I came across this interesting blog post from Gaurav Sharma that describes why he was initially skeptical of using OWSM to secure web services that are hosted in the intranet and what changed his mind.
What were the things that I found interesting?
- Gaurav focuses mainly on securing the message in transit
- His main concern, even when discussing securing messages in transit, is focused on apps handling sensitive information like financial information.
- If you are really a security fanatic - you will pick up on a third interesting tidbit, related to #2: his main concern is around ensuring components outside the intranet are not in a position to access the sensitive
- Discussion about the performance implications
I think there is a broader list of security aspects that you need to consider - many of these were discussed a long time back in an article I co-authored, which is available here. I have re-enumerated them here for convenience.
- Authentication (AuthN for short)
- Authorization (AuthZ for short)
- Information Disclosure
- Denial of Service
- Replay attacks
- Virus attacks and Intrusion Detection
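The "Replay attacks" item above is the one most easily shown in code. The following is an added example, not code from the original post or from OWSM: a receiver-side check of the kind that WS-Security Timestamp and UsernameToken Nonce headers make possible. The freshness window, clock-skew allowance and the constructed message values are assumptions for illustration.

```python
"""Replay detection for a web service receiver (added example, not OWSM code).

Each inbound message carries a Created timestamp and a unique Nonce. The
receiver rejects anything outside a freshness window and any nonce it has
already accepted inside that window. The nonce and timestamp only protect
against replay if they are covered by the message signature (or by the
UsernameToken password digest); otherwise a sender could re-stamp the message.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class ReplayGuard:
    # Window values are constructed for this example; tune per deployment.
    freshness: timedelta = timedelta(minutes=5)
    clock_skew: timedelta = timedelta(seconds=30)
    _seen: dict = field(default_factory=dict)  # nonce -> Created time

    def check(self, nonce: str, created: datetime, now: datetime) -> tuple:
        """Return (accepted, reason) for one message."""
        # 1. Freshness: reject messages dated in the future or older than the window.
        if created > now + self.clock_skew:
            return False, "created timestamp is in the future"
        if now - created > self.freshness:
            return False, "message older than freshness window"
        # 2. Evict nonces whose messages could no longer pass the freshness
        #    check, so the cache stays bounded.
        cutoff = now - self.freshness
        for old_nonce, old_created in list(self._seen.items()):
            if old_created < cutoff:
                del self._seen[old_nonce]
        # 3. Uniqueness: a nonce seen within the window is a replay.
        if nonce in self._seen:
            return False, "nonce already used (replay)"
        self._seen[nonce] = created
        return True, "accepted"


def replay_demo() -> list:
    """Run a constructed sequence of messages through one guard."""
    guard = ReplayGuard()
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    messages = [
        ("n1", base, base),                                   # fresh, first use
        ("n1", base, base + timedelta(seconds=10)),           # replayed 10s later
        ("n2", base - timedelta(minutes=10), base),           # stale timestamp
        ("n3", base + timedelta(minutes=1), base),            # future-dated
        ("n4", base, base + timedelta(seconds=20)),           # fresh, new nonce
    ]
    return [guard.check(nonce, created, now)[1] for nonce, created, now in messages]


if __name__ == "__main__":
    for reason in replay_demo():
        print(reason)
```

The order of checks matters: the freshness test runs first so that a replay with a stale timestamp is rejected even after its nonce has been evicted from the cache.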
The list of security issues is pretty comprehensive for the most part - but I will elaborate on two, Authentication and Authorization, here:
If you need AuthN - there are some additional considerations in this space:
- Does your Web Service need to support Identity propagation?
- Does your Web Service need to support Brokered AuthN?
- Does your Web Service need to support Federated Identity scenarios?
If you need AuthZ - there are a few additional considerations as they relate to AuthZ:
- Does your Web Service need to support Role based AuthZ?
- Does your Web Service need to support Permission based AuthZ?
- Does your Web Service need to support Fine grained AuthZ?
- Does your Web Service need to support Context aware AuthZ and in general Context-aware Security? (Here is an article on the need for Context aware security)
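To make the four AuthZ questions above concrete, here is an added example that is not code from the original post or from OWSM: one request evaluated against role-based, permission-based, fine-grained and context-aware rules in turn. The roles, permissions, branch model, transfer limit and context conditions are all constructed for illustration and are not OWSM or OPSS policy syntax.

```python
"""Four authorization styles layered on one web service request
(added example; policy model is constructed, not OWSM's).

- Role-based:       is the caller a "manager"?
- Permission-based: does some role grant "account:transfer"?
- Fine-grained:     does the decision depend on the specific account and amount?
- Context-aware:    does network location, time of day or MFA change the answer?
"""
from dataclasses import dataclass
from datetime import time

# Constructed role -> permission mapping.
ROLE_PERMISSIONS = {
    "teller": {"account:read"},
    "senior_teller": {"account:read", "account:transfer"},
    "manager": {"account:read", "account:transfer"},
}
HIGH_VALUE_LIMIT = 10_000.0  # constructed threshold for the fine-grained rule


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    branch: str


@dataclass(frozen=True)
class Account:
    number: str
    branch: str


@dataclass(frozen=True)
class Context:
    network: str      # "intranet" or "internet"
    local_time: time  # caller's local time at the gateway
    mfa: bool         # whether the session completed multi-factor auth


def has_role(subject: Subject, role: str) -> bool:
    """Role-based AuthZ: coarse membership check."""
    return role in subject.roles


def permissions_of(subject: Subject) -> set:
    """Permission-based AuthZ: flatten roles into the permissions they grant."""
    perms = set()
    for role in subject.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(subject: Subject, account: Account, action: str,
              ctx: Context, amount: float = 0.0) -> tuple:
    """Return (allowed, reason). Each layer can only deny; all must pass."""
    perm = f"account:{action}"
    # Permission-based: the operation must be granted by at least one role.
    if perm not in permissions_of(subject):
        return False, f"missing permission {perm}"
    # Fine-grained: the answer depends on the resource instance and the request.
    if account.branch != subject.branch:
        return False, "account belongs to another branch"
    if action == "transfer" and amount > HIGH_VALUE_LIMIT and not has_role(subject, "manager"):
        return False, "high-value transfer requires manager role"
    # Context-aware: the same subject may be denied from a riskier context.
    if action == "transfer":
        business_hours = time(8, 0) <= ctx.local_time <= time(18, 0)
        if ctx.network != "intranet" and not ctx.mfa:
            return False, "transfer from outside intranet requires MFA"
        if not business_hours and not ctx.mfa:
            return False, "after-hours transfer requires MFA"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed scenario: a manager transferring from outside the intranet.
    mgr = Subject("alice", frozenset({"manager"}), "east")
    acct = Account("ACC-0001", "east")
    print(authorize(mgr, acct, "transfer", Context("internet", time(10, 0), False), 500.0))
    print(authorize(mgr, acct, "transfer", Context("internet", time(10, 0), True), 500.0))
```

Each layer answers a different one of the questions in the list: the permission check alone would let a senior teller move any amount, the fine-grained rule caps that by amount and branch, and the context rule shows why "consumerization" matters, since the identical manager request is denied from the internet until MFA is present.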
Not all of these security aspects are necessarily relevant if your web services are exposed only on the intranet or are departmental web services.
However you do need to consider the surface area of exposure for your web services - especially with what is being termed as the "Consumerization of IT" and the security challenges this presents.
Even assuming your departmental web services do not have a large exposure and are accessible only via the corporate intranet - they typically require authentication and authorization. In addition, auditing is also typically required to address compliance needs mandated by various regulatory requirements.
It is worth noting that OWSM does not necessarily address all the security issues - especially relating to Virus attacks, Throttling of requests, Intrusion Detection, etc.
Oracle's SOA Security Strategy is shown in the below embedded picture.
Here is a link to this image. Hopefully this post helps people in considering the various security challenges and how the different Oracle products address these security challenges.
Updated: Corrected typos.