
Chapter 2 E-Business, Web Services, and their Security: State of the Art

2.3 Exploring the Security Situation

2.3.1 E-Business and B2B Security

Security has always been a serious consideration for businesses but with the widespread adoption of the Internet, its significance, whether voluntarily or not, has exponentially increased. By simply connecting internal networks to the Internet, businesses become susceptible to a variety of attacks [135, 31] and as recent surveys [166, 170, 171, 210, 33] exhibit, they are being exploited. Malware, viruses and even directed attacks (such as Denial of Service (DoS)) are identified as some of the prime threats.

Within e-businesses where the aim is conducting business electronically, the risks faced are again drastically increased [85]. Businesses have to be cognizant (in their planning and strategies) of the fact that the ubiquitous nature of the Internet means that attacks can occur at any time, from anywhere. Nachtigal and Mitchell [132] aptly stress that the openness to the environment which is the uniqueness of e-business also acts as its real danger. This problem is compounded, they argue, by the fact that traditional security approaches, even though no longer adequate in the era of e-business, are still in use and being developed.

In addition to the problems faced by e-businesses individually, in the connected B2B domain, the significance of security is also prevalent. One of the core drivers behind this is purely monetary and is linked with the enormous value (trillion-dollar market) of B2B and its continued high growth rate [108]. These factors plus the unique challenges already facing e-business make B2B a naturally alluring target for malicious parties. The second noteworthy driver is that as businesses attempt to work together thus forming extended networks, negotiating, accommodating and managing the security desires of each partner represents a formidable challenge [205]. This reality is highlighted by Tiller [205] when he states, “different partners have unique access requirements, want specific security policies in place, and have varying SLAs [Service-Level Agreements] and legal obligations, all leading to security mayhem” (p.68).

A third driver for B2B security is rooted in one of its core benefits, that is, the ability to facilitate very closely knit and highly automated and accelerated processes across enterprise boundaries. This is a point argued in the specific context of the e-supply chain in Baker et al. [6] and more generally in the extended enterprise context by authors in [49, 48].

The problem in these cross-enterprise situations, as researchers stress, is that as organizations increasingly rely on the Internet to closely join companies and support internal and external business processes, each firm’s individual security decisions impact the overall security infrastructure for all the businesses it interacts with [48]. This perspective is validated by an independent survey in Baker et al. [6]. The most significant finding of that survey however is the establishment of a positive correlation between the degree of collaboration (between supply chain partners) and the prevalence of IT security incidents and risk. Common examples of these incidents are unauthorized network access, data theft and malicious code infections, all linked to business partners as the source.

The dilemma faced by businesses therefore is that in fostering the close relationships to enable streamlined interactions, they have also made themselves susceptible to peculiarities in their partners’ security posture. This consideration is novel in that it emphasizes what is in essence a complex security problem as businesses try to (i) protect themselves individually and (ii) devise a strategy to protect collections of legally autonomous businesses, when aiming to form closely knit hybrid organizations like the extended enterprise. The anatomy of the extended enterprise provides just one example of how B2B itself can increase the complexity of the security problem.

With the significance of the security problem outlined, it is worth assessing how security has been achieved in these online systems thus far. In examining this topic, Padmanabhuni and Adarkar [155] note that to achieve security in effect means the satisfaction of a collection of implicit security objectives/requirements. These requirements for online systems are stated broadly to be confidentiality, data integrity, authentication, authorization, non-repudiation, privacy, trust, availability and intrusion detection.

To consider how well the requirements listed have been met in the e-business arena, Padmanabhuni and Adarkar [155] state that the current set of available security technologies is proven to be adequately able to handle these requirements. Examples of these technologies include passwords, encryption, digital signatures, Public Key Infrastructure (PKI), traditional network-level firewalls and Secure Sockets Layer (SSL). Boncella [17] agrees with this perspective as he argues that SSL, PKI and firewalls are able to meet the technical-level security requirements for conventional Web traffic over Hyper-Text Transfer Protocol (HTTP). Work in [100] is yet another research reference that supports this view. A salient point made by Katsikas et al. [100] which is of great relevance to this research is that if technology exists to solve e-commerce security problems, why do breaches persist at such alarming rates? Their answer to this is founded in the reality that security is not only a technical or physical concept. Specifically, they state, “. . . while everyone recognizes the need for securing e-commerce, what they do not know is that security is more than erecting physical and electronic barriers. The strongest encryption and most robust firewall are practically worthless without a set of organizational security measures, built around a security policy that articulates how these tools are to be used, managed and maintained” [100] (p.556).

The remarks above help to identify that security, even in the highly dispersed e-business world, is much more than just technical solutions. This reality can also be seen in Dynes et al. [49] in terms of extended enterprise business collaborations, where companies look towards creating an appropriate security approach (for interacting partners) consisting of strategies, processes, systems, culture and incentives. Building on this more comprehensive view of security (thus, not only technologies), the work of Laudon and Traver [107], displayed in Figure 2.3, is cited. This model perfectly exemplifies the layered nature of security both in e-commerce and, more broadly, in all business security.

[Figure 2.3 placeholder. Layers shown: Data; Technology Solutions; Organizational Policies & Procedures; Laws and Industry Standards.]

Figure 2.3: The e-commerce security environment [107]

In Figure 2.3’s layered model, laws and industry standards guide companies in security but also put regulations in place that enable security violators to be investigated and prosecuted. Secondly, organization policies and procedures mainly attempt to have rules and processes (or generally higher-level approaches) internally that enable the fulfilment of a company’s security objectives/requirements. Finally, technology solutions are the specific, lower-level mechanisms that implement the security objectives/requirements for the data and systems. In practical terms related to the previous paragraphs, organizational security measures such as a security policy would fit in the ‘policies and procedures’ layer, whereas encryption, digital signatures, PKI, traditional network-level firewalls and SSL would be part of the ‘technology solutions’ layer.

In the next section, the security aspects of WS as an enabling technology for e-business are discussed. Emphasis is placed on the significance of security, current approaches towards achieving it and its outstanding issues.

2.3.2 Securing e-Businesses that use Web Services

The substantial advantages to e-business that WS promises regrettably come at a high cost in the area of security. In [217, 194], authors stress that WS by its very nature creates a multitude of new security challenges. Apart from these views, companies in industry have also identified the importance of the security problem in the area of B2B as is seen in the study in [167]. This section identifies and briefly discusses three of the most significant challenges.

The first challenge faced in using WS for business-to-business interactions is that conventional mechanisms used to satisfy security requirements of normal e-business interactions fall short when applied to WS [17, 62, 122, 10]. Typical examples are SSL’s inability to provide end-to-end security (SSL is only point-to-point), and the inadequacy of traditional firewalls to protect against XML-based threats (traditional firewalls cannot scan documents for included XML-based threats). Padmanabhuni and Adarkar [155] sum up the disparity between mechanisms in e-business and those in WS as they emphasize that the loosely coupled, dynamic nature of SOA (which can be also taken to apply to WS) necessitates additional security features and mechanisms.

Secondly, with the new technologies constituting WS, an abundance of new and adapted technical threats has surfaced, a reality worsened by the fact that WS was conceived primarily for interoperability, speed and convenience and not with security natively in mind. These threats endanger all aspects of the WS paradigm and target the range of security objectives.

Another important factor is that threats are not only targeted at the surface level (that is, the application directly interacting with the Internet), but at internal business applications as well. As organizations look to WS-enable their legacy systems to facilitate streamlined integration, they also provide a direct line and new avenue of attack into these systems [189, 197]. Publications in [189, 92, 218, 62, 228] together provide an extensive list of now common attacks and threats against WS. Further to this, some authors [233] even contend that there is a lack of products to aid in providing sufficient security against these threats.

The last challenge considers WS at somewhat of an overarching business level. In their work on WS, Hartman et al. [77] stress that despite its numerous benefits, WS adds significant complexity to the e-business security landscape. Security is now a much broader and more comprehensive concern which cuts across business lines much more easily and quickly than before. As such, an inadequate security posture in one company can become a real-time increased security risk for its partners, immediate and extended.

Due to the complexity of using WS, trust between businesses has also been identified as a related concern. Prokein et al. [167], for example, conclude that WS technology was primarily being used for connecting well-known transaction partners due to a lack of trust in using them with unknown businesses. Trust here and generally in this thesis is defined as the belief that a party’s promise or word is reliable, and that a party will fulfil his/her obligations in an exchange relationship [185]. With just three challenges outlined, it is understandable that some industry professionals (such as Curphey [36]) have deemed WS ‘a developer’s dream and hacker’s heaven’.

As was done in discussing e-business and B2B security, this section now examines how security is achieved when WS is used in business. Generally however, WS security techniques are the same regardless of where they are applied, business or elsewhere. This examination starts by considering the security requirements that lead towards the fulfilment of security.


At a basic level, WS is simply another technology that enables business online (e-business). Deductively therefore, all the security requirements for online systems (named in Section 2.3.1) still do apply when approaching security with WS. This point is seen in [194, 228] as they identify WS security requirements that are similar to e-business requirements, for example, confidentiality, integrity, authentication, authorization, auditing, and intrusion detection and prevention.

For WS specifically, work by Steel et al. [194] extends the basic requirements above with three aspects. The first is Single Sign-On (SSO) and delegation. This is the ability to transparently handle authentication to multiple interacting services and also decentralized access controls. The second aspect is identity and policy management. This enables the sharing of identities and policies that spread across disparate systems and trust boundaries. Finally, there is security interoperability which, in simple terms, ensures that the standards/protocols used are interoperable. All of these additions specifically target the unique security challenges accompanying the distributed, loosely coupled and highly dynamic WS technology suite.

Apart from analysing WS security requirements only, due to WS’s close association to SOA, SOA-related security requirements have also proved to be applicable. In their work on SOA requirements for example, Padmanabhuni and Adarkar [155], like Steel et al. [194], show appreciation for SSO and delegation requirements. Additionally, Padmanabhuni and Adarkar [155] identify two more requirements: malicious invocations (having appropriate code inspection technologies to assess for malicious data in service invocations) and repeated invocations (ensuring mechanisms are in place to protect against repeated WS-specific attacks leading to denial of service). From the set of requirements covered in this and the previous paragraph, one can begin to grasp the complexities of providing even technical-level security to WS interactions. With these requirements outlined, the next step is to present how they are currently being handled (or the proposals publicized to handle them) in the literature.
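One way to realise the two SOA requirements named above, inspection of service invocations and protection against repeated invocations, is a gate in front of the service. This is an added example, not code from the thesis or from [155]; the limits, caller names and sample messages are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from xml.parsers import expat

SOAP_ENVELOPE = "http://schemas.xmlsoap.org/soap/envelope/ Envelope"  # expat form: "URI localname"
MAX_BYTES, MAX_DEPTH = 64 * 1024, 16     # assumed structural limits
MAX_CALLS, WINDOW_SECONDS = 3, 10.0      # assumed per-caller budget

class Refused(Exception):
    """Raised from a parser callback to stop at the first violation."""

def inspect_message(raw: bytes) -> str:
    """Return "ok" or the reason the invocation is refused."""
    if len(raw) > MAX_BYTES:
        return "too-large"
    state = {"depth": 0}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise Refused("dtd-not-allowed")  # a SOAP message carries no DTD

    def on_start(name, attrs):
        if state["depth"] == 0 and name != SOAP_ENVELOPE:
            raise Refused("not-soap")
        state["depth"] += 1
        if state["depth"] > MAX_DEPTH:
            raise Refused("too-deep")

    def on_end(name):
        state["depth"] -= 1

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(raw, True)
    except Refused as reason:
        return str(reason)
    except expat.ExpatError:
        return "malformed"
    return "ok"

class InvocationThrottle:
    """Sliding-window limit on invocations per caller."""
    def __init__(self, max_calls=MAX_CALLS, window=WINDOW_SECONDS):
        self.max_calls, self.window = max_calls, window
        self.calls = defaultdict(deque)

    def allow(self, caller: str, now: float) -> bool:
        recent = self.calls[caller]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_calls:
            return False
        recent.append(now)
        return True

def gate(caller: str, raw: bytes, throttle: InvocationThrottle, now: float) -> str:
    # Throttle first, so refused messages still count against the caller.
    return inspect_message(raw) if throttle.allow(caller, now) else "throttled"

# Constructed sample messages (not taken from any real service).
ENV = b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>%s</s:Body></s:Envelope>'
GOOD = ENV % b"<getQuote><item>widget</item></getQuote>"
DEEP = ENV % (b"<a>" * 20 + b"</a>" * 20)
WITH_DTD = b"<!DOCTYPE Envelope>" + GOOD
```

The inspection runs on the message content itself, which is the part a network-level firewall never parses.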

tioned above, consortiums such as OASIS and W3C have developed and ratified numerous standards. These standards aim to solve problems caused by common threats and also to further the WS paradigm by enabling substantially more dynamic security interactions between services. Due to the large number of these standards and their inherent complexities, this section does not aim to discuss them in detail. The intention instead is to provide a contextual overview.

Arguably the best and most intuitive approach to this review is to present standards according to the challenges and requirements they address. The National Institute of Standards and Technology (NIST) article in [189] (based on the work in [136]) is one work that provides a detailed categorization of security standards. The security dimensions NIST identifies are secure messaging, resource protection, negotiation of contracts, trust management and security properties. That article was chosen as the primary resource for the following overview mainly due to its extensive coverage and well established literature base. For clarity in presentation and to put some of the standards to be identified in context, Figure 2.4 has been included.

[Figure 2.4 placeholder. Panel labels: Security Management; Identity Management; Message Security; Reliable Messaging; Policy; Access Control; SOAP Foundation; XML Security; Transport Layer Security; Network Layer Security. Standards shown: WS-Federation, SAML, Liberty Alliance, WS-Trust, XKMS, WS-Reliability, WS-Security, WS-Policy, WS-SecureConversation, WS-ReliableMessaging, XACML, XML Encryption, XML Signature, SSL/TLS, IPSec.]

Figure 2.4: Web Services Security Standards: Notional Reference Model [189]

One of the primary goals of WS security is secure messaging. In this dimension, security specifications include SSL and Transport Layer Security (TLS) to secure the message at the transport layer and WS-Security (which leverages XML security techniques such as XML Encryption and XML Signature) to secure the message at the SOAP level. These specifications satisfy the security requirements of authentication, confidentiality, non-repudiation and integrity. The WS-Security specification in simple terms can also be thought of as a mechanism to support the security credential interoperability requirement [155].
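The difference between securing the transport and securing the message at the SOAP level, and the earlier remark that SSL is only point-to-point, can be shown with a message relayed through an intermediary. This is an added example, not code from the thesis or from any standard: an HMAC over the canonicalized Body stands in for XML Signature, and the `BodyMac` header, its namespace, the shared key and the order payload are hypothetical.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DEMO = "urn:example:body-mac"  # hypothetical namespace for the demo header
ET.register_namespace("soap", SOAP)


def body_mac(envelope: ET.Element, key: bytes) -> str:
    """HMAC-SHA256 over the canonical form of the SOAP Body."""
    body = envelope.find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    canonical = ET.canonicalize(ET.tostring(body, encoding="unicode"),
                                rewrite_prefixes=True)
    digest = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def protect(payload_xml: str, key: bytes) -> bytes:
    """Sender: wrap the payload and bind a MAC of the Body into the Header."""
    envelope = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(envelope, f"{{{SOAP}}}Header")
    ET.SubElement(envelope, f"{{{SOAP}}}Body").append(ET.fromstring(payload_xml))
    ET.SubElement(header, f"{{{DEMO}}}BodyMac").text = body_mac(envelope, key)
    return ET.tostring(envelope)


def verify(raw: bytes, key: bytes) -> bool:
    """Final receiver: accept only if the Body still matches the sender's MAC."""
    try:
        envelope = ET.fromstring(raw)
        claimed = envelope.findtext(f"{{{SOAP}}}Header/{{{DEMO}}}BodyMac")
        return claimed is not None and hmac.compare_digest(claimed, body_mac(envelope, key))
    except (ET.ParseError, ValueError, TypeError):
        return False


def intermediary(raw: bytes, new_amount=None) -> bytes:
    """A hop that ends one TLS session and starts the next: it holds the message
    in the clear and re-serializes it, optionally changing the order amount."""
    envelope = ET.fromstring(raw)
    if new_amount is not None:
        envelope.find(".//amount").text = new_amount
    return ET.tostring(envelope)


# Constructed sample: key and order are made up for the demonstration.
KEY = b"demo-key-shared-by-sender-and-receiver"
ORDER = "<order><item>widget</item><amount>10</amount></order>"

if __name__ == "__main__":
    sent = protect(ORDER, KEY)
    print("relayed unchanged:", verify(intermediary(sent), KEY))
    print("relayed, body altered:", verify(intermediary(sent, "9000"), KEY))
```

Each hop's transport protection ends at the intermediary, so only the check carried inside the message lets the final receiver notice the altered Body.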

At the resource protection dimension, thus considering the service as a resource itself, requirements for privacy are met by OASIS’s eXtensible Access Control Markup Language (XACML), whereas ensuring only authorized use is addressed by eXtensible rights Markup Language (XrML) and again, XACML. The basis behind both standards is in providing a universal syntax for managing rights and authorization decisions.

To facilitate the technical level trust and trust management capabilities required between disparate services, various standards are proposed. These include: WS-Trust and XML Key Management Specification (XKMS) for establishing trust, Security Assertion Markup Language (SAML) and WS-Trust for trust proxying, and finally WS-Federation and Liberty Alliance ID-FF for federation, or loosely, ‘sharing’ of trust. Another way to view these standards as shown in Figure 2.4 is to associate WS-Trust and XKMS with security management, and SAML, WS-Federation and Liberty Alliance with federated identity management (or simply, identity management across trust domains). Research in [155] can supplement or at least simplify some of these descriptions as they specifically identify that SAML addresses the security requirements of SSO, and authentication and authorization interoperability, and XKMS addresses the need for XML-based PKI.

Beyond the topic of trust, contract negotiation is also regarded as a key dimension of WS security. In its requirement for registries and semantic discovery, the two highlighted standards are: Universal Description, Discovery, and Integration (UDDI), which from its inception has been considered a place to hold description information (including contracts) on services, and the Ontology Web Language for Services (OWL-S), a newer standard which focuses on semantic markup for WS to enhance discovery capabilities.

The last dimension of security is related specifically to security properties of services and the requirements pertaining to their usage policy, security policy and availability. The first two requirements are supported by WS-Policy and WS-SecurityPolicy respectively, and focus on how to express capabilities, preferences and needs of a service in a standardized way. The availability requirement is simply concerned with ensuring a level of reliability in message transmission and this is addressed by standards WS-ReliableMessaging and WS-Reliability as shown in Figure 2.4.

This concludes this overview of the WS security standards landscape. For detailed information on the standards mentioned above, readers are directed to: [153] for WS-Security, WS-Trust, WS-SecurityPolicy, WS-ReliableMessaging, WS-Reliability, XACML, SAML and UDDI, [225] for XKMS, XML-Signature, XML Encryption, WS-Policy and OWL-S, [9] for WS-Federation, [110] for Liberty Alliance ID-FF, [34] for XrML, and in general see [157, 189, 36, 155, 14, 68, 214].

From this overview of standards, one can appreciate that there is a large amount of resources dedicated to the security of WS. Regardless of this progress however, and contrary to the perspective that there are already too many standards (see Alonso et al. [4]), there still remains the view that existing proposals are not an adequate solution to the technology level security problem. In Zhang [231] for example, the argument is made for a new layer called WS-Trustworthy. Zhang hypothesizes that WS-Security and related technologies at their core only address the security issue of Web services-centred computing, thus overlooking the issue of the overall service trustworthiness; trustworthiness in this regard deals with the level of confidence that services will act as intended, and encompasses attributes such as reliability, availability, interoperability and fault tolerance [231].

Additionally, Sidharth and Liu [187] highlight the need for their new framework based on the notion that the applicability of protocols such as WS-Security, WS-Trust and WS-Federation is in fact limited, as they only protect communications between trusted parties who share an established security context. The following statement aptly sums up their contentions, “The pervasiveness of web services and SOAP API [Application Programming Interface] that can be invoked by anonymous consumers introduces security vulnerabilities [that] are not addressed by the existing standards” [187] (p.23).

Aside from WS standards and the systems which implement them, appli-