Authorization Management Tools Emerge

On the day it opened for business, London-based Egg PLC expected 5,000 calls to its telephone banking operation. Egg, as in "nest egg," got 10 times that. And even before its first day of business two years ago, the company had already changed its mind on its delivery model. It wanted its banking services also delivered over the Web.

In the midst of this tumult, Egg executives hired consultant Lain Hunneybell to develop the bank's Internet strategy. Hunneybell needed a security mechanism that would scale to the company's rapid growth in customer volume, account changes and application offerings.

He decided on an authorization infrastructure, something so new at the time that he could find only one vendor qualified to offer it.


Authorization Management Tools

SiteMinder

Company: Netegrity Inc., Waltham, Mass.

Pricing: $1 to $15 per user, based on volume

www.netegrity.com

getAccess

Company: enCommerce Inc., now merged with Entrust Inc., McLean, Va.

Pricing: 25 cents to $25 per user, based on volume

www.entrust.com

ClearTrust SecureControl Version 4.2

Company: Securant Technologies, San Francisco

Pricing: $20 per user, with volume discounts available

www.securant.com

"As we went to the Web, one of our first issues was fine-grained access controls," Hunneybell says. "It wasn't easy. We worked a lot of hours to build the authentication, protection of resources and access controls into the infrastructure."

Hunneybell made a wise choice. The new authorization infrastructure not only scales to 1.2 million users, but also accommodates new applications and access rules on the fly.

Key to Security

The authorization infrastructure - the directories to store user attributes and rules engines that implement policies - is fast becoming a key security element in electronic business deployment, according to John Pescatore, an analyst at Stamford, Conn.-based research firm Gartner Group Inc.

Authorization management systems go beyond traditional authentication mechanisms (passwords, smart cards and public or private keys) to authorize user access to information assets and to wrap those privileges around user sessions.

"It's one thing to know who you are [which you get with authentication], but we need to know what you're allowed to do [which you get with authorization]," Pescatore says. "This drags along with it other things, including a whole mix of authentication mechanisms, like access from wireless devices" [Technology, Sept. 4].

Until 1998, companies deploying any sort of authorization management systems were left to their own devices - mixing and matching access lists in Lightweight Directory Access Protocol (LDAP) directories, Oracle databases or SQL servers, and coding each application to talk to these directories.

But the problem lay in getting these systems to complete very granular authorizations that could distinguish, for example, whether or not Joe the purchasing agent could authorize a purchase of more than $1,000, or that Jane in accounting had access to accounts receivable but not payroll. In response, a few vendors have developed an emerging class of authorization management tools that automate many of these tasks. Each uses a different approach to solve the problem.

Egg used McLean, Va.-based Entrust Technologies Inc.'s getAccess to integrate corporatewide access rules into its Web server front end. The product encrypts Egg's customer sessions as high-strength tokens to go with the customer from page to page, allowing or disallowing access based on the rules drawn from the company's customer database.

But Egg stands among a small group of businesses that have bought into authorization management tools. Most say that these tools require too much recoding of their existing application-based access rules to make them talk to the products. Still, the tools hold promise, according to Pescatore, who adds that many of these problems will sort themselves out as the products mature and as enterprises Web-enable their applications.

Egg gives a living example of how far the tools have already come. During the project's planning stages in 1998, getAccess was the only shrink-wrapped authorization management tool around, says Hunneybell.

When the product actually made it to implementation late last year, getAccess was at Version 3.6, he says. That version of getAccess has simplified application coding and given his team "a lot of flexibility" to change access privileges on the fly, he adds.

To make it work, Egg developers define protected resources on the Web server. As a user requests access to information, getAccess retrieves the customer's roles from the company's customer database and attaches those roles, in the form of access rules, to the customer's session.

"Our whole goal was to separate security from the actual Web application for reasons of simplifying application coding and avoiding accidental security mistakes," Hunneybell says. "Now we can chop and change levels of customer access and [the] applications added to our customer portfolios."

The Web server portion of the authorization management application can be likened to a sentry checking everything at the front door and allowing only certain requests to come through, explains Eric Olden, chief technology officer and co-founder of Securant Technologies, a start-up authorization management vendor in San Francisco.

"It's all about managing relationships between users and resources," he says. "You could go through users and define their roles [in the database] or you could go to a resource and put a rule around it saying to get to this resource, the following conditions must be met."

These conditions hold the most promise of making fine-grained access rules a reality, Olden continues. Rules like, "Only allow access to a premium customer with $10,000 in our money-market accounts," he adds. "Our system kicks in and says that's a protected Web page and will check the user's profile to see if that's a platinum customer or not."
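The model described above (roles attached to the session, rules placed on resources and checked at the front door) can be sketched as follows. This is an added example, not part of the original article and not any vendor's code; it uses an HMAC-signed token rather than the encrypted tokens the article mentions, and the key, resource paths, attribute names and limits are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: secret held only by the web tier

def _sign(body):
    return hmac.new(KEY, body, hashlib.sha256).digest()

def issue_token(user, roles, attrs, ttl=900, now=None):
    """Attach the user's roles and attributes to the session as a signed token."""
    exp = (now or time.time()) + ttl
    body = json.dumps({"sub": user, "roles": roles, "attrs": attrs, "exp": exp}).encode()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(_sign(body)).decode()

def read_token(token, now=None):
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > (now or time.time()) else None

# Rules are attached to resources, outside the application code (constructed policy).
RULES = {
    "/premium/rates": lambda c, req: c["attrs"].get("money_market", 0) >= 10_000,
    "/purchasing/approve": lambda c, req: "purchasing" in c["roles"]
        and req.get("amount", float("inf")) <= c["attrs"].get("purchase_limit", 0),
    "/accounting/receivable": lambda c, req: "accounting" in c["roles"],
    "/accounting/payroll": lambda c, req: "payroll" in c["roles"],
}

def authorize(token, resource, req=None, now=None):
    """Front-door check: deny unless a valid session satisfies the resource's rule."""
    claims = read_token(token, now)
    rule = RULES.get(resource)
    if claims is None or rule is None:
        return False  # bad or expired token, or no rule for the resource: deny
    return bool(rule(claims, req or {}))
```

Because the rules sit in one table keyed by resource, changing a threshold or adding a protected page does not touch application code, and a token whose contents were altered after issue fails the signature check and is denied.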

Like many dot-coms, Egg runs a browser-driven network. But organizations with mixed environments and legacy systems say these tools create an integration nightmare. To use these tools, integrators must first recode their applications to accept HTML. Then they need to recode customized access rules inside their applications in a standardized format fitting with their authorization management products. So once they choose a product, there's no going back.

Pescatore notes that most of the tools are no walk in the park. But he also says the work is worth it. "As enterprise applications become Web-enabled, these [authorization management] applications are pretty straightforward," Pescatore notes. "The benefit is that, with these tools, you can change an authentication mechanism from passwords to certificates or smart cards without having to reprogram. The other benefit is consistency of customer access to multiple applications, but that means writing your applications to accept the vendor APIs."

Buy vs. Build

One person who found these integration issues worth the hassle is John Voss, worldwide e-business operations manager at Philips Semiconductors in Sunnyvale, Calif.

Like Hunneybell, Voss was charged with building a flexible security infrastructure that would support extranets and customer-facing Web-based applications. One application, a reward program that gives credit to distributors for designing proprietary Philips parts, required very fine-grained rules. The goal was to allocate these resources using a single sign-on that would scale to support up to 10,000 users.

Voss chose Netegrity Inc.'s SiteMinder. The most complicated part of the process, he says, was designing his company's applications to pass information off to SiteMinder and vice versa. It also meant dumping some of Philips' marginal applications, like Delegated Admin, in Netscape's Unified User Management Suite.

"It's been a long process and required a lot of Java programming and re-engineering," he says. "We got rid of Delegated Admin and built our own similar application, integrated it with SiteMinder and used it to manage authentication and access controls."

Voss says he's happy with the new system, which went live in April, although he calls it a continuing work in progress. He adds, "I wish I could have spent more time with vendors up front, clarifying exactly how the hand-off will work between SiteMinder and the application code."

Fortunately, Voss didn't need to link SiteMinder into his legacy systems, which are currently being converted to SAP AG's human resources software by another development team. But this lack of legacy integration is the reason many firms won't consider buying vendor authorization products right now.

"Authorization management products can't be fine-grained enough without having intimate knowledge of the applications they're trying to control," says Steph Marr, vice president of information security at Predictive Systems Inc., an integration consulting services firm in New York. "[The vendors will] do this for some of the major interfaces to large applications like Oracle databases. But they know nothing about the custom workflow and other critical applications within the organization, because they've never seen them before."

Many systems integrators and users would rather build their own authorization systems to hook into self-developed application-based access rules. One such company is Anchor Sign Inc., a Charleston, S.C.-based maker of electronically lit signs. When Timothy Mullen, Anchor Sign's CIO, started his authorization system a year ago, he needed to provide different views of preplanning information to buyers, real estate and zoning commissions, not to mention Anchor Sign's salespeople, account managers, manufacturing workers and graphic artists.

Mullen says he didn't need a vendor application to accomplish this because he made his authorization system work "beautifully" with the NT domain model.

"When a customer logs into our Web site via [Secure Sockets Layer], that log-in is mapped to an NT account. Within that session, security credentials are maintained, allowing the user to retrieve only that data from our SQL Server he's been allowed to," Mullen explains. "That person lives within their Web security context, so that an individual coming from our client, like Blockbuster Video, can't see anyone else's data."

Like Voss, Mullen also standardized application development so that new objects come ready to plug into his access management program. This, he says, allows developers to distribute permissions to those objects in whatever manner the business requires.

Vendors blame some integration problems on a lack of standards for authorization development projects. About the closest that vendors can offer are the development hooks found in the Enterprise Java Beans framework, which some vendors (like Entrust and Netegrity) offer and others (like Securant) promise.

But even before these integration problems work themselves out, analysts and even naysayers recognize the potential of the authorization infrastructure. If done right, authorization management systems may finally solve the myriad complex user management problems surrounding public-key infrastructures and wireless access, according to Pescatore.

"We're seeing a real need for tracking of authentication for our e-commerce clients. When we do assessments, one of the most common problems is tracking and authentication from the Internet to the Web server to the middleware to the databases because each server has a different authentication mechanism," says Tim Belcher, chief technology officer at information security consulting firm RIPTech Inc. in Alexandria, Va.

"There is no clear-cut solution available today," he adds. "So I would advise people to select their components carefully and standardize wherever possible."

Belcher also cautions against throwing other security tools to the wind, no matter how well authorization tools develop in the future. "Authorization systems will never stand alone as a security solution," he says. "They're only one component of an entire security infrastructure."


Copyright © 2000 IDG Communications, Inc.
