Considering web services security policy compatibility

For most organizations supporting business-to-business (B2B) web services interactions, security is a growing concern. Web services providers and consumers document their primary and alternative security requirements and capabilities in security policy files, expressed in WS-Policy, WS-SecurityPolicy and WS-Security syntax. To secure message exchanges to the satisfaction of all parties, the security requirements of both the provider and the consumer need to be satisfied. This paper investigates how mutually agreed-upon security policies can be created. An analysis of the WS-Policy intersection algorithm highlights its deficiencies for finding mutually compatible policies: in particular, the interrelated effect that security policy assertion choices have on each other is identified as an important aspect not yet considered. Over and above the security policy assertions themselves, other influences on security policy choices, which may affect the security level an organization ends up supporting, are identified. A proposal is made on how the assertions of two security policies should be considered in order to create a secure, mutually agreed-upon security policy that satisfies the requirements of both parties.
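The following is an added example, not code from the paper, that makes the deficiency discussed above concrete. It implements the WS-Policy 1.5 intersection algorithm over policies in normal form (an ExactlyOne of All alternatives): two assertions are compatible when they have the same type and their nested policies intersect to something non-empty, and assertion parameters are deliberately not compared. It then layers on two illustrative steps that the standard algorithm lacks and that the paper's proposal is concerned with, rejecting merged alternatives whose parameters conflict and preferring the strongest remaining alternative instead of taking whichever the intersection happens to list first. The WS-SecurityPolicy 1.2 namespace and IncludeToken URIs are real; the policy model is simplified (an `sp:X509Token` placed directly in an alternative, rather than inside a supporting-tokens assertion), the sample provider and consumer policies are constructed, and the parameter-conflict rule and the Basic128/192/256 strength ranking are assumptions chosen for illustration, not rules from WS-Policy or from the paper.

```python
"""Added example: WS-Policy 1.5 intersection in normal form, plus the two
domain-specific steps the standard algorithm leaves out (parameter conflict
detection and choosing the strongest compatible alternative).  Sample policies
are constructed for illustration; the policy model is simplified."""
from dataclasses import dataclass
from itertools import product
from typing import Optional, Tuple

SP = "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}"
INCLUDE = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/"


@dataclass(frozen=True)
class Assertion:
    qname: str                                  # expanded name, e.g. SP + "AlgorithmSuite"
    params: Tuple[Tuple[str, str], ...] = ()    # assertion parameters: ignored by intersection
    nested: Optional["Policy"] = None           # nested policy expression, in normal form


@dataclass(frozen=True)
class Policy:
    alternatives: Tuple[Tuple[Assertion, ...], ...]   # normal form: ExactlyOne of All


def A(local, params=(), nested=None):
    return Assertion(SP + local, tuple(params), nested)


def P(*alternatives):
    return Policy(tuple(tuple(alt) for alt in alternatives))


def assertions_compatible(a, b):
    """WS-Policy 1.5 s4.5: same type, and if either has a nested policy, both
    must have one and their intersection must be non-empty.  Parameters are
    NOT part of the test, which is the deficiency demonstrated below."""
    if a.qname != b.qname:
        return False
    if a.nested is None and b.nested is None:
        return True
    if a.nested is None or b.nested is None:
        return False
    return bool(intersect(a.nested, b.nested).alternatives)


def alternatives_compatible(x, y):
    """Strict mode: every assertion in x has a compatible one in y and vice versa."""
    return (all(any(assertions_compatible(a, b) for b in y) for a in x)
            and all(any(assertions_compatible(b, a) for a in x) for b in y))


def intersect(p, q):
    """Standard intersection: each compatible pair of alternatives yields their union."""
    out = []
    for x, y in product(p.alternatives, q.alternatives):
        if alternatives_compatible(x, y):
            out.append(tuple(x) + tuple(b for b in y if b not in x))
    return Policy(tuple(out))


def parameter_conflicts(alt):
    """Assumed domain-specific check: the same assertion type appearing in one
    merged alternative with different parameter values (e.g. IncludeToken)."""
    seen, conflicts = {}, []
    for a in alt:
        if a.qname in seen and seen[a.qname].params != a.params:
            conflicts.append((a.qname, seen[a.qname].params, a.params))
        seen.setdefault(a.qname, a)
    return conflicts


SUITE_STRENGTH = {SP + "Basic128": 1, SP + "Basic192": 2, SP + "Basic256": 3}  # assumed ranking


def suites(alt):
    """Algorithm-suite assertions named anywhere in the alternative, recursing into nesting."""
    names = set()
    for a in alt:
        if a.qname in SUITE_STRENGTH:
            names.add(a.qname)
        if a.nested is not None:
            for inner in a.nested.alternatives:
                names |= suites(inner)
    return names


def strength(alt):
    """Weakest suite mentioned in the alternative decides its strength (0 if none)."""
    found = suites(alt)
    return min(SUITE_STRENGTH[n] for n in found) if found else 0


def negotiate(provider, consumer):
    """Intersection, then drop parameter conflicts, then prefer the strongest alternative."""
    candidates = [alt for alt in intersect(provider, consumer).alternatives
                  if not parameter_conflicts(alt)]
    return max(candidates, key=strength, default=None)


def binding(suite):
    return A("TransportBinding", nested=P([A("AlgorithmSuite", nested=P([A(suite)]))]))


# Constructed sample policies (simplified: token assertion sits directly in the alternative).
ALWAYS = (("IncludeToken", INCLUDE + "AlwaysToRecipient"),)
NEVER = (("IncludeToken", INCLUDE + "Never"),)
PROVIDER = P([binding("Basic256"), A("X509Token", ALWAYS)],
             [binding("Basic128"), A("X509Token", ALWAYS)])
CONSUMER = P([binding("Basic128"), A("X509Token", NEVER)],
             [binding("Basic256"), A("X509Token", ALWAYS)])

if __name__ == "__main__":
    for alt in intersect(PROVIDER, CONSUMER).alternatives:
        print("standard intersection accepts strength", strength(alt),
              "conflicts:", parameter_conflicts(alt))
    print("negotiated strength:", strength(negotiate(PROVIDER, CONSUMER)))
```

Run as written, the standard intersection reports two compatible alternatives: the Basic256 pair, and a Basic128 pair in which the provider's `sp:X509Token` says `AlwaysToRecipient` while the consumer's says `Never`, a combination the algorithm accepts because it never looks at parameters but which cannot actually secure a message. `negotiate` discards that alternative and returns the Basic256 one; if the consumer only offered the Basic128/`Never` alternative, the standard algorithm would still report success while `negotiate` correctly reports that no secure agreement exists.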
