Columns

Looking Forward: New Strategies for Securing XML Documents

• By Mark McFadden
• 12/04/2001

At the foundation of Web Services is XML. When people think about thesecurity of Web Services, they naturally worry about two things: thesecurity of the XML documents as they are being transported over theInternet; and the security of the XML documents while they are being used at a server or client. In these days of heightened awareness ofsecurity, an interesting question arises: who controls access to the XML documents that power Web Services?

The natural response is that applications builders and networkadministrators use the tools they already have in hand for securing thenew applications. Web Services using XML as a universal format forinformation exchange is naturally protected by security standardslike Secure Sockets Layer (SSL) or Transport Layer Security (TLS) whilemoving between servers or between servers and clients.

We can also imagine the source of the information and businesslogic would be protected in the usual ways by underlying databases andoperating systems.

True enough, but is that good enough?

Consider this: in an imaginary health care application, XML data sources would have to be tailored to a variety of needs, a variety of audiences, and have a variety of access control in place. The access rules for patients is going to be different than the access rules for doctors and both will be different from the access rules for insurance companies or hospitals.

Wouldn't it be better if the access control rules were embedded orintegrated directly into the XML? Rather than having a database or anapplication server control the security attributes of a Web service, why not use XML to describe the access rules?

One huge advantage of this idea is that the access control policy could be built into the framework of the XML document itself. This would make it possible for an application designer to indicate which fields or attributes were subject to security policies.

Sounds interesting? You bet; but it's not ready for deployment. Yet.

Several proposals for incorporating access control directly into XMLexist. A standards effort is just now underway with the Organizationfor the Advancement of Structured Information Standards leadingthe effort to build an Extensible Access Control Markup Language. There are other groups working on the idea as well, but OASISappears to have made the greatest progress.

When standards finally appear, Web Services builders will have asophisticated tool for protecting the content of information while it is being exchanged - a tool as rich as the foundation of Web Servicesitself: XML.