The road to secure Web services
Source: InfoWorld
WEB SERVICES ARE primed to be the next big development for Internet-based applications and transactions. As with any new technology, security eventually surfaces in the discussion -- and Web services is no different. After all, the aim of Web services, which is to seamlessly integrate systems and applications that communicate over a network, will often allow access to sensitive information by unknown parties.
Although Web services are new, the main tenets of security never change. Any security solution for Web services should provide five things: authentication, authorization, confidentiality, integrity, and nonrepudiation. Users should be identified, whether through a basic user ID and password combination, or something a little stronger such as a digital certificate. Once a user is identified and authenticated, any request he makes should be authorized; the user should be granted the rights and permissions to perform the requested task. Additionally, any sensitive information should remain confidential throughout the entire process and data should not be altered in transit, retaining its original integrity. Once an order is placed or a request is made, nonrepudiation measures should be in place to prevent anyone from denying the order or request after the fact.