Restful Security Requirements


Published on

Security Requirements for RESTful Web Services

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Restful Security Requirements

  1. 1. Web Services Security 1 SensorWeb Requirements Pat Cappelaere NASA EO-1 Team
  2. 2. 2 Definitions Web Service: From Wikipedia, the free encyclopedia It is defined by the W3C as quot;a software system designed to support interoperable machine-to-machine interaction over a network It communicates over the HTTP protocol used on the Web. Such services tend to fall into one of two camps: SOAP/WSDL and RESTful Web Services. Both need to be supported [But our preference is to RESTful WEb Services to reduce cost of implementations/operations]
  3. 3. Major Requirement The RESTFul Way 3
  4. 4. 4 Scope Web Services Need To Be Accessible From An Open Network BUT Are Not (necessarily) On The NASA Network They Are Used To Access Data And/or Assets In A Bi-directional Manner They May Need To Communicate With Many Communities On A Permanent Or Temporary Basis (Disaster Management) Some Data To Be Exchanged May Be: Mostly Public Some Data May Be For Restricted Dissemination For Some Time Period (60days) TBD License Agreements
  5. 5. Outside Of Scope Direct Access To NASA Satellite Assets Or Sensitive Data
  6. 6. 6 User Scope: Web 2.0 Web Security Protocol Needs To Be Easy To Implement (Many Users Will Have Low-IT Capabilities) Target: Web 2.0 Mass Market Accessible Implementable in Less Than Half a Day By Neo-Geographer Leverage Existing Web 2.0 Standards As Possible To Lower Cost And Speed Up Acceptance
  7. 7. SERVIR/CATHALAC Red Cross NGIT USGS IKHANA MODIS NASA DOD SPOT GMU SensorWeb Collaboration JPL Challenge AFRICOM GEOSS RCMRD 7 Hubs NOAA Users CA Firefighters Services Sensors
  8. 8. 8 Federated Approach Trust Relationships Between Communities Can Be Permanent Temporary (Under Admin Control) [Permission Policies May Need To Be Exchanged Across Domains] Local Trust Relationship Must Be Easiliy Discoverable By Local Service Providers
  9. 9. 9 Federated Management Each Community Needs to Manage its Users and Services In a Satisifactory Manner (But Not Necessarily Identitical) Provide a Recognizable Handle for a User or a Service (passport-like, openid...) Provide An Accessable Profile for User/Service Attributes Some attributes may be read-write User Privacy Issue? User Consent May Be Required To Release Info
  10. 10. 10 User Profile Standard Organizational Profile Example: Plus: One or More Notification URI (SMS, XMPP...) Roles/Permissions Granted By Organization Some User Profile Attributes May Need To Be Writeable By Outside Services DRM/License Agreements...
  11. 11. 11 Service Profile Name / Description... Main URL Web Page End Point RSA Public Key
  12. 12. 12 Secure Transactions Data Providers Need To Make Sure That: Message Transaction Has Not Been Tampered With Message Has Not Been Playedback Message Is In The Clear Message Comes From Valid Service Consumer Message Comes From Valid User User Has Proper Permission To Access Specified Security Realm User Has Delegated Authority To Consumer (Confirmation May be Necessary) User Has Agreed To Access/License Agreement
  13. 13. 1: User SSO 2: Secure Transactions First Responder Dispatch Office 3: Delegation NOAA NGIT 3 (FRDO) GFS Model Weather WPS (Plume) Problems Orchestrating SPS WPS Worflow Consumer SOS 13 Firewall First Responder: Andy NASA
  14. 14. 14 User Security Management User Needs To Have One Place To Go To: Manage Authorized Sites Manage Grants Access/Manage Profile Access (Some of the Attributes Only) Access/Manage Services
  15. 15. 15 Max Degree Of Separation 2 Two Degrees 1 2
  16. 16. THANK YOU Pat G. Cappelaere Contact Information: =cappelaere Cell:410-340-4868 16