A secure model to establish trust relationships in web services for virtual organizations

Toward Web Services Profiles for Trust and Security in Virtual Organisations

The rise in practical Virtual Organisations (VOs) requires secure access to data and interactions between their partners. Ad hoc solutions to meet these requirements are possible, but Web services hold out the potential for generic security solutions whose cost can be spread across several short-lived dynamic VOs. This paper identifies trust and security requirements throughout the VO lifecycle and analyses current Web Services specifications to show their suitability to meet these requirements. Although they demonstrate the potential for generic security support, there are uncertainties concerning different levels of interoperability and stability of implementation for different specifications, which may slow down their exploitation for security-critical business applications. However, research in Web services developments is well timed to avoid losing first adopter advantage when they become stable.

WSACT-A Model for Web Services Access Control incorporating Trust

2006

Today, organisations that seek a competitive advantage are adopting virtual infrastructures that share and manage computing resources. The trend is towards implementing collaborating applications that are supported by web services technology. Even though web services technology is rapidly becoming a fundamental development paradigm, adequate security constitutes the main concern and obstacle to its adoption as an industry solution.

An Approach for Establishing Trust Relationships in the Web Service Technology

IFIP – The International Federation for Information Processing, 2008

However, trust is one aspect in a set of aspects involved in Web service security that includes, for instance, privacy preservation. Based on this fact, the goal of this paper is to propose a trust approach for Web services. The approach integrates WS-Trust with standards for policy and ontology, which are used to preserve privacy.

A Framework for Web Services Trust

2006

Today, organisations that seek a competitive advantage are adopting virtual infrastructures that share and manage computing resources. The trend is toward implementing collaborating applications supported by web services technology. In order to enable secure interoperation between participants of these environments, trust is an important requirement to address. Current solutions to trust between web components are limited, as they are usually established via cryptographic mechanisms, in the presence of trusted third parties. To accommodate the dynamic and fluid nature of web services environments, a framework for trust assessment and computation is presented. The trust framework is characterised by information and reasoning. It has mechanisms that allow web services entities to manage trust autonomously, by activating a trust level and trust types by means of a rule-based fuzzy cognitive map.

Web services access control architecture incorporating trust

2007

Purpose: This paper seeks to investigate how the concept of a trust level is used in the access control policy of a web services provider in conjunction with the attributes of users. Design/methodology/approach: A literature review is presented to provide background to the progressive role that trust plays in access control architectures. The web services access control architecture is defined.

Aspects of Trusted and Secure Business-Oriented VO Management in Service Oriented Architectures

2005

Virtual Enterprises or Organisations (VO) have been the focus of research for over a decade. Although proprietary implementations of VO management tools exist, secure tools based on interoperating open standards are not yet available. The open standards on which to build them are just being released as reliable implementations. The requirements of VOs for trust and security are presented, which lead to an architecture for a secure VO management framework. The design of such a framework is analysed to show how the current open Web Service specifications could be used to implement it in practice. The need for the reliable and interoperable implementation of these essential Web Services specifications is advocated.

An Authorization Architecture for Web Services

Data and Applications Security XIX, 2005

This paper considers the authorization service requirements for the service oriented architecture and proposes an authorization architecture for Web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure authorization of Web services as well as the support for the management of authorization information. The proposed architecture has several benefits. It is able to support legacy applications exposed as Web services as well as new Web service based applications built to leverage the benefits offered by the service oriented architecture; it can support multiple access control models and mechanisms and is decentralized and distributed and provides flexible management and administration of Web services and related authorization information. The proposed architecture can be integrated into existing middleware platforms to provide enhanced security to exposed Web services. The architecture is currently being implemented within the .NET framework.

An Architecture for Unifying Web Services Authentication and Authorization

2005 International Conference on Service Oriented Computing, 2005

Security issues are one of the major deterrents to Web Services adoption in mission critical applications and to the realization of the dynamic e-Business vision of Service Oriented Computing. Role Based Access Control (RBAC) is a common approach for authorization as it greatly simplifies complex authorization procedures in enterprise information systems. However, as most RBAC implementations rely on the manual setup of pre-defined user-ID and password combinations to identify the particular user, this makes it very hard to conduct dynamic e-Business as the service requestor and service provider must have prior knowledge of each other before the transaction. This paper proposes a new Web Services security architecture which unifies the authorization and authentication processes by extending current digital certificate technologies. It enables secure Web Service authorization decisions between parties even if previously unknown to each other and it also enhances the trustworthiness of service discovery.

A Privacy Trust and Policy Based Authorization Framework for Services in Distributed Environments

Distributed Environments are touching new heights, becoming more useful, popular and more complex with the emergence of service oriented architecture and computing technologies like peer-to-peer, autonomic, pervasive and grid etc. These technologies aim to enable large scale resource sharing. Security is a big and challenging issue in these environments as it involves the federation of multiple heterogeneous, geographically distributed autonomous administrative domains. The dynamic and multi-institutional nature of service oriented environments like grid and web introduces several challenging security issues that require new technical approaches. This paper proposes a privacy, trust and policy based authorization framework for grid and web services, but in fact it can be amended for any distributed, service oriented computing environment, as most of the elements defined in the framework are general and adaptable in other computing environments. The framework is intended to provide a simple, powerful, flexible and scalable authorization infrastructure for services exposed in a large scale distributed environment. The paper also discusses a prototype implementation of the proposed framework. For implementation, we are making use of web services security specifications supported by WSE 3.0. Sample implementation has shown that the architecture is capable of meeting the identified security requirements and the approach is workable.

A Requirements-Driven Trust Framework for Secure Interoperation in Open Environments

Lecture Notes in Computer Science, 2006

A key challenge in emerging multi-domain open environments is the need to establish trust-based, loosely coupled partnerships between previously unknown domains. An efficient trust framework is essential to facilitate trust negotiation based on the service requirements of the partner domains. While several trust mechanisms have been proposed, none address the issue of integrating the trust mechanisms with the process of integrating access control policies of partner domains to facilitate secure interoperation. In this paper, we propose a requirements-driven trust framework for secure interoperation in open environments. Our framework tightly integrates game-theory based trust negotiation with service negotiation, and policy mapping to ensure secure interoperation.