This document raises information security issues for consideration by justice and public safety managers who are deploying justice XML-based systems for the exchange of justice and public safety information, for the purposes of understanding and managing risk.
The authors of this 2003 document provide background on the basics of Web services (WS): definitions, a glossary of terms, an overview of standards, and a summary of security concerns together with approaches to mitigating them. They also describe the security practices employed by the Southwest Alabama Integrated Criminal Justice System (SAICS) as an operational example. The discussion of standards covers the WS-Security specification, which describes security enhancements to the Simple Object Access Protocol (SOAP); the Roadmap to Security-Conscious Web Services Implementations document; and the organizations working on Web services security standards, including the W3C and OASIS. The authors raise additional considerations about information sharing and the communications protocols behind the Web, namely information confidentiality, integrity, availability, and identification and authentication (I&A). They then discuss interim security workarounds: SSL (Secure Sockets Layer), application-level security, operational restrictions on the data environment, tightening Internet security policies and practices, and proprietary solutions in general. In conclusion, the authors note that justice information system software engineers are responsible for developing secure Web services and that, until a comprehensive set of standards and compliant products exists, those engineers will need to build solutions that rely on temporary workarounds and have proprietary aspects.