, and undermine the benefits of the web service itself. For example, SSL – which provides confidentiality for data passing over the Internet – places such large computational loads on web servers that specialist cryptographic accelerator hardware is required to deliver sufficient capacity.

Security... from the ground up
Web services are opening up networks as never before. They promise a revolution in communication and integration that will result in significant cost savings, efficiencies and new business opportunities.

That said, they also depend completely on trust – trust in the identity of the application or machine at the end of the line, trust in the integrity of data being communicated and trust that privileges and access rights haven't been subverted in any way.

Web services security can provide the foundation stones of this trust. The development of standards for XML encryption and signatures is underway, but enterprises need to consider very carefully how these may be implemented.