Application Security Involves Many Complexities
As today's organizations strive to maximize the business value they obtain from IT, security is a key area in which leading solutions, deployed and managed through industry best practices, can yield significant returns. Complexities such as compliance regulations, the growing threat from insider abuse, and the potential business consequences of corruption or destruction of core business data all strongly encourage organizations to pursue a new, more effective approach to security.
Toward that end, one topic which must be considered as part of a holistic security strategy is application security. While enterprise-class applications play a critical role in the pursuit of business goals, they also introduce special challenges which must be anticipated and addressed. Proprietary security included with such applications, if any, is typically too specific to one application to be effective across the enterprise; a better approach is a centralized, scalable one, delivering proven features and robust security across all applications in accordance with SOA (Service Oriented Architecture) design goals.
Ideally, such a centralized implementation of application security would address three key areas: authentication (verifying that users are who they claim to be, backed by identity management), authorization (granting each user only the access appropriate to their role), and compliance (satisfying both internal security policies and external government regulations, including the reporting and auditing features needed to demonstrate that compliance).
IBM Delivers Application Security in Both the IBM Tivoli and IBM Rational Portfolios
Fortunately, IBM offers just such a suite of technologies in its best-in-class Tivoli system management portfolio (as supplemented with additional solutions from its IBM Rational development portfolio). Together, these solutions deliver a broad range of enterprise-grade security features, addressing the key domains of authentication, authorization, and compliance while simultaneously facilitating the scalability and flexibility associated with SOA architectures. Through IBM solutions, organizations can implement end-to-end application security in a way that will grow as the organization grows, and which can be adapted over time in accordance with changing business needs and goals.
User Identities and Access Are Key to Application Security
Managing user identities, for example, is a core element of any security strategy. Such information is constantly in a state of flux: passwords must be reset in accordance with security policies, and as employees join or leave the organization, their user identities must be created or removed in step, since an account that outlives its owner's employment is a standing opening for abuse. For large organizations, these tasks can represent a substantial drain on IT staff resources if handled manually.
IBM Tivoli Identity Manager is designed to address this problem. Account management, including setup and initial passwords, is optimized for ease of use; once information is in the system, the solution supports self-service functionality, so that users can reset their own passwords and attend to other routine tasks on an as-needed basis. Furthermore, through its role-based access control features, management review, automated auditing, and closed-loop provisioning, Tivoli Identity Manager enforces security policies by confirming that user information and permissions are correct and that what was provisioned matches what was approved.
Identity management must be paired with access management. For this reason, the IBM Tivoli Access Manager family optimizes access management in several different business contexts. IBM Tivoli Access Manager for Operating Systems adds policy-based access control and auditing to UNIX and Linux systems, addressing weaknesses in the native account-level controls of those platforms. Its auditing and intrusion prevention features deliver security designed to help preclude abuse by trusted insiders, including privileged users, while simultaneously supporting compliance initiatives.
IBM Tivoli Access Manager for Single Sign-On, on the other hand, strengthens application security by reducing password clutter. This solution integrates with other Tivoli offerings to allow users to sign on only once for a given application, even when that application spans multiple systems and sources of business data. Several types of authentication and business contexts, ranging from roaming laptops to multi-user kiosks, are supported via a lightweight yet powerful design.
Finally, IBM Tivoli Access Manager for e-Business centralizes authentication, access, and audit policy for Web applications: it delivers single sign-on across Web applications, collects audit data from multiple sources, and extends its policy enforcement to other solutions as part of the overall application security strategy.
Perhaps the single most daunting threat to enterprise-class security today is that privileged users will abuse their access by copying, modifying, or destroying core data. One solution specifically aimed at mitigating this form of business risk is IBM Tivoli Compliance Insight Manager, which includes a real-time dashboard that shows user activity on the network as it occurs and compares it against established security policies. The same solution can also generate dozens of customizable reports designed to address the specific requirements of different types of audits.
Furthermore, advance warning of possible security breaches can be gained with IBM Tivoli Security Compliance Manager, which scans both servers and end-user computers for violations of security policy, helping to find them before they lead to undesirable business consequences.
Application Security Also Involves the Development Side
Of course, truly holistic application security should ideally be considered as part of the software development process as well. As in-house applications are created and move through their lifecycles, they may involve numerous potential attack surfaces which could be exploited by internal or external users; this is particularly true in the case of Web applications which are delivered outside company walls in order to generate business value through building or extending relationships with clients, customers, and business partners.
For this reason, IBM also offers application security solutions that target the development side as well as the operational side. One such solution is the IBM Rational AppScan family. This group of automated tools works continuously, mimicking the assessment that a human security specialist would perform. Rational AppScan identifies, validates, and reports on application security vulnerabilities. It not only finds problems, but helps resolve them by generating fix recommendations that pinpoint the issues and help users remediate the vulnerabilities.
Rational AppScan is available in three editions: Standard, which scans for many common vulnerabilities across many different attack surfaces, including cross-site scripting and buffer overflow, and generates reports on demand; Enterprise, which adds a more sophisticated, Web-based multi-user architecture aimed at more complex deployments; and Tester Edition, which enables quality assurance teams to find and help remediate security shortcomings as part of their existing testing work. Automated testing and execution spare staff the need to resort to complex scripting, thus accelerating time-to-deployment for applications.
Finally, the extent to which Web applications and content adhere to security and privacy policies can be measured quantitatively by the IBM Rational Policy Tester family of tools. This group of solutions helps organizations achieve compliance by assessing how Web sites handle compliance-centric concerns such as quality, privacy, and accessibility. Through its automated design, developers receive actionable findings with minimal manual effort, translating not just into better sites but also into easier compliance.