Abstract
Web service is becoming an important area of business processing and research for enterprise systems. Various Web service providers currently offer diverse computing services ranging from entertainment, finance, and health care to real-time application. With the widespread proliferation of Web Services, not only delivering secure services has become a critical challenge for the service providers, but users face constant challenges in selecting the appropriate Web services for their enterprise application systems. Security has become an important issue for information systems (IS) managers for a secure integration of Web services with their enterprise systems. Security is one of the determining factors in selecting appropriate Web services. The need for run-time composition of enterprise systems with third-party Web services requires a careful selection process of Web services with security assurances consistent with the enterprise business goal. Selection of appropriate Web services with required security assurances is essentially a problem of choice among several alternative services available in the market. The IS managers have little control of the actual security behavior of the third-party Web services, however, they can control the selection of right services which could likely comply their security requirements. Selecting third-party Web services arbitrarily over the Internet is critical as well as risky.
Key Terms in this Chapter
Security Property: A security property is an implementation element used in a security function. A set of security properties can form a security function. A security property is an element at the lowest level of the implementation.
Security Profiling: Security profiling is the security characterization of an entity, a service, or a component in terms of security objectives as well as security properties. It spells out the actual implemented security characteristics of an entity.
Security Objective: A security objective is an abstract representation of a security goal. A security objective defines a desired security state of an entity or data of the system. It represents the main goal of a security policy.
Security Function: A security function is the implementation of a security policy as well as a security objective. It enforces the security policy and provides required capabilities. Security functions are defined to withstand certain security threats, vulnerabilities, and risks. A security function usually consists of one or more principals, resources, security properties, and security operations.
Security Criteria: A security criteria is a rule with a set of security properties that can be used to assess a security function or security objective. A security criteria tests whether a security function has desired security properties.
Web Services: A Web service is a platform-independent and self-contained software with defined functionality that can be available over the Internet. It provides a standard way of integrating mechanisms with enterprise applications over the net. A Web service can perform one or more functionalities for the complex application system.
Security Class: A security class represents a generic grouping of similar types of security objectives that share a common focus while differing in coverage of security functions as well as security properties.