Trends In Application Security
Nand Mulchandani
Thursday, June 26, 2008
AT UNPRECEDENTED SPEED, Internet technology has permanently transformed business processes. The most agile enterprises have rapidly found that they can do more with less by rebuilding their business models around Web-based commerce and network-centered applications. Moreover, they have revamped their once closely guarded business networks as new, collaborative environments connecting their employees, customers, partners, and suppliers.

By linking everyone involved in their e-business initiatives, these innovators have harnessed the potential to increase revenue, reduce costs, and improve productivity. But to realize this competitive advantage, companies must overcome a technological challenge at the core of e-business: how to securely and cost-effectively manage the expanding numbers of people, in a wide variety of roles, requesting network information.

As enterprises have raced to build and implement new Internet applications, this issue of application security is an important one that needs to be addressed. Typically, each new application has been independently deployed with its own security system, its own set of information about authorized users, and its own management interface. The result is an IT nightmare that threatens to cancel out the essential benefits of e-business. Disjointed information systems about network users and their access privileges slow application deployment, raise network ownership costs, drain expensive IT resources, and threaten enterprise security. The security architecture of a large enterprise is extremely complex, with multiple layers of security enforcing different policies at different layers of the network and application stack. Over time, this complexity has driven up the cost of operating and securing a company's infrastructure, in addition to opening up new security vulnerabilities that can be exploited.

The Need for Identity-based Security
The ubiquitous HTTP port has become a huge hole that is being exploited directly as more and more traffic is tunneled through it. Traditional perimeter security systems such as firewalls, intrusion detection, and to some extent VPNs and remote connectivity systems, are mainly focused on perimeter security intended to keep the "wrong" people out of the enterprise. Perimeter security tends to work at the network layer and is typically anonymous: it enforces policy but does not take into account who the user is or what he or she is allowed to do. Also, perimeter security tends to be enforced in an "all or nothing" fashion instead of a granular, resource-specific way. As the perimeter becomes more porous and allows more traffic through, it becomes increasingly important to enforce security based on the identity of the user in order to secure enterprise resources effectively. This allows security to be enforced at the resource level, as generally or as specifically as an enterprise would like.

Defining Identity-based Security
Identity-based security has three important parts. The first part is the data stores that hold the identities of users, which are used for enforcing security. Typically, but not always, this information is stored in LDAP-based directory servers. The second part, sometimes called "web access management," is about enforcing security based on these identities. Its primary components are web single sign-on, authentication, authorization, and auditing. The third, and most often overlooked, part of the equation is Identity Management. It is well known that the richer the identity information, the better security enforcement can be. This typically encompasses a number of different things such as identity administration, account provisioning, and password synchronization.

The Impact Of Web Services
Currently, most of the application traffic flowing in and out of an enterprise is between users and applications. As customers deploy web-services based applications to integrate their business processes with partners, the same set of security issues such as authentication and authorization apply to these web services as well.

There are a number of interesting issues which arise when dealing with web services. First, most connections between applications are made at the organization-to-organization level, not at the user-to-organization level. Therefore, the context of which user initiated the transaction is important, and it is generally lost in the integration. In addition, the type of data (structured XML versus unstructured HTML) and the fact that XML-based transactions could pass through third parties add to the security concerns for web services.

The reality today is that most customers have not deployed any substantial cross-firewall web-services-based systems. It is believed that it is only a matter of time before this changes, and when it does, it will definitely redefine the scope of Identity-based security systems to include applications and transactions, as well as force changes in the security infrastructure to handle these new systems. The rise of standards such as WS-Security (currently being worked on in OASIS) will also help solve many of the interoperability issues facing web services.

Security Federation
As organizations are becoming more closely linked together through the internet and internet-based systems, the need for cross-organization security becomes more important. "Federated Security" is the act of closely linking the security systems for different organizations together. These can be divisions within a large enterprise or different companies that are doing business together.

There are numerous examples of federations between different companies and systems: companies interact electronically all the time, not only with partners and suppliers but also with customers with whom they have deep and long-standing relationships. Customers deploy B2C sites, where single sign-on among different sites is important. As customers deploy B2B sites (extranets), the partners that use those sites on a regular basis are the ones that will require tight integration through federation.

There are many well-publicized "Security Federation" systems and standards in place today. Systems like Microsoft Passport, the Liberty Alliance specifications, as well as standards such as SAML are all aimed at providing services and standards that enable federation between multiple security systems. This is clearly an area that will grow in significance as more companies attempt to reduce operating costs while increasing security of their links with other organizations.

Opportunities
Today, there are still too many systems and components that need to be integrated together to give a customer a complete system for application security. This drives up the cost of deployment and reduces the overall efficiency of the system. This obviously presents an opportunity to create an integrated, end-to-end system that handles this for customers with complex requirements. Even within that, there are many unmet customer needs in the areas of application authorization, account provisioning, and even application content security.

One of the benefits of having a ubiquitous IP-based network has been the ability to create layers in the network that are independent of each other. Therefore, how a lower-level service is provided is insulated from the higher-level services that depend on it. Examples are being able to use your web browser regardless of how your computer is connected to the internet—whether it be dialup, wireless, or a LAN.

These layers, however, have brought a level of independence that has also increased security risks. When a user logs into their computer, then dials up using their system, then connects to the network using a VPN, and then logs into an enterprise application, a number of authentications and authorizations happen across the network. While this is not necessarily an issue in itself, as authorization at different layers and points is important, the fact that the context of the user is not carried through is an issue. This defeats the overall auditability of the transaction, and makes it impossible to set up a larger policy that is enforced on an end-to-end basis.
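The contrast drawn in "The Need for Identity-based Security" (anonymous, port-based perimeter checks versus identity-aware, resource-level checks) and the point above about carrying the user's context through every layer can be modelled in a few lines. The following is an added illustration, not code from the article or from Oblix; the identity store, policy table and user names are constructed stand-ins for a directory and a web access management policy.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed stand-in for an LDAP directory: user -> attributes.
IDENTITY_STORE = {
    "alice": {"dept": "finance", "roles": {"ap-clerk"}},
    "bob":   {"dept": "eng",     "roles": {"developer"}},
}

# Constructed resource-level policy: path prefix -> roles allowed to reach it.
POLICY = {
    "/finance/payables": {"ap-clerk"},
    "/eng/builds":       {"developer"},
}

@dataclass
class RequestContext:
    """The user's identity rides along with the request through every layer,
    so each enforcement point can log who did what (end-to-end auditability)."""
    user: str
    path: str
    port: int
    audit: List[str] = field(default_factory=list)

def perimeter_check(ctx: RequestContext) -> bool:
    """Anonymous, all-or-nothing: the decision depends only on the port."""
    allowed = ctx.port in (80, 443)
    ctx.audit.append(f"perimeter port={ctx.port} {'allow' if allowed else 'deny'}")
    return allowed

def identity_check(ctx: RequestContext) -> bool:
    """Identity-based: the decision depends on who the user is and which
    resource is requested, and the audit record names the user."""
    attrs = IDENTITY_STORE.get(ctx.user)
    if attrs is None:
        ctx.audit.append(f"authn user={ctx.user} unknown -> deny")
        return False
    for prefix, roles in POLICY.items():
        if ctx.path.startswith(prefix):
            ok = bool(attrs["roles"] & roles)
            ctx.audit.append(f"authz user={ctx.user} path={ctx.path} {'allow' if ok else 'deny'}")
            return ok
    ctx.audit.append(f"authz user={ctx.user} path={ctx.path} no policy -> deny")
    return False

def handle(ctx: RequestContext) -> bool:
    """Both layers enforce; the shared context keeps the user in every record."""
    return perimeter_check(ctx) and identity_check(ctx)
```

Note that the perimeter layer alone would admit any of these users to any path on port 443; only the identity layer distinguishes them, and only the shared context lets the audit trail say who was behind each decision.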

Another interesting, long-term opportunity is to drive the identity of a user deeper into the network. A lot of attacks and problems in today's environment can be avoided by having the context of the user being carried along with every specific request. It then becomes harder for a hacker or attacker to remain anonymous and not be subject to specific, identity-based security. While this will not eliminate some types of attacks, it can potentially be a way of delivering better security to the enterprise network.

Identity-based security is a growth area today, with most enterprises recognizing the need to implement and deploy these systems to increase security and drive down operational costs. As traffic through the firewall increases, as web-based systems become more prevalent, and as the level and granularity of security required increases, it becomes more important to focus on how to enforce security at a more granular level. As in any growing market, there will be many interesting developments in this space over the next few years that should give existing and new players a number of opportunities to take advantage of.

Nand Mulchandani is Chief Technology Officer and has been with Oblix since he co-founded the company in June 1996. Prior to Oblix, Mulchandani worked in the Developer Products Group at Sun Microsystems on compiler code-generation and optimization, and helped develop the JIT compilers for Java.
