Special Publication 800-95 addresses security needs for networks in which automated Web services are being deployed in service-oriented architectures. Service-oriented computing uses protocols such as Extensible Markup Language and Simple Object Access Protocol to automatically access collections of software services.
As the publication points out, “many features that make Web services attractive . . . are at odds with traditional security models and controls.”
These features, including automatic access, dynamic application-to-application connections and the use of HTTP, mean that Web services traffic passes through traditional perimeter defenses such as firewalls and intrusion detection systems without being subject to their controls. Ensuring confidentiality, integrity and availability of Web services is a work in progress, with several standards organizations developing standards and practices.