<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://marcchanliau.sys-con.com"  xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Latest News from Marc Chanliau</title>
 <link>http://marcchanliau.sys-con.com/</link>
 <description>Latest News from Marc Chanliau</description>
 <language>en</language>
 <copyright>Copyright 2013 Ulitzer.com</copyright>
 <generator>Ulitzer.com</generator>
 <lastBuildDate>Mon, 20 May 2013 18:31:18 EDT</lastBuildDate>
 <docs>http://backend.userland.com/rss</docs>
 <ttl>360</ttl>
<item>
 <title>Externalizing Fine-Grained Authorization from Applications</title>
 <link>http://marcchanliau.sys-con.com/node/1923919</link>
 <description>The recent spike in insider threats, coupled with a rise in compliance considerations, has forced organizations to ensure only authorized users access sensitive application functionality and data. Historically, user entitlements or authorization logic has been embedded inside an application. For example, if the user of an application meets specific conditions, such as a specific role, access to that application function will be granted at runtime. But if the definition of specific authorization conditions changes over time, then the application developer needs to modify the application’s source code, test, and re-deploy the application.
Suppose a homegrown portal application must present a sensitive piece of customer information such as a Social Security Number (SSN) when a service representative views a customer’s profile. It is determined that, to ensure compliance with various privacy regulations, only directors and senior managers may view a customer’s SSN. Whenever the application must show an SSN, it has to decide dynamically whether the current user may view the actual data or some default value (e.g., “XXX-XX-XXXX”). The decision must take into account the user’s job title. If a dozen parts of the application can display a customer’s SSN, this business logic must be applied in a dozen places.&lt;p&gt;&lt;a href=&quot;http://marcchanliau.sys-con.com/node/1923919&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 25 Aug 2011 10:15:00 EDT</pubDate>
 <guid isPermaLink="true">http://marcchanliau.sys-con.com/node/1923919</guid>
 <comments>http://marcchanliau.sys-con.com/node/1923919#feedback</comments>
</item>
<item>
 <title>Identity Propagation in a SOA</title>
 <link>http://marcchanliau.sys-con.com/node/218996</link>
 <description>One of the challenges IT organizations face is how to propagate identities in complex business processes that are commonly found in Service Oriented Architectures (SOAs). Identities, which are passed from one service invocation to the next in a business process, give the process a user context. Identities can be used to determine access rights to SOA services and for audit and compliance purposes.&lt;p&gt;&lt;a href=&quot;http://marcchanliau.sys-con.com/node/218996&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 11 May 2006 10:00:00 EDT</pubDate>
 <guid isPermaLink="true">http://marcchanliau.sys-con.com/node/218996</guid>
 <comments>http://marcchanliau.sys-con.com/node/218996#feedback</comments>
</item>
<item>
 <title>Enterprise Web Services Security: A Reference Architecture, part II</title>
 <link>http://marcchanliau.sys-con.com/node/43970</link>
 <description>Last month (WSJ, Vol. 4, issue 2), we looked at how Web services should not depend on specific security environments and rules but should be managed as part of all of an enterprise&#039;s corporate data assets such as Web applications, ERP systems, and in-house applications.&lt;p&gt;&lt;a href=&quot;http://marcchanliau.sys-con.com/node/43970&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 08 Mar 2004 00:00:00 EST</pubDate>
 <guid isPermaLink="true">http://marcchanliau.sys-con.com/node/43970</guid>
 <comments>http://marcchanliau.sys-con.com/node/43970#feedback</comments>
</item>
<item>
 <title>Enterprise Web Services Security: A Reference Architecture</title>
 <link>http://marcchanliau.sys-con.com/node/43569</link>
 <description>Web services are past the initial marketing hype. Early Web services were part of experimental one-off projects within a single enterprise department. Now, larger Web services deployments are moving outside of the enterprise firewall to better leverage existing business partnerships and value chains.&lt;p&gt;&lt;a href=&quot;http://marcchanliau.sys-con.com/node/43569&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Thu, 05 Feb 2004 00:00:00 EST</pubDate>
 <guid isPermaLink="true">http://marcchanliau.sys-con.com/node/43569</guid>
 <comments>http://marcchanliau.sys-con.com/node/43569#feedback</comments>
</item>
<item>
 <title>The Security Challenge</title>
 <link>http://marcchanliau.sys-con.com/node/39702</link>
 <description>This article focuses on the value of Web services security. It is important to understand what Web services are and their challenges, particularly related to security. Traditionally, companies have relied on conventional, transport-level security but this approach has its limitations. The market now offers complementary XML-based solutions designed to secure documents used in Web services requests and responses. We will explore these solutions and outline &#039;typical case scenarios&#039; to provide a comprehensive landscape on the current offering of Web services security solutions.&lt;p&gt;&lt;a href=&quot;http://marcchanliau.sys-con.com/node/39702&quot; target=&quot;_blank&quot;&gt;read more&lt;/a&gt;&lt;/p&gt;</description>
 <pubDate>Mon, 24 Feb 2003 00:00:00 EST</pubDate>
 <guid isPermaLink="true">http://marcchanliau.sys-con.com/node/39702</guid>
 <comments>http://marcchanliau.sys-con.com/node/39702#feedback</comments>
</item>
</channel>
</rss>
