Approach to eBusiness Security
Once the organization has defined a clear list
of security requirements, it can begin to identify technology that meets its
needs. By combining authentication and authorization with monitoring technology,
a comprehensive e-business security solution can be built. First,
authentication and authorization technology is used to control access to
e-business applications. This technology is valuable for any organization
building e-business applications. Businesses should evaluate the technology’s
capabilities in multiple areas:
- Core authentication and authorization functions, including single sign-on
- The ability to set policies for security
- Support for existing enterprise software
- Manageability
- Scalability and reliability
- Privacy
- Software quality
Second, monitoring technology minimizes the business risk associated with potential network
intrusions. This technology is particularly useful for organizations with
large, complex networks. Key features to consider are the technology’s ability
to correlate information from a wide range of data sources; its ability to
automate responses to routine problems; and its manageability.
Authentication and Authorization Technology:
To date, Web application developers have generally coded security logic into each
of their applications. Each application had to maintain its own access control
list of users, resources and the rights granted to each user. As the e-business
environment grows, this approach rapidly becomes problematic for several
reasons:
- It is expensive because of the need to replicate development and maintenance work across multiple systems.
- It requires time-consuming development when there is often corporate pressure to get online as quickly as possible.
- Maintenance is time-consuming and error prone.
Once the applications are online, it is vital to ensure that access control lists are kept up to date and in step across
multiple applications, and to make sure that as security policies change, those changes are simultaneously reflected across
the whole e-business environment. Each of these steps is an opportunity for error, inconsistency or delay, and can result in
security loopholes. An alternative approach is now possible. Technology is available that provides a security infrastructure
for all of an enterprise’s Web-based applications, eliminating the need to code and maintain security logic for each
application. This approach has been accepted as a standard method for developing mainframe applications for years, but the
technique is only now being extended to Web applications.
To be capable of managing access to the entire environment, this software should
handle a broad range of functions.
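The drift problem described above can be checked mechanically. The following is an added example, not code from the original page: it compares each application's own access control list against one intended policy and reports stale accounts, excess rights and missing rights. The application names, users, roles and rights are constructed sample data.

```python
# Added example; all names and data below are constructed for illustration.

# Intended rights per role, per application (the single source of truth).
POLICY = {
    "sales":   {"orders": {"read", "write"}, "catalog": {"read"}},
    "finance": {"orders": {"read"}, "billing": {"read", "write"}},
}

# Authoritative user-to-role mapping. "dave" has left and is no longer listed.
USER_ROLES = {"alice": "sales", "bob": "finance"}

# What each application actually holds in its own, separately maintained ACL.
APP_ACLS = {
    "orders":  {"alice": {"read", "write"}, "bob": {"read", "write"}, "dave": {"read"}},
    "billing": {"bob": {"read", "write"}, "dave": {"read", "write"}},
    "catalog": {},
}


def audit_acls(policy, user_roles, app_acls):
    """Return (app, user, finding, rights) tuples where an ACL departs from policy."""
    findings = []
    for app, acl in sorted(app_acls.items()):
        for user in sorted(set(acl) | set(user_roles)):
            actual = acl.get(user, set())
            if user not in user_roles:
                # Account no longer exists centrally but still holds rights here.
                if actual:
                    findings.append((app, user, "stale-account", sorted(actual)))
                continue
            intended = policy.get(user_roles[user], {}).get(app, set())
            if actual - intended:
                findings.append((app, user, "excess-rights", sorted(actual - intended)))
            if intended - actual:
                findings.append((app, user, "missing-rights", sorted(intended - actual)))
    return findings


if __name__ == "__main__":
    for finding in audit_acls(POLICY, USER_ROLES, APP_ACLS):
        print(finding)
```
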
Authentication and Authorization:
The fundamental requirement is for technology that handles the authentication and
authorization of all users (whether inside or outside the enterprise) accessing
all e-business applications. All user attempts to access an e-business system
are handled by the security infrastructure technology, which authenticates the user and grants the
appropriate access to the requested system or systems. Many authentication methods exist, ranging from
simple usernames and passwords to stronger methods such as tokens or digital
certificates. Different types of authentication methods may suit different
organizations. Applications and access methods tend to become less convenient
for users and become more expensive as they increase in security. Passwords and
usernames encrypted on transmission may be adequate for some resources, and may
be the most practical approach for access via mobile devices that have limited
computing power. For access to sensitive business information, token-based
products or digital certificates may be more appropriate. An additional factor
is that organizations may have already installed one of these authentication
technologies and want to extend use of the technology for new e-business
applications as well. A solution should be able to support all of these
techniques, which implies that it must be able to interface to the leading
specialized authentication technologies, such as tokens from RSA, or PKI
systems from Entrust or IBM. A major advantage of a security infrastructure is
that organizations should not have to change their application logic in order
to change or add new authentication technologies. Further, they should be able
to implement changes at the security infrastructure level and have applications
evolve transparently.
In many cases, centralizing security into an infrastructure product has the
additional security benefit of removing the need to hold authorization
information in multiple places, such as application servers and desktops.
Adopting a security infrastructure also means it should not be necessary to
change the security logic in applications in order to take advantage of new
devices—a major consideration when organizations are looking at supporting
access from thousands of handheld wireless devices during the next few years.
The infrastructure should be able to handle access via wireless networks and
handheld devices, so users can access applications whether at home, in the
office, or on the road. This means that it must interface to the gateways that
handle traffic from wireless networks.
Single Sign-On:
A related and extremely useful benefit in some technology is the ability to
provide single sign-on to all corporate applications. When security logic is
coded into each application, the number of passwords and logins that users have
to remember and enter grows along with the number of e-business applications.
This also imposes a considerable management burden. Administrators have to add
users to each system they will use, and delete them from each system if they no
longer have access. Because the security infrastructure maintains authorization
information for each user and resource, it is able to authenticate the user
once, and then seamlessly provide access to each system the user is authorized
to use.
Policy Setting:
An infrastructure product provides a central point for implementing security
policy across the organization. Ideally, a product will allow the establishment
of security policies that reflect the structure of the organization, yet are
flexible enough to fit the needs of specific groups or applications.
The default policy for employees could be to provide access to human resources
and other general corporate information. Specific needs of different groups can
be met simply by creating new group profiles where needed. For instance,
marketing people might get access to the default systems plus specific sales
information. This approach avoids the need to define and maintain separate sets
of access rights for each user.
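The default-plus-group-profile model described above, as an added example that is not part of the original page or any product it mentions: a central policy store in which group profiles inherit from a default profile, unknown users are denied, and one change to the default profile reaches every group. The class, profile, user and resource names are hypothetical.

```python
# Added example; PolicyStore and all names below are hypothetical.
from typing import Optional


class PolicyStore:
    """Central policy: each profile may inherit from a parent profile."""

    def __init__(self):
        self._profiles = {}  # profile name -> (parent name or None, resources)
        self._users = {}     # user -> profile name

    def define_profile(self, name, resources, parent: Optional[str] = None):
        if parent is not None and parent not in self._profiles:
            raise ValueError(f"unknown parent profile: {parent}")
        self._profiles[name] = (parent, frozenset(resources))

    def assign(self, user, profile):
        if profile not in self._profiles:
            raise ValueError(f"unknown profile: {profile}")
        self._users[user] = profile

    def revoke(self, user):
        # One removal here ends access to every application at once.
        self._users.pop(user, None)

    def effective_resources(self, profile):
        granted, seen = set(), set()
        while profile is not None:
            if profile in seen:  # a redefined profile could create a loop
                raise ValueError("cycle in profile inheritance")
            seen.add(profile)
            parent, resources = self._profiles[profile]
            granted |= resources
            profile = parent
        return granted

    def is_authorized(self, user, resource):
        profile = self._users.get(user)
        if profile is None:
            return False  # deny by default: unknown or revoked user
        return resource in self.effective_resources(profile)


def build_example_store():
    store = PolicyStore()
    # Default employee profile: human resources and general corporate information.
    store.define_profile("employee", {"hr-portal", "corporate-news"})
    # Marketing gets the default systems plus specific sales information.
    store.define_profile("marketing", {"sales-reports"}, parent="employee")
    store.assign("erin", "employee")
    store.assign("mark", "marketing")
    return store
```
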
Support for existing Enterprise Software:
The solution should integrate with existing enterprise applications, so that an organization does not have to build and
maintain two independent security infrastructures. This means that the solution should support standard interface
technologies used by other applications. In addition, it should provide integration with specific products that are widely in use.
The infrastructure should also be able to take on security tasks for other applications. Finally, it should be able to make
use of existing authorization policies by accessing security technology that is already in place. One key interface is the
Authorization API (aznAPI), an industry standard supporting a full set of authorization services. AznAPI can be accessed
from applications based on standard technologies such as C, CORBA, and Java. AznAPI support also enables other applications
to use the e-business security infrastructure for authentication and authorization, making it easier to extend existing
applications to the Web. In addition, custom interfaces to specific industry-standard products speed the process of
integrating with existing applications. An example of such a product is IBM’s MQSeries, a message-passing technology that
is widely used for application-to-application communications. Another key standard is Lightweight Directory Access Protocol
(LDAP), a standard directory interface. LDAP-compliant directories are used by many organizations and applications to store
user and other information. An LDAP interface enables a security infrastructure to accommodate and integrate with LDAP-compliant
products.
Manageability:
The security solution occupies a central role in the e-business environment, and will be heavily used by
administrators to maintain the access rights for all e-business applications. Manageability is key in keeping administrator
workload to a minimum. The solution should let administrators define access rights for all users and applications from a
central console. A role-based approach reduces the everyday workload by minimizing the need to set up access rights for
individual users. An additional useful feature, particularly in large organizations, is the ability to delegate subsets of
management authority to different groups. This means that a business unit can be given responsibility to make changes for its
own users, or that management tasks can be delegated to specific administrators.
Scalability and Reliability:
E-business involves being available 24 hours a day, seven days a week. The solution must
be offered on well-supported, highly scalable server platforms and capable of
operating in redundant configurations for increased reliability. It should also
be able to operate in replicated, load-balanced configurations across multiple
servers so that organizations can be confident that the software will scale to
meet demands. The security infrastructure can play a further role in improving
resource use across the e-business environment. Because it processes all access
requests, the infrastructure is in a position to direct requests to the least
heavily used resources. In an environment where replicated e-business
application servers are used to meet demand, the security structure can play a
load-balancing role by monitoring server use and directing incoming requests
accordingly.
Monitoring technology is as important as authentication and authorization.