
Increasing importance of webservice security

01.01.2012

Webservice security is my current field of interest because from my experience I see a fast increase in security questions for distributed computing.

Webservices have mostly been a technique to integrate heterogeneous systems and technologies. These lived within one secure network, and therefore security was not a big issue. But two trends change this:

  1. Webservices become more important for B2B communication. This communication uses the internet. Secure transport and client/server authentication are always necessary. Even though the data might not be very confidential in many cases, attacks might harm business continuity.
  2. Cloud computing puts business-critical applications outside the company network. Business-critical and confidential information has to be transported through the internet. VPN connections are usually not possible with cloud solutions.

 
Here is one example:
During a project I was implementing the webservice connectivity between SAP and Oracle CRM on Demand for a large global corporation. Oracle CRM on Demand is a CRM cloud solution. It stores the revenue calculations and revenue forecasts, customer prospects etc. This is very confidential data for every company.
The communication with Oracle CRM on Demand is done via webservices.

The security consists of two techniques:

  1. Transport layer security through SOAP over HTTPS, with one-way (server) authentication as usual.
  2. Client authentication and authorization through a simple login webservice. This service asks for username and password and returns a token, which has to be used as a session identifier in the URL of all subsequent webservice calls.
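The post's guard only counts wrong passwords per username; one caller may try as many username/password pairs as he likes. The following is an added example, not code from the post or from Oracle CRM on Demand: a small detector run over constructed login-log lines (format, IP addresses and usernames are all assumed) that implements the per-username rule the post describes next to the per-source rule it lacks, so a single source failing against many different usernames is noticed.

```python
import re
from collections import defaultdict

# Constructed log lines for a hypothetical login webservice (not a real format).
SAMPLE_LOG = """\
2012-01-01T10:00:01 src=203.0.113.5 user=alice result=FAIL
2012-01-01T10:00:02 src=203.0.113.5 user=bob result=FAIL
2012-01-01T10:00:03 src=203.0.113.5 user=carol result=FAIL
2012-01-01T10:00:04 src=203.0.113.5 user=dave result=FAIL
2012-01-01T10:00:05 src=203.0.113.5 user=erin result=FAIL
2012-01-01T10:00:06 src=198.51.100.7 user=alice result=FAIL
2012-01-01T10:00:07 src=198.51.100.7 user=alice result=FAIL
2012-01-01T10:00:08 src=198.51.100.7 user=alice result=FAIL
2012-01-01T10:00:09 src=192.0.2.10 user=frank result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_log(text):
    """Turn log text into a list of {src, user, result} dicts; skips unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def per_user_lockouts(events, threshold=3):
    """The rule the post describes: N wrong passwords for one username locks that user."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def per_source_alerts(events, threshold=3):
    """The missing rule: one source failing against N distinct usernames raises an alert."""
    users_failed = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users_failed[e["src"]].add(e["user"])
    return sorted(s for s, us in users_failed.items() if len(us) >= threshold)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("locked users:", per_user_lockouts(evts))
    print("sources to throttle:", per_source_alerts(evts))
```

On the constructed input the per-username rule locks only `alice`, while the per-source rule flags `203.0.113.5`, which never failed more than once against any single user and so is invisible to the guard in the post. In a real deployment both counters would be kept in a window (per hour, say) rather than over the whole log.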

This is all. Would you consider this secure? Let's transform this example into a more tangible scenario:
  • Let's assume the revenue data is written in books and not in IT systems.
  • The data is not in a cloud but in a house.
  • I assume further that, apart from the standard interfaces, the cloud is very secure. Therefore we imagine that the house which contains the books is Fort Knox. You have no chance of entering except through the standard gate.

With these assumptions, the security concept of Oracle CRM on Demand / Fort Knox looks like this:

The people who approach Fort Knox know for sure that it is Fort Knox and not a different house pretending to be Fort Knox. They know it because there is a certificate at the gate which is very believable.

Furthermore, the persons who come to and leave Fort Knox are protected by the so-called 'https security corporation', which accompanies them on their way. This makes sure that the persons are not attacked and that the goods they bring to or from Fort Knox cannot be stolen on the way.

But now let's have a look at the people who approach Fort Knox. They have to present a simple piece of paper which has a username and password on it. If both are correct, the guard will let them through into the house, and they can look at all the books.
Only when somebody comes three times with a piece of paper that contains the same username but different passwords, and all passwords are wrong, will the guard change the password for this user. But one person can come an unlimited number of times and try different usernames and passwords. The guard will never become upset and will never call the police.


Furthermore, the security of Fort Knox knows how many usernames they have issued. But they don't know how often these were copied. Therefore they don't know how many people have access to Fort Knox, because they never check the identity of the people who try to enter, and not even of the people who do enter.
They don't care whether the person is a friend or a rival. Anybody can enter with a copy of the paper.
Don't forget that the person who gets into Fort Knox can not only look at the books; they can also destroy books or bring new books. But nobody checks whether the new books are correct. It is not clear whether these are the same books which the sender gave to the messenger.
Because don't forget that the messenger has a long journey to bring the books from the sender to Fort Knox. He has protection while he is walking on the street, but he has to stay overnight in several hotels. Inside the hotels he has no protection. Bandits can exchange or edit the books while the messenger is sleeping in a hotel. Or the bandits can make a copy of the books while the messenger is at lunch in the hotel's restaurant. All the revenue data is written in clear text in the book. They can just put it on a mobile copy machine.
Once the message arrives in Fort Knox, nobody checks the integrity of the books. Nobody knows whether anybody has read the books. They just put them on the shelves.
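The "hotel" stops are the intermediaries (proxies, queues, application servers) where transport security ends and the message lies unprotected, which is why the post's integrity check has to travel with the message itself. The following is an added example, not code from the post: a message-layer integrity check using an HMAC over a canonical serialisation of the message, standing in for the XML Signature the post plans to use (XML Signature uses public-key signatures and a certificate; HMAC with a shared key is used here only because it runs with the standard library). The key, the message contents and the `deliver` simulation are constructed for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. A real deployment would use a per-client key exchanged
# out of band, or a signing key pair as XML Signature does.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(message: dict) -> bytes:
    """Stable serialisation so sender and receiver hash exactly the same bytes.
    XML Signature solves the same problem with canonical XML (C14N)."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign(message: dict, key: bytes = SHARED_KEY) -> dict:
    """The sender seals the 'book' before handing it to the messenger."""
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"body": message, "mac": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """The guard at Fort Knox recomputes the seal; constant-time compare avoids
    leaking how many bytes of a forged tag were right."""
    expected = hmac.new(key, canonical(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("mac", ""))


def deliver(envelope: dict, tamper=None) -> dict:
    """Simulate the journey; `tamper` is an optional function that edits the body
    while the messenger 'sleeps in a hotel'. Returns a copy, as a proxy would."""
    env = copy.deepcopy(envelope)
    if tamper is not None:
        tamper(env["body"])
    return env


# Constructed revenue record standing in for one 'book'.
BOOK = {"account": "ACME Corp", "forecast_eur": 1250000, "quarter": "2012-Q1"}


def honest_delivery() -> bool:
    return verify(deliver(sign(BOOK)))


def tampered_delivery() -> bool:
    def bump_forecast(body):
        body["forecast_eur"] = 9999999
    return verify(deliver(sign(BOOK), tamper=bump_forecast))


def forged_seal() -> bool:
    # A bandit who lacks the key cannot produce a valid seal for his own book.
    return verify(sign(BOOK, key=b"bandit-guessed-key"))


if __name__ == "__main__":
    print("honest delivery accepted:", honest_delivery())
    print("edited book accepted:", tampered_delivery())
    print("book with forged seal accepted:", forged_seal())
```

This covers only integrity and origin: the bandit with the copy machine still reads the clear-text revenue figures, which is the separate job of message-layer encryption (XML Encryption in the post's plan). Note also that the seal must cover the whole canonical body; signing only a digest of selected fields would leave the unsigned fields editable in the hotel.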

Obviously, this company would not organize its security like this if the data did not consist of intangible bits and bytes, and if the gate security concept of IT systems were easier to understand. At least they would check the identity of the people who enter their library of confidential data. At every company gate you have to present your identification, but not at the virtual company gates, at least not since companies started outsourcing their IT systems.


It is easy to talk smart, but it is not easy to implement all the desired security in webservice communication. Therefore I will try to implement a simple webservice communication with Apache Axis2 in Java which is protected by transport security, authentication and authorization, and message layer security such as XML Signature and XML Encryption.
