Townsend Security Data Privacy Blog

XML, Web Services, and Encryption

Posted by Michelle Larson on Nov 14, 2014 1:37:00 PM

Real-time, Low-cost, Business Integration When and Where You Need It! 

Do you need a complete and affordable solution for implementing XML web services on your IBM i? Need a solution that won’t disrupt your existing applications and database so you can easily implement web services without complicated API programming or the deployment of external servers? Our Alliance XML solution includes all of the communications, XML parsing, data translation, and application integration components that you need. You can create XML documents from your existing database files and securely send them to remote web servers, and you can receive XML documents directly on your IBM i and process the data into your applications.

QSA auditors and other security professionals focus on the protection of sensitive data after it traverses the Internet and then lands in a database on a hard disk drive. You need a solution that provides security at every level of processing and protects data in transit using session encryption. When sending or receiving XML documents Alliance XML can use the Transport Layer Security (TLS) protocol for strong encryption of the transferred data. The Alliance XML TLS support is based on the IBM Digital Certificate Manager and related IBM APIs for TLS sessions. This gives you an implementation that is compatible with native IBM i security. As an additional layer of security the Alliance XML HTTP servers provide IP address controls so that only known clients can use the servers.

When receiving XML documents with sensitive data you can enable field level encryption to protect the data. For example, if you receive a document with a credit card number or social security number, you can use strong encryption of the data to protect it before it is written to your database table. User APIs provide a means of decrypting the data so that it can be used in your RPG and Cobol applications.

The web protocols HTTPS and FTPS provide for the ability to encrypt the data in transit, and Secure Shell SSH also provides strong encryption. But after the data reaches the end point of its journey it lands in a database somewhere, and it is often exposed to loss at that point. I believe that’s why security auditors put emphasis on making sure that data is encrypted when it hits its destination.

Many companies have implemented web services in combination with the XML data standard to take advantage of low cost, real time integration with their customers and vendors. When you combine the ubiquity of the web HTTPS protocol with the W3C XML standard you get a powerful incentive to use this platform for business integration.

Care should be given to what happens to data when it leaves the realm of encrypted transit and lands on server hard drives. The right thing to do is encrypt sensitive data at the very beginning. This means that the tools you are using have to support encryption as a natural part of the process of converting XML data. Standard XML processing tools such as Xerces and XPath do not have built-in encryption. The same is true for XML toolkits and APIs provided by IBM, Microsoft, and others. This leaves it to developers to try to intercept data after it is transformed from XML and before it lands in a database table or on a hard drive. That’s a real challenge.

In our Alliance XML/400 web services product on the IBM platform we built encryption right into the data transformation process. Alliance XML/400 customers can protect sensitive data by enabling the encryption option on a translation map. The solution does the rest. The data is encrypted before insertion into the database and there is no exposure as the data lands in the database on the hard drive. Our customers are taking advantage of this feature to meet PCI and other compliance regulations.

Encryption can help protect against another common threat, too. At the annual PCI SSC standards council meeting a few years ago, forensics expert Chris Novak of Verizon talked about how more than 75 percent of data loss events begin with a well-known weakness that hasn’t been patched, and half of these are based on SQL injection attacks. This is still true today. With SQL injection, the attack on your servers starts with bad data inserted into a database in the clear, leaving open a later exploit. There are ways to prevent SQL injection through programming techniques, but encryption will also help defeat them.

Will encrypting your data provide all of the security protection you need? No, but it should be a major part of your defense-in-depth strategy to protect sensitive data.  

To view a replay of a webinar we presented on XML & Web Services, click below

Request the Webinar:   XML and Web Services  

Topics: IBM i, web services, XML, Alliance XML, Webinar

Gaining Efficiency & Business with XML & Web Services - Part 2

Posted by Luke Probasco on Jul 26, 2011 8:07:00 AM

Last week we posted part one of our two-part series covering XML & Web Services.  This second half covers how organizations are currently using web services, how the technology can increase revenue, and how the technology can reduce costs.  For even more information, we have made a recorded webinar available titled "XML & Web Services - How to Win More Business."

How are organizations currently using web services?

There are lots of ways web services are being used to help companies do business and make business work well.  Definitely in back-office processing, we see orders being placed via web services -- shipment requests, notification of order status, all types of business transactions that you can imagine are quite easily implemented as a web service.  So, sort of that fundamental day-to-day operational side of web services are there.  And then you see some really creative kind of things.  You see things like Microsoft SharePoint which provides a web service based collaboration tool that helps people share information and collaborate on documents.  These are powerful technologies that can really be used in a number of different ways.  So, really, almost any interaction that you have that involves information is quite susceptible to being engineered through web services. 

How can the technology increase revenue?


Well, think of new business.  Sometimes, when you want to bring onboard a new customer there is going to be some data interchange that you have to do with that customer.  Web services can make that really easy and fast to do.  Web services can really be an enabling technology to on-board entirely new sets of customers – perhaps in lateral opportunities.  In terms of increasing revenue, that is probably the main way we see XML and web services being deployed.

You mentioned that this technology can also reduce costs.  Can you explain?

In today’s world there can still be a lot of manual work as we move data through our various applications.  Web services can automate that.  We can gain efficiency within our own organizations by automating a lot of these processes.  So, again, XML and web services can be the transport mechanism or the enabling technology for these processes to happen automatically.  We push out inefficiencies, we automate processes, we make data flow faster, which then can improve customer service.  So XML and web services can be an important efficiency tool within an organization as well.

Are there any specific cost savings for our listeners who implement a SharePoint server?

A SharePoint server is a Microsoft server based product that is a collaboration tool and it really lets people in geographically different locations share information in real-time.  So you can push a document up to a SharePoint server, someone else can get notified that the document is available, and then immediately take a look and work on it. This is all done with a web services type of implementation.  Or imagine you are on an IBM Mainframe where you are running back-office applications. What if your daily reports could automatically be published to a SharePoint server and made immediately available to the people who need them?  You can now reduce printing costs, time for the information delivery, and you make that information much easier to share.   So this technology is really helpful for pushing cost out of an organization.

Are there any companies we might recognize using your XML?

Sure!  PotteryBarn is using the RightNow CRM and they needed a way to do bulk data transfers to a SharePoint server hosted by RightNow.  Our Alliance XML/400 was able to do that.  In this case, the payload was an Excel CSV file that had to be shared between PotteryBarn and RightNow.  Our technology made this sharing take place.

How complex is the implementation of XML and web services technology?

That’s a good question.  Let me take that in two parts.  XML and web services technologies have a fair amount of complexity in them.  You have issues of security with HTTP/HTTPS implementations and you have the complexities of dealing with XML payloads - they have to be parsed properly to extract data and make it useable. 

Encryption and encoding become an integral part of this technology, so there is a fair amount of really complex technologies integrated into a web services solution.  However, the actual solutions that get deployed don’t have to be complex. 

For example, in Alliance XML/400 we make the implementation of the client and server applications very simple.  They are natural native interfaces on the IBM i that any developer can use if they wish.  So in our solution we tried to hide the complexities of all these technologies in the solution itself, so that our customers don’t have to deal with that.  I think that deploying XML and web services with our product is a very straightforward and easy thing to do. 

We have had people in a very short period of time get up and running with integration with their customers – in as little as a couple of days.  This is something that can be deployed quickly.  Good solutions hide those complexities so that people can get on with doing business and not spend their time fussing around with the technology itself. 

This has been some great information.  Is there anything else you would like to say before we are done?

XML and web services are really enabling tools.  We are living today in a difficult economic time and yet the most successful companies are moving forward.  They are working to engage new opportunities, to reduce cost out of their organizations, and XML and web services technologies can help with this process.  So, being positive and looking for opportunities and being sure to look at the payback for web services as part of the whole picture is really important.

For more information on XML & Web Services, view our webinar titled "XML & Web Services - How to Win More Business."

 


Topics: IBM i, web services, XML

Gaining Efficiency & Business with XML & Web Services - Part 1

Posted by Luke Probasco on Jul 21, 2011 7:59:00 AM

XML and web services are tools that can help your organization respond faster to opportunities, win more business, and reduce costs.  Recently I was able to sit down with Patrick Townsend, Founder and CTO of Townsend Security, to discuss XML & web services.  One thing became crystal clear – using XML and web services does NOT have to be a hard project, in fact it can be relatively easy.

How can XML and Web Services improve an organization’s bottom line?


XML and web services are really designed to help make integration within an organization and between organizations a lot easier.  This technology is designed for the Internet and is an easy to implement integration strategy.  Companies can begin putting applications together within the organization and then start to work to integrate with their customers and service providers.  XML and web services make business a lot easier to do.  And XML is a great technology for making this happen very quickly.  XML is a very light-weight technology, easy to implement, and very platform agnostic.  So anyone, with the right set of tools, which are not expensive, can begin doing this kind of integration very quickly.

Can you give me a brief overview of how XML and web services work together?

Well, there are several components to web services.  The first is you have a communications layer, which is based on HTTP and HTTPS – the same communications technology we have in our browsers on our PCs.  So the internet HTTP technology is the backbone of web services.  Communications are one big chunk of what web services are all about.

Next you have data that you are pushing between a client and a server, or between yourself and a customer.  This payload is usually in XML format -- which is again, an industry standard well adapted for the Internet.

Then you typically have client and server backend processes.  If I send an order to a customer over the internet in XML format, there needs to be a backend process that can receive that XML document, process it into the back-end order system, and properly handle the data.

So these are the fundamental components – communications, XML payload, and processing capability on both ends – that really make web services go.

What essential components would an organization need?

Since most of the web services are automated, you need a good client application and a good server communications application.  Whereas you are browsing on your PC with Internet Explorer or Firefox, you are using a pre-packaged client going to a web server.  In web services between businesses, the client is usually an application, so you need some kind of client application capability that can perform the communications automatically.  In other words, there is not a human being there who is going to initiate a browser session.  It is going to be an automated process.  Likewise, on the receiving end, or the server end of the process, you need a server capable of receiving an XML web services request and invoking the backend application.  And almost always that means something that can parse an XML payload and make that information useable within the backend application.

What can you tell us about Townsend Security’s XML product?

Alliance XML/400 is an IBM i solution and it provides all of the components that a customer needs to really deploy web services on the IBM i platform.  It provides the communications transport – both the client and the server side, it provides the ability to form XML documents out of standard database information, and it provides easy mapping so that complex programming is not required.  It gives the IBM i enterprise customer the ability to easily and quickly deploy web services and take advantage of the technology.

 

This concludes part one of Gaining Efficiency & Business with XML & Web Services.  We will post the second half at the beginning of next week.  Until then, we have made a recording of our webinar "XML & Web Services - How to Win More Business" available for further information.

 


Topics: web services, XML, secure communications

XML, Web Services, and Encryption

Posted by Patrick Townsend on Dec 15, 2010 11:29:00 AM

One clear direction I’ve observed over the last few months is the focus of QSA auditors and other security professionals on the protection of sensitive data AFTER it traverses the Internet and then lands in a database on a hard disk drive. We have really good ways of protecting data in transit using 128-bit SSL encryption. For example, the web protocols HTTPS and FTPS provide for the ability to encrypt the data in transit, and Secure Shell SSH also provides strong encryption. But after the data reaches the end point of its journey it lands on a hard drive somewhere, and it is often exposed to loss at that point. I believe that’s why security auditors are putting a lot of emphasis now on making sure that data is encrypted when it hits a hard drive.

Many companies have implemented web services in combination with the XML data standard to take advantage of low cost, real time integration with their customers and vendors. When you combine the ubiquity of the web HTTPS protocol with the W3C XML standard you get a powerful incentive to use this platform for business integration.
 
But care should be given to what happens to data when it leaves the realm of encrypted transit and lands on server hard drives.

Of course, the right thing to do is encrypt sensitive data before it lands on the hard drive. This means that the tools you are using have to support encryption as a natural part of the process of converting XML data. Standard XML processing tools such as Xerces and XPath do not have built-in encryption. The same is true for XML toolkits and APIs provided by IBM, Microsoft, and others. This leaves it to developers to try to intercept data after it is transformed from XML and before it lands in a database table or on a hard drive. That’s a real challenge.

In our Alliance XML/400 web services product on the IBM platform we built encryption right into the data transformation process about four years ago. Alliance XML/400 customers can protect sensitive data by just enabling the encryption option on a translation map. The solution does the rest. The data is encrypted before insertion into the database and there is no exposure as the data lands in the database on the hard drive. Our customers are taking advantage of this feature to meet PCI and other compliance regulations.
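
The approach described above, and in the 2014 post of the same title at the top of this page, shown as an added Java example that is not Townsend Security's code: fields flagged for encryption are sealed with AES-256-GCM while the XML is mapped to a row, so plaintext never reaches storage. The `ENCRYPTED` set, the element names, the sample order and the all-zero demo key are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class FieldEncryptingTransform {
    // Hypothetical stand-in for the encryption option on a translation map.
    static final Set<String> ENCRYPTED = Set.of("card");

    // The field name is associated data, so a ciphertext copied to another column fails to open.
    static String seal(SecretKeySpec key, String field, String plain) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce); // fresh nonce for every value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        c.updateAAD(field.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(
                ByteBuffer.allocate(12 + ct.length).put(nonce).put(ct).array());
    }

    // Decrypt side, the role the post gives to user APIs called from applications.
    static String open(SecretKeySpec key, String field, String stored) throws Exception {
        byte[] raw = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, raw, 0, 12));
        c.updateAAD(field.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8);
    }

    // Maps a flat document's child elements to a row, sealing flagged fields before storage.
    static Map<String, String> transform(SecretKeySpec key, String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs
        NodeList kids = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement().getChildNodes();
        Map<String, String> row = new LinkedHashMap<>();
        for (int i = 0; i < kids.getLength(); i++) {
            Node n = kids.item(i);
            if (n.getNodeType() != Node.ELEMENT_NODE) continue;
            String name = n.getNodeName(), val = n.getTextContent().trim();
            row.put(name, ENCRYPTED.contains(name) ? seal(key, name, val) : val);
        }
        return row; // this is what an INSERT would bind; "card" is ciphertext only
    }

    public static void main(String[] args) throws Exception {
        String xml = "<order><id>1001</id><card>4111111111111111</card></order>"; // constructed sample
        SecretKeySpec key = new SecretKeySpec(new byte[32], "AES"); // demo key; use a key manager
        Map<String, String> row = transform(key, xml);
        System.out.println(row + " -> " + open(key, "card", row.get("card")));
    }
}
```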

For non-IBM System i environments we now provide an easy way to retrieve encryption keys and perform encryption in a variety of development languages such as Microsoft .NET, Java, and C/C++.

Encryption can help protect against another common threat, too. At the annual PCI SSC standards council meeting in Orlando this year, forensics expert Chris Novak of Verizon talked about how more than 75 percent of data loss events begin with a well-known weakness that hasn’t been patched, and half of these are based on SQL injection attacks. With SQL injection, the attack on your servers starts with bad data inserted into a database in the clear, leaving open a later exploit. There are ways to prevent SQL injection through programming techniques, but encryption will also help defeat them.

Will encrypting your data provide all of the security protection you need? Certainly not. I like to think of it this way:  Wearing a parachute on a skydiving expedition is no guarantee that you won’t be hurt when you land.  But that doesn’t mean you wouldn’t wear one, right? I think of encryption in the same way.

To view a replay of a recent webinar we presented on XML & Web Services, click here.

Patrick

Topics: Encryption, HTTPS, HITECH, HIPAA, AES, PCI, SFTP, web services, XML, FTPS, SSL/TLS, SSL