Web Service Composition Security: A Three-Dimensions Overview

Mohsen Rouached
DOI: 10.4018/IJSSMET.2021050109

Abstract

The continuous adoption of service-oriented architecture (SOA) and web services across vertical industries, geographies, and organization sizes generates new major security concerns both for individuals and organizations. Many of the features that make web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy, are at odds with traditional security models and controls. Current web service composition technologies still present serious risks to individual and enterprise security and privacy. In the presence of multiple providers that coordinate to provide a composite web service, these issues are amplified. Web services security, privacy, and forensics investigations are therefore becoming a serious concern, especially with the tremendous increase in cybernetic crimes. The aim of this work is to present a comprehensive overview of security aspects related to web services composition by considering different branches related to security, privacy, and forensics investigations. For each security aspect, the problem statement and related works are discussed. Then, a proposed approach to deal with the aspect under consideration is presented.

1. Introduction

The Web service composition paradigm consists of aggregating and combining functionalities and/or data to create value-added business processes.

Recently, there has been a proliferation of systems that are developed, deployed, and consumed in this way. Over the last decade, the service composition pattern has therefore become a thriving area of research and development for application integration and interoperability. Although Web services composition has been heavily investigated, several issues remain unsolved and need to be addressed. Current Web service composition technologies still present serious risks to individual and enterprise security and privacy. SOA is built on an insecure, unmonitored, and shared environment, which is open to events such as security threats. This may result in conflicts because the open architecture of Web services makes them available to many parties, who may have competing interests and goals. The information processed in Web services might be sensitive, so it is important to protect it from security threats such as disclosure to unauthorized parties.

The research area of Web services security is challenging, as it involves many disciplines, from authentication/encryption to access management/security policies. Security concerns and the lack of security conventions are the major barriers that prevent many business organizations from implementing or employing Web services. Such security concerns are also crucial when composing Web services. Similar to the dynamic composition of Web services, there is a need for a dynamic and consistent composition of the related security policies of all participants.

Another security aspect is related to the privacy dimension. Privacy is an important issue that has raised particular concerns in many research areas. This issue grows dramatically with the proliferation of Web service compositions, mainly because of the high dynamism and untrustworthiness of the services to be composed, which expose the interacting parties to high levels of risk. Existing technologies for managing and applying data privacy policies fail to deal with this kind of application, as such applications involve autonomous entities and continuously exchange huge amounts of information of different natures. In the presence of multiple providers that coordinate to provide a composite Web service, privacy issues are amplified, due to the larger number of service providers involved. This makes it urgent to have in place effective technologies for data privacy management when composing Web services. These technologies should (1) deal with the flexibility, scalability, and heterogeneity in the overall infrastructure in which data are exchanged; and (2) integrate privacy concerns into the development process of these compositions.

From a forensics point of view, investigating incidents of misuse of Web services requires that dependencies between service invocations be retained in a neutral and secure manner. The alleged activity can then be recreated in an undeniable way while preserving evidence that could lead to and support appropriate prosecutorial activity. Forensics on Web services cannot be treated as a bilateral problem between two Web services when so many standards and architectures compose multiple services and generate global activities. Composed, choreographed, or stand-alone Web services span many applications and legal domains. Consequently, any vulnerability in one service could be exploited to affect more than one service. Once a complaint of an alleged attack is launched, it is necessary to investigate the nature and source of the attack and assign blame for it. For SOA, evidence can be considered sound only if it is neutral, comprehensive, and reliable, because of the interdependencies between services and the ability to build global services using Web service composition processes. Also, given the additional complexity of a distributed environment, supporting forensic examination efficiently using Web services requires overcoming many technical and social challenges such as platform independence, privacy and confidentiality, neutrality, comprehensiveness, and reliability. Therefore, service providers and customers have yet to establish adequate forensic capabilities that could support investigations of criminal activities that may happen.
