New Zealand Secure Web Services Standard
This document specifies the standards for secure Web Services for the New Zealand Government. The standard guides the reader through a series of steps that leads to the selection of a secure Web service solution that incorporates appropriate standards. It provides a standard to enhance interoperability and provide a common validated approach to the security and privacy of secure Web services across government.
In October 2010 Cabinet agreed the “Directions and Priorities for Government ICT” to guide investment in, and the management of, information and communications technology (ICT) in order to:
- open up government information and data;
- establish foundations for improving service delivery; and
- deliver tangible savings
Later in March 2012 the “Better Public Services Programme” was created to enable public sector to respond even more effectively to the needs and expectations of New Zealanders. The Government has set 10 challenging results for the public sector to achieve over the next five years. Two of these 10 results are: Improving interaction with government
Result 9. New Zealand businesses have a one-stop online shop for all government advice and support they need to run and grow their business.
Result 10. New Zealanders can complete their transactions with the Government easily in a digital environment.
The “Government ICT Strategy and supporting work programme enables integrated digital service delivery, and delivers sustainable business savings. It sets out a plan to transform service delivery through digital self-service channels and to unlock the full economic potential of government’s information holdings.
The challenge will be to transform government through enabling technology, so that individuals and businesses have a better and more consistent experience in their dealings with government, agencies work more closely with their customers and with each other, and the cost of delivering services, both online and through other channels, is reduced. This will require agencies to move beyond one-way provision of information to two-way transactions.
The Government has recognised the importance and significance of interoperability. Web services are a foundation enabling technology for interoperability, and securing them in a reliable and interoperable manner is essential. Web services should not be confused with web sites; web services are a technical web based application integration mechanism that connects application services together and do not have a user interface. Web sites, as apposed to web services, provide direct user access to application services and are supported by a separate and dedicated set of New Zealand Government web site standards. Web services are the most prolific mechanism for application integration both within and across organisational boundaries. Web services facilitate platform neutral application integration avoiding the costs and complexities of multiple platform support. Web services bring with them security issues, security weaknesses, and security threats that must be countered to achieve reliable and secure services.
This standard is part of the GEA-NZ (Government Enterprise Architecture for New Zealand) Suite and the New Zealand e-gif (New Zealand e-Government Interoperability Framework). The standard is based on selected international standards and international standards profiles, primarily from OASIS WS*(security) standards and WS-I Profiles.
It is a required standard for developing web services in government agencies where security is a consideration. Secure web services should be considered for “public” networks, such as the Internet, and unencrypted networks within government agencies. Web services intended to be secure, which operate on internal segregated networks, may have differing security requirements.
This Standard is a technical document. It deals with the technical web service security standards and mechanisms used to implement technical interoperability of the security aspects of web services. It defines security related standards that are applied on top of foundation web service interoperability standards. Readers are expected to have experience of designing and developing web service solutions and be familiar with web service design concepts and development practice. It is noted that New Zealand Information Security Manual [NZISM] has few mandatory requirements which apply to transmission of data at “Unclassified”, “In Confidence” and “Sensitive” classifications. For example, [NZISM] does not mandate encryption of authentication credentials transmitted across an unsecured network. This Standard strengthens [NZISM] requirements in some areas.
A separate NZ Secure Web Service Standard Appendix document provides supporting definitions useful to the understanding of the Standard and a small number of supporting implementation patterns. The patterns provided describe common reoccurring problems rather than specific implementations and offer general design guidance and recommendations and are not part of the normative standard. The pattern set is not intended to be comprehensive as it addresses priority security scenarios only and its scope was limited by available resources. The pattern set includes a number of newly created security patterns along with a number of existing public domain patterns that are summarised into a consistent form. Numerous other secure web services patterns exist in the public domain that address other security problems and challenges and these should be investigated and utilised as they potentially offer an immediate insight to a problem and a solution design.