Web Services Policy: Using Policies to Secure Your Web Services

Defining Web services policy – in this case, security policy – and applying it to your Web services at runtime is critical given all the services that are proliferating across corporate networks today. But how to manage it all?

Web Services Policy for Safety: Definition and Enforcement, Monitoring Alerting and Auditing

Policies can be simple to create. Using Actional's Web services management solution, they can be created from scratch or built from a template provided with the solution, as shown in the screenshot below:

Actional SOAPstation simplifies Web services policy management with templates for rapid policy creation

Here are some examples of simple but useful policies that can be implemented to improve productivity:

  • Audit message content – Useful if there is a need in the early stages of an application to be able to capture the content of messages. Seeing the content can help to troubleshoot message conversations when services are first put into production. Rule conditions can be set up to audit under certain conditions (e.g. if Web service response time is slow, then audit the message).
  • Notify on "SOAP fault" messages – One of the simplest policies, with the largest impact on delivering a quality service. This rule can notify an administrator / operator that a SOAP fault has occurred. When a SOAP fault occurs, the message will be logged for proper investigation. Corrective action can be automatically taken, though in early stages most organizations prefer limited, if any, automated activities.
  • Performance management – Rules can be set on statistics with known performance boundaries, such as response time, data size, number of requests, number of failures, percentage of failures and number of outstanding requests, and used as the basis for notifying the operator or developer. Statistics can be gathered on the triplet group:service:operation for a high level of flexibility in ensuring service levels.
  • Command and control – To gain insight into who is using the services. This is achieved by auditing customer ID fields or some other unique identifier.
  • Content-based auditing – To keep track of daily volume or of who has used a particular service, for example. This is done by mining the data inside the XML messages passing through your systems.
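The fault-notification, conditional-audit and per-triplet statistics rules from the list above, sketched as an added example; this is not Actional's code or SOAPstation's rule syntax. It assumes SOAP 1.1 envelopes, and the 500 ms threshold, the function names and the sample traffic are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted traffic, prefer defusedxml's parser
from collections import defaultdict

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SLOW_MS = 500  # assumed response-time boundary for the conditional audit rule

def envelope(body):
    return f'<s:Envelope xmlns:s="{SOAP11}"><s:Body>{body}</s:Body></s:Envelope>'

# Constructed sample traffic: (group, service, operation, response ms, response XML)
SAMPLE = [
    ("billing", "Invoice", "get", 120, envelope("<r><customerId>C1</customerId></r>")),
    ("billing", "Invoice", "get", 900, envelope("<r><customerId>C2</customerId></r>")),
    ("billing", "Invoice", "get", 80, envelope(
        "<s:Fault><faultcode>s:Server</faultcode><faultstring>db down</faultstring></s:Fault>")),
    ("hr", "Payroll", "run", 60, "<not-xml"),
]

def find_fault(xml_text):
    """Return the faultstring if the body holds a SOAP 1.1 Fault, else None."""
    root = ET.fromstring(xml_text)
    fault = root.find(f"{{{SOAP11}}}Body/{{{SOAP11}}}Fault")
    if fault is None:
        return None
    return fault.findtext("faultstring", default="(no faultstring)")

def apply_policies(traffic, slow_ms=SLOW_MS):
    stats = defaultdict(lambda: {"requests": 0, "failures": 0})
    alerts, audit = [], []
    for group, service, op, ms, xml_text in traffic:
        key = f"{group}:{service}:{op}"          # the group:service:operation triplet
        stats[key]["requests"] += 1
        try:
            fault = find_fault(xml_text)
        except ET.ParseError:
            fault = "unparseable response"       # malformed XML counts as a failure
        if fault is not None:
            stats[key]["failures"] += 1
            alerts.append((key, fault))              # notify-on-fault rule
            audit.append((key, "fault", xml_text))   # keep message for investigation
        elif ms > slow_ms:
            audit.append((key, "slow", xml_text))    # audit only when response is slow
    for s in stats.values():
        s["failure_pct"] = round(100 * s["failures"] / s["requests"], 1)
    return dict(stats), alerts, audit
```

Calling `apply_policies(SAMPLE)` returns the per-triplet statistics, the fault alerts and the audited messages; only the slow and failed exchanges are retained, so routine message content is not logged.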

These policy capabilities can be combined with the provisioning capability to provide policies that are specific to each consumer need, allowing IT to provide high levels of customer satisfaction and confidence. Together these provide IT with the ability to address each consumer's specific needs without impacting the entire community of consumers.

End-to-End Safety

The notion of a loosely coupled environment extends to the implementation of security around the services in the network. Unfortunately, most implementations hard-code security into the application, or tightly couple security policies into the use of the services.

In SOAPstation, Actional implements security contracts, allowing security policies to be set and applied to interfaces by a security team independent of the project development schedule. Policies are written in such a way that they are not tightly bound to the application, and can therefore be written by the security team without affecting service delivery.

This abstraction of security enables security consistency across all services and allows policies to be set and reset without impact to the delivery of individual Web services projects. It ensures that as security policies change, the burden of delivering new levels of security across all services is minimized.

SOAPstation integrates seamlessly with Active Directory, LDAP, Netegrity, and Oblix single-sign-on offerings, as well as SAML, WS-Security and XKMS Web services security standards. Bottom line, SOAPstation is a totally open platform: the ideal solution for automatically applying Web services policy and securing your network.

For More Information

Learn more about Web services policy – in the context of an overall SOA governance solution: read the free white paper, SOA Primer: Comprehensive Runtime Governance from Actional

Use Web Services Policy to Keep Your Services Secure

Download the free white paper, "Getting Started With Web Services — Breaking Through the Complexity," now.
