Web Service Security
Discussion
Hola Chaps,
Wrote a suite of web services about 18 months ago.
We have a client interested in using them who is ever so slightly paranoid about security after a bit of a monumental gaffe on their part a few years ago.
The Service itself is called via SSL and is only available to a certain IP address range.
However, this client specifically wants the entire XML content body encrypted.
Now, this is going to be part of a highly transactional system at their end, with live calls to get data whilst customers are on the phone. Encryption/decryption will slow the round trip significantly.
Given that the transport is secure and the actual data returned by the service is fairly benign, does this strike you as overkill?
I am inclined to manage their expectations down a little but on the other hand see using something like WS-Security as useful should future services involve more sensitive data.
Thoughts anyone?
Security is a Huge Buzz at present..
Thankfully, a lot of big business WANTS to spend money on security, even if they may not 'need' it.
Overkill it might be, but it's still going to BE safer.. you don't know what SLAs / Contracts he has with his clients re: confidentiality. He might have some huge penalty clauses for breach of security, and as such is willing to pay the 'trivial' amounts for the extra security.
Speed will be decreased sure, so explain this, and spec better kit at both ends to cope with the increased CPU load. Dedicated SSL accelerators, Multi Chip Itanium Systems if needed, whatever they will authorise.
The only time an issue comes in is if you are delivering to public clients, on hardware you can't control. Then the security will start to eat into performance, but this doesn't sound like that type of situation.
It's your duty to make the client aware of the implications, and suggest alternatives.. but think this.. it's overkill maybe, but how will you look if they take your advice, go the 'easy' route, then get hacked?
If their pockets are deep enough, you can never have too much security, so long as it's managed correctly.
Enjoy

This is part of the issue.
We are a greenfield iSeries site.
We have just implemented a failover affair with two webservers.
£160K
As part of the contract we have to pick up the bill.
Been doing some reading into WS-Security.
It looks tricky and as it's bespoke the client will have to pay the dev costs and I reckon there's a good few weeks in it over and above SLAs.
I just wish they hadn't cocked up in the first place, then I wouldn't have to deal with kneejerkism!
Could be worth doing a google for XML Switches. I'm not sure what price they come in at, but from reading a load of blurb about them 12 months ago or so, they act as a proxy on the network and can route/encrypt XML data as you see fit.
One of these at each end might give the security the client's after.
Going on LexSports very good advice I found this crowd.
www.sarvega.com
Anyone used their appliances?
Is the implementation of WS-Security necessary in addition to this bit of kit?
Website doesn't make it all that clear...
JamieBeeston said:
Don't forget tho, adding a box like that adds in a new single point of failure.
Something which in the world of SLAs, should be considered very seriously.
GL with it tho
Don't even go there mate.
These two new webservers are one iSeries LPAR'd
They pointed out in the kick off meeting that surely there would be one power supply to which I had to say yes.
That was a mark down.
I felt I had to point out that they were using canned web pages on the old version that didn't even have a failover so whatever they get it will be better than what they have.
Perils of dealing with a true giant I suppose...



