Sophisticated middleware is making life a lot easier for many IT managers faced with multiple applications distributed across heterogeneous platforms. However, the industry is still grappling with the issue of security of applications running across these multiple platforms.
"There is not yet a common, cross-platform security standard for distributed software systems, so companies must choose middleware that integrates existing access monitoring procedures," says Joe Rios, Software AG business manager at SPL, a member of the Dimension Data Group. "The technology must ensure reliable, secure processing of operational business processes in a heterogeneous system landscape."
The problem is that applications on different platforms run under the control of different security systems.
Rios explains that there are two fundamental issues stemming from the myriad of security systems in operation. The first is authentication. The problem comes when a user legitimately logs onto Windows NT, for example, and initiates an application that subsequently accesses another application running on the mainframe. Somehow the mainframe has to know that the user is who he says he is - it must authenticate the user.
The other issue is one of authorisation. The mainframe must also determine just what that user is allowed to do.
"If a user remains on one platform where one security system has control, the process of authentication and authorisation is fairly straightforward and is usually accomplished with a single sign-on and user ID," says Rios. "But when a user application accesses multiple components across different platforms, the hurdle of remote authentication and authorisation must be overcome."
Most systems address this by passing the security information across the network, but this is a potential security risk, even with encryption.
So what should you look for in a middleware system to ensure security?
"The solution must integrate existing access monitoring procedures," says Rios. "Security system interoperability should be non-invasive with no impact on the end user. Security administrators should not have to modify their security environments in any way and should be able to continue to use existing security rules. The method should also be able to be easily extended to support evolving security systems.
"Make sure that the solution does not use any proprietary APIs. It's also important that the method is truly secure and does not require the transfer of user passwords during normal operation, which is always a weak point in any distributed security system."
On the server side, a trusted software agent acts as the intermediary between the middleware itself and the server's security system. The existing access monitoring procedures remain unaffected, and user administration continues as before. A significant advantage is that existing procedures remain valid, so the company's security policies do not need to be changed.
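The following is an added illustration of the trusted-agent pattern described above and of Rios's requirement that no user password crosses the network during normal operation. It is example code written for this article, not code from SPL, Software AG or any Dimension Data product, and every name in it (the issuer `windows-nt-domain`, the shared secret, the user and the rule table) is constructed for the example. The home platform's security system, after its own unchanged logon check succeeds, issues a short-lived signed assertion of the user's identity; the trusted agent in front of the target platform verifies that assertion and then applies the target platform's existing authorisation rules. The example also shows the checks a practitioner would want in such an agent: rejection of tampered, expired, replayed and unknown-issuer assertions.

```python
"""Remote authentication and authorisation without password transfer.

Constructed example: a home-platform security service signs an identity
assertion with a key shared with the trusted agent; the agent verifies it
and consults the target platform's existing authorisation rules unchanged.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Shared secret between the home platform's security service and the trusted
# agent. Provisioned out of band in practice; this value is constructed.
ISSUER_KEYS = {"windows-nt-domain": b"constructed-shared-secret-0001"}

ASSERTION_TTL_SECONDS = 60


def issue_assertion(issuer: str, user: str, now: Optional[float] = None) -> str:
    """Run on the home platform after its own logon check has passed.

    Only an identity claim is signed and sent; the password is never included.
    """
    now = time.time() if now is None else now
    claims = {
        "issuer": issuer,
        "user": user,
        "issued_at": int(now),
        "expires_at": int(now) + ASSERTION_TTL_SECONDS,
        "nonce": secrets.token_hex(8),  # makes each assertion single-use
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(ISSUER_KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


class TrustedAgent:
    """Sits between the middleware and the target platform's security system."""

    def __init__(self, authorisation_rules: dict):
        # The target platform's existing rules, used as they are.
        self.rules = authorisation_rules
        self.seen_nonces = set()

    def authenticate(self, assertion: str, now: Optional[float] = None):
        """Return (ok, user, reason) after verifying the signed assertion."""
        now = time.time() if now is None else now
        payload_text, sep, tag = assertion.rpartition(".")
        if not sep:
            return False, "", "malformed"
        try:
            claims = json.loads(payload_text)
        except json.JSONDecodeError:
            return False, "", "malformed"
        if not isinstance(claims, dict):
            return False, "", "malformed"
        key = ISSUER_KEYS.get(claims.get("issuer", ""))
        if key is None:
            return False, "", "unknown issuer"
        expected = hmac.new(key, payload_text.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False, "", "bad signature"
        if claims.get("expires_at", 0) < now:
            return False, "", "expired"
        if claims.get("nonce") in self.seen_nonces:
            return False, "", "replayed"
        self.seen_nonces.add(claims["nonce"])
        return True, claims.get("user", ""), "ok"

    def authorise(self, user: str, action: str) -> bool:
        """Authorisation decision comes from the existing rule table only."""
        return action in self.rules.get(user, set())

    def handle_request(self, assertion: str, action: str, now: Optional[float] = None) -> str:
        ok, user, reason = self.authenticate(assertion, now)
        if not ok:
            return f"denied: {reason}"
        if not self.authorise(user, action):
            return f"denied: {user} may not {action}"
        return f"allowed: {user} {action}"


if __name__ == "__main__":
    # Constructed rule table standing in for the target platform's own rules.
    agent = TrustedAgent({"alice": {"read_ledger"}})
    token = issue_assertion("windows-nt-domain", "alice", now=1000.0)
    print(agent.handle_request(token, "read_ledger", now=1010.0))
    print(agent.handle_request(token, "read_ledger", now=1010.0))  # replay
```

The agent never sees a password, so a captured assertion is worth at most one request for at most sixty seconds, and the authorisation step reads only the rules the target platform's administrators already maintain.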