SOAP and Security

Based on the number of questions I get on the subject, quite a few people think that SOAP isn't secure. It's a bit hard to answer these questions because SOAP is neither secure nor insecure. It's not within the scope of SOAP to implement security. SOAP is simply a mechanism to package information to send between two applications. Even so, it's easy to secure SOAP messages, and SOAP provides an extensible mechanism that allows you to convey security information in your messages.

Security is a complicated topic, so let me start by explaining the basic goals of security when dealing with distributed computing.

  • Message integrity ensures that the message isn't modified in transit.
  • Message confidentiality ensures that the message can only be read by the intended recipient.
  • Proof of origin lets the receiver verify that the message really came from the claimed sender.
  • Mutual authentication allows the client to verify the identity of the service and the service to verify the identity of the client.
  • Authorization controls access to the service.
The most common mechanism used to implement message integrity, message confidentiality, and mutual authentication is a transport-level security system, such as the Secure Sockets Layer (SSL) or Transport Layer Security (TLS). SSL/TLS uses public key cryptography during its handshake to authenticate the server (and, optionally, the client) by certificate and to agree on session keys; the messages themselves are then protected with symmetric encryption and a message authentication code. If the client also presents a certificate (mutual authentication), the server has proof of who is at the other end of that connection, although not a signature it could later show to a third party. All authentication and encryption actions occur at the transport layer, so SSL/TLS security is completely transparent to the communicating SOAP applications.

For simple communications, SSL/TLS is often sufficient, but as things get more complicated, additional security measures are needed. SSL/TLS only protects messages as they travel over a single connection between two endpoints. In many cases, a message may need to be routed through one or more intermediaries (such as a firewall or an auditing service) before reaching its final destination, and every intermediary that terminates the connection sees the plaintext and can alter it before forwarding. So sometimes you need application-level security. Application-level security gives you end-to-end security control: it allows you to establish a separate identity for each service running on a server, to delegate or propagate security information across multiple hops, and to have the service itself implement authorization controls.

When using application-level security, you need to pass security information, such as user IDs, permissions, and security tokens (X.509 certificates or Kerberos tickets), within the message. A SOAP message normally carries this information in a header element. As the message travels through the routing path to its final destination, each intermediary can prepend additional security information to the security header element to record its processing of the message. You can still use SSL/TLS to protect each hop, but in some cases you want to encrypt or digitally sign only certain parts of the message (for example, to make only certain information available to each intermediary). SSL/TLS can't express that; it protects the whole connection or nothing, so for this you need application-level signing and encryption.

The W3C XML security standards cover this. XML Signature provides a mechanism to digitally sign all or part of a message. It relies on Canonical XML to normalize the signed XML before the digest is computed, so that an intermediary that merely re-serializes the message (reordering attributes, changing quote characters or empty-element syntax) doesn't break the signature. XML Encryption provides the corresponding mechanism to encrypt all or part of a message, which is what lets you encrypt different elements for different recipients. The Signature element, and the key information a recipient needs to decrypt, then go in the security header element.
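The following is an added example (not code from the article) of what the last three paragraphs describe: only the SOAP Body is signed, an intermediary prepends its own element to the security header without invalidating the signature, and tampering with the Body is detected while a mere re-serialization of it is not. Several things are assumptions or simplifications: the namespace URIs are the OASIS WS-Security 1.0 and XML Signature ones rather than the 2002 draft's; HMAC-SHA256 (an algorithm XML Signature does define) stands in for the public-key signature a real deployment would use, so it gives integrity to the key holder but no proof of origin a third party could check; canonicalization is the standard library's C14N 2.0 rather than the Exclusive C14N that WS-Security profiles call for; and the purchase order, audit element, attacker wrapper and shared secret are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)
SHARED_SECRET = b"constructed-shared-secret"  # assumption: stands in for the signer's key

# Constructed request. The wsu:Id is what the signature's Reference points at.
PURCHASE_ORDER = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Header/>
  <soap:Body wsu:Id="Body">
    <PurchaseOrder xmlns="urn:example:acme" currency="USD" total="4800">
      <Item sku="A-100" qty="2"/>
    </PurchaseOrder>
  </soap:Body>
</soap:Envelope>"""
PURCHASE_ORDER_REORDERED = PURCHASE_ORDER.replace(  # same message, attributes reordered
    'currency="USD" total="4800"', 'total="4800" currency="USD"')

def canonical_bytes(elem):
    """Canonicalize one subtree so equivalent serializations digest identically."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def digest_b64(elem):
    return base64.b64encode(hashlib.sha256(canonical_bytes(elem)).digest()).decode()

def find_by_id(envelope, wsu_id):
    return next((el for el in envelope.iter() if el.get(f"{{{WSU}}}Id") == wsu_id), None)

def part_digest(envelope_xml, wsu_id="Body"):
    return digest_b64(find_by_id(ET.fromstring(envelope_xml), wsu_id))

def sign(envelope_xml, wsu_id="Body", key=SHARED_SECRET):
    """Add a wsse:Security header whose ds:Signature covers only the wsu:Id part."""
    env = ET.fromstring(envelope_xml)
    signed_info = ET.Element(f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI=f"#{wsu_id}")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm="http://www.w3.org/2001/04/xmlenc#sha256")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_b64(find_by_id(env, wsu_id))
    signature = ET.Element(f"{{{DS}}}Signature")
    signature.append(signed_info)
    mac = hmac.new(key, canonical_bytes(signed_info), hashlib.sha256).digest()
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security").append(signature)
    return ET.tostring(env, encoding="unicode")

def verify(envelope_xml, key=SHARED_SECRET):
    """True only if a signature is present, its MAC checks, and the signed part is both
    unchanged and the very soap:Body the service acts on. No signature means failure."""
    env = ET.fromstring(envelope_xml)
    body = env.find(f"{{{SOAP}}}Body")
    signature = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    if signature is None:
        return False
    signed_info = signature.find(f"{{{DS}}}SignedInfo")
    try:
        claimed_mac = base64.b64decode(signature.findtext(f"{{{DS}}}SignatureValue") or "", validate=True)
    except ValueError:
        return False
    if signed_info is None or not hmac.compare_digest(
            hmac.new(key, canonical_bytes(signed_info), hashlib.sha256).digest(), claimed_mac):
        return False
    refs = signed_info.findall(f"{{{DS}}}Reference")
    if not refs:
        return False
    for ref in refs:
        target = find_by_id(env, (ref.get("URI") or "").lstrip("#"))
        # Resolving by Id alone is the classic signature-wrapping hole: the signed
        # element must be the Body that gets processed, not a copy parked in a header.
        if target is None or target is not body:
            return False
        claimed_digest = (ref.findtext(f"{{{DS}}}DigestValue") or "").encode()
        if not hmac.compare_digest(digest_b64(target).encode(), claimed_digest):
            return False
    return True

def intermediary_annotates(envelope_xml):
    """An intermediary prepends its own (constructed) element to the Security header."""
    env = ET.fromstring(envelope_xml)
    security = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    security.insert(0, ET.Element("{urn:example:audit}Seen", by="audit-gateway"))
    return ET.tostring(env, encoding="unicode")

def tamper_total(envelope_xml, new_total):
    """What an on-path attacker or a compromised intermediary would do to the Body."""
    env = ET.fromstring(envelope_xml)
    env.find(".//{urn:example:acme}PurchaseOrder").set("total", new_total)
    return ET.tostring(env, encoding="unicode")

def wrap_signed_body(envelope_xml, new_total="50000"):
    """Signature wrapping: park the signed Body (Id intact) in a header wrapper and
    put an unsigned Body where the service will read it."""
    env = ET.fromstring(envelope_xml)
    body = env.find(f"{{{SOAP}}}Body")
    env.remove(body)
    ET.SubElement(env.find(f"{{{SOAP}}}Header"), "{urn:example:attacker}Wrapper").append(body)
    fake = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(fake, "{urn:example:acme}PurchaseOrder", currency="USD", total=new_total)
    return ET.tostring(env, encoding="unicode")
```

Two design points matter in practice. First, the digest is taken over the canonical form of the referenced element, so `part_digest` of the two purchase-order serializations is identical and a signature computed over one verifies against the other; whitespace in text nodes is kept, as Canonical XML requires, so "cosmetic" reindenting of the Body would break the signature, which is why real deployments sign a canonical form and let intermediaries add headers rather than rewrite the payload. Second, `verify` refuses any Reference whose target is not the actual `soap:Body`: resolving `#Body` purely by Id lookup would let `wrap_signed_body` pass a correctly signed original alongside an unsigned replacement.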

The OASIS Security Assertions Markup Language (SAML) is another handy standard. SAML is designed to support single sign-on operations. It provides a standard format to exchange security information, including authentication assertions, qualifying attribute information, and authorization decisions.

For example, a SAML assertion might specify that my corporate LDAP directory service asserts that I am Anne Thomas Manes, employee of Systinet Corp. This assertion is based on a password challenge that occurred at 11:20:22 on 04/16/02, and I am permitted to submit a purchase order to Acme Supplies for an order not to exceed $5,000; this assertion is good for 30 minutes. Once I obtain this assertion, I can plug it into a header element in a SOAP message containing my purchase order for Acme Supplies. Assuming that Acme Supplies trusts the Systinet LDAP directory service (we have a pre-existing trust agreement), it should allow me to make the purchase without requiring me to sign on to the Acme system directly.
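The checks Acme Supplies would run on such an assertion, as an added example with constructed data rather than anything from the article or from Systinet: the issuer must be one Acme already trusts, the assertion must be inside its validity window, every statement must describe the same subject, there must be a Permit decision for the purchase-order resource, and the order amount must not exceed the asserted limit. The element and attribute names follow SAML 1.1; the `PurchaseLimit` attribute, the resource URI and the issuer name are assumptions, and the assertion's XML Signature is assumed to have been verified already (without that, the Issuer attribute is just text anyone could write).

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 assertion namespace
ISO = "%Y-%m-%dT%H:%M:%SZ"
TRUSTED_ISSUERS = {"ldap.systinet.example"}     # assumption: Acme's pre-existing trust list
RESOURCE = "urn:acme:purchase-order"            # assumption: how Acme names the service

ISSUED = datetime(2002, 4, 16, 11, 20, 22, tzinfo=timezone.utc)  # the article's example instant

def minutes_after_issue(n):
    return ISSUED + timedelta(minutes=n)

def make_assertion(issuer, subject, issued_at, lifetime_minutes, purchase_limit):
    """Build an assertion of the kind described above (constructed data): who vouched
    for the subject, how and when they authenticated, for how long, and what they may do."""
    not_before = issued_at.strftime(ISO)
    not_on_or_after = (issued_at + timedelta(minutes=lifetime_minutes)).strftime(ISO)
    return f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="{issuer}" IssueInstant="{not_before}">
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  <saml:AuthenticationStatement AuthenticationInstant="{not_before}"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AuthorizationDecisionStatement Resource="{RESOURCE}" Decision="Permit">
    <saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier></saml:Subject>
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Execute</saml:Action>
  </saml:AuthorizationDecisionStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="PurchaseLimit" AttributeNamespace="urn:acme:attrs">
      <saml:AttributeValue>{purchase_limit}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def authorize_purchase(assertion_xml, amount, now):
    """Acme's relying-party checks; returns (allowed, reason) and the first failing
    check wins. Assumes the assertion's XML Signature has already been verified."""
    a = ET.fromstring(assertion_xml)
    if a.get("Issuer") not in TRUSTED_ISSUERS:
        return False, "issuer not trusted"
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "no validity window"
    not_before = datetime.strptime(cond.get("NotBefore"), ISO).replace(tzinfo=timezone.utc)
    not_on_or_after = datetime.strptime(cond.get("NotOnOrAfter"), ISO).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_on_or_after):  # NotOnOrAfter is exclusive
        return False, "assertion outside its validity window"
    subjects = {s.text for s in a.iter(f"{{{SAML}}}NameIdentifier")}
    if len(subjects) != 1:
        return False, "statements do not all describe one subject"
    decision = a.find(f"{{{SAML}}}AuthorizationDecisionStatement")
    if decision is None or decision.get("Resource") != RESOURCE or decision.get("Decision") != "Permit":
        return False, "no Permit decision for this resource"
    limit = a.findtext(f".//{{{SAML}}}Attribute[@AttributeName='PurchaseLimit']/{{{SAML}}}AttributeValue")
    if limit is None or not limit.strip().isdigit() or amount > int(limit):
        return False, "amount exceeds asserted purchase limit"
    return True, f"{subjects.pop()} may purchase up to {int(limit)}"

ASSERTION = make_assertion("ldap.systinet.example", "Anne Thomas Manes", ISSUED, 30, 5000)
```

The 30-minute window is what makes the assertion usable without a fresh sign-on, and also what makes a captured assertion replayable for 30 minutes; the usual mitigations are to bind the assertion to the message it accompanies (a signature covering both the assertion and the Body) and to scope it to the intended recipient with SAML's audience restriction, so that an assertion issued for Acme can't be presented to someone else.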

As you can see, the basic technology is in place to support end-to-end Web services security. The only issue still at large is one of interoperability. If two applications are going to exchange security information, they must first agree on how to represent the information within SOAP messages. SAML provides a standard way to represent the security assertions, but we still need to define a standard format for expressing digital signatures and partial encryptions.

IBM, Microsoft, and Verisign recently published a WS-Security specification describing a set of SOAP conventions that can be used to exchange security information and to digitally sign messages. This specification focuses on direct authentication rather than single sign-on and doesn't include support for SAML assertions, but it does address the issues of digital signatures and partial encryptions. Unfortunately the copyright notice at the beginning of the specification makes it clear that it is not available to the general public.

I'd like to see the W3C set up a new working group to define a standard royalty-free Web services security specification. The sooner the better.

More Stories By Anne Thomas Manes

Anne Thomas Manes is a Research Director at Burton Group, a research, consulting, and advisory firm. Anne leads research for the Application Platform Strategies service. Named one of NetworkWorld's "50 Most Powerful People in Networking," in 2002 and one of Enterprise Systems Journal's "Power 100 IT Leaders," in 2001, Anne is a renowned technologist in the Web services space. Anne participates in standards development at W3C and OASIS. She is a member of the editorial board of Web Services Journal. She is a frequent speaker at trade shows and author of numerous articles and the book, Web Services: A Manager's Guide, published by Addison Wesley.
Prior to joining Burton Group, Anne was chief technology officer at Systinet, a Web services infrastructure company, and before that she pioneered Sun's Web services strategy. A 24-year industry veteran, Anne developed her expertise working at a number of the world's leading hardware and software companies. You can reach Anne via e-mail at [email protected] or through her Web site at http://www.bowlight.net.
