Feeds

ID and the triple-A challenge of mashup security

Sources unknown

Next gen security for virtualised datacentres

The loose coupling of data drawn from different systems is one of the enduring appeals of mashups. However, what if some of that data needs to be handled securely, or it is necessary to log in to some or all of the data feeds? What if the mashup as a whole represents some form of sensitive system - now security is an issue.

Last time I looked at the technical challenges facing development of mashups. Now, it's time to turn to the security issues you'll need to consider when building enterprise-oriented mashups.

The most important questions the enterprise-based mashup developer must consider are:

  • Security of the communications medium
  • User identity and authentication
  • Authorization
  • Auditing

Let's take these individually.

Secure communications

Sensitive data is likely to require confidentiality (that is, encryption) in any application, and you must take care not put it at risk when you mash it with other sources. Of course there are protocols available that allow for encryption of data from SSL and HTTPS through to custom encryption implementations.

Mashups are complicated because data is provided by different sources using different technologies, meaning a single encryption method is unlikely to be suitable. For example, many mashups rely on the use of web-service standards, but these could be augmented by other protocols such as RSS data feeds, RMI and REST. In a further twist to the complexity, web services have an emerging set of security standards such as WS-Security, WS-SecureConversation and WS-Trust that are at varying degrees of completion and commercialization. The WS-* family are also increasingly seen as a rather inflexible way of building web services compared to architectures like REST.

User identity and authentication

The concept of identity and the authentication of that identity are typical concerns for enterprise systems. For distributed applications a common approach is to adopt some form of single sign-on model. In this model a user logs in once to a system and then each system they access beyond this can confirm that the user is already logged in. This is usually achieved via some form of ticket provided to the user session on initial log in and this ticket can then be checked with a central server by each subsequent system. There are numerous single sign-on systems available (such as CA's SiteMinder) and APIs to access them (such as the Java Authentication and Authorization Service).

In such scenarios all the systems that need authentication work together to represent a single security domain - in the mashup world, this may or may not be the situation. Of course, developers will (and have) found ways around this but if the mashup holds appropriate (possibly hard coded) security details for each system accessed then this in itself represents a security concern.

Authorization

Authentication is one thing, but what about authorization? This relates to the confirmation that a user of a service has the right to perform the operation being selected. Such access control rights information may be held in a repository like an LDAP-based directory or in a priority system that, once the application has authenticated the user, can check to see they are allowed to access the specific data they have requested. This may be an issue for enterprise mashups as the data source could come from outside.

Auditing

Finally, in many enterprise systems you will find people talk about the triple As of security - AAA. The first two - authentication and authorization - we have covered. Equally important and challenging in the mashup is the third - auditing. Auditing comes when the enterprise wants to know who did what to what, and what information they used. Again, as the systems being used may come from outside the control of the enterprise, auditing may not be possible.

Think first, then mash

Mashups are already moving into the corporate domain particularly within the information worker arena, thanks to applications and middleware from BEA Systems, IBM, Microsoft and Oracle among others. However, if corporates adopt mashup technologies for a wider range of applications then security will be an issue at some point. The key take away here is not that the issues I've raised can't be resolved, but they need to be considered right at the start of any mashup development, and not assumed or tacked on as the application progresses.®

The essential guide to IT transformation

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
Time to move away from Windows 7 ... whoa, whoa, who said anything about Windows 8?
Start migrating now to avoid another XPocalypse – Gartner
You'll find Yoda at the back of every IT conference
The piss always taking is he. Bastard the.
HANA has SAP cuddling up to 'smaller partners'
Wanted: algorithm wranglers, not systems giants
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.