Web services will need managed IDs to stay safe

As web services evolve from app-to-app to more complex transactions, they introduce new challenges for CSOs to consider.

Consider this: a staff portal calls Weather.com's web service for local weather conditions. The portal's web service requests could include host location, so a Boston employee gets Boston weather, for example. This may seem low-risk, but what if the calls are made to the employer's 401(k) provider? The request and underlying security must be identity-centric – coarse-grained, all-or-nothing security will not suffice.

In simple point-to-point web services, scale is manageable because the tight coupling between partners restricts the number of authorized identities. But as companies expose more web services, bulk identities are no longer sufficient: companies need better visibility into exactly who is accessing each web service, not merely which partner application is calling it.

This is why industry pundits and the press stress the importance of identity management in web services. Initially, people tend to visualize web services as app-to-app, making identity straightforward. But as the point-to-point model expands, identities become more fine-grained and harder to manage.

To reap the full benefits of Service Oriented Architectures while mitigating the security risks, enterprises should couple identity management with web services and adopt these four points:

  • Ensure consistency in security policy – abstract security policy from the web service container to a third-party security solution;
  • Extend existing investment protection – for those who have invested in ID management (IDM) solutions to protect web apps, it is a natural evolution to extend that same infrastructure to web services;
  • Consider scalability – managing a growing number of user identities can become a nightmare;
  • Monitor compliance and segregation of duties – when developers code security directly into the web services container, they risk introducing gaps and inconsistencies. IDM mitigates this risk and eases compliance by providing centralized audit.
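The 401(k) scenario above, and the first and fourth points, as an added example that is not part of the original article: a web service authorization check that trusts only the calling application (coarse-grained) beside one that decides on the asserted end-user identity, with the policy kept outside the service handler and every decision written to a central audit log. Account ownership, role assignments, the trusted caller name and the action names are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample data for the illustration: which employee owns which
# 401(k) account, and which calling application the provider trusts.
ACCOUNT_OWNERS: Dict[str, str] = {"acct-1001": "alice", "acct-1002": "bob"}
TRUSTED_CALLERS: Set[str] = {"staff-portal"}


@dataclass
class ServiceRequest:
    caller_app: str            # application making the web service call
    subject: Optional[str]     # end-user identity asserted by the IDM layer
    account_id: str            # account the request operates on
    action: str                # e.g. "read_balance" or "change_allocation"


def authorize_coarse(req: ServiceRequest) -> bool:
    """All-or-nothing: any request from a trusted application is allowed.
    A bug in, or compromise of, the portal exposes every employee's account."""
    return req.caller_app in TRUSTED_CALLERS


# Policy lives outside the handler so it can be managed and audited centrally
# (constructed: roles permitted per action, and explicit role assignments).
POLICY: Dict[str, Set[str]] = {
    "read_balance": {"owner", "plan_admin"},
    "change_allocation": {"owner"},
}
ROLES: Dict[str, Set[str]] = {"carol": {"plan_admin"}}

AUDIT_LOG: List[dict] = []  # one record per decision, allowed or denied


def authorize_identity_centric(req: ServiceRequest) -> bool:
    """Decision depends on who the end user is, not only which app called."""
    allowed = False
    if req.caller_app in TRUSTED_CALLERS and req.subject is not None:
        roles = set(ROLES.get(req.subject, set()))
        if ACCOUNT_OWNERS.get(req.account_id) == req.subject:
            roles.add("owner")  # ownership is derived, never asserted by caller
        allowed = bool(roles & POLICY.get(req.action, set()))
    AUDIT_LOG.append({"subject": req.subject, "account": req.account_id,
                      "action": req.action, "allowed": allowed})
    return allowed
```

With the coarse check, a request from the portal on behalf of bob for alice's account passes; the identity-centric check denies it and records the denial.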

Companies that adopt identity-centric web services will realize stronger security, better scalability and greater flexibility. Enterprises that rely on coarse-grained security risk potential security breaches.

Merritt Maxim is director of XML technologies for Netegrity, a division of Computer Associates, Inc.
