Web Services Threats: Internal Employees

IT departments typically concern themselves with external attackers. However, many Web services threats originate from within the organization. With Web services, more sophisticated functionality is made available to a wider audience. Web service interfaces are also human-readable and much easier to use than previous integration and messaging technologies. Access to confidential information, gained through standard network or Web services authorization procedures, and embezzlement of funds are just some of the internal security breaches that employees or former employees can carry out. Because employees are the people most familiar with internal systems, detection can be extremely difficult. Firewalls, in general, are insufficient for detecting such breaches because the compromises take place inside the firewall perimeter.

Unintentional compromises are also possible. If an interface is not secure, an employee may accidentally access information that they are not intended to view. With additional interfaces and access to data, more sophisticated compromises can occur. For instance, data can be pieced together from multiple sources that are each secure on their own but reveal confidential information once combined. Salary information indexed by an internal key may be harmless by itself, but when it is coupled with an equally harmless list that maps employee names to the same internal key, the result is highly confidential information.

Least privilege techniques are important to ensure that people do not have more access than is absolutely needed to do their jobs. In addition, reporting and auditing can help detect anomalous behavior.

Threat Containment

Once a security breach is detected, Web services environments pose difficult challenges for handling threats because they typically comprise heterogeneous systems with decentralized administration. Even getting consistent troubleshooting information is a challenge. Each system may have its own log format and its own slightly different timestamps. Piecing together information to determine unauthorized activity may be a difficult task.

Being able to shut down systems and reject traffic from specific sources is important for handling a compromise. Standardizing on log formats and developing Web services security policies and procedures for threat containment should help provide security to the overall system. Coordination among administrators, even across enterprise systems, is necessary to ensure timely and effective response.
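The log-correlation problem described in the two paragraphs above, as an added example that is not part of the original article: three systems log the same user's activity in different formats and with different clocks, and the code normalizes them into one UTC timeline. The log formats, host and user names, and the measured clock correction are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines; the three formats and all names are assumptions.
SOURCES = {
    "gateway": ['10.0.4.17 - jdoe [12/Mar/2024:14:02:07 -0500] "POST /services/Payroll" 200',
                '10.0.4.22 - asmith [12/Mar/2024:14:02:08 -0500] "POST /services/Directory" 200'],
    "appsrv": ["2024-03-12T19:02:09Z user=jdoe op=getSalary status=OK"],
    "dbaudit": ["1710270125 jdoe SELECT salaries", "truncated-rec"],
}
# Assumed measured clock error per source: seconds to add to reach true UTC.
CLOCK_CORRECTION = {"gateway": 0, "appsrv": 0, "dbaudit": 6}

def parse_gateway(line):  # local time with a UTC offset
    m = re.match(r'\S+ - (\S+) \[([^\]]+)\] "([^"]*)" \d+', line)
    if not m:
        raise ValueError("bad gateway line")
    return datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(1), m.group(3)

def parse_appsrv(line):  # ISO 8601 UTC stamp followed by key=value pairs
    stamp, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields["user"], fields["op"]

def parse_dbaudit(line):  # epoch seconds, then user and statement
    epoch, user, action = line.split(" ", 2)
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc), user, action

PARSERS = {"gateway": parse_gateway, "appsrv": parse_appsrv, "dbaudit": parse_dbaudit}

def timeline(sources, user=None):
    """Return (events sorted by corrected UTC time, unparseable lines)."""
    events, skipped = [], []
    for name, lines in sources.items():
        for line in lines:
            try:
                ts, who, action = PARSERS[name](line)
            except (ValueError, KeyError):
                skipped.append((name, line))  # keep for manual review, never drop silently
                continue
            ts = ts.astimezone(timezone.utc) + timedelta(seconds=CLOCK_CORRECTION[name])
            if user is None or who == user:
                events.append((ts.isoformat(), name, who, action))
    return sorted(events), skipped

if __name__ == "__main__":
    for event in timeline(SOURCES, user="jdoe")[0]:
        print(*event)
```

Taken at face value, the database record (19:02:05 UTC) would appear to precede the gateway request that caused it; applying the clock correction restores the order gateway, application server, database.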

It is possible, some recent studies have shown, that corporations are more vulnerable to Web services threats from within than from without. (Though the details are hard to confirm because many companies are not eager to share the specifics of their security situations.) Nevertheless, IT shops must pay rigorous attention to these very real internal threats – be they accidental or intentional.

For More Information

Learn more about Web services threats in the context of an overall Web services management plan: download the free webinar, SOA Governance: Where the Rubber Meets the Runtime

Look out for Web Services Threats: Especially Those You Least Expect!

Download the free white paper, "XML Web Services Security — Going Production," now.
