DocumentCode
3345574
Title
Achieving Data Privacy and Security Using Web Services
Author
Weaver, Alfred C.
Author_Institution
University of Virginia, e-mail: acw@cs.virginia.edu
fYear
2005
fDate
14-17 Dec. 2005
Abstract
The Internet has proven to be a powerful enabler for anywhere/anytime access to data and software located throughout the world. The downside of this capability is that it exposes these resources to information leakage, malicious invasion by hackers, and damage due to software viruses. This risk can be mitigated by the intelligent use of a web services architecture that can enforce both data privacy and security. In this talk I will propose a security architecture that enforces information security by addressing the key issues of authentication, authorization, and federation. Authentication results in a security token that conveys both the identity of the requestor and the trust level of the identification technology. Authorization determines what objects are accessible by a user given his identity token, request, role, context, and privileges. Federation, using both direct and indirect trust, addresses the problem of how identity, once legitimately established in one trust domain, can be reliably exported to another cooperating trust domain. I will discuss our implementation of these ideas in an on-going research project to protect medical data, and will illustrate how the concepts generalize to protect arbitrary data resources.
Keywords
Authentication; Authorization; Computer architecture; Computer hacking; Data privacy; Data security; Information security; Internet; Protection; Web services;
fLanguage
English
Publisher
ieee
Conference_Titel
Industrial Technology, 2005. ICIT 2005. IEEE International Conference on
Print_ISBN
0-7803-9484-4
Type
conf
DOI
10.1109/ICIT.2005.1600869
Filename
1600869