Trust Management for Web Services

Scott D. Stoller

Service-Oriented Architecture (SOA) is increasingly used in enterprise information systems, particularly in the form of Web Services. However, access control mechanisms provided by current Web Service frameworks cannot express the complex security policies of large organizations. As a result, access control is typically handled in application code. Writing and validating that code increases development time and cost. Trust management frameworks support the complex policies needed in enterprise information systems. Previous trust management frameworks are not designed to integrate conveniently with common software infrastructure, notably Web Services and databases. This paper describes a practical trust management system for Web Services that allows information in databases to be used seamlessly and efficiently in policies. A realistic trust management policy for electronic health records is used as a case study.