Maintaining control is critical in the management of security, be it electronic or physical security. In large organizations choosing to deploy XML, Web services and service-oriented architecture technology, there is an inherent transformation of the ability to control the information passing through an enterprise network.
While the initial integration of these technologies involved considerable thought and planning, an invasion of user-generated XML is now upon us. The user-oriented source getting the most attention recently is Ajax. Suddenly the power of asynchronous user interface handling is becoming evident, and it is generating a lot of XML traffic. It is already coming across your enterprise boundaries. Each of your users accessing Google Maps, Gmail or the new Yahoo mail client, or using the upcoming Microsoft Web Mail Browser (Kahuna), is already driving XML across your firewall. The next major driver for user-generated XML will be the introduction of Microsoft's Vista with XML document formats and Web services-based integration functionality.
Immediately, security control becomes much more elusive.
As hundreds or even thousands of additional XML messages quickly proliferate throughout the network, the traffic and latency problems will increase. Lots of XML traffic is going to be coming from lots of perfectly valid sources in your intranet, your extranet and directly from the Internet. A way to differentiate the good traffic from the bad traffic is critical to the integrity of the network.
Fortunately, there are standards and solutions that address the fundamental issues of XML and Web services security now. However, composite and workflow applications are going to have a hard time both separating good XML traffic from bad and controlling trusted access to Web services. Message-based attacks -- replay attacks, out-of-order message attacks and just plain fraudulent message insertions -- are going to be easier to perpetrate in the blizzard of XML traffic that will be flowing through your network firewalls and around your internal networks.
Ajax, for example, introduces a host of new threats and security issues that Web application developers may not recognize. Effective use of Ajax requires the efficient processing of XML and verification of identity and access rights. Security functions including signing, encryption and identity verification (not to mention threat mitigation such as schema validation, content inspection and denial-of-service detection) are really expensive -- expensive enough to bring your average server platform to its knees: throughput of around 300-400 transactions per second for simple processing drops to just tens of transactions for security functions.
Message-level security features have to be utilized. The flow of traffic in our new loosely coupled, reusable-business-service world cannot be secured effectively using simple session-based solutions like SSL. Technology to off-load this XML-related pressure is needed to create secure, trusted processing throughout the network.
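The three message-based attacks named earlier (replay, out-of-order delivery and fraudulent insertion) pass straight through a session-level control like SSL, but each can be rejected per message. The Python below is an added example, not code from this article or any product it mentions; it assumes a shared per-sender key and uses an HMAC over length-prefixed fields as a stand-in for XML Signature, and the `Message` layout, `sign` and `MessageGate` are hypothetical names.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # assumption: per-sender key provisioned out of band


def _mac(key: bytes, *fields: str) -> str:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") give different MACs.
    data = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign(sender: str, msg_id: str, seq: int, body: str, key: bytes = KEY) -> str:
    """Build a constructed XML message whose MAC covers sender, id, seq and body."""
    mac = _mac(key, sender, msg_id, str(seq), body)
    msg = ET.Element("Message", sender=sender, id=msg_id, seq=str(seq), mac=mac)
    ET.SubElement(msg, "Body").text = body
    return ET.tostring(msg, encoding="unicode")


class MessageGate:
    """Verifies each message on its own, independent of the transport session."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.seen = set()    # (sender, message id) pairs already accepted
        self.next_seq = {}   # sender -> next expected sequence number

    def check(self, xml_text: str) -> str:
        # For untrusted input, parse with a hardened parser (e.g. defusedxml).
        try:
            msg = ET.fromstring(xml_text)
            sender, msg_id, seq, mac = (msg.attrib[k] for k in ("sender", "id", "seq", "mac"))
            body = msg.findtext("Body") or ""
        except (ET.ParseError, KeyError):
            return "malformed"
        expected = _mac(self.key, sender, msg_id, seq, body)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "forged"          # inserted or tampered message
        if (sender, msg_id) in self.seen:
            return "replay"          # authentic message delivered twice
        if int(seq) != self.next_seq.get(sender, 1):
            return "out-of-order"    # authentic message, wrong position
        self.seen.add((sender, msg_id))
        self.next_seq[sender] = int(seq) + 1
        return "accepted"
```

The signature check runs first so that the replay and ordering state is only ever updated by authenticated messages.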
These processing changes can help to create enforcement, policy control, logging and add further audit capabilities to the network. The ability to implement a distributed mechanism for dealing with this traffic is critical to turning the invaded network into an XML-enabled network.
Ajax is here. Every application development environment and packaged application is generating XML and Web services interfaces. Microsoft Office embeds it. User-generated XML will dramatically affect our IT and network infrastructure. The XML processing load, and more importantly the security of XML content, has to be addressed. Enterprise-quality XML-enabled networks must route, filter, transform, monitor, audit and protect the privacy of XML messages based not only on URLs, but also on identities and content.
We are about to be deluged by XML in all of our organizations, ready or not. Taking steps to ensure that the influx of XML can be controlled will help enterprises to not only survive but also thrive in the new network environment.
About the Author
Andrew Nash is CTO of Reactivity and formerly the Director of Technologies at RSA Security in the Office of the CTO. Andrew is a known leader in the PKI and Web services security markets and the co-author of numerous Web services specifications including Web Services Security, WS-Trust, WS-Federation, WS-SecureConversation and WS-SecurityPolicy.