
January 22, 2014

The Application Security Manifesto – The Great App Re-Architecture

Author: Greg Jensen, Senior Principal Product Director

In our previous post in this series, we touched on the
“State” of our current Applications and how we have traditionally incorporated
security models into these applications in the past. We also touched on how the
next generation of application requirements are evolving to incorporate a
number of ground-breaking changes in how we leverage security within the
application, and how we use the applications themselves.

Great Application Re-Architecture

It has always been the great give and take in IT. The lower IT product owner wants the most
capable product, regardless of what the rest of the business is using, forgoing
the possibility of cross-pollination benefits. It’s about being able to do
their job as well as one can. On the other side is the executive who wants an
integrated approach where multiple products from one vendor are designed with
integration in mind, to cross-pollinate data and information across teams.
Individual product capabilities may not be as strong, but the greater benefits
of a single-vendor approach sit better with executive teams. This has been the
struggle companies have been dealing with for decades, and only recently is
there a light at the end of the tunnel with the advent of an open framework
based on an open standards approach for sharing information between “best of breed”
products and vendors. This allows the individual IT product owners to get the
best of breed product they want, while the executive teams who look for
cross-pollination and integration reap the benefits of a standards-based method
of integrating across the stack.

So what is this gain? This has allowed us to now look at a new methodology for
the application and development of our Applications and the services that
support them. When we are able to de-bundle and share services such as security,
rather than building security into every application, the benefit is obvious
and immediate. It means applications can be brought up in near real time, with
a simple hook into the security, using a standards-based (Service Oriented
Architecture - SOA) connection, to pull Identity profiles and policies into new
applications. This means one can now repeat this process again and again with
new applications and services, without creating new security profiles and
infrastructure. It’s all about repeatability, re-usability and the added
benefit of centralizing all of your auditable data in one location for
compliance-based reports.

The Five Transformational Principles

There are always drivers of transformation, and
for applications, they can be summed up in five principles that are currently
driving the transformation we are discussing: Fine-grained Entitlements, Identity
Platform Services, Social Integration, Complete Access & Mobile/Cloud.

External Authorization & Fine-Grained Entitlements

Today, access isn’t just about managing passwords and
user IDs inside the enterprise anymore. We have to move beyond the old model
of granting access privileges to specific repositories of information and for
each application separately, with the expectation that the role of the user
never changes. The reality is that it does. Take the example of a group of
users for a large investment bank. You would like to treat your junior traders
with more limited privileges that are based around restricting trading limits
and times in which they can initiate trades. However, as your junior traders
grow in their careers within the organization, it is important that their
access grows with them. This means their access needs to change over time,
rather than just being layered and added upon, so that “over provisioning”
does not occur over the course of an employee’s career. At the same time, your
most senior fund managers need to be given the authorization to perform larger
transactions, day or night, without any daily limits, from any Geography, and
from any device inside or outside the bank network. This is the kind of
“context based” Identity Management that truly unlocks the potential of
enforcing just what each employee role is capable of doing.
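
The trader scenario above as an externalized decision point, added here as an illustration and not Oracle code. The role names, limit values, trading window and the bank-network restriction on junior traders are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

@dataclass(frozen=True)
class Policy:
    max_trade: Optional[int]               # None means no per-trade limit
    daily_limit: Optional[int]             # None means no daily limit
    window: Optional[Tuple[time, time]]    # None means day or night
    bank_network_only: bool

# Constructed policy values, for illustration only.
POLICIES = {
    "junior_trader": Policy(50_000, 200_000, (time(9, 0), time(17, 0)), True),
    "senior_fund_manager": Policy(None, None, None, False),
}

@dataclass(frozen=True)
class TradeRequest:
    user: str
    amount: int
    traded_today: int
    at: time
    on_bank_network: bool

def decide(directory, req):
    """Central decision point: applications ask it, they do not embed the rules."""
    policy = POLICIES.get(directory.get(req.user))
    if policy is None:
        return False, "no entitlement"          # default deny
    if policy.bank_network_only and not req.on_bank_network:
        return False, "outside bank network"
    if policy.window and not (policy.window[0] <= req.at < policy.window[1]):
        return False, "outside trading window"
    if policy.max_trade is not None and req.amount > policy.max_trade:
        return False, "per-trade limit exceeded"
    if policy.daily_limit is not None and req.traded_today + req.amount > policy.daily_limit:
        return False, "daily limit exceeded"
    return True, "permit"

def change_role(directory, user, new_role):
    """One role per user: a promotion replaces the old entitlement, it is not layered on."""
    return {**directory, user: new_role}
```

Because every application calls the same `decide`, each permit or deny reason can be logged in one place for audit.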

Identity Platform Services

Organizations are putting a major emphasis on cost reduction
efforts, and there are many areas where this is being accomplished throughout the
enterprise: common data repositories, common reporting systems, common event
collection systems, and common security information management tools. The next
step is utilizing common security frameworks for externalizing the security
from applications and platforms. This has the added benefits of cost savings
from a licensing standpoint, ramp-up time on projects, training and overhead,
and the ability to re-use. There are also secondary savings in reduced
exposure to audits by centralizing all of the regulatory and compliance event
data in one single location, one report, and one auditable database.

Social Integration

Criminals understand well that one of today’s fastest trends
is the use of “social sign-on”, or the use of Facebook credentials for
authenticating and logging into other applications and services. We can create
new accounts on a web site, or log in using our Facebook credentials.
This is all in the name of making things more convenient: a form of
“single sign-on” for the masses, called “social sign-on”. How often do we read
about social credentials being stolen, compromised and taken advantage of? So
why are we putting so much faith in them without extra precautions? Imagine
what one can do with these social credentials if one used them across a variety
of services and offerings for authentication. This is why there needs
to be an additional effort in securing these social credentials, by absorbing
them within a broader Identity that is provisioned to you, that is more secure.

Complete Access

This takes us to how we can expand all of our digital
identities, user identities, passwords and more into a single set of
credentials that one has to remember and authenticate with. Now to the average
person, this sounds like a risk. In the world of Single Sign-On, we
are more likely to change our master password every 30 days than we are the
30-40 passwords that it manages underneath.
Criminals understand that many users are likely using the same Gmail
password today that they did 1 year ago.
They also understand that many of these users repurpose personal
passwords into their work environment.
So the idea is that if you can compromise their Flowers.com account, you
can compromise their HR account at work, or their financial records
database. This is simply because the human mind is unable to remember too many
complex passwords, and if they are changed every 30 days, then we struggle even
more.

Enter the world of Complete Access and offerings such as Single Sign-On. This
allows one to set up a master user ID and password, with the password required
to be reset on a frequent basis. For extra protection, companies may ask
you to provide multi-factor authentication, such as 1) What you have
(smartcard, key or biometrics) 2) What you know (pin #, passphrase). Once this
Authentication takes place, the SSO client quickly unlocks access to a small
database of all of your User IDs and passwords for each of your applications
and services. The idea here is that each individual application and service you
set up can now have a strongly cryptic password, and not a variation of the
same password. Now you can set time limits of 30 days and expire your
passwords. Now you can set up a provisioning process for your enterprise
applications so that you provision only one User ID and password, and never
share any of the unique User IDs and passwords for the individual apps
underneath it. This allows you to more easily de-provision applications and
services at will. This doesn’t stop at just the desktop; it extends to mobile
platforms now as well. So regardless of whether you are on a Windows, Mac,
Android or iOS device, your Complete Access follows you.

Mobile & Cloud Security

With the mobile platform comes a whole new category of
applications underpinned by what we call the “Cloud”, and this brings into
question how we address the security implications of both of these platforms.
Five years ago, a 5,000-employee organization was struggling with how to manage
the provisioning model for 5-7,000 user IDs for their employees. Today, that
same company is dealing with 5 to 10 identities per device, per user. With
each employee leveraging 2 to 3 devices, this could be as many as 200,000
identities in itself. Now businesses are facing the bigger dilemma with the
cloud. How do we create, provision and manage credentials for all of our
partners and customers who do business with us over the Internet? In a
consumer-oriented business, this could be millions of identities. What is
needed is an architecture that can scale as the business needs transform to
include new technologies, new services, and new avenues of sales and
distribution.

Maturity of the Optimized Application

As with everything in technology, we are seeing maturity and
capability grow in leaps and bounds in the areas of our Application
Optimization.  We have moved from the
days of our first applications where our security focus was limited due to its
complexity and high cost, as well as limits in regulatory reporting, to models
where we started to consolidate our applications. Here, we started to see some
degree of centralized security controls, but they were very limited in
nature. Today, we are in a phase of what
we call the “Optimized Platform”, where the main driver is Data Governance for
Risk & Compliance. This is not where
our maturity for applications will end.
The future is a bright one, and we will see Optimized Processes where
the drivers are automated auditing and compliance reporting, in the not too
distant future.  It doesn’t stop
there.  This maturity and capability has
to take us to the point where we are including Self-Healing and Automation
where some of the main security drivers are automated fraud management and automated
IT & User provisioning.  The key to
this maturity is having an infrastructure in place today that is capable of
growing with you, as the capability grows.

In Summary – The Platform Transformation

We have discussed where we are with our state of applications
today. We have shared where we need to
be and the transformation principles that will drive this Great Application
Re-Architecture. All of this is
supported by a platform transformation here at Oracle that we call
Oracle AppAdvantage.

Oracle AppAdvantage for Security is simply when we de-bundle security from
the application and make it part of the platform, a sharable component that
all applications can leverage. When you build a car, the car battery isn’t
used just to start the engine. It’s used to power the radio. It’s used to
power the lights, the horn, the seat warmers, and the fan. Everything. It’s a
shared component within the car. It’s a platform approach to building an
automobile, and we are now doing the same for security.
