DocumentCode :
1925088
Title :
A practical approach to secure Web services
Author :
Xu, Jie ; Yang, Erica Y. ; Bennett, Keith H.
Author_Institution :
Sch. of Comput., Leeds Univ.
fYear :
2006
fDate :
24-26 April 2006
Abstract :
Web services provide the potential to offer interoperability of distributed business-to-business application integration between autonomous organisations, regardless of platforms, operating systems or languages. For both user and vendor organisations, this raises immediate problems of trust, security, privacy and prevention of malicious attacks. Until these problems are addressed and solved properly, the use of Web services will be severely restricted because no-one will trust them. We describe in this paper a service-oriented architecture and an attack-tolerant information retrieval (ATIR) service which tackles certain classes of privacy problems. In particular, we address the problem of protecting a user against malicious attacks upon an information service when the user retrieves some information from the service. Although there have been many theoretical solutions to certain aspects of this problem, the results have yet to be adapted to real systems. We report our experience of integrating the ATIR service with Taverna, a popular workflow system used amongst the UK e-science/grid computing community, to support secure information retrieval in the biology context. Performance studies show that the overhead of ATIR server-side processing is trivial (<5%) in comparison with the total processing time of the integrated Taverna. Our experimental results also show that the major processing overhead is caused by the Taverna enactor operations, which consume no less than 50% of the total processing time.
Keywords :
Internet; biology computing; client-server systems; data privacy; grid computing; information retrieval; information services; open systems; scientific information systems; security of data; Taverna; UK e-science community; Web service security; attack-tolerant information retrieval; distributed business-to-business application integration; distributed information retrieval; grid computing; information service; interoperability; malicious attacks; privacy protection; server-side processing; service-oriented architecture; trust; workflow system; Biology computing; Context-aware services; Grid computing; Information retrieval; Information security; Operating systems; Privacy; Protection; Service oriented architecture; Web services; Attack tolerance; Web services; distributed information; malicious attacks; privacy protection; retrieval;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Object and Component-Oriented Real-Time Distributed Computing, 2006. ISORC 2006. Ninth IEEE International Symposium on
Conference_Location :
Gyeongju
Print_ISBN :
0-7695-2561-X
Type :
conf
DOI :
10.1109/ISORC.2006.9
Filename :
1630519