The two previous articles in this series discussed various aspects of Web services security: the fundamental facets of enterprise security in article 1, and Web services authentication and authorization using SAML in article 2.
Our next challenge is to ensure the confidentiality of data within the XML documents that are being exchanged across diversified Web services. XML encryption is the technology used for this purpose, and we will discuss it in detail in this article.
Please note that we have other security aspects to address (for example, integration and non-repudiation), which will be discussed later in this series.
As has been stressed repeatedly, Web services imply constant service interactions and exchange of XML-formatted business data across different subsystems. Many of these may involve confidential business transactions, in which the data exchanged must be private throughout the transaction.
Also, during complex business process, the XML business data has to pass through several systems, applications, and networks. It becomes important to ensure that the confidentiality of information is being protected during this commutation.
If Web services are to succeed in networks as insecure as the Internet, then we need to evolve rock-solid security mechanisms to protect the confidentiality of XML. Even within an organization's boundaries, we need to exercise privacy over sensitive XML information. For example, an XML document containing an employee's salary or bonus information needs to be protected against unintended audience.
In the conventional enterprise IT realm, the proven mechanisms for protecting the confidentiality of information across different systems and networks are is encryption and cryptography. The idea is to adapt these mechanisms so that that they can be used to secure XML data exchanged between Web services.
As with all other XML/Web service security standards, the challenge lies in evolving platform-independent/vendor-neutral XML standards and syntax for encoding/decoding XML documents.