Screen-access level security provides user ID and password gatekeeping for information transmitted to a user interface. So-called “mash-at-the-glass,” presentation-centric mashups deal with information sent to one screen (the enterprise application) and can be mashed together with information from other screens (Web applications).
The issue with screen access is that any information delivered to the user interface -- a GUI application, Web application, or even an old mainframe terminal app -- can be extracted just as if you were talking directly to the database, service, or API. Those who use the screen must be validated through user IDs and passwords. Again, you are trusting that information, once it has been delivered to the screen, won't fall into the wrong hands.
Identity management recognizes that services aren’t for internal use only. Mashups that leverage services and corporate data need to be known and authorized, or you open the door to malicious or incorrect behavior. The basic idea behind identity management is to monitor all services’ producers and consumers and ensure that the services invoked are indeed the services meant to be invoked. In other words, all consumers are known, identified, authorized, and tracked -- as are all producers.
This is clearly the best way to approach mashup security, since you're dealing with many services -- and the mashups themselves -- each with its own identity information. Identity-based monitoring ensures that the correct services and mashups are interacting and exchanging only authorized information, and that there are no shenanigans taking place (intentional or not). Since you can track things at the component level rather than at the system or data level, this security approach offers much more granularity and thus more flexibility for mashups.
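To make the identity-based model concrete, here is an added example (not code from the article) of a small broker that sits between a mashup component (consumer) and a service (producer). Both parties must be known and identified, the consumer/producer pair must be authorized for the data class being exchanged, and every decision is tracked; the registry names, secrets and policy entries are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed registries for this example (assumed names, not from the article).
# Each known party has an identity and a shared secret registered with the broker.
CONSUMERS = {"sales-mashup": b"consumer-secret-1"}                          # mashup components
PRODUCERS = {"crm-svc": b"producer-secret-1", "hr-svc": b"producer-secret-2"}  # services
# Component-level policy: (consumer, producer) -> data classes they may exchange.
POLICY = {("sales-mashup", "crm-svc"): {"customer"}}
AUDIT = []  # every decision is tracked, whether allowed or denied


def sign(secret: bytes, request_id: str, party: str) -> str:
    """Identity assertion: HMAC over the request id, bound to the asserting party's id."""
    return hmac.new(secret, f"{request_id}:{party}".encode(), hashlib.sha256).hexdigest()


def identified(registry: dict, party: str, request_id: str, sig: str) -> bool:
    """Known (in the registry) and identified (signature matches the registered secret)."""
    return party in registry and hmac.compare_digest(sig, sign(registry[party], request_id, party))


def broker(consumer, consumer_sig, producer, producer_sig, data_class, request_id):
    """Identity-based gate between a mashup (consumer) and a service (producer)."""
    if not identified(CONSUMERS, consumer, request_id, consumer_sig):
        outcome = "deny: consumer unknown or not identified"
    elif not identified(PRODUCERS, producer, request_id, producer_sig):
        outcome = "deny: producer is not the service meant to be invoked"
    elif data_class not in POLICY.get((consumer, producer), set()):
        outcome = "deny: pair not authorized for this data class"
    else:
        outcome = "allow"
    AUDIT.append((request_id, consumer, producer, data_class, outcome))
    return outcome


def example_exchange(consumer, producer, data_class, producer_secret=None):
    """Run one exchange; producer_secret overrides the registered key (models a look-alike service)."""
    rid = secrets.token_hex(8)
    csig = sign(CONSUMERS.get(consumer, b"?"), rid, consumer)
    psecret = producer_secret if producer_secret is not None else PRODUCERS.get(producer, b"?")
    psig = sign(psecret, rid, producer)
    return broker(consumer, csig, producer, psig, data_class, rid)


if __name__ == "__main__":
    print(example_exchange("sales-mashup", "crm-svc", "customer"))        # allow
    print(example_exchange("sales-mashup", "hr-svc", "salary"))           # deny: not authorized
    print(example_exchange("sales-mashup", "crm-svc", "customer", b"x"))  # deny: wrong producer
    print(example_exchange("rogue-widget", "crm-svc", "customer"))        # deny: unknown consumer
    print(AUDIT)
```

The audit list is what gives the component-level tracking the article describes: each entry names the exact mashup and service pair, the data class, and the decision.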
Today, most enterprise mashups don’t use services or data controlled through an identity management infrastructure. The increased popularity of SOA will drive identity-based security, but for now, it’s not an option for most enterprises, due to cost and the newness of the technology.
Rolling out a secure platform
Moving from a security strategy to a real-world plan can be tough, thanks to the early-stage nature of the mashup trend. Nonetheless, a few best practices have already emerged:
Create a mashup development and operation policy for your enterprise, clearly defining what's allowed and what's not allowed when creating mashups. Follow up the policy with a mashup validation and verification process that's equally clear, well-communicated, and (hopefully) followed to the letter. Make sure that all mashup development is known to the security team, and that they work with the mashup developers on guidelines and best practices to ensure security is not an afterthought. The idea is to balance the need for security with the need for innovation.
Create a technology suite approach to mashup security, selecting key existing technology and standards for data-access level, service-access level, and access to information through user interfaces. Typically, you’ll deal with enabling technology already in place, such as security subsystems already bound to databases, APIs, and user interfaces. This is not optimum, but it’s the way security exists for mashups today. Both security professionals and mashup developers need to learn how to leverage it properly and enforce well-defined policies as previously outlined.
Create an identity management strategy around both SOA and mashups, which are really extensions to SOA in the first place. This means creating an identity management model for the architecture, including patterns of use within mashups. Then select the right identity management-based security technology, and develop a path to implementation. Typically, this is a long-term project, and it takes careful planning to get it right the first time.
Given the gestation period for identity management, most organizations will be forced into the policy and existing technology approaches first. But it’s worth it: Mashups offer a valuable new platform to quickly create enterprise applications that are practical and useful. And whether IT acknowledges it or not, increasingly sophisticated Web development is happening under the radar anyway. Properly implemented, a mashup strategy can provide a framework to bring all sorts of Web development into the fold.