Middleware security

Hi All,

I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, WebSphere, etc.) traffic in internal systems. We keep hearing that the downsides (performance degradation, modifications required in applications, etc.) outweigh the benefits.

Gary Patterson, VP Technology / Senior Consultant, Commented:
Authentication overhead typically isn't that heavy, but encryption/decryption of high-volume data flows can have a significant performance impact - so I'll focus on the "encryption" side of the question.

When it comes to authentication and encryption, it usually isn't a "should we?" decision, but a "how do we do it?" question. In my experience, security mandates usually come from executive management: sometimes as a response to a security breach, or due to audit recommendations or regulatory requirements.

You can probably imagine what happens if you were the person in the organization that said "it'll be too expensive" or "it'll slow things down too much" if there is ever a breach.

Assuming that encryption is appropriate, the basic implementation steps are:

1) Determine the type and level of encryption required;
2) Determine encryption volumes (peak and average);
3) Perform capacity analysis to determine potential impact to performance; and
4) Based on capacity analysis, determine the best mechanism for providing the required additional capacity.

Performance impact varies depending on a number of factors:

1) Volume and nature of data encrypted / decrypted.
2) Encryption technology and key strength used.
3) Current CPU / memory / network utilization on the endpoint systems.

When planning for encryption, you may have to add CPU and memory capacity.  Some CPUs (Intel Xeon E5 and E7 families, AMD Bulldozer/Piledriver/Jaguar, and IBM Power 7+, for example) have AES-NI encryption capabilities built in that can significantly improve crypto performance over software-only methods.  

Some servers and network appliances also support dedicated cryptographic coprocessors that can be a cost-effective way to add high-volume crypto capabilities.  


Encryption can also have a negative performance impact on data compression technologies used at the network level - payload compression needs to be done before encryption to be effective.

The best way to determine the potential performance cost is to do some testing in a test environment scaled to match your production environment.  

If you are in a high-volume, performance sensitive environment, you may want to get some expert help to determine the best way to implement crypto in your environment - it generally pays for itself in all but the smallest environments.

- Gary Patterson
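
The compression-ordering point in the answer above, as an added example that is not part of the original post: it compares bytes on the wire when a message batch is compressed before encryption versus after. The cipher is a stand-in keystream built from SHA-256 so the script needs only the standard library, and the payload, key and nonce are constructed sample values.

```python
import hashlib
import json
import zlib

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter-mode keystream.
    Illustration only; it models ciphertext that looks random, as real
    ciphers produce. Use a vetted AEAD such as AES-GCM in practice."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def sample_payload(n_records: int = 500) -> bytes:
    """Constructed sample: a repetitive JSON batch, typical of message traffic."""
    records = [{"orderId": 100000 + i, "status": "SHIPPED",
                "currency": "USD", "warehouse": "EAST-01"}
               for i in range(n_records)]
    return json.dumps(records).encode()

def wire_sizes(payload: bytes, key: bytes, nonce: bytes) -> dict:
    """Bytes sent on the wire for each ordering of the two steps."""
    compress_then_encrypt = keystream_xor(key, nonce, zlib.compress(payload))
    encrypt_then_compress = zlib.compress(keystream_xor(key, nonce, payload))
    return {"plaintext": len(payload),
            "compress_then_encrypt": len(compress_then_encrypt),
            "encrypt_then_compress": len(encrypt_then_compress)}

def roundtrip(payload: bytes, key: bytes, nonce: bytes) -> bytes:
    """Receiver side of the correct ordering: decrypt first, then decompress."""
    wire = keystream_xor(key, nonce, zlib.compress(payload))
    return zlib.decompress(keystream_xor(key, nonce, wire))

if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 12   # constructed demo values, not real keys
    data = sample_payload()
    for name, size in wire_sizes(data, key, nonce).items():
        print(f"{name:24s} {size:7d} bytes")
    assert roundtrip(data, key, nonce) == data
```

Compressing before encrypting makes ciphertext length depend on message content, so avoid it where attacker-influenced data shares a message with secrets (the length side channel behind CRIME and BREACH).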
ISS_Expert (Author) Commented:
Great answer. Thanks. You were spot-on about audit observation :)
Gary Patterson, VP Technology / Senior Consultant, Commented:
Happy to help.  A couple of additional responses:

> I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, WebSphere, etc.) traffic in internal systems.

Yes, best practice is to secure all application and data flows, internally and externally.  Far more serious security breaches originate from inside organizations than from outside.

> We keep hearing that the downsides (performance degradation, modifications required in applications, etc.) outweigh the benefits.

There is a cost to implementing and maintaining good security.  Security is about mitigating risk.  

The potential costs of a serious breach can be huge.

Depending on the type of organization, costs can result from fines, contract penalties, customer dissatisfaction, legal costs, loss of reputation, loss of business, direct financial losses from theft or fraud, loss of trade secrets, loss of client account information, costs of investigations and forensic examination of compromised systems, costs of containing and mitigating a breach, breach-related crisis management, and more.  

You haven't mentioned what type of organization you represent, but in certain types of organizations the potential costs of a serious breach (from inside or from outside) are extremely high: banking, insurance, credit card processing, healthcare, defense contractors, etc.   I've seen cases where small businesses struggled to remain in business after a serious breach, and where large companies spent millions of dollars as a result of a breach.

Part of the job of any executive responsible for security is to determine the risks, determine the appropriate level of expenditure for risk mitigation, and determine the appropriate measures to take to mitigate those risks to an acceptable level.  It is always a balancing act, since there is no such thing as "complete security".  

Part of the role of auditors is to detect and document potential security vulnerabilities, so that management can evaluate the risks associated with each vulnerability and determine how to best mitigate them.
Question has a verified solution.
