ACORD Security Profiles: Securing Insurance Web Services

Track: Vertical Industries, Case Studies, Core Technologies

Audience Level: Technical view

Time: Wednesday, November 16 14:45

Author: Rima Patel, Sun Microsystems, Inc.

Keywords: ACORD, Insurance Web Services, Security, Web Services Security, WS-I Basic Security Profile, Financial Services Technology


The ACORD Web services security profiles work identifies the security requirements for insurance industry Web services implementations. It addresses them by defining multiple security profiles that provide varying degrees of message integrity, confidentiality, and authentication, profiling SSL, OASIS Web Services Security, and WS-I Basic Security Profile technologies. The security work also provides guidelines for protecting SOAP messages with MIME attachments. This session will provide an in-depth technical overview of the approach that ACORD has taken towards defining security solutions for an entire industry.

Specifically, the session will cover the following topics:

- Overview of the ACORD SOAP Messaging Service

- ACORD Web services security requirements as applicable to ACORD SOAP Messaging Service

- ACORD Security Profiles

  - Initial

  - Basic

  - Medium

  - Maximal

- Lessons learned

- Attachment security

- Authentication

- Insurance specific requirement handling

- Implementation examples

- How we would like to evolve this work going forward

This session would be very helpful to architects working in financial services, as well as other industries, in addressing concerns about how to design security for Web services applications.

Note: The author was closely involved, as a standards representative, with the ACORD Joint Architecture Group - Framework working group throughout the lifecycle of this work.