Trust-Based Security Model and Enforcement Mechanism for Web Service Technology

The emerging Web service technology has enabled the development of Internet-based applications that integrate distributed and heterogeneous systems and processes which are owned by different organizations. Compared to centralized systems and client-server environments, the Web service environment is much more dynamic and security for such an environment poses unique challenges. For example, an organization (e.g., a service provider or a service broker) cannot predetermine the users of its resources and fix their access privileges. Also, service providers come and go. The users of services must have some assurances about the services and the organizations that provide the services. Thus, the enforcement of security constraints cannot be static and tightly coupled. The notion of trust agreement must be established to delegate the responsibility of certification of unknown users, services, and organizations. In this paper, we describe a Trust-based Security Model (TSM) that incorporate the traditional security concepts (e.g., roles, resources, operations) with new security concepts that are specific to the Web service environment. The security concepts of TSM are then applied to the general Web service model to include security considerations. Finally, an event-driven, rule-based approach to the enforcement of security in a Web service environment is described.

[1]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[2]  William E. Johnston,et al.  Authorization and attribute certificates for widely distributed access control , 1998, Proceedings Seventh IEEE International Workshop on Enabling Technologies: Infrastucture for Collaborative Enterprises (WET ICE '98) (Cat. No.98TB100253).

[3]  Elisa Bertino,et al.  Data security , 1998, Proceedings. The Twenty-Second Annual International Computer Software and Applications Conference (Compsac '98) (Cat. No.98CB 36241).

[4]  Steven J. Vaughan-Nichols Web Services: Beyond the Hype , 2002, Computer.

[5]  Joan Feigenbaum,et al.  REFEREE: Trust Management for Web Applications , 1997, Comput. Networks.

[6]  Marianne Winslett,et al.  Assuring security and privacy for digital library transactions on the Web: client and server security policies , 1997, Proceedings of ADL '97 Forum on Research and Technology. Advances in Digital Libraries.

[7]  Sanjiva Weerawarana,et al.  Unraveling the Web services web: an introduction to SOAP, WSDL, and UDDI , 2002, IEEE Internet Computing.

[8]  Amir Herzberg,et al.  Access control meets public key infrastructure, or: assigning roles to strangers , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[9]  Thomas Hildmann,et al.  Managing trust between collaborating companies using outsourced role based access control , 1999, RBAC '99.

[10]  Jean Bacon,et al.  Access control in an open distributed environment , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[11]  Stanley Y. W. Su,et al.  An extensible knowledge base management system for supporting rule-based interoperability among heterogeneous systems , 1995, CIKM '95.

[12]  Sylvia L. Osborn,et al.  The role graph model and conflict of interest , 1999, TSEC.

[13]  Herman Lam,et al.  A Web-Based Knowledge Network for Supporting Emerging Internet Applications , 2001, World Wide Web.

[14]  Herman Lam,et al.  An information infrastructure and e-services for supporting Internet-based scalable e-business enterprises , 2001, Proceedings Fifth IEEE International Enterprise Distributed Object Computing Conference.

[15]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[16]  Ben Y. Zhao,et al.  An architecture for a secure service discovery service , 1999, MobiCom.

[17]  Joan Feigenbaum,et al.  KeyNote: Trust Management for Public-Key Infrastructures (Position Paper) , 1998, Security Protocols Workshop.