Arch2Arch Advisor
by architects, for architects


Externalizing application security: what does it mean?

Application security has evolved dramatically over the last few years, from perimeter security focused on keeping the bad guys out to fine-grained control over what people are allowed to do in enterprise applications. Web single sign-on products have centralized authentication and management of identity across the Web tier and revealed the next layer of vulnerability in the application tier.

In addition, regulatory and privacy requirements have mandated new levels of control over company and customer information. A rapid rise in outsourcing of application development means that security logic embedded in the application tier is no longer directly controlled by the enterprise. These changes in the regulatory and development environments mandate a change in how access to the application tier is managed.

To explore what this means for your organization, let's start with a couple of definitions. We'll define entitlements as the set of privileges that governs what a user can do in an application. An entitlements system is used to create and manage those privileges and to make and record the access decisions that are made at run time. The next wave of application security technology, then, is the management of user entitlements and the externalization of application security logic from the application tier.

What does it mean to externalize security logic from an application? The picture below shows an example trading application. This application may be used by many different types of users. However, only those users who are traders are allowed to make trades in the application. Furthermore, traders can trade only for those client accounts for which they are authorized, and only up to a specified limit set for each account.

The panel on the left shows the traditional way to control access in the application. In this case, the access control logic is embedded as code in the application. The application has to know how to go out to other systems in the infrastructure to get information about the user and the account. This makes the application brittle and difficult to change. It also means the security logic can be seen only by inspecting the code. Finally, because each decision is taken inside application code, there is no central record of it, so access decisions cannot be audited consistently.

The panel on the right shows how the application would look when the security decision has been externalized. Instead of complex logic coded as part of the application, the developer makes a call to the entitlements system to get an access decision. The call to the entitlements system ("IsAccessAllowed") would typically carry the following information:

  • the requested action ("Trade")
  • the resource (the "Account" for which this trade will be made)
  • the subject (the person requesting authorization to do this, the "User")
  • application context required to make the authorization decision (for example, the "Amount" of the trade).
When called by the application, the entitlements system goes out into the enterprise for the required information about the user and the account, evaluates the policies that apply to accounts in the application, and returns an access decision. It also records all the information about that decision for audit. This has a number of benefits, including:

  • Flexibility: applications do not have to change if the security or business requirements that govern access control change
  • Visibility: all security and access logic can be seen and managed from a single place
  • Traceability: the entitlements system audits all access control decisions and can report on who has access to what
  • Efficiency: developers don’t write security logic, leaving them free to concentrate on new value-added capabilities for their customers.
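As an added example (not code from this article or from ALES), the IsAccessAllowed pattern described above as a small in-process entitlements system in Python: the application passes subject, action, resource and context; the entitlements system gathers attributes about the user and the account, evaluates the policies that apply, and records every decision in an audit log. The user directory, the account limits, the policy names and the is_access_allowed function are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation

# Constructed sample data standing in for the two systems the text says the
# entitlements system must consult: the user directory and the account system.
USER_DIRECTORY = {
    "alice": {"roles": {"trader"}, "authorized_accounts": {"ACME", "GLOBEX"}},
    "bob": {"roles": {"analyst"}, "authorized_accounts": {"ACME"}},
}
ACCOUNT_TRADE_LIMITS = {"ACME": Decimal("250000"), "GLOBEX": Decimal("50000")}


@dataclass(frozen=True)
class Request:
    subject: str    # the "User" asking
    action: str     # e.g. "Trade"
    resource: str   # the "Account" the trade is for
    context: dict   # application context, e.g. {"Amount": 100000}


# Each policy returns a denial reason, or None if it does not object.
def subject_must_be_known(req, attrs):
    return None if attrs["known"] else "unknown subject"


def trade_requires_trader_role(req, attrs):
    if req.action == "Trade" and "trader" not in attrs["roles"]:
        return "subject lacks the trader role"
    return None


def trade_requires_account_authorization(req, attrs):
    if req.action == "Trade" and req.resource not in attrs["authorized_accounts"]:
        return "subject is not authorized for this account"
    return None


def trade_within_account_limit(req, attrs):
    if req.action != "Trade":
        return None
    try:
        amount = Decimal(str(req.context["Amount"]))
    except (KeyError, InvalidOperation):
        return "trade Amount missing or malformed"
    if attrs["limit"] is None:
        return "no limit defined for this account"
    if amount <= 0 or amount > attrs["limit"]:
        return f"Amount {amount} outside (0, {attrs['limit']}]"
    return None


GRANTED_ACTIONS = {"Trade", "View"}   # anything else is denied by default
POLICIES = [subject_must_be_known, trade_requires_trader_role,
            trade_requires_account_authorization, trade_within_account_limit]


class EntitlementsSystem:
    """Policy decision point: gathers attributes, evaluates policies, audits."""

    def __init__(self, policies=POLICIES):
        self.policies = list(policies)
        self.audit_log = []

    def _gather_attributes(self, req):
        user = USER_DIRECTORY.get(req.subject)
        return {
            "known": user is not None,
            "roles": user["roles"] if user else set(),
            "authorized_accounts": user["authorized_accounts"] if user else set(),
            "limit": ACCOUNT_TRADE_LIMITS.get(req.resource),
        }

    def is_access_allowed(self, subject, action, resource, context=None):
        req = Request(subject, action, resource, dict(context or {}))
        attrs = self._gather_attributes(req)
        reason = None if action in GRANTED_ACTIONS else f"no policy grants {action!r}"
        for policy in self.policies:
            if reason:
                break
            reason = policy(req, attrs)
        allowed = reason is None
        self.audit_log.append({            # every decision is recorded, allow or deny
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": subject, "action": action, "resource": resource,
            "context": {k: str(v) for k, v in req.context.items()},
            "allowed": allowed, "reason": reason or "all applicable policies satisfied",
        })
        return allowed


def place_trade(pdp, user, account, amount):
    """Application side: one call, no embedded security logic."""
    if not pdp.is_access_allowed(user, "Trade", account, {"Amount": amount}):
        return "rejected"
    return f"booked {amount} for {account}"


if __name__ == "__main__":
    pdp = EntitlementsSystem()
    print(place_trade(pdp, "alice", "ACME", 100000))    # booked
    print(place_trade(pdp, "alice", "GLOBEX", 100000))  # rejected: over the account limit
    print(place_trade(pdp, "bob", "ACME", 100))         # rejected: not a trader
    for entry in pdp.audit_log:
        print(entry["subject"], entry["action"], entry["resource"], entry["allowed"], entry["reason"])
```

Two points worth noting. The decision is deny by default: a request must name a granted action and then pass every applicable policy, so a malformed or missing Amount is a denial, not an exception that the application has to handle. And the things most likely to change (an account's limit, which accounts a trader may use, a new policy) live on the entitlements side, so the application's place_trade call does not change when they do; the audit log entry for each call is what makes the decision traceable.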

BEA is leading this new wave of entitlements management. BEA AquaLogic Enterprise Security (ALES) is an entitlements system that supports the centralized definition of complex application entitlements and the distributed runtime enforcement of those entitlements. ALES allows you to externalize entitlements, removing security decisions from the application. It provides the means to define application resources and application business objects, represent those objects in hierarchical relationships, and write policies that describe which users, groups, and roles can access those objects.

2315 North First Street, San Jose, CA 95131. Copyright 2007 © BEA Systems, Inc. All rights reserved.