Enforcing security and access control on geospatial Web services is a thorny problem, and one that the industry has not traditionally addressed well. Spatial data presents unique challenges that are not easily handled by the methods used to secure other types of Web content. Access may need to be granted or restricted based on geographic regions, imagery resolutions, scale, etc. Most existing access control technologies cannot easily describe these types of conditions. Because a request for spatial data may be framed in a variety of ways and includes complex geographic components, it is very difficult to understand exactly what is being requested without a thorough comprehension of the geospatial elements of the request. Any software that acts as a gatekeeper needs to be nearly as complex and intelligent as the services it is protecting.
Spatially-aware, intelligent access control
CubeWerx solves these problems by leveraging our powerful geospatial technology to implement a spatially-aware access control mechanism. Completely integrated with our Web services, the software analyzes each request and matches it against a set of pre-determined rules to decide whether or not to allow access. Since it is integrated with the same services that it is protecting, it operates with full knowledge of the nature of each request.
Security at the Web service level
Because security is implemented at the Web service level, it is automatically available to all clients, from desktop to mobile. A simple set of credentials accompanies all requests, and one set of rules applies to all access. There is no way to bypass access control by going directly to the underlying services because it is part of those services. Indeed, many users will not even realize that security is in place. They will simply see a different set of data or geographic regions depending on their identity.
A powerful, flexible rule grammar
Access control rules are of course highly variable. A flexible grammar is required to describe all situations that may be necessary. Our technology allows rules to be applied to individual users, roles, IP addresses, or any combination of the above. Access may be granted based on Web service types, map layers, feature types, map scales, image resolutions, geospatial regions, and more. Rules may be set to expire at a given time.
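The rule matching described above, as an added example (not CubeWerx code and not its actual rule grammar): a default-deny check of a WMS GetMap-style query against rules keyed on role, client network, layers, region and expiry. The `Rule` fields, function names and sample data are assumptions made for illustration, and the bounding box is assumed to be in x,y axis order in a single coordinate system.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl

@dataclass(frozen=True)
class Rule:                 # hypothetical rule shape, not the product's grammar
    role: str
    network: str            # CIDR the client must connect from
    layers: frozenset       # map layers this rule grants
    region: tuple           # (minx, miny, maxx, maxy) the role may see
    expires: datetime

def contains(outer, inner):
    """True only if inner lies entirely inside outer; overlap is not enough."""
    return (outer[0] <= inner[0] and outer[1] <= inner[1]
            and inner[2] <= outer[2] and inner[3] <= outer[3])

def parse_getmap(query):
    """Read LAYERS and BBOX case-insensitively, refusing repeated parameters."""
    params = {}
    for key, value in parse_qsl(query):
        if key.upper() in params:   # the service might honour the other copy
            raise ValueError("duplicate parameter")
        params[key.upper()] = value
    layers = frozenset(params["LAYERS"].split(","))
    bbox = tuple(float(x) for x in params["BBOX"].split(","))
    if len(bbox) != 4 or bbox[0] >= bbox[2] or bbox[1] >= bbox[3]:
        raise ValueError("malformed BBOX")
    return layers, bbox

def allowed(rules, roles, client_ip, query, now):
    """Default deny: one unexpired rule must cover every layer and the whole bbox."""
    try:
        layers, bbox = parse_getmap(query)
        ip = ip_address(client_ip)
    except (KeyError, ValueError):
        return False        # a request the gatekeeper cannot parse is refused
    return any(r.role in roles and now < r.expires
               and ip in ip_network(r.network)
               and layers <= r.layers and contains(r.region, bbox)
               for r in rules)

# Constructed sample data
RULES = [Rule("field-staff", "10.20.0.0/16", frozenset({"roads", "parcels"}),
              (-80.0, 43.0, -75.0, 46.0),
              datetime(2030, 1, 1, tzinfo=timezone.utc))]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
```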
Single sign-on/distributed Web services
The credentials provided by the authentication service may be set up to provide Single Sign-On (SSO) capability. This allows access control to be enforced on distributed Web services. An organization can share its data with other stakeholders while maintaining complete control over it.