Wachovia banks on entitlement management for fine-grained application security

By Colleen Frye
15 Oct 2007 | SearchSoftwareQuality.com


To Wachovia's Ryan Bagnulo, business rules are application security policies, and in the big picture he sees, security lies at the heart of governance for both applications and IT systems.

Bagnulo, who is head of architecture and innovation for Wachovia Corp.'s Corporate Investment Bank Technology (CIBT) area in the CTO Group, has taken some first steps toward that vision with the deployment of an Entitlement Management Solution (EMS) from Securent Inc. for enforcing fine-grained application security.


"Authentication, who you are, is coarse-grained -- what role or group are you, or what application are you allowed to use. The tricky part is fine-grained -- when you're in the application, what are you allowed to do?" explained Bagnulo.

For example, he said, in a trading application there may be certain traders who are authorized to execute particular types of trades, say oil and gas, but no others. "If he tries another type of trade, it should be denied. That's what I mean when I say fine-grained authorization for the execution of transactions."

To get that kind of fine-grained security, developers have been developing and deploying custom code for individual applications, and as a result, access policies have been managed in silos.

"The problem with that model is it's very costly, and it leads to inconsistency in the application of security policy," said Howard Ting, senior director of product management and marketing at Securent in Mountain View, Calif. "And when you need to change a policy, you have to change it across all resources."

Ting added, "It's also time consuming. The way most applications have access control policy enforced today is to write it into the code, so developers are writing thousands of lines of code. That leads to a lot of potential problems. By externalizing the security policies from the application and managing them centrally, ROI becomes a strong message."

"The issue isn't that we haven't done this in the past," Bagnulo said. "Every application has a fine-grained authorization system in it, but it's custom coded. That's why Securent is attractive. We looked at BEA [AquaLogic Enterprise Security, a fine-grained entitlements solution] and it works great for WebLogic, but we've also got JBoss and a lot of SharePoint servers, WebSphere, Documentum, Oracle database. Securent has plug-ins for all those application environments."

The ability to write a single security policy that goes across heterogeneous platforms saves time and complexity, Bagnulo said.

Ting said that while the function of entitlement management, or access entitlement, is not new, the term itself is. Entitlement management is one of several new categories, including identity audit and regulatory compliance tools, user-centric identity applications, consumer authentication products, role discovery tools, enterprise application controls management, and identity-aware appliances, that have emerged under the identity management umbrella over the past few years, according to the Burton Group report, The Identity Management Market 2007: An Expanding Universe.

Open standards important
Securent's EMS is based on the eXtensible Access Control Markup Language (XACML). According to the Burton report, support for Version 2.0 of XACML is growing, "riding the wave of interest in entitlement management solutions that rely on the XACML authorization standard."


"I've been following XACML for a while, which is what drew me to Securent," Bagnulo said. "I want open standards so other technologies can plug in. For example, I use DataPower [the XML appliance] from IBM because it natively speaks XACML. I didn't have to do custom development to get my security infrastructure powered by Securent to integrate. And if Securent goes out of business, I can find a replacement that speaks XACML; it's a way of hedging. The point is you have to think about the long term and not lock in."

Bagnulo said his group is just getting started with Securent for its business applications. "If we're building a new application, the application team shouldn't take on the work to build in entitlement management, they'll plug into Securent," he said. One example is an external letter-of-credit application for clients, a new rich Internet application that Bagnulo's group is building with Adobe Flex and that will use the EMS.

"As legacy applications change, we'll refresh the security infrastructure," Bagnulo added. "Say with WebLogic, as we upgrade from 8.1 to 9.2, that's where we're inserting Securent. We don't do broad rip and replace."

Using an entitlement management solution takes a lot of work off the plates of application developers, Bagnulo said, and means there is "less risk that someone did something that was not a best practice."

Entitlement management throughout the enterprise
Bagnulo's broader vision for entitlement management is that it's just as applicable for technology systems as it is for business systems. For example, he said, an entitlement policy could be that an IT administrator is not allowed to execute a change to a mission-critical system during working hours.

While an organization may have a policy in place, "in data centers today it's mostly an honor system," he said. "The only way to enforce policy is with security; you need something in the middle governing what the user is trying to do. Unapproved changes happen, in reality, because something like this isn't in place."

"Long term, customers want to use [EMS] through the enterprise," Ting said. Although custom applications and portals are Securent's core business, "We've spent a lot of time building agents, like for SharePoint and databases. This is Ryan's vision, to use this across the infrastructure. The need for policy-based management is relevant across every resource."

For now, though, Wachovia's CIBT group is in the process of testing applications utilizing Securent that run on SharePoint and JBoss.

But Bagnulo is excited about the possibilities. "In conversations I've had with Securent, I tell them they're missing an opportunity. I tell them to market that the business rule is security policy. I think you will see a sea change -- that XACML will emerge as an alternative to ILOG and Drools [business rules management systems]." For example, he said, a business rule says a trader can execute only so many transactions per day above a certain value.

"The only way to enforce that is through security policy," he said. "Otherwise it's wishful thinking, and good luck."
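The three policies the article describes (a trader entitled only to certain trade types, a cap on large transactions per day, and no changes to mission-critical systems during working hours) externalized as data and evaluated by a miniature policy decision point in the XACML style. This is an added illustration, not Securent's or the XACML specification's code; the attribute names, thresholds, working-hours window and request layout are constructed for the example.

```python
# Added illustration of externalized, attribute-based authorization in the XACML style.
# Attribute names, thresholds and request layout are constructed; not Securent's code.
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:
    """One rule: a target (does the rule apply?), a condition, and an effect."""
    rule_id: str
    effect: str
    target: Callable[[dict], bool]
    condition: Callable[[dict], bool] = lambda req: True

# The article's policies as data, centrally managed instead of coded per application.
# A request carries subject/resource/action/env attributes, like an XACML request context.
POLICY = [
    # A trader may execute only the trade types they are entitled to.
    Rule("trade-type-entitlement", PERMIT,
         target=lambda r: r["action"] == "execute_trade",
         condition=lambda r: r["resource"]["trade_type"]
                             in r["subject"]["entitled_trade_types"]),
    # Business rule as security policy: so many large trades per day, then deny.
    Rule("daily-large-trade-cap", DENY,
         target=lambda r: r["action"] == "execute_trade",
         condition=lambda r: r["resource"]["notional"] > r["env"]["large_trade_threshold"]
                             and r["subject"]["large_trades_today"] >= r["env"]["daily_large_trade_limit"]),
    # IT governance: admins may change systems, but not mission-critical ones in working hours (09:00-17:00, assumed).
    Rule("admin-change", PERMIT,
         target=lambda r: r["action"] == "change" and r["subject"]["role"] == "it_admin"),
    Rule("no-critical-change-in-business-hours", DENY,
         target=lambda r: r["action"] == "change"
                          and r["resource"]["criticality"] == "mission-critical",
         condition=lambda r: 9 <= r["env"]["hour"] < 17),
]

def evaluate_rule(rule, req):
    # A rule contributes its effect only when its target matches and its condition holds.
    if not rule.target(req) or not rule.condition(req):
        return NOT_APPLICABLE
    return rule.effect

def decide(policy, req):
    # Policy decision point with deny-overrides combining: any Deny wins, then any Permit.
    results = {evaluate_rule(rule, req) for rule in policy}
    return DENY if DENY in results else PERMIT if PERMIT in results else NOT_APPLICABLE

def pep_allows(req):
    # Policy enforcement point inside the application: fail closed, only an explicit Permit proceeds.
    return decide(POLICY, req) == PERMIT
```

Changing the daily cap or the working-hours window means editing one rule in POLICY rather than every application that enforces it, which is the consistency argument Ting and Bagnulo make above.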

All Rights Reserved, Copyright 2006 - 2010, TechTarget | Read our Privacy Policy