August 30, 2006

An Application-Centric Approach to Security
or Security as a Service

I was discussing security with some of my colleagues last week and it suddenly struck us how different modern security approaches should be.  Traditionally, application access control has been embedded within the application itself.  In the J2EE world we are seeing this move from the application domain into the infrastructure domain.  This is a key change because it simplifies the provisioning problem: provisioning now becomes a job of mapping application roles onto user groups, and then identifying which groups (and hence which roles) an individual should belong to.


It also simplifies the application developer's life.  Developers no longer have to provide a user administration module within their code; the infrastructure provides it, and the same application can be backed by anything from simple flat files and hand-edited XML in a development environment through to a full access and user management system in the deployed production environment.
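As an added illustration (not from the original post), this is what the split looks like in a J2EE web application: the application's web.xml declares the roles it needs and which URLs require them, while the container maps those roles onto users or groups. The mapping file shown is Tomcat's tomcat-users.xml, assumed here as the development container with a flat-file realm; the role names, users and passwords are constructed sample data.

```xml
<!-- web.xml (inside the application's WAR): the developer declares roles and
     constraints only; no user-administration code lives in the application. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Only members of the "approver" role may reach the approval screens. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Approval pages</web-resource-name>
      <url-pattern>/approve/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Check: omitting <auth-constraint> entirely leaves /approve/* open to
           everyone; an empty <auth-constraint/> denies access to everyone. -->
      <role-name>approver</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require HTTPS so credentials and session cookies are not sent in clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Application-side role names; the container decides who holds them. -->
  <security-role><role-name>approver</role-name></security-role>
  <security-role><role-name>requester</role-name></security-role>
</web-app>

<!-- tomcat-users.xml (container side, development only): the flat-file realm
     that maps users onto the roles above. In production the same role names
     would be mapped to directory groups by the container's LDAP or JAAS realm
     instead, with no change to web.xml. Users and passwords are constructed. -->
<tomcat-users>
  <role rolename="approver"/>
  <role rolename="requester"/>
  <user username="alice" password="dev-only-password" roles="approver,requester"/>
  <user username="bob"   password="dev-only-password" roles="requester"/>
</tomcat-users>
```

The point to verify when reviewing such a deployment is that every protected url-pattern carries an auth-constraint, and that the production realm, not the development flat file, is the one bound to the container.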


This ties nicely into service-oriented architecture, as it now allows the concept of security as a service to become more concrete.  At the J2EE level this works well.  However, the standards need to be developed further to allow identity to flow seamlessly across services and through a service orchestration.


One area where standards are lacking is the format of usernames.  For many applications this isn't a problem, but for applications that manage individual user details it is a crucial detail that must be understood, and such applications can end up being tied to one particular name format.


Generally, however, the standards are almost there and we are on the edge of a service-oriented security environment.  All it requires now is for developers to embrace it, freeing them from the need to write their own provisioning and security code.


So developers of the world rise up and embrace service oriented security - you have nothing to lose but your provisioning code!


For a good explanation of application-centric security, check out the Security Corner blog.

About August 2006

This page contains all entries posted to Antony Reynolds' Blog in August 2006. They are listed from oldest to newest.
