A Framework for Securing Web Services by Formulating an Collaborative Security Standard among Prevailing WS-* Security Standards

Security in Service Oriented Architectures

Web Services Security Development and Architecture ◽

10.4018/978-1-60566-950-2.ch009 ◽

2010 ◽

pp. 187-211

Author(s):

Anne V.D.M. Kayem

Keyword(s):

Web Services ◽

Information Exchange ◽

Mitigation Strategies ◽

Security Architecture ◽

Security Model ◽

Service Oriented Architectures ◽

Security Standard ◽

Service Oriented ◽

Soa Security ◽

Security Standards

Service Oriented Architectures (SOAs) have become the defacto standard for defining interoperable architectures on the web with the most common implementation of this concept being in the form of web services. Information exchange is an integral part of SOAs, so designing effective security architectures that ensure data confidentiality and integrity is important. However, selecting a security standard for the architecture is challenging because existing solutions are geared toward access control in relatively static scenarios rather than dynamic scenarios where some form of adaptability is needed. Moreover, when services interact across different domains interoperability becomes a problem because of the lack a consistent security model to handle service interactions. This chapter presents a comparative analysis of SOA security standards. The authors discuss the challenges SOA security architecture designers face, in relation to an example travel agent web services scenario, and outline potential mitigation strategies.

Download Full-text

Security in Service Oriented Architectures

Digital Rights Management ◽

10.4018/978-1-4666-2136-7.ch004 ◽

2013 ◽

pp. 50-73

Author(s):

Anne V.D.M. Kayem

Keyword(s):

Web Services ◽

Information Exchange ◽

Mitigation Strategies ◽

Security Architecture ◽

Security Model ◽

Service Oriented Architectures ◽

Security Standard ◽

Service Oriented ◽

Soa Security ◽

Security Standards

Service Oriented Architectures (SOAs) have become the defacto standard for defining interoperable architectures on the web with the most common implementation of this concept being in the form of web services. Information exchange is an integral part of SOAs, so designing effective security architectures that ensure data confidentiality and integrity is important. However, selecting a security standard for the architecture is challenging because existing solutions are geared toward access control in relatively static scenarios rather than dynamic scenarios where some form of adaptability is needed. Moreover, when services interact across different domains interoperability becomes a problem because of the lack a consistent security model to handle service interactions. This chapter presents a comparative analysis of SOA security standards. The authors discuss the challenges SOA security architecture designers face, in relation to an example travel agent web services scenario, and outline potential mitigation strategies.

Download Full-text

Applied Cryptography in E-mail Services and Web Services

Applied Cryptography for Cyber Security and Defense ◽

10.4018/978-1-61520-783-1.ch005 ◽

2011 ◽

pp. 130-145

Author(s):

Lei Chen ◽

Wen-Chen Hu ◽

Ming Yang ◽

Lei Zhang

Keyword(s):

Web Services ◽

Communication Networks ◽

Secure Communication ◽

Transport Layer ◽

Public Key ◽

Applied Cryptography ◽

Public Networks ◽

Trust System ◽

Security Standards ◽

E Mail

E-mail services are the method of sending and receiving electronic messages over communication networks. Web services on the other hand provide a channel of accessing interlinked hypermeida via the World Wide Web. As these two methods of network communications turn into the most popular services over the Internet, applied cryptography and secure authentication protocols become indispensable in securing confidential data over public networks. In this chapter, we first review a number of cryptographic ciphers widely used in secure communication protocols. We then discuss and compare the popular trust system Web of Trust, the certificate standard X.509, and the standard for public key systems Public Key Infrastructure (PKI). Two secure e-mail standards, OpenPGP and S/MIME, are examined and compared. The de facto standard cryptographic protocol for e-commerce, Secure Socket Layer (SSL) / Transport Layer Security (TLS), and XML Security Standards for secure web services are also discussed.

Download Full-text

Access Control and Information Flow Control for Web Services Security

International Journal of Information Technology and Web Engineering ◽

10.4018/ijitwe.2016010103 ◽

2016 ◽

Vol 11 (1) ◽

pp. 44-76 ◽

Cited By ~ 2

Author(s):

Saadia Kedjar ◽

Abdelkamel Tari ◽

Peter Bertok

Keyword(s):

Web Services ◽

Access Control ◽

Flow Control ◽

Information Flow ◽

Information Flow Control ◽

User Access ◽

Web Services Security ◽

Information Confidentiality ◽

Security Standards

With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but application level has received less attention. The security solutions at the application level focus on access control which cannot alone ensure the confidentiality and integrity of information. The solution proposed in this paper consists on a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concept of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how the roles access to the system's objects and verify the information flows between them to ensure the information confidentiality and integrity. This manuscript describes the model, gives the demonstration of the IFC model safety, presents the modeling and implementation of the model and a case study.

Download Full-text

Mapping information security standard ISO 27002 to an ontological structure

Information and Computer Security ◽

10.1108/ics-07-2015-0030 ◽

2016 ◽

Vol 24 (5) ◽

pp. 452-473 ◽

Cited By ~ 6

Author(s):

Stefan Fenz ◽

Stefanie Plieschnegger ◽

Heidi Hobel

Keyword(s):

Information Security ◽

Formal Representation ◽

Content Type ◽

Security Standard ◽

Compliance Checking ◽

Baseline Knowledge ◽

Standards And Guidelines ◽

Security Compliance ◽

Security Standards ◽

Machine Readable

Purpose The purpose of this paper is to increase the degree of automation within information security compliance projects by introducing a formal representation of the ISO 27002 standard. As information is becoming more valuable and the current businesses face frequent attacks on their infrastructure, enterprises need support at protecting their information-based assets. Design/methodology/approach Information security standards and guidelines provide baseline knowledge for protecting corporate assets. However, the efforts to check whether the implemented measures of an organization adhere to the proposed standards and guidelines are still significantly high. Findings This paper shows how the process of compliance checking can be supported by using machine-readable ISO 27002 control descriptions in combination with a formal representation of the organization’s assets. Originality/value The authors created a formal representation of the ISO 27002 standard and showed how a security ontology can be used to increase the efficiency of the compliance checking process.

Download Full-text

Enhancing Security Modeling for Web Services Using Delegation and Pass-On

International Journal of Web Services Research ◽

10.4018/jwsr.2010010101 ◽

2010 ◽

Vol 7 (1) ◽

pp. 1-21 ◽

Cited By ~ 4

Author(s):

Wei She ◽

I-Ling Yen ◽

Bhavani Thuraisingham

Keyword(s):

Web Services ◽

Web Service ◽

Information Flow ◽

Security Model ◽

Security Issues ◽

Web Service Security ◽

Security Models ◽

Composite Services ◽

Service Environments ◽

Security Standards

In recent years, security issues in web service environments have been widely studied and various security standards and models have been proposed. However, most of these standards and models focus on individual web services and do not consider the security issues in composite services. In this article, the authors propose an enhanced security model to control the information flow in service chains. It extends the basic web service security models by introducing the concepts of delegation and pass-on. Based on these concepts, new certificates, certificate chains, delegation and pass-on policies, and how they are used to control the information flow are discussed. The authors also introduce a case study from a healthcare information system to illustrate the protocols.

Download Full-text

Engineering Secure Web Services

Performance and Dependability in Service Computing - Advances in Web Technologies and Engineering ◽

10.4018/978-1-60960-794-4.ch016 ◽

2012 ◽

pp. 360-380

Author(s):

Douglas Rodrigues ◽

Julio Cezar Estrella ◽

Francisco José Monaco ◽

Kalinka Regina Lucas Jaquie Castelo Branco ◽

Nuno Antunes ◽

...

Keyword(s):

Web Services ◽

Business Processes ◽

State Of The Art ◽

Security Requirements ◽

Security Assessment ◽

Service Oriented Architectures ◽

Practical Engineering ◽

Service Oriented ◽

Security Standards ◽

Art Techniques

Web services are key components in the implementation of Service Oriented Architectures (SOA), which must satisfy proper security requirements in order to be able to support critical business processes. Research works show that a large number of web services are deployed with significant security flaws, ranging from code vulnerabilities to the incorrect use of security standards and protocols. This chapter discusses state of the art techniques and tools for the deployment of secure web services, including standards and protocols for the deployment of secure services, and security assessment approaches. The chapter also discusses how relevant security aspects can be correlated into practical engineering approaches.

Download Full-text

Challenges in Securing ESB Against Web Service Attacks

Advances in Business Information Systems and Analytics - Exploring Enterprise Service Bus in the Service-Oriented Architecture Paradigm ◽

10.4018/978-1-5225-2157-0.ch006 ◽

2017 ◽

pp. 74-96 ◽

Cited By ~ 1

Author(s):

Rizwan Ur Rahman ◽

Divya Rishi Sahu ◽

Deepak Singh Tomar

Keyword(s):

Distributed Computing ◽

Web Services ◽

Web Service ◽

Service Oriented Architecture ◽

Service Research ◽

Internet Protocols ◽

Is Implementation ◽

Security Issues ◽

Service Oriented ◽

Security Standards

Web services and Service oriented architecture are innovative phase of distributed computing, build on top of the distributed computing models. Web services are being used mostly for the integration business components. One of the key concerns in web services and service oriented architecture is implementation of adequate security. Security issues in SOA are still probing and in spite of an increase in web service research and development, many security challenges remain unanswered. This chapter introduces the vulnerabilities, threats associated with web services and addresses WS-Security standards and countermeasures. Web service protocol is designed to provide connectivity. Not any of these standards of web services contain any inbuilt security aspect of their own. Web Services are exposed to attack from common Internet protocols and in addition to new categories of attacks targeting Web Services in particular. Consequently, the aim of this chapter is to provide review of security mechanism in web services.

Download Full-text

Enhancing Security Modeling for Web Services Using Delegation and Pass-On

Web Service Composition and New Frameworks in Designing Semantics ◽

10.4018/978-1-4666-1942-5.ch013 ◽

2012 ◽

pp. 286-307

Author(s):

Wei She ◽

I-Ling Yen ◽

Bhavani Thuraisingham

Keyword(s):

Web Services ◽

Web Service ◽

Information Flow ◽

Security Model ◽

Security Issues ◽

Web Service Security ◽

Security Models ◽

Composite Services ◽

Service Environments ◽

Security Standards

In recent years, security issues in web service environments have been widely studied and various security standards and models have been proposed. However, most of these standards and models focus on individual web services and do not consider the security issues in composite services. In this article, the authors propose an enhanced security model to control the information flow in service chains. It extends the basic web service security models by introducing the concepts of delegation and pass-on. Based on these concepts, new certificates, certificate chains, delegation and pass-on policies, and how they are used to control the information flow are discussed. The authors also introduce a case study from a healthcare information system to illustrate the protocols.

Download Full-text

Web services and web service security standards

Information Security Technical Report ◽

10.1016/j.istr.2004.11.001 ◽

2005 ◽

Vol 10 (1) ◽

pp. 15-24 ◽

Cited By ~ 16

Author(s):

Christian Geuer-Pollmann ◽

Joris Claessens

Keyword(s):

Web Services ◽

Web Service ◽

Web Service Security ◽

Security Standards

Download Full-text