Blog | Townsend Security

XML, Web Services, and Encryption

Written by Michelle Larson | Nov 14, 2014 9:37:00 PM

Real-time, Low-cost, Business Integration When and Where You Need It! 

Do you need a complete and affordable solution for implementing XML web services on your IBM i? Need a solution that won’t disrupt your existing applications and database so you can easily implement web services without complicated API programming or the deployment of external servers? Our Alliance XML solution includes all of the communications, XML parsing, data translation, and application integration components that you need. You can create XML documents from your existing database files and securely send them to remote web servers, and you can receive XML documents directly on your IBM i and process the data into your applications. 

QSA auditors and other security professionals focus on the protection of sensitive data after it traverses the Internet and then lands in a database on a hard disk drive. You need a solution that provides security at every level of processing and protects data in transit using session encryption. When sending or receiving XML documents Alliance XML can use the Transport Layer Security (TLS) protocol for strong encryption of the transferred data. The Alliance XML TLS support is based on the IBM Digital Certificate Manager and related IBM APIs for TLS sessions. This gives you an implementation that is compatible with native IBM i security. As an additional layer of security the Alliance XML HTTP servers provide IP address controls so that only known clients can use the servers.

When receiving XML documents with sensitive data you can enable field level encryption to protect the data. For example, if you receive a document with a credit card number or social security number, you can use strong encryption of the data to protect it before it is written to your database table. User APIs provide a means of decrypting the data so that it can be used in your RPG and Cobol applications.

The web protocols HTTPS and FTPS provide for the ability to encrypt the data in transit, and Secure Shell SSH also provides strong encryption. But after the data reaches the end point of its journey it lands in a database somewhere, and it is often exposed to loss at that point. I believe that’s why security auditors put emphasis on making sure that data is encrypted when it hits it’s destination.

Many companies have implemented web services in combination with the XML data standard to take advantage of low cost, real time integration with their customers and vendors. When you combine the ubiquity of the web HTTPS protocol with the W3C XML standard you get a powerful incentive to use this platform for business integration.

Care should be given to what happens to data when it leaves the realm of encrypted transit and lands on server hard drives. The right thing to do is encrypt sensitive data at the very beginning. This means that the tools you are using have to support encryption as a natural part of the process of converting XML data. Standard XML processing tools such as Xerces and Xpath do not have built-in encryption. The same is true for XML toolkits and APIs provided by IBM, Microsoft, and others. This leaves it to developers to try to intercept data after it is transformed from XML and before it lands in a database table or on a hard drive. That’s a real challenge.
 

In our Alliance XML/400 web services product on the IBM platform we built encryption right into the data transformation process. Alliance XML/400 customers can protect sensitive data by enabling the encryption option on a translation map. The solution does the rest. The data is encrypted before insertion into the database and there is no exposure as the data lands in the database on the hard drive. Our customers are taking advantage of this feature to meet PCI and other compliance regulations.

Encryption can help protect against another common threat, too. At the annual PCI SSC standards council meeting a few years ago, forensics expert Chris Novak of Verizon talked about how more than 75 percent of data loss events begin with a well known weakness that hasn’t been patched, and half of these are based on SQL injection attacks, this is still true today. With SQL injection, the attack on your servers starts with bad data inserted into a database in the clear, leaving open a later exploit. There are ways to prevent SQL injection through programming techniques, but encryption will also help defeat them.

Will encrypting your data provide all of the security protection you need? No, but it should be a major part of your defense-in-depth strategy to protect sensitive data.  

To view a replay of a webinar we presented on XML & Web Services, click below