The Application Security Manifesto – The Great App Re-Architecture
By Tanu Sood on Jan 22, 2014
Author: Greg Jensen, Senior Principal Product Director
In our previous post in this series, we touched on the “State” of our current Applications and how we have traditionally incorporated security models into these applications in the past. We also touched on how the next generation of application requirements are evolving to incorporate a number of ground-breaking changes in how we leverage security within the application, and how we use the applications themselves.
The Great Application Re-Architecture
It has always been the great give and take in IT. The individual IT product owner wants the most capable product, regardless of what the rest of the business is using, forgoing the possibility of cross-pollination benefits. It’s about being able to do their job as well as one can. On the other side is the executive who wants an integrated approach, where multiple products from one vendor are designed with integration in mind, to cross-pollinate data and information across teams. Individual product capabilities may not be as strong, but the greater benefits of a single-vendor approach sit better with executive teams. This has been the struggle companies have been dealing with for decades, and only recently is there a light at the end of the tunnel, with the advent of an open framework based on an open-standards approach for sharing information between “best of breed” products and vendors. This allows the individual IT product owners to get the best-of-breed product they want, while the executive teams who look for cross-pollination and integration reap the benefits of a standards-based method of integrating across the stack.
So what is the gain? It has allowed us to look at a new methodology for the design and development of our applications and the services that support them. When we are able to de-bundle and share services such as security, rather than building security into every application, the benefit is obvious and immediate. It means applications can be brought up in near real time, with a simple hook into the security module, using a standards-based (Service Oriented Architecture, SOA) connection, to pull identity profiles and policies into new applications. This means one can repeat this process again and again with new applications and services, without creating new security profiles and infrastructure. It’s all about repeatability and re-usability, with the added benefit of centralizing all of your auditable data in one location for compliance-based reports.
The Five Transformational Principles
There are always drivers of transformation, and for applications they can be summed up in the five principles that are currently driving the transformation we are discussing: Fine-grained Entitlements, Identity Platform Services, Social Integration, Complete Access, and Mobile/Cloud.
External Authorization & Fine Grained Entitlements
Today, access just isn’t about managing passwords and user IDs inside the enterprise anymore. We have to move beyond the old model of granting access privileges to specific repositories of information, separately for each application, with the expectation that the role of the user never changes. The reality is…it does. Take the example of a group of users at a large investment bank. You would like to treat your junior traders with more limited privileges, based around restricting trading limits and the times in which they can initiate trades. However, as your junior traders grow in their careers within the organization, it is important that their access grows with them. This means their access needs to change over time, rather than just being layered and added upon, to ensure “over-provisioning” does not occur over the course of an employee’s career. At the same time, your most senior fund managers need to be given the authorization to perform larger transactions, day or night, without any daily limits, from any geography, and from any device inside or outside the bank network. This is the kind of “context-based” Identity Management that truly unlocks the potential of enforcing just what each employee role is capable of doing.
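An illustration of that externalized, context-based authorization, as an added example (not Oracle code or part of the original post): a small policy decision point that applications call instead of hard-coding entitlement checks, with the junior-trader and senior-fund-manager roles, limits, trading window, geographies and device conditions all chosen here as assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass
class Policy:
    max_amount: Optional[float]          # None means no transaction limit
    window: Optional[tuple]              # (start, end) trading hours, or None for any time
    geographies: Optional[set]           # permitted locations, or None for any geography
    require_managed_device: bool
    allow_external_network: bool

# Central entitlement store, maintained outside the applications: a role
# change here is picked up by every application calling authorize().
# Values are constructed for the example.
POLICIES = {
    "junior_trader": Policy(100_000.0, (time(9, 0), time(17, 0)), {"US"}, True, False),
    "senior_fund_manager": Policy(None, None, None, False, True),
}

@dataclass
class Request:
    user: str
    roles: list
    amount: float
    at: time
    geography: str
    managed_device: bool
    on_bank_network: bool

def authorize(req: Request) -> tuple:
    """Deny by default; permit when at least one of the user's roles permits.
    Promotion is therefore a role swap, not another layer of stacked grants."""
    reasons = []
    for role in req.roles:
        pol = POLICIES.get(role)
        if pol is None:
            reasons.append(f"{role}: unknown role"); continue
        if pol.max_amount is not None and req.amount > pol.max_amount:
            reasons.append(f"{role}: amount exceeds limit"); continue
        if pol.window and not (pol.window[0] <= req.at <= pol.window[1]):
            reasons.append(f"{role}: outside trading window"); continue
        if pol.geographies is not None and req.geography not in pol.geographies:
            reasons.append(f"{role}: geography not permitted"); continue
        if pol.require_managed_device and not req.managed_device:
            reasons.append(f"{role}: unmanaged device"); continue
        if not pol.allow_external_network and not req.on_bank_network:
            reasons.append(f"{role}: off the bank network"); continue
        return True, f"{role}: permitted"
    return False, "; ".join(reasons) or "no roles assigned"
```

Every decision carries its reason, so the same central store that enforces the policy also produces the auditable record the post calls for.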
Identity Platform Services
Organizations are putting a major emphasis on cost reduction efforts, and this is being accomplished in many areas throughout the enterprise: common data repositories, common reporting systems, common event collection systems, common security information management tools, and, as the next step, common security frameworks for externalizing the security from applications and platforms. This has the added benefits of cost savings from a licensing standpoint, shorter ramp-up time on projects, less training and overhead, and the ability to re-use. There are also secondary savings in reduced exposure to audits, by centralizing all of the regulatory and compliance event data in one single location, one report, and one auditable database.
Social Integration
Criminals understand well that one of today’s fastest-growing trends is the use of “social sign-on”: the use of Facebook credentials for authenticating and logging into other applications and services. We can create new accounts on a web site, or log in using our Facebook credentials. This is all in the name of making things more convenient: a form of “single sign-on” for the masses, called “social sign-on”. How often do we read about social credentials being stolen, compromised and taken advantage of? So why are we putting so much faith in them without extra precautions? Imagine what one could do with these social credentials if they were used across a variety of services and offerings for authentication. This is why there needs to be an additional effort in securing these social credentials, by absorbing them within a broader, more secure identity that is provisioned to you.
Complete Access
This takes us to how we can consolidate all of our digital identities, user identities, passwords and more into a single set of credentials that one has to remember and authenticate with. To the average person, this sounds like a risk. In the world of single sign-on, we are more likely to change our master password every 30 days than we are the 30-40 passwords that it manages underneath. Criminals understand that many users are likely using the same Gmail password today that they did 1 year ago. Many also understand that many of these users repurpose personal passwords in their work environment. So the idea being…if you can compromise their Flowers.com account, you can compromise their HR account at work, or their financial records database. This is simply because the human mind is unable to remember too many complex passwords, and if they are changed every 30 days, then we struggle even more. Enter the world of Complete Access and offerings such as single sign-on. This allows one to set up a master user ID and password, whose password you are required to reset on a frequent basis. For extra protection, companies may ask you to provide multi-factor authentication, such as 1) what you have (smartcard, key or biometrics) and 2) what you know (PIN, passphrase). Once this authentication takes place, the SSO client quickly unlocks access to a small database of all of your user IDs and passwords for each of your applications and services. The idea here is that each individual application and service you set up can now have a strong, complex password, and not a variation of the same password. Now you can set time limits of 30 days and expire your passwords. Now you can set up a provisioning process for your enterprise applications so that you provision only one user ID and password, and never share any of the unique user IDs and passwords for the individual apps underneath it. This allows you to more easily de-provision applications and services at will.
This doesn’t stop at just the desktop; it extends to mobile platforms now as well. So regardless of whether you are on a Windows, Mac, Android or iOS device, your Complete Access follows you.
Mobile & Cloud Security
With the mobile platform enters a whole new category of applications, underpinned by what we call the “Cloud”, and this brings into question how we address the security implications of both of these platforms. Five years ago, a 5,000-employee organization was struggling with how to manage the provisioning model for 5-7,000 user IDs for their employees. Today, that same company is dealing with 5 to 10 identities per device, per user. With each employee leveraging 2 to 3 devices, this could be as many as 200,000 identities in itself. Now businesses are facing the bigger dilemma with the cloud. How do we create, provision and manage credentials for all of our partners and customers who do business with us over the Internet? In a consumer-oriented business, this could be millions of identities. What is needed is an architecture that can scale as the business needs transform to include new technologies, new services, and new avenues of sales and distribution.
Maturity of the Optimized Application
As with everything in technology, we are seeing maturity and capability grow in leaps and bounds in the area of application optimization. We have moved from the days of our first applications, where our security focus was limited due to its complexity and high cost, as well as limits in regulatory reporting, to models where we started to consolidate our applications. Here, we started to see some degree of centralized security controls, but they were very limited in nature. Today, we are in a phase of what we call the “Optimized Platform”, where the main driver is data governance for risk and compliance. This is not where our maturity for applications will end. The future is a bright one, and in the not too distant future we will see Optimized Processes, where the drivers are automated auditing and compliance reporting. It doesn’t stop there. This maturity and capability has to take us to the point where we are including self-healing and automation, where some of the main security drivers are automated fraud management and automated IT and user provisioning. The key to this maturity is having an infrastructure in place today that is capable of growing with you as the capability grows.
In Summary – The Platform Transformation
We have discussed where we are with the state of our applications today. We have shared where we need to be and the transformation principles that will drive this Great Application Re-Architecture. All of this is supported by a platform transformation here at Oracle that we call Oracle AppAdvantage.
Oracle AppAdvantage for Security is simply what results when we de-bundle security from the application and make it part of the platform: a sharable component that all applications can leverage. When you build a car, the car battery isn’t used just to start the engine. It’s used to power the radio. It’s used to power the lights, the horn, the seat warmers, and the fan. Everything. It’s a shared component within the car. It’s a platform approach to building an automobile, and we are now doing the same for security.