Trust-based security model and enforcement mechanism for Web service technology

The emerging Web service technology has enabled the development of Internet-based applications that integrate distributed and heterogeneous systems and processes which are owned by different organizations. Compared to centralized systems and client-server environments, the Web service environment is much more dynamic and security for such an environment poses unique challenges. For example, an organization (e.g., a service provider or a service broker) cannot predetermine the users of its resources and fix their access privileges. Also, service providers come and go. The users of services must have some assurances about the services and the organizations that provide the services. Thus, the enforcement of security constraints cannot be static and tightly coupled. The notion of trust agreement must be established to delegate the responsibility of certification of unknown users, services, and organizations. In this paper, we describe a Trust-based Security Model (TSM) that incorporate the traditional security concepts (e.g., roles, resources, operations) with new security concepts that are specific to the Web service environment. The security concepts of TSM are then applied to the general Web service model to include security considerations. Finally, an event-driven, rule-based approach to the enforcement of security in a Web service environment is described.