The recent spike in insider threats, coupled with a rise in compliance
considerations, has forced organizations to ensure only authorized users
access sensitive application functionality and data. Historically, user
entitlements or authorization logic has been embedded inside an application.
For example, if the user of an application meets specific conditions, such as
a specific role, access to that application function will be granted at
runtime. But if the definition of specific authorization conditions changes
over time, then the application developer needs to modify the application's
source code, test, and re-deploy the application.
Suppose a homegrown portal application must present a sensitive piece of
customer information such as a Social Security Number (SSN) when a service
representative views a customer's profile. It is determined that in order to
ensure ...
One of the challenges IT organizations face is how to propagate identities in
complex business processes that are commonly found in Service Oriented
Architectures (SOAs). Identities, which are passed from one service
invocation to the next in a business process, give the process a user
context. Identities can be used to determine access rights to SOA services
and for audit and compliance purposes.
For example, consider a procurement business process for an application
that's used by a number of purchasing agents. Each agent has a different
purchasing privilege. Say a senior agen...
Web services are past the initial marketing hype. Early Web services were
part of experimental one-off projects within a single enterprise department.
Now, larger Web services deployments are moving outside of the enterprise
firewall to better leverage existing business partnerships and value chains.
Larger Web services projects come with a price, however. They are more
complicated to implement and more costly to manage. They require careful
deployment planning throughout the enterprise based on well-established
business processes.
The emerging proliferation of Web services netwo...
Last month (WSJ, Vol. 4, issue 2), we looked at how Web services should not
depend on specific security environments and rules but should be managed as
part of all of an enterprise's corporate data assets such as Web
applications, ERP systems, and in-house applications.
We recommended that Web services security be integrated with the overall
enterprise security infrastructure at the very beginning of the Web services
deployment phase. This month, we'll look at some of those possible deployment
models.
Deployment Models
There are four deployment models based on the guidelines pres...
This article focuses on the value of Web services security. It is important
to understand what Web services are and their challenges, particularly
related to security. Traditionally, companies have relied on conventional,
transport-level security, but this approach has its limitations. The market
now offers complementary XML-based solutions designed to secure documents
used in Web services requests and responses. We will explore these solutions
and outline "typical case scenarios" to provide a comprehensive landscape on
the current offering of Web services security solutions.
Web...