IT security: Taking a bite out of development?

Security and freedom of movement have always been at odds with each other, and that is especially true when it comes to access control. The one-two punch of the Nimda and Code Red viruses in the weeks after the 9-11 terrorist attacks reminded us of how vulnerable IT systems are to viruses, worms and hacker attacks. Just imagine the panic that could have ensued if a 9-11 event coincided with a lethal denial of service (DoS) onslaught that shut down Internet communications.

Not surprisingly, increased security and vigilance have become popular strategies, both in government and private industry. As the U.S. has adopted new measures to fingerprint foreign visitors, many in the IT community are calling for measures that would fingerprint any requests for passage through enterprise firewalls.

The evolution of information technology architectures from mainframe to PC, client/server and the Internet has obviously been in the direction of making systems more open. However, at the system admin level, the more gateways that open up to internal or external systems, the greater the need for antivirus tools, firewalls, identity management and other access control measures. The emergence of Web services, which could further expose enterprise applications, makes access control more important than ever.

But could the push for security crimp application development? In a perfect world, developers are eager to expand rather than regulate access to the software they are creating. As system administrators grow leery about adding new functionality that could expose enterprise systems further, developers worry that new security measures might hamper their ability to innovate.

To business users, who fund the development of new systems, the situation could degenerate into a good cop/bad cop scenario where what one cop promises, the other threatens to restrict or take away.

With the goal of promoting world peace or its equivalent within the IT organization, wouldn't it be great if the technology that manages and secures assets could be more effectively linked to the services the infrastructure provides without raining on application development parades? And wouldn't it be even greater if there was a way to show that all this delivers tangible results on the bottom line -- which is what drives IT investments these days, anyway?

Vendors of systems management tools are taking the first step, recasting their consoles and capabilities to do more than simply make IT systems work better or lock bad people out. They are speaking of management tools that transform enterprise IT backbones into engines that can better respond to an organization's business needs by provisioning new capacity on demand, aligning system-level functions such as transaction processing to specific business functions or services, and managing service levels for business processes depending on how important they are to the company.

That still leaves open the question of access or identity management. Maybe, as part of a next-generation management console, an identity management solution could prioritize access to different classes of users based on their roles. That would fit nicely into the idea of making the IT infrastructure more responsive.

But what happens when developers deploy a new portal that seeks to make user access more intuitive? At first glance, there does not seem to be any problem with the notion of pairing more intuitive information gateways with even more vigilant access control.

The problem is who is doing the access control and where. While directory-based systems are usually the domain of systems administrators, portals are typically developer tools. The problem arises because many portals also sport their own user databases or rules engines for governing access, thereby trespassing into the domain of the enterprise directory.

As one of the few vendors offering directory, identity management and portal technologies, Novell is attempting to consolidate access control by adding Web services integration between the various pieces. It is a nice idea as far as it goes, but it does not solve the problem of directory proliferation. Under these conditions, the best that one could hope for is that both sides of the IT organization have regular meetings, and maybe even have mechanisms for replicating user profile data into app or Web-facing systems maintained by developers.

Jaded observers can only conclude that this is just another example of why single sign-on remains the Holy Grail of enterprise computing.

About the Author

Tony Baer is principal with onStrategies, a New York-based consulting firm, and editor of Computer Finance, a monthly journal on IT economics. He can be reached via e-mail at [email protected].