Securing Web Services

Securing Web services is a necessity for Partners HealthCare. This non-profit health care system is a federation of community hospitals, academic medical centers, healthcare centers, and other health-related entities. So, of course, Partners must comply with the federal security regulations governing patient information under the Health Information Portability and Accountability Act (HIPAA). The question was how to do it most efficiently and effectively.

Partners HealthCare: The Challenge of Securing Web Services

Partners had deployed 50 Web services as a means to integrate multiple applications across 12 different hospitals. Its IT staff included 200 service developers/providers organized into small groups. These teams were dispersed over numerous locations and medical campuses and worked with different vendors via the Web services. As a result, Partners faced several challenges in its Web services deployment, including:
Putting responsibility for security policy into the hands of each of its local service development groups created the potential for inconsistent coverage. The company needed a way to ensure consistent security and avoid any coverage gaps, as well as to audit for compliance.

Securing Web Services with Actional for Active Policy Enforcement

Progress® Actional® for Active Policy Enforcement provided an effective and efficient solution for ensuring security across and beyond the organization while also reducing service development work. Actional decouples or abstracts policies from services, providing tools for centralized management of policy and local deployment at relevant service endpoints. This approach allowed knowledgeable security staff to create and control security policy at the enterprise level, while ensuring its consistent enforcement across Web services. The Actional solution made integrating with suppliers over the Internet—as well as integrating Partners' own distributed organizations over its intranet—simpler as well as secure. With Actional, Partners could develop services once and use them for both Internet and intranet access just by applying policies for different levels of security for external versus internal communications, rather than by coding policy on a service-by-service basis. This approach saved service developers a significant amount of work while ensuring correct HIPAA compliance without gaps.
Partners HealthCare used Actional for Active Policy Enforcement for securing Web services efficiently by instituting a higher level of security controls—mutual SSL (secure socket layer) for authentication, plus intellectual property (IP) restriction—for Internet versus intranet communications. Actional also gave Partners visibility into its entire Web services implementation, with its automatic end-to-end Web service monitoring as well as compliance auditing and troubleshooting capabilities. With end-to-end visibility, Partners was able to find performance issues such as faults sooner. Actional also provided insight into the volume of requests, enabling Partners to adjust consumption of services that weren't business critical to off-peak hours. This centralized system monitoring and control also relieved service developers of the burden of gathering operational metrics via coding services, while providing them with reports on their services on the intranet. In addition, no changes were required in services to enforce policies. All necessary SOA rules could be applied centrally—making security part of the infrastructure and enabling service developers/providers to focus on their functions.

For More Information on Making SOA Policy Enforcement Easier

For more information on how securing Web services with Actional for Active Policy Enforcement reduced both risks and costs for Partners HealthCare, listen to "SOA Security and Compliance: How to Avoid the Risks."



