Web Services Control: Taking Control of Your Network

Because Web services often move important and valuable business data, Web services control issues are critical. To take control of their service networks, enterprises must address at least the following baseline security concerns.

One way to maintain Web services control is to verify that the users of such services are both authenticated (they are who they say they are) and authorized (they have permission, based on business rules) to access the service they are requesting.

Most organizations have already invested in user directories such as LDAP and identity management systems, as well as single sign-on systems such as Netegrity. However, integrating Web services into these infrastructures requires custom coding for each service. Moreover, different services may need to authenticate and authorize users based on different user directories and/or credential types. Lastly, there are many situations where access to services must be gated by business logic – for example, in many regulated securities markets it is actually illegal to take orders during non-market hours.

General Products is faced with this exact problem. While they have implemented Netegrity SiteMinder internally for single sign-on to all applications, their customers and affiliate resellers are tracked in an LDAP directory dedicated to external users. While internal users have access to the SAP, Oracle and mainframe systems, external users do not. The extensive Web services control and security tasks that the development team must tackle include:

  • Delegating authentication and authorization of internal service requests to the Netegrity system
  • Authenticating via a look-up in the external LDAP and then authorizing external users based on their organization and the specific services and operations they wish to access
  • Securing the same service for both external users and internal employees, using the methods above
  • Ensuring that customers who order directly do not exceed their credit limits
  • Being prepared to take advantage of emerging Web services security standards as they become available in commercial products
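
The checks in the list above can be expressed as one fail-closed decision function. This is an added example, not code from General Products or Actional; the in-memory identity stores, credentials, organization names, `OrderService` and its operations are all constructed assumptions standing in for the real SSO and LDAP lookups.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Principal:
    user: str
    org: str
    credit_limit: Optional[float] = None  # None: no limit tracked (internal staff)

@dataclass(frozen=True)
class Request:
    realm: str        # "internal" or "external"; set by the gateway, never by the caller
    credential: str
    service: str
    operation: str
    order_total: float = 0.0

# Constructed stand-ins for the two identity stores. A real gateway would ask the
# SSO policy server or look the user up in the external LDAP directory here.
SSO_SESSIONS = {"sso-tok-1": Principal("alice", "general-products")}
EXTERNAL_LDAP = {"ldap-cred-7": Principal("bob", "reseller-a", credit_limit=5000.0)}

AUTHENTICATORS: Dict[str, Callable[[str], Optional[Principal]]] = {
    "internal": SSO_SESSIONS.get,
    "external": EXTERNAL_LDAP.get,
}

# (organization, service) -> permitted operations; anything absent is denied.
ACL: Dict[Tuple[str, str], Set[str]] = {
    ("general-products", "OrderService"): {"placeOrder", "getStatus", "cancelOrder"},
    ("reseller-a", "OrderService"): {"placeOrder", "getStatus"},
}

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason); every path that is not an explicit allow is a deny."""
    authenticate = AUTHENTICATORS.get(req.realm)
    if authenticate is None:
        return False, "unknown realm"
    principal = authenticate(req.credential)
    if principal is None:
        return False, "authentication failed"
    if req.operation not in ACL.get((principal.org, req.service), set()):
        return False, "operation not authorized"
    # Business rule from the list: direct orders must stay within the credit limit.
    if (req.operation == "placeOrder" and principal.credit_limit is not None
            and req.order_total > principal.credit_limit):
        return False, "credit limit exceeded"
    return True, "ok"
```

Because each realm has its own authenticator, a credential valid in one directory is rejected when presented through the other entry point.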

In the end, Web services control means integrating Web services into existing security systems, which requires creating and maintaining another layer of infrastructure and further increases General Products' total project cost.

For More Information

Find out more about Actional's comprehensive approach to Web services control. View the webinar, SOA Governance: Where the Rubber Meets the Runtime
