Centralizing Access to Enterprise Data by Using the .NET Framework 3.0

Technical Case Study

Published: November 15, 2006

Downloads

  • Technical Case Study (Microsoft Word file, 595 KB)

  • PowerPoint Presentation (Microsoft PowerPoint file, 1.27 MB)

Situation

Business groups across Microsoft accessed enterprise data independently of each other and often copied the data to their own data stores. This situation made auditing and transaction logging difficult. Access to enterprise data was not centralized and was not managed from a single point of entry.

Solution

The Enterprise Application Services IT group used technologies in the .NET Framework 3.0 to create the Digital Asset Web Services. This solution supports centralized storage and access to enterprise data, along with simplified auditing and transaction logging. It also aligns the IT infrastructure with corporate data-handling policies and regulatory requirements.

Benefits

  • Alignment with data-handling policies and regulatory requirements
  • Centralized access and storage of enterprise data
  • Enhanced security
  • Transaction logging
  • Auditing and validation of subscriptions and certificates
  • Scalability and modular design
  • Risk-avoidance savings
  • Automation of data access processes
  • Simplified support
  • Compatibility with existing applications

Products & Technologies

  • Microsoft .NET Framework 3.0 (including Windows Communication Foundation and Windows Workflow Foundation)
  • Microsoft Visual Studio 2005
  • Microsoft SQL Server 2005
  • Microsoft Operations Manager 2005
  • Microsoft ASP.NET 2.0
  • Internet Information Services 6.0

Microsoft needed to deploy a company-wide solution that would centralize security-enhanced access to enterprise data. To accomplish this goal, the Enterprise Application Services IT group created the Digital Asset Web Services by using Microsoft® .NET Framework version 3.0 technologies such as Microsoft Windows® Communication Foundation and Windows Workflow Foundation. Microsoft now enjoys more centralized control over its enterprise data, improved auditing and transaction logging, and enhanced security in its IT infrastructure.

All businesses must maintain databases that contain information. This information may include employee data, customer data, and other mission-critical information. There are frequently multiple users and client applications that access the data, and multiple locations where the data is stored. These locations may sometimes be outside the corporate network, adding to potential security risks. Managing all this data in accordance with security guidelines at a companywide level can be difficult for IT personnel, requiring administration of multiple systems and user accounts. Generating timely audits and useful transaction logs for these systems can also be a challenge.

An efficient and security-enhanced IT infrastructure is no longer merely an internal company matter. Providing security for enterprise data is now a regulatory requirement in many countries. To meet these requirements, companies must implement technologies that enable access to enterprise data in an integrated, centralized, and more secure manner.

At Microsoft, the Enterprise Application Services IT group within Microsoft Information Technology (Microsoft IT) created the Digital Asset Web Services to address these issues. By using new technologies in the Microsoft .NET Framework 3.0, such as Windows Communication Foundation and Windows Workflow Foundation, the Digital Asset Web Services work together with existing enterprise data stores to create a centralized and more secure way for users to access enterprise data, and for IT administrators to complete audits.

This technical case study describes how Microsoft implemented the Digital Asset Web Services. This paper can serve as a model for an organization that intends to implement security-enhanced Web services by using .NET Framework 3.0 technologies. This paper is intended for chief information officers, IT directors, software development executives and managers, solution architects, and technical decision makers.

Situation

Business groups in Microsoft must access enterprise data daily to operate effectively. This data includes customer information, employee information, business partner information, and other mission-critical information. Usually, the enterprise data is retrieved from SAP, the corporate enterprise resource planning system.

In the past, after the data was retrieved, it might be replicated in another data store (usually a Microsoft SQL Server installation) that the business group owned. Then, client applications accessed the enterprise data. This data propagation had two main disadvantages:

  • The data retrieval process was not centralized. Because there was no single point of entry for obtaining enterprise data, copies of the data might exist in multiple locations. Besides being an inefficient use of storage space, this duplication made it difficult to control access to the data.

  • Comprehensive auditing and transaction logging was difficult. Because multiple systems accessed the data, it could be difficult to determine who was accessing the data, what data was being requested, and when the data was requested. This decentralization increased the cost and complexity of auditing numerous applications.

In addition to these disadvantages, recent internal policies regarding data handling and external regulatory requirements have mandated stricter controls for enterprise data, particularly with respect to information access and auditing.

To address these issues, the Enterprise Application Services IT group realized that it required a more centralized and scalable solution. The new solution would have to integrate with existing systems at Microsoft. Additionally, it would have to centralize access to enterprise data, enable simplified auditing and transaction logging, and provide a robust and fault-tolerant transport mechanism. Finally, the solution had to handle future changes in the IT infrastructure, and accommodate company growth and expansion.

Solution

The Enterprise Application Services IT group created and deployed the Digital Asset Web Services. The Digital Asset Web Services enable client applications to obtain enterprise data at run time in a more secure, centralized, and fault-tolerant manner. The Digital Asset Web Services enable IT administrators and enterprise data owners to maintain strict controls over who accesses the data, and to retrieve detailed audit and transaction information.

Note: The Digital Asset Web Services were initially deployed in a limited rollout. The long-term goal is to migrate as many client applications as possible to the Digital Asset Web Services.

The Digital Asset Web Services contain two components, each of which uses a new technology in the .NET Framework 3.0:

  • A Microsoft ASP.NET version 2.0 Web application for managing the data subscription process. Users must complete an online subscription process before they can use client applications to access enterprise data. The ASP.NET Web application uses Windows Workflow Foundation in the .NET Framework 3.0 to streamline human-system interaction during the subscription process, automating it as much as possible.

  • A Web service that provides centralized, run-time access to enterprise data. The Web service uses Windows Communication Foundation in the .NET Framework 3.0 to provide more secure, fault-tolerant, and centralized access to enterprise data. After the subscription process is complete, client applications can use the Web service to obtain enterprise data at run time.

The Enterprise Application Services IT group created the Digital Asset Web Services by using Microsoft Visual Studio® 2005, an integrated development system that is already familiar to many software developers.

Subscription Process

Before client applications can retrieve enterprise data, they must be explicitly approved for access. An online subscription process manages this approval process. By using an ASP.NET Web application, data users apply for a subscription. During the application process, data users can view available data offerings and request access to specific Web methods.

Data owners use the ASP.NET Web application to manage subscriptions. Data owners can add new data offerings, manage subscription approvals and denials, and designate additional owners who can review subscription requests. They can also limit subscriptions to particular data on a need-to-know basis. For example, a subscription for a human resources team in France could be limited to allow only access to data for French employees.

The subscription process contains tasks that must be completed at the human level (for example, approving a subscription request) and tasks that must be completed at the system level (for example, adding authorization credentials to a SQL Server database). Tasks at the human level are often subject to human error during the subscription process.

To reduce the potential for human error, the Enterprise Application Services IT group used Windows Workflow Foundation. Windows Workflow Foundation is a new subsystem in the .NET Framework 3.0 that unifies the human-level and system-level components of a workflow model. Previously, separate stand-alone products managed workflow models. With Windows Workflow Foundation, a workflow model is a fundamental part of Microsoft .NET that can be integrated into new products or Web services.

Windows Workflow Foundation enabled the Enterprise Application Services IT group to streamline and automate the subscription process. Windows Workflow Foundation monitors all stages of the subscription process at the human level and takes appropriate action when notification or action is required. For example, it sends notification e-mail messages automatically at important stages of the subscription process, or when an item needs action or further input by a user. Windows Workflow Foundation also monitors timelines to ensure that the subscription process proceeds in a timely manner.

Figure 1 is a workflow diagram that shows the main steps that occur during the Digital Asset Web Services subscription process.


Figure 1. Digital Asset Web Services subscription process

After the subscription process is complete and approval has been granted, client applications can use the Web service component of the Digital Asset Web Services to access enterprise data.

Data Retrieval Process

The Digital Asset Web Services provide a central run-time source for client applications to retrieve enterprise data. Although data can be stored locally, this practice is not encouraged. Whenever possible, data is retrieved through run-time calls in order to limit the propagation of enterprise data.

To ensure that communication between the client application and the Digital Asset Web Services is fault tolerant and more secure, the Enterprise Application Services IT group used Windows Communication Foundation. Windows Communication Foundation is a new subsystem in the .NET Framework 3.0 that unifies Web services and other distributed computing technologies into a single framework. The Digital Asset Web Services take advantage of this unified communication model and other enhancements in Windows Communication Foundation to provide the following features:

  • Global access. The Web service handles requests from client applications that are running internally on the corporate network, or that are running externally beyond the firewall in a trusted partner domain (extranet). This is accomplished through a Secure Sockets Layer (SSL) TCP duplex channel between two instances of the Web service. One instance handles internal requests, and the other instance handles external requests. Both instances are hosted inside Windows services that run on the Digital Asset Web Services server.

  • Certificate authentication. X.509 certificates are used to authenticate client applications before they call Web methods. The Web service sends and receives enterprise data only after the client application credentials have been verified.

  • Parallel processing. A centralized thread pool is used to handle large client requests of enterprise data. Large client requests are split into separate user work items in the thread pool, and then reassembled before the data is returned to the client application. This enables parallel processing and decreases Web service response times.

  • Tracing, message logging, and performance counters. Windows Communication Foundation logs all operations for performance and error analysis. Windows Communication Foundation includes a large set of performance counters that are used to evaluate application performance. Detailed tracing and message logging provide additional diagnostics that can be used for troubleshooting purposes.

  • Interoperability. Windows Communication Foundation is completely interoperable with existing client applications, even though the Web service includes technologies that are new in the .NET Framework 3.0. Client applications can use familiar .NET Web service methodologies to access the Web service. For example, client applications can create a Web service proxy class by reading a Web Services Description Language (WSDL) file. Additionally, client applications can call the Web service synchronously or asynchronously by using the standard Begin<WebMethodName> and End<WebMethodName> methods that are generated from a WSDL file.

Client applications can call the Web service within the corporate network or outside the corporate network. The process of retrieving data is as follows:

  1. The client application is authenticated in a two-step process:

    1. Authentication is established between the client application and the Web service component of the Digital Asset Web Services through X.509 certificate authentication.

    2. The Web service accesses a Microsoft SQL Server 2005 database to verify that the calling application has a current and valid subscription to access and retrieve data.

  2. The client application uses an encrypted SSL connection to retrieve enterprise data from the Web service component of the Digital Asset Web Services as follows:

    1. The client application calls a supported Web method.

    2. Each Web method returns a particular set of enterprise data.

    3. The Web service component of the Digital Asset Web Services calls an SAP Web service.

    4. The SAP Web service retrieves enterprise data from the SAP data store by using a remote procedure call (RPC), and then returns the data to the Web service component of the Digital Asset Web Services.

    5. The Web service component of the Digital Asset Web Services reassembles the data into the requested order and returns the data to the client application.

Any errors that occur are logged in the event log on the Digital Asset Web Services server. A Microsoft Operations Manager (MOM) server is used to monitor the event log and send alerts if the Web service is unavailable.
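The two-step authentication described above, written as a WCF service host in C# 2.0 style. This is an added example, not code from the Digital Asset Web Services; the contract name, the base address, and the Subscriptions table with its CertThumbprint, Status and SubscriptionExpires columns are assumptions. The point a practitioner should notice is that in Custom validation mode WCF no longer builds the certificate chain itself, so the validator must perform step 1a (chain trust and revocation) as well as step 1b (the subscription lookup).

```csharp
using System;
using System.Data.SqlClient;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the page's Web methods.
[ServiceContract]
public interface IEnterpriseData
{
    [OperationContract]
    string GetEmployeeData(string region);
}

// Step 1 of the retrieval process. WCF calls Validate() for each client
// certificate before any Web method runs. Because validation mode is Custom,
// chain building (1a) and the subscription check (1b) both happen here.
public class SubscriptionCertificateValidator : X509CertificateValidator
{
    private readonly string connectionString;

    public SubscriptionCertificateValidator(string connectionString)
    {
        this.connectionString = connectionString;
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        // 1a: chain to a trusted root and check revocation online.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(certificate))
            throw new SecurityTokenValidationException(
                "Client certificate chain did not validate.");

        // 1b: the certificate must be bound to an approved, unexpired
        // subscription in SQL Server. Table and column names are assumed.
        const string sql =
            "SELECT COUNT(*) FROM Subscriptions " +
            "WHERE CertThumbprint = @thumb AND Status = 'Approved' " +
            "AND SubscriptionExpires > GETUTCDATE()";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@thumb", certificate.Thumbprint);
            conn.Open();
            if ((int)cmd.ExecuteScalar() == 0)
                throw new SecurityTokenValidationException(
                    "No current subscription for certificate " + certificate.Thumbprint);
        }
    }
}

public static class DigitalAssetHost
{
    public static ServiceHost Create(Type serviceType, string connectionString)
    {
        // HTTPS carries the session (the page's SSL connection); the client
        // certificate is sent as the message credential.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        // Placeholder base address. The server certificate for HTTPS is bound
        // to the port separately (IIS or http.sys) and is not shown here.
        ServiceHost host = new ServiceHost(serviceType, new Uri("https://localhost/DigitalAsset"));
        host.AddServiceEndpoint(typeof(IEnterpriseData), binding, "Data");

        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new SubscriptionCertificateValidator(connectionString);
        return host;
    }
}
```

A request whose certificate fails either check is rejected at the security layer with a fault, so the Web method never executes and nothing reaches the SAP Web service.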

Client applications that use the Web service to retrieve enterprise data must have the following components installed on the computer:

  • The .NET Framework version 2.0

  • Web Services Enhancements version 3.0

Note: The Digital Asset Web Services were developed during the beta phase of the .NET Framework 3.0. Therefore, no existing client applications were able to use the Windows Communication Foundation application programming interface (API) natively. As more applications are developed that target the .NET Framework 3.0, Web Services Enhancements will no longer be required to access the Web service. However, the .NET Framework 2.0 is a prerequisite for the .NET Framework 3.0 and will still be required.

Auditing and Transaction Logging

To maintain control over access to enterprise data, the Digital Asset Web Services use auditing and transaction logging. Rigorous auditing ensures that subscriptions for enterprise data stay up to date. Transaction logging ensures that data owners can closely monitor who accesses their data and when.

Auditing is accomplished through scheduled jobs on SQL Server 2005. Three primary audit functions are used to restrict access to enterprise data through the Digital Asset Web Services:

  • Subscription validation. After subscription setup is complete, the subscription information is validated every 90 days. When this occurs, the subscription owner automatically receives an e-mail message. If substantial changes to the subscription information have occurred, the subscription owner must complete the subscription approval process again to obtain a new subscription approval. The subscription owner must act on the validation request within five days, or the subscription is automatically revoked. If this revocation occurs, client applications can no longer access the Digital Asset Web Services to obtain enterprise data.

  • Certificate renewal. Certificates expire every 365 days. E-mail warning messages are automatically sent to the subscription owner 90 days before the certificate expires. The e-mail warning messages include instructions about how to renew the certificate. If the certificate expires, client applications can no longer access the Digital Asset Web Services to obtain enterprise data.

  • Unused subscriptions. If a subscription is not used for 135 days, an e-mail message is automatically sent to the subscription owner. The subscription owner must use the Digital Asset Web Services ASP.NET Web application to justify why the subscription is still needed. If there is no valid reason for why the subscription has not been used for 135 days, the subscription becomes inactive and client applications can no longer access the Digital Asset Web Services to obtain enterprise data.
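The three audit rules above, carried through as one decision function. This is an added example and is written as C# rather than the SQL Server scheduled jobs the page describes; the SubscriptionRecord fields are assumed, and because the page gives no response window for the unused-subscription justification, the example treats a request that is still unanswered at the next audit run as "no valid reason" (an assumption).

```csharp
using System;
using System.Collections.Generic;

// Constructed model of one subscription row (assumed fields, not the page's
// schema). A null date means that event has not happened yet.
public class SubscriptionRecord
{
    public DateTime LastValidated;           // last completed 90-day validation
    public DateTime? ValidationRequested;    // when the current validation e-mail went out
    public DateTime CertificateIssued;
    public DateTime LastUsed;                // last logged Web method call
    public DateTime? JustificationRequested; // when the 135-day e-mail went out
    public bool UnusedJustified;             // owner answered via the ASP.NET application
}

public enum AuditAction
{
    RequestValidation,          // 90 days since the last validation
    RevokeMissedValidation,     // owner did not respond within 5 days
    WarnCertificateExpiry,      // 90 days or less before the 365-day expiry
    RejectExpiredCertificate,
    RequestUnusedJustification, // 135 days without a call
    DeactivateUnused
}

public static class SubscriptionAudit
{
    public const int ValidationIntervalDays = 90;
    public const int ValidationGraceDays = 5;
    public const int CertificateLifetimeDays = 365;
    public const int CertificateWarningDays = 90;
    public const int UnusedThresholdDays = 135;

    // Actions the scheduled audit should take for one record at time 'now'.
    public static List<AuditAction> Evaluate(SubscriptionRecord s, DateTime now)
    {
        List<AuditAction> actions = new List<AuditAction>();

        // Rule 1: re-validate every 90 days; the owner has 5 days to act.
        if (s.ValidationRequested.HasValue)
        {
            if ((now - s.ValidationRequested.Value).TotalDays > ValidationGraceDays)
                actions.Add(AuditAction.RevokeMissedValidation);
        }
        else if ((now - s.LastValidated).TotalDays >= ValidationIntervalDays)
        {
            actions.Add(AuditAction.RequestValidation);
        }

        // Rule 2: certificates expire after 365 days; warn 90 days ahead.
        DateTime certExpires = s.CertificateIssued.AddDays(CertificateLifetimeDays);
        if (now >= certExpires)
            actions.Add(AuditAction.RejectExpiredCertificate);
        else if ((certExpires - now).TotalDays <= CertificateWarningDays)
            actions.Add(AuditAction.WarnCertificateExpiry);

        // Rule 3: 135 idle days need a justification. Assumption: a request
        // still unanswered at the next audit run counts as "no valid reason".
        if ((now - s.LastUsed).TotalDays >= UnusedThresholdDays && !s.UnusedJustified)
        {
            if (s.JustificationRequested.HasValue)
                actions.Add(AuditAction.DeactivateUnused);
            else
                actions.Add(AuditAction.RequestUnusedJustification);
        }
        return actions;
    }

    // The Web service keeps serving this client only when no action revokes,
    // rejects or deactivates the subscription; warnings alone do not block it.
    public static bool AllowsAccess(List<AuditAction> actions)
    {
        return !actions.Contains(AuditAction.RevokeMissedValidation)
            && !actions.Contains(AuditAction.RejectExpiredCertificate)
            && !actions.Contains(AuditAction.DeactivateUnused);
    }
}
```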

Transaction logging is accomplished through SQL Server 2005. Because the Digital Asset Web Services centralize access to enterprise data, monitoring data usage is much easier than it was in the past. All client application calls to the Digital Asset Web Services are logged by recording what data was requested, when it was requested, and who requested it. Data owners can use SQL Server Reporting Services to obtain this information and run detailed reports.

Architecture

Figure 2 is an architectural diagram that shows how the Digital Asset Web Services interact with other components in the IT infrastructure.


Figure 2. Digital Asset Web Services architecture

In Figure 2:

  • SSL represents a Secure Sockets Layer connection between a client computer and the Digital Asset Web Services server.

  • MOM represents a Microsoft Operations Manager 2005 server. This server monitors the status of the Digital Asset Web Services server.

  • IIS represents an Internet Information Services version 6.0 server. One IIS 6.0 server hosts the Digital Asset Web Services, and one IIS 6.0 server hosts the SAP Web service.

  • SQL Server represents a SQL Server 2005 server. This server contains authentication and subscription information that is used to authenticate client computers.

  • RPC represents a remote procedure call that the SAP Web service makes to the SAP server to obtain enterprise data.

  • Future data stores represent enterprise data stores that the Digital Asset Web Services will access in the future.

Best Practices

During development of the Digital Asset Web Services, the Enterprise Application Services IT group identified the following best practices that may assist an organization that is planning a similar project.

Develop the Web Service First, and Then Develop the Workflow Model

It is easier to develop the workflow model after development of the Web service is complete. When the Web service is complete, an organization has a complete list of the Web methods, subscription criteria, and other data that shape the workflow model. Designing a workflow model before the Web service is complete may require substantial design modifications to the workflow later.

Maintain a Flexible Project Schedule

Software developers may need extra time to familiarize themselves with new technologies in the .NET Framework 3.0, such as Windows Communication Foundation and Windows Workflow Foundation. The organization should account for that possibility in the project schedule.

During the workflow implementation phase at Microsoft, developers who had previous experience with Microsoft BizTalk® Server were able to familiarize themselves with Windows Workflow Foundation more quickly. Most likely, this is because BizTalk Server uses similar workflow models and terminology in the Visual Studio environment.

Benefits

The Digital Asset Web Services deliver the following key benefits to Microsoft:

  • Centralized access and storage of enterprise data

    Client applications go through one central access point to retrieve enterprise data. This configuration limits the number of data stores and applications that save enterprise data, and it facilitates greater IT control over the data.

  • Enhanced security

    Because access to enterprise data is centralized, security has to be administered for only one system, instead of multiple systems across the organization. Security-enhanced transport mechanisms, such as SSL connections and X.509 certificates, provide additional levels of security that help ensure that enterprise data is viewed only by users who have the proper credentials.

  • Detailed auditing and transaction logging

    Enterprise data is provided on a need-to-know basis. Data subscriptions must be verified periodically, and X.509 certificates must be renewed once a year. Additional auditing controls ensure that subscriptions stay up to date. Detailed transaction logging ensures that data owners can easily determine which business groups are accessing their data.

  • Scalability and modular design

    The Digital Asset Web Services function as an intermediary abstraction layer between client applications and enterprise data stores. This service-oriented architecture promotes a scalable and modular environment that will allow easy connections to additional data stores in the future.

  • Alignment with corporate data-handling policies and regulatory requirements

    Because of their centralized architecture, the Digital Asset Web Services reduce liability and costs that are associated with audits and proving regulatory compliance.

  • Risk-avoidance savings

    The potential costs of not providing security-enhanced centralized data access are significant, in terms of financial loss and intellectual property, and in terms of potential harm to the company's reputation. The Digital Asset Web Services mitigate these risks.

  • Automation of data access processes

    The subscription and auditing processes are automated as much as possible. This automation improves overall reliability and reduces the chance of human error.

  • Simplified support

    Instead of maintaining support for multiple systems, the IT group can manage all data subscriptions in one location. This capability greatly simplifies and reduces the amount of support that is required.

  • Compatibility with existing applications

    The Digital Asset Web Services use technologies that enable interoperability with existing client applications. This interoperability eliminates the need to redesign existing applications to take advantage of the Digital Asset Web Services.

Conclusion

The Digital Asset Web Services provide a central point for accessing and controlling the propagation of enterprise data. The Enterprise Application Services IT group based the Digital Asset Web Services on two new technologies in the .NET Framework 3.0, Windows Communication Foundation and Windows Workflow Foundation.

Windows Communication Foundation enabled the Enterprise Application Services IT group to create a robust Web service that is able to handle requests for enterprise data in a more secure manner. Propagation of enterprise data, which is inefficient and a potential security risk, stays to a minimum.

Windows Workflow Foundation enabled the Enterprise Application Services IT group to create a streamlined subscription process that is automated as much as possible. Stages of the subscription process that require human intervention are fully monitored to reduce the chance of human error and delays.

By implementing the Digital Asset Web Services, Microsoft IT has been able to centralize access to enterprise data and exercise much greater control over who accesses the data. This has resulted in greater efficiency and enhanced security in the IT infrastructure. Because the Digital Asset Web Services are scalable and modular, Microsoft IT is well positioned to be able to respond quickly to future needs and demands for enterprise data.

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:

http://www.microsoft.com

http://www.microsoft.com/technet/itshowcase

http://msdn.microsoft.com/NETFramework

http://wcf.netfx3.com/

http://wf.netfx3.com/

© 2009 Microsoft Corporation. All rights reserved.