Exchange Network Partners with data flows that use Query or Solicit web services should be aware of some special security considerations. On November 17, 2011, the Network Technology Group held an Open Conference Call to describe these security considerations. The Open Call Presentations, covered the following topics:
- New default security settings for Query and Solicit web services that use the Network Authentication and Authorization Service (NAAS);
- The impact of these changes to existing data flows;
- Special security considerations related to the EN Browser’s Guest access account; and
- Recommended actions for Node Administrators who need to secure sensitive data, including specific instructions for OpenNode2 and EN-Node users.
Background on Publishing and Data Access
Many Exchange Network data flows are powered by Submit web services. These data flows are not publishing-oriented since they have to be initiated by the owner of the data. Some data flows make use of Query or Solicit web services. These are often referred to as publishing data flows because, unlike Submit web services, Query and Solicit web services allow data owners to make data available through their Node for others to access—assuming the owner has give them permission to do so.
Network Governance has a long-standing policy of encouraging Partners to publish more data and make it as accessible as appropriate. In 2011, Governance made a change to the default security settings in the NAAS to support this policy. Previously, when a Node Administrator created a new web service for a data flow, the NAAS would, by default, create a security policy that completely restricted access to the service unless the Node Administrator specifically granted rights to a specific user. Now, new services are open by default and Node Administrators need to restrict access if necessary. Administrators will still have the same level of control over their data and who can see it.
If Administrators already have existing data flows with publishing web services and have placed restrictions on who can access them, those restrictions will remain unchanged. Any existing security policy on a Node supersedes this new default behavior. If a data flow is secured, it remains secured. If a data flow is unsecured, it will remain open to anyone with valid NAAS credentials.
Guest Access to the Exchange Network Browser
The Exchange Network Browser is a web-based tool that allows users to discover and access the different data flows and web services that are available on the Exchange Network. The EN Browser is powered by the Exchange Network Discovery Service (ENDS), so a data flow or web service is only visible and available if it is registered in ENDS. The EN Browser supports two types of access. First, it allows users to securely log-in with their NAAS user name and password to access any secure data flows for which they have been granted permission. Second, it allows has Guest access for public users that do not have NAAS credentials.
Guest access was enabled by embedding a set of special NAAS credentials into the EN Browser. The Guest account user name is: “firstname.lastname@example.org.” Node Administrators should consider the following three questions to determine whether to take any action to secure their data:
- Do you have Query or Solicit services set up on your Node?
- Are those services registered in ENDS?
- Is the data inappropriate for public access?
If Administrators answer YES to all three of these questions, then they should take steps to deny access to the EN Browser Guest account for the sensitive data flows. This can be accomplished by adjusting the security settings in the Node’s administration interface.
How to Adjust Security Settings to Enable or Restrict Access to Data Through the EN Browser
Many Node products offer the ability to adjust security settings directly in the administration interface. Specific instructions for users of OpenNode2 and the EN-Node were included in the November 17, 2011, Open Call Presentations. Additional information exists in the Node Administration manuals for OpenNode2 and EN-Node. Users of other Node product needing assistance should contact the software developer.