Unlocking the Door to Web Service Security

Author(s)

Business Relationship Manager - Product Lifecycle Management, Chevron Corporation

Many companies have embraced the concepts of Service Oriented Architecture (SOA) at least to the point of creating a few Web Services that are consumed by different applications. Embracing the use of SOA often comes about when an Enterprise Architect is sitting in a kickoff meeting and the need to reuse some critical data foundation functionality, such as Customer Relationship Management (CRM) or Master Data Management (MDM)—through the use of a service interface rather than replication of a nightly batch feed—arises.

These initial services tend to not be secured, or they are secured through some non-standard means such as including username and password information directly in the SOAP body or through HTTP Basic Authentication. This article will outline some basic standards that can be set-up in an Enterprise with minimal effort.

Enable a Security Interceptor

Using a Security Interceptor is a basic way to quickly implement Enterprise-Wide Web Security. Employing the use of a standard Security Interceptor can bring an Enterprise a long way in Web Service Security. The concept of a Security Interceptor is shown in Figure A.

The basic concept shown in this diagram is that the web service producer has enabled a Security Interceptor to take care of all the functionality related to authentication of the web service. The interceptor can also insert information into the SOAP header of the message related to the user, such as groups the user belongs to, so that the service itself can respond in different ways based on the user’s role in the organization. Taking this process to a different level, the Security Interceptor can also be externalized from an individual service and actually be localized to a single provider that all consumers (clients) use for web service communication. The benefit here is that web service producers need not worry about setting up their own interceptors; they can rely on the central interceptor service to manage security and implementation of standards such as Web Service Security. The producers can, in turn, simply limit their network communication to only the interceptor.

Single Sign On and Web Service Security

Now that all of the web service traffic is going through security interceptors and verifying identity against a single repository, more architectural benefits are available. In Graphic A, it is possible to implement security several ways. One way is to create a single user in the repository used by the Authentication Provider to protect the service. This method is the most basic way to implement security. Although the least secure, it requires the same stringent management of the credentials that are typically employed for a database service account for a transactional application with direct database access. This method may be fine for services that are read-only in nature and do not deal with secure data. The credentials here may just be a means of tracking access to the application to ensure service level contracts are not being abused in terms of access. The more appropriate way to access services, however, is for the user to request information or to perform the transaction in question.

The architecture that provides this ability builds on the previous example and is shown in Figure B. In simple terms, the user logs into a web application that performs some look-ups or transactions through one or more Web Services. The Web Services have already been set-up to utilize a Security Interceptor which in turn leverages a central Authentication Provider. The web application can also be set-up to utilize the services of the Authentication Provider for the initial authentication into the application itself.

Typically, the Authentication Provider dispenses a token that the web application will store locally and is checked during each request to a protected resource. This same token can be passed down to the back-end code of the application making the web service calls, such that the token can be added to the SOAP header of the web service call. This process allows the Security Interceptor to validate the user without the need for their credentials and grants access to the service. Now there is no need to protect the service with service accounts. The interceptor can actually identify the user and provide that information to the web service producer itself for more intelligent processing if required.

Conclusion

While much of the information provided in Graphic B may be common knowledge at this point, few organizations implement it. The reason for this lack of implementation may be budgetary. It is widely believed that purchases must be made to implement this type of architecture over and above the purchases for application and web servers that host the Web Services themselves—specifically the central authentication provider.

With the ability to standardize on protocols such as Security Assertion Markup Language (SAML) and Web Service Security, it is very possible to create a local authentication provider that can be used for web site authentication and for Web Service authentication that is standards –based. With minimal effort and no additional dollars, the benefits that such architecture can provide are clear. What seems to be not as clear is the way to go about getting there. Standardizing usage on Security Interceptors authenticating against a central repository is a very basic first step which can unlock the door to achieving a solid Enterprise web service security architecture.

Similar Resources

Understanding the Difference Between a Certificate and Certification

Understanding the Difference Between a Certificate and Certification

Author(s):

Editor & Founder, BPMInstitute.org, BAInstitute.org and DBIZInstitute.org

As professionals seek to advance their careers or pivot to new fields, understanding the variety of learning and credentialing options is essential. At BPMInstitute.org, we often encounter students wondering whether they should pursue a certificate or certification in Business Process Management (BPM). This article is designed to clarify the differences, highlight the benefits of each, and guide prospective students in making the best decision for their career goals.

Enhancing Your Team’s BPM Capabilities: The Value of External Expertise

Enhancing Your Team’s BPM Capabilities: The Value of External Expertise

Author(s):

Editor & Founder, BPMInstitute.org, BAInstitute.org and DBIZInstitute.org

Enhancing Your Team's BPM Capabilities: The Value of External Expertise In today’s dynamic business environment, managing and improving business processes is critical for any organization aiming to maintain a competitive edge. Many companies consider handling Business...

Exploring Shared Data Model and Notation (SDMN) and Its Role in BPM+

Exploring Shared Data Model and Notation (SDMN) and Its Role in BPM+

Author(s):

Editor & Founder, BPMInstitute.org, BAInstitute.org and DBIZInstitute.org

Exploring Shared Data Model and Notation (SDMN) and Its Role in BPM+ Introduction In the evolving landscape of Business Process Management (BPM), the introduction of Shared Data Model Notation (SDMN) marks a significant advancement. As businesses increasingly seek to...

Featured Certificate: BPM Specialist

Everyone starts here.

You're looking for a way to improve your process improvement skills, but you're not sure where to start.

Earning your Business Process Management Specialist (BPMS) Certificate will give you the competitive advantage you need in today's world. Our courses help you deliver faster and makes projects easier.

Your skills will include building hierarchical process models, using tools to analyze and assess process performance, defining critical process metrics, using best practice principles to redesign processes, developing process improvement project plans, building a center of excellence, and establishing process governance.

The BPMS Certificate is the perfect way to show employers that you are serious about business process management. With in-depth knowledge of process improvement and management, you'll be able to take your business career to the next level.

Learn more about the BPM Specialist Certificate

Courses

  •  

 

Certificates

  • Business Process Management Specialist
  • Earning your Business Process Management Specialist (BPMS) Certificate will provide you with a distinct competitive advantage in today’s rapidly evolving business landscape. With in-depth knowledge of process improvement and management, you’ll be able to take your business career to the next level.
  • BPM Professional Certificate
    Business Process Management Professional
  • Earning your Business Process Management Professional (BPMP) Certificate will elevate your expertise and professional standing in the field of business process management. Our BPMP Certificate is a tangible symbol of your achievement, demonstrating your in-depth knowledge of process improvement and management.

Certification

BPM Certification

  • Make the most of your hard-earned skills. Earn the respect of your peers and superiors with Business Process Management Certification from the industry's top BPM educational organization.

Courses

 

Certificates

  • Operational Excellence Specialist
  • Earning your Operational Excellence Specialist Certificate will provide you with a distinct advantage in driving organizational excellence and achieving sustainable improvements in performance.
 

 

OpEx Professional Certificate

  • Operational Excellence Professional
  • Earn your Operational Excellence Professional Certificate and gain a competitive edge in driving organizational excellence and achieving sustainable improvements in performance.

Courses

Certificate
  •  

  • Agile BPM Specialist
  • Earn your Agile BPM Specialist Certificate and gain a competitive edge in driving business process management (BPM) with agile methodologies. You’ll gain a strong understanding of how to apply agile principles and concepts to business process management initiatives.  
 

Business Architecture

 

Certificates

  • Business Architecture Specialist
  • The Business Architecture Specialist (BAIS) Certificate is proof that you’ve begun your business architecture journey by committing to the industry’s most meaningful and credible business architecture training program.

  • Business Architecture Professional
  • When you earn your Business Architecture Professional (BAIP) Certificate, you will be able to design and implement a governance structure for your organization, develop and optimize business processes, and manage business information effectively.

BA CertificationCertification

  • Make the most of your hard-earned skills. Earn the respect of your peers and superiors with Business Architecture Certification from the industry's top BPM educational organization.

Courses

 

Certificates

  • Digital Transformation Specialist
  • Earning your Digital Transformation Specialist Certificate will provide you with a distinct advantage in today’s rapidly evolving business landscape. 
 

 

  • Digital Transformation Professional
  • The Digital Transformation Professional Certificate is the first program in the industry to cover all the key pillars of Digital Transformation holistically with practical recommendations and exercises.

Courses

Certificate

  • Agile Business Analysis Specialist
  • Earning your Agile Business Analysis Specialist Certificate will provide you with a distinct advantage in the world of agile software development.

Courses

Certificate
  • DAS Certificate
  • Decision Automation Specialist
  • Earning your Decision Automation Certificate will empower you to excel in the dynamic field of automated decision-making, where data-driven insights are pivotal to driving business innovation and efficiency.