How you secure web services depends on whether they are intranet or internet facing.

Internet Facing Services

For an internet facing web service, you need message level encryption. The encryption key can be a simple username – however, as a best practice it is better to use certificate based public keys. The public key can be requested by anyone directly from the host – once available, all messages are encrypted using this public key. The public key can only encrypt- not decrypt any messages. The private key is only available to the host – so the host is able to decrypt the message successfully. Once decrypted, the host scans the message for the username, which it then uses to authenticate the service.

INTRANET Facing Services

These do not need message level encryption. Simply using windows identify (windows auth) should successfully allow the client credentials to be authenticated. One can use Windows-based security for transfer security, authentication,and authorization. The client process (which uses a service proxy to call the service) automatically knows it has to send its windows credentials to the service (the service configures this in the endpoint configuration).

Authenticate end users – Two-Way Certificates

One way to ensure that your end client is truly your end client is to distribute a certificate that you create and maintain – purely for end user authentication purposes. This is different from the server certificate – which identifies, not the end user, but the actual website that is hosting the web service.  This requires the host (server) to maintain a list of issued certificates (a local Certificate Authority in a sense).  This can quickly become unmanageable as the number of end users grows. However, it is a super-secure model – as it is impossible for either the clients or the server to bypass trust.

Glossary

: Web Services can be secured using a combination of the following:

  1. Transport Layer Security—SSL.
  2. XML Encryption (Confidentiality)
  3. XML Signature (Integrity, Authenticity)
  4. WS-Security.
  5. WS-Security Tokens. Username. X.509 Certificate. Kerberos Token. SAML Token.
  6. WS-Policy.
  7. WS-SecurityPolicy.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Initial Consultation

Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.

 Twitter Linkedin