Forum S3A (Seamless Security Solutions Architecture) is a life cycle approach to protecting next generation service oriented architectures and data-level networks. Forum S3A relies on an adaptive approach to create trustworthy, ubiquitous and robust security architectures that are customized to the business application.
Because it tailors information security to the way information assets are created, moved and shaped, Forum S3A is not only methodical but also comprehensive.

The following sections describe the three principles behind Forum S3A.
1. Trust, threats, and the requirement for information assurance
Trust Management: In an open and distributed computing environment where information is shared among numerous entities (whose level of trust varies), organizations must determine the rights appropriate for each entity (user, person, machine or software agent), even when that entity cannot be known in advance. Granting privileges to a user based on his or her digital identity and determining the user's degree of trustworthiness are part and parcel of information trust management.
Threat Protection: The process of quantitative and qualitative risk assessment for information security begins by identifying 1) the assets, 2) their dependencies, and 3) any associated vulnerabilities, whether accidental or malicious (errors, attacks, breaches and exploits). Forum solutions include capabilities that focus exclusively on information threat protection and offer specific remedies for known vulnerabilities, continuing updates for assessments, and remediation efforts for impending (or unknown) threats.
Information Assurance: To be useful, information must be available and the degree of this availability impacts its risk level. Because connectivity makes information available, it also exposes information to risks both outside and inside an organization's control. Forum information assurance solutions offer business continuity, availability and reliability using measures that protect and defend information and information systems by incorporating protection, detection and reaction capabilities.
2. Staged solutions for Web services security
Simple Web services: By ensuring data conforms to well-known patterns and detecting anomalies early, a solution can dramatically increase Web services security. This type of conformance testing is one of the most valuable, but overlooked, ways of protecting Web services against accidental or malicious content corruption, maintaining consistent transactional processing, and keeping the "bad guys" out. While intrusion prevention has proven effective in stopping attacks and malicious activity, Exception Based Security provides even better security by enforcing an integrated set of policies that increase the level of trust by making it difficult to do bad things in the first place.
Advanced Web services: The decision to allow or deny a Web service request lies deep within the XML structured messages. This is because permissions to use Web services can only be attached after first recognizing the nature of the request. For example, is it a purchase order update or is it a request to delete a purchase order? Secondly, in order to authenticate a consumer, a digital identity has to be verified. Much as one must choose whether to accept a driver's license or a passport for identification, Web services identification has to be based on a token. Well-known tokens already exist within an enterprise in the form of passwords, Kerberos tickets, and SSL (Secure Sockets Layer) digital certificates. The decision to use digital signatures or even physical tokens may not make sense for most application models. Instead, well-known tokens that are compatible with existing infrastructures, applied at the data level, are recommended as a means to effectively enforce trusted machine-to-machine interactions.
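The two steps described above for Simple and Advanced Web services (conformance checks on the message pattern, then an allow/deny decision that depends on the operation inside the XML and on a well-known token) as one added example; this is illustrative code, not Forum Systems' product, and the <Request>/<Identity>/<UpdatePurchaseOrder> message shape, the POLICY table and the TOKENS store are constructed assumptions.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed policy: which roles may invoke each operation element.
POLICY = {
    "UpdatePurchaseOrder": {"clerk", "manager"},
    "DeletePurchaseOrder": {"manager"},
}
# Constructed token store standing in for an existing credential
# infrastructure (password, Kerberos ticket, certificate): token -> role.
TOKENS = {"tok-clerk-01": "clerk", "tok-mgr-01": "manager"}
MAX_BYTES = 64 * 1024  # size anomaly: reject before parsing


def decide(message: bytes) -> tuple:
    """Return ("allow" | "deny", reason) for one XML request message."""
    if len(message) > MAX_BYTES:
        return "deny", "message exceeds size limit"
    try:
        root = ET.fromstring(message)
    except ET.ParseError as exc:
        return "deny", f"malformed XML: {exc}"
    # Conformance: a <Request> holding exactly one <Identity> and one operation.
    if root.tag != "Request":
        return "deny", "unexpected root element"
    identities = [c for c in root if c.tag == "Identity"]
    ops = [c for c in root if c.tag != "Identity"]
    if len(identities) != 1 or len(ops) != 1:
        return "deny", "message does not match the expected request pattern"
    op = ops[0].tag
    if op not in POLICY:
        return "deny", f"unknown operation {op}"
    # Authenticate: map the presented token to a role (constant-time compare).
    presented = identities[0].get("token", "").encode()
    role = None
    for known, known_role in TOKENS.items():
        if hmac.compare_digest(known.encode(), presented):
            role = known_role
    if role is None:
        return "deny", "unrecognised token"
    # Authorize: the decision depends on what the message asks to do.
    if role not in POLICY[op]:
        return "deny", f"role {role} may not invoke {op}"
    return "allow", f"{role} invoking {op}"
```

The standard-library parser is used so the block runs offline; for untrusted input a production gateway would add schema validation and a parser hardened against entity-expansion attacks.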
Sophisticated Web services: Sophisticated Web services typically involve long-running transactions that traverse multiple enterprise boundaries. In this application model, the sensitivity of the data is high, and there is a need to protect messages persistently. The reasons may be untrusted intermediaries or simply that an organization wants to create an efficient federated security model where autonomous businesses can exchange credentials and authorization information using a common trust model. Security mechanisms such as SAML, XML Encryption, and Digital Signatures work well for such an enterprise. It is important to note that with XML Encryption and Digital Signatures a well thought out Public Key Infrastructure is likely to be needed. In addition, with SAML for cross-enterprise single sign-on and distributed authorized transactions, a trust model with a third-party credentialing and entitlement server will have to be maintained and agreed upon by participating enterprises.

3. End-point to end-point protection
Web services are consumed by devices, software, and other Web services. The flow of information can be compromised at multiple points in its lifecycle. An enterprise will need to address not only perimeter but also client and system-wide threat profiles. Forum S3A solutions include testing, vulnerability assessment, firewalls, and gateways as a means to provide the best security coverage for:
Hosts
Networks
Consumers
Responders