SECURE COLLABORATION USING WEB SERVICES
Government agencies, which continue to struggle with integration and information-sharing challenges complicated by aging and siloed legacy systems, are increasingly looking to Web services to ease their pain.
A Web service is a software component that presents itself as a service on a network using a specific set of open protocols and standards like eXtensible Markup Language (XML); Simple Object Access Protocol (SOAP); Universal Description, Discovery and Integration (UDDI); and Web Services Description Language (WSDL). Because they are built on standards, Web services allow disparate computer systems to communicate and share information in a common language, building bridges to perform functions — from simple information requests to complex business processes.
Today, most government Web services implementations are confined to intra-agency environments. For example, an employee at the front desk of the Division of Motor Vehicles may use a Web service to access information from a back-office system to verify an applicant’s identity.
The next phase for Web services — cross-agency implementation — has the power to elevate government efficiency and constituent service to new heights. By presenting Web services over the Internet, a government agency can open its doors, share best practices and collaborate with other agencies, private sector partners, citizens and businesses. This interaction will automate many manual processes and allow government employees to focus on mission-critical tasks.
For example, the U.S. Small Business Administration (SBA) wanted to ease the process through which new business owners could apply for and obtain a state ID number and a Federal Employer Identification Number (FEIN). SBA worked with EzGov, a software company, to build a Web service on EzGov’s FlexFoundation platform. The Web service allows any state to integrate its existing business registration process with the FEIN application through an open standards-based interface. The project combined separate state and federal registration processes into one, allowing the smooth transfer of data between different systems and eliminating the need for business owners to access multiple Web sites and fill out repetitive forms. Georgia and Illinois were the first states to take advantage of the Web service. In the first nine months of its operation, more than 10,000 business owners used the application, saving more than $500,000.
This example illustrates the potential of cross-agency Web service implementations to drive government efficiency and improve constituent service. However, government agencies must ensure they have the proper locks and keys in place to keep out unauthorized parties. They must consider risks to system availability and performance; privacy/information security; unauthorized access to services; and presentation of misinformation.
Web services rely on many of the same technology building blocks as Web sites, and are vulnerable to the same kind of threats — including denial of service attacks, code-injection attacks, and attacks against the transport. However, technology teams can thwart these threats by putting appropriate security measures in place in four major areas:
-
Authentication and authorization — Addresses the questions: Who is accessing the system? What users have approved access to various functions or data?
-
Transport security — Secures the link between the nodes in the network that carry the Web service message
-
Server security — Ensures the integrity of the server, databases and enterprise systems through typical operating system and application security measures.
-
Message security — Wraps the message in a secure “envelope” to provide end-to-end protection between the user and the Web service.
Technology teams commonly deploy servers supporting Lightweight Directory Access Protocol (LDAP) to locate identification and passwords on the network directory to validate each user’s identity. In addition, many Web services architectures use Secure Sockets Layer (SSL) to encrypt data between two network endpoints, ensuring that information cannot be accessed at a mid-point on the network. Also, most operating systems leverage user IDs to secure servers and data encryption to secure messages.
When deploying Web services beyond the firewall, technology teams should also consider the level of risk to develop an appropriate security solution. There are various mechanisms to address lightweight, middleweight, and heavyweight security concerns.
-
A lightweight solution does not include sensitive information. An example would be an application that allows online payment of property taxes.
Security solution: The Web server’s ID/password functionality should address authentication. SSL technology, almost ubiquitous today, ensures message transport security. Traditional user IDs and permission schemes address server security adequately.
-
A middleweight solution includes some sensitive information. An example would be an application that provides visibility into student loan records.
Security solution: The technology team should implement WS-Security and Client SSL certificates. WS-Security is an industry standard that protects the integrity and confidentiality of a message and authenticates the sender. A Client SSL Certificate allows officials to verify that each message is actually coming from the state agency, and vice versa.
-
A heavyweight solution includes highly sensitive information. An example would be a Department of Defense application or a system dealing with funds disbursements
Security solution: The technology team should take full advantage of WS-Security, XML Encryption and XML Signature. While SSL encrypts data between two endpoints, it decrypts the data once it reaches the endpoint — leaving it somewhat vulnerable. WS-Security, XML Encryption and XML Signature take SSL to the next level, maintaining encryption to protect sensitive data even when it has reached its final destination. In addition, the team should continue to use Client SSL certificates and introduce a piece of hardware called an XML Firewall, which is in front of the application server and Web server, examining all messages coming in and applying appropriate rules to each message.
Web services are ready for prime time on the public Internet. As such, government agencies have much to gain by following the private sector’s lead in building and deploying Web services to share information with other organizations. The platform vendor community has embraced approved security standards like WS-Security, providing government agencies with robust security solutions for Web services. In order to truly realize the information sharing and collaboration benefits afforded by Web services, government agencies must build services that extend beyond their own networks. Security concerns are surmountable if technology teams carefully identify their risks and apply appropriate solutions.
ABOUT THE AUTHOR
DOUG WAIT is chief technology officer of EzGov Inc.