136 Copyright © 2009 Open Geospatial Consortium, Inc.
13 Recommendations
As a result of this work, mainly based on the evaluation of vulnerabilities and potential attacks for the current OGC Sensor Web Services specifications, we like to give
recommendations for implementing a Secure Sensor Web.
First of all we like to point out that it is important to implement all relevant requirements and not just one. For example, when implementing access control but the communication
is not secured, an attacker could steal security context information such a a session token or an identity token which would most likely cause the access control system to grant
requests, based on the stolen security context information.
Of course, it is not easy to say in general which requirements are to be implemented and in which way as this depend on many factors: i The architecture itself and which
services are deployed in which security domain, ii is there direct trust relationship between security domains, iii which informationobservation shall the system deal with
and is it classified, etc. One dominant questions is ―Do I have to use WS-Security with SOAP or can I do HTTP+TLS‖? This mainly depends on the architecture and the
orchestration of services. But as a rule of thumb, it is a good idea to use WS-Security and SOAP, even though the other variant using HTTP+TLS might also be applicable.
We like to point out the following recommendations knowing that there will always exist specific cases where these recommendations might not represent the most elegant
solution. However, the list of recommendation can be understood as a framework for securing the Sensor Web.
13.1 Use Message Level Security
W think, that the sufficient and relevant level of ensurance for implementing all relevant security requirements as outlined in earlier sections of this ER can only be undertaken by
leveraging message level security. The alternative – network level based implementation
– is difficult to achieve as it very much depends on underlying network administration. And, because the joining and leaving of parties in a Secure Sensor Web can much easier
be reflected and administrated based on security implementation on message level. The last argument for message level security is that the continuous protection of information
exchanged among services provided by different organizations is to be ensured, independent of different network segments that are potentially owned and administrated
by different parties using their own policies and service chains that might be required.
Independent of implementing security requirements such as Integrity, Confidentiality and Authenticity requires the existence of a Public Key Infrastructure PKI. Even integrity
and confidentiality could be guaranteed without a PKI, it is recommended to use X.509 certificates.
Copyright © 2009 Open Geospatial Consortium, Inc. 137
For the implementation of trusted Audit and Alarms, it is also relevant to have a PKI in place and trusted third parties that undertake and guarantee the correctness and
confidentiality of audit information.
13.2 Services shall support SOAP and WS-Security
In simple architectures that are based on transparent chaining, only direct communication links exist between the client and many services. Here, the use of HTTPS can be
leveraged in order to secure the communication and the security context information that is exchanged between the client and the secured service.
But in a more generic architecture, where a translucent or even opaque chaning of services shall be possible, the use of SOAP based interfaces leveraging WS-Securtiy for
securing the communication is recommended. Depending on the security model that is to be supported, X.509 certificates or other types of tokens must be created. This requires
naturally the existing of the associated infrastructure.
13.3 Describe security constraints for the service using WS-PolicySecurePolicy