Security Requirements for RESTful Web Services

1. Web Services Security
1 SensorWeb Requirements
Pat Cappelaere
NASA EO-1 Team

2. 2 Definitions
Web Service:
From Wikipedia, the free encyclopedia
It is defined by the W3C as quot;a software system designed to support
interoperable machine-to-machine interaction over a network
It communicates over the HTTP protocol used on the Web. Such services tend
to fall into one of two camps: SOAP/WSDL and RESTful Web Services.
Both need to be supported [But our preference is to RESTful WEb Services to
reduce cost of implementations/operations]

3. Major Requirement
The RESTFul Way
3

4. 4 Scope
Web Services Need To Be Accessible From An Open Network BUT Are Not
(necessarily) On The NASA Network
They Are Used To Access Data And/or Assets In A Bi-directional Manner
They May Need To Communicate With Many Communities On A Permanent
Or Temporary Basis (Disaster Management)
Some Data To Be Exchanged May Be:
Mostly Public
Some Data May Be For Restricted Dissemination For Some Time Period (60days)
TBD License Agreements

5. Outside Of Scope
Direct Access To NASA Satellite Assets Or Sensitive Data

6. 6 User Scope: Web 2.0
Web Security Protocol Needs To Be Easy To Implement (Many Users Will
Have Low-IT Capabilities)
Target: Web 2.0 Mass Market Accessible
Implementable in Less Than Half a Day By Neo-Geographer
Leverage Existing Web 2.0 Standards As Possible To Lower Cost And Speed
Up Acceptance

7. SERVIR/CATHALAC
Red Cross
NGIT
USGS IKHANA
MODIS
NASA
DOD
SPOT
GMU SensorWeb
Collaboration
JPL
Challenge
AFRICOM
GEOSS
RCMRD
7
Hubs
NOAA Users
CA Firefighters Services
Sensors

8. 8 Federated Approach
Trust Relationships Between Communities Can Be
Permanent
Temporary (Under Admin Control)
[Permission Policies May Need To Be Exchanged Across Domains]
Local Trust Relationship Must Be Easiliy Discoverable By Local Service
Providers

9. 9 Federated Management
Each Community Needs to Manage its Users and Services In a Satisifactory
Manner (But Not Necessarily Identitical)
Provide a Recognizable Handle for a User or a Service (passport-like, openid...)
Provide An Accessable Profile for User/Service Attributes
Some attributes may be read-write
User Privacy Issue? User Consent May Be Required To Release Info

10. 10 User Profile
Standard Organizational Profile
Example: http://www.axschema.org/types/
Plus:
One or More Notification URI (SMS, XMPP...)
Roles/Permissions Granted By Organization
Some User Profile Attributes May Need To Be Writeable By Outside Services
DRM/License Agreements...

11. 11 Service Profile
Name / Description...
Main URL Web Page End Point
RSA Public Key

12. 12 Secure Transactions
Data Providers Need To Make Sure That:
Message Transaction Has Not Been Tampered With
Message Has Not Been Playedback
Message Is In The Clear
Message Comes From Valid Service Consumer
Message Comes From Valid User
User Has Proper Permission To Access Specified Security Realm
User Has Delegated Authority To Consumer (Confirmation May be Necessary)
User Has Agreed To Access/License Agreement

13. 1: User SSO
2: Secure Transactions
First Responder
Dispatch Office
3: Delegation
NOAA NGIT
3
(FRDO)
GFS Model Weather WPS (Plume)
Problems
Orchestrating SPS WPS
Worflow
Consumer SOS
13
Firewall
First Responder: Andy
NASA

14. 14 User Security Management
User Needs To Have One Place To Go To:
Manage Authorized Sites
Manage Grants
Access/Manage Profile Access (Some of the Attributes Only)
Access/Manage Services

15. 15 Max Degree Of Separation
2 Two Degrees
1 2

16. THANK YOU
Pat G. Cappelaere
Contact Information:
=cappelaere
http://blog.geobliki.com
Cell:410-340-4868
pat@cappelaere.com
16