Managing security policy in a large distributed Web services environment

Effectively managing security policies in a large distributed Web Services environment is the key to secure e-business transactions. Security policy must ensure the end-to-end agreement for many-to-many interoperation; ensure the versioning interoperability and privacy of collaborating partners; and ensure the dynamic establishment of security policies because any statically defined security policy tends to be unsecured after a certain period of time. The traditional security policy configuration mechanisms, either the local configuration mechanism or the centralized configuration mechanism, cannot fully meet the above requirements. In this paper we describe a solution for managing security policies in a collaborative Web Services environment. This solution is based on ebXML CPP/CPA model and uses Interoperability Contract Document (ICD). It allows the collaboration parties to establish security policy dynamically for each individual interoperation; makes the selected policy confidential; and addresses the software, message, and policy versioning and interoperability issues. Our experience reveals the advantages of this approach over others.