Solved

Middleware security

Posted on 2013-10-29
Last Modified: 2013-10-31
Hi All,

I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems. We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.

Thanks.
Question by:ISS_Expert
 
LVL 34

Accepted Solution

by: Gary Patterson earned 500 total points
ID: 39611425
Authentication overhead typically isn't that heavy, but encryption/decryption of high-volume data flows can have a significant performance impact - so I'll focus on the "encryption" side of the question.

When it comes to authentication and encryption, it usually isn't a "should we?" decision, but a "how do we do it?" question. In my experience, security mandates usually come from executive management: sometimes as a response to a security breach, or due to audit recommendations or regulatory requirements.

You can probably imagine what happens if you were the person in the organization who said "it'll be too expensive" or "it'll slow things down too much" and there is ever a breach.

Assuming that encryption is appropriate, the basic implementation steps are:

1) Determine the type and level of encryption required;
2) Determine encryption volumes (peak and average);
3) Perform capacity analysis to determine potential impact to performance; and
4) Based on capacity analysis, determine the best mechanism for providing the required additional capacity.

Performance impact varies depending on a number of factors:

1) Volume and nature of data encrypted / decrypted.
2) Encryption technology and key strength used.
3) Current CPU / memory / network utilization on the endpoint systems.

When planning for encryption, you may have to add CPU and memory capacity.  Some CPUs (Intel Xeon E5 and E7 families, AMD Bulldozer/Piledriver/Jaguar, and IBM Power 7+, for example) have AES-NI encryption capabilities built in that can significantly improve crypto performance over software-only methods.  

Some servers and network appliances also support dedicated cryptographic coprocessors that can be a cost-effective way to add high-volume crypto capabilities.  

http://www-03.ibm.com/security/cryptocards/

Encryption can also have a negative performance impact on data compression technologies used at the network level - payload compression needs to be done before encryption to be effective.

The best way to determine the potential performance cost is to do some testing in a test environment scaled to match your production environment.  

If you are in a high-volume, performance sensitive environment, you may want to get some expert help to determine the best way to implement crypto in your environment - it generally pays for itself in all but the smallest environments.

- Gary Patterson
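A worked version of steps 2 and 3 above, added here as an example and not part of Gary's answer: it measures single-core AES-256-GCM throughput on the local host using Go's standard library (which uses the CPU's AES instructions when present) and converts a constructed peak volume into a core estimate. The 4 KB message size, 20,000 messages/s peak rate and 50% headroom factor are assumed values to be replaced with your own figures.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"math"
	"time"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key; a wrong key size is an error.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// measureThroughput seals `iterations` messages of `size` bytes on one core and returns bytes/second (the measured input to step 3).
func measureThroughput(size, iterations int) (float64, error) {
	aead, err := newGCM(make([]byte, 32)) // constructed key; its value does not affect timing
	if err != nil {
		return 0, err
	}
	nonce := make([]byte, aead.NonceSize())
	msg, out := make([]byte, size), make([]byte, 0, size+aead.Overhead())
	start := time.Now()
	for i := 0; i < iterations; i++ {
		rand.Read(nonce) // a fresh nonce per message, as GCM requires
		out = aead.Seal(out[:0], nonce, msg, nil)
	}
	return float64(size*iterations) / time.Since(start).Seconds(), nil
}

// coresNeeded turns step 2's peak volume and a single-core rate into whole cores, with headroom (1.5 = 50% spare).
func coresNeeded(peakBytesPerSec, coreBytesPerSec, headroom float64) int {
	return int(math.Ceil(peakBytesPerSec / coreBytesPerSec * headroom))
}

func main() {
	// Constructed peak load: 20,000 messages/s of 4 KB each (about 82 MB/s).
	tput, err := measureThroughput(4096, 5000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("one core: %.0f MB/s; cores for peak with 50%% headroom: %d\n",
		tput/1e6, coresNeeded(20000*4096, tput, 1.5))
}
```

Run it on the actual endpoint hardware (or a host of the same CPU family) rather than a workstation, since the AES-NI point in the answer makes the result strongly CPU-dependent.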
LVL 1

Author Closing Comment

by:ISS_Expert
ID: 39613365
Great answer. Thanks. You were spot-on about audit observation :)
LVL 34

Expert Comment

by:Gary Patterson
ID: 39614043
Happy to help.  A couple of additional responses:

"I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems."

Yes, best practice is to secure all application and data flows, internally and externally.  Far more serious security breaches originate from inside organizations than from outside.

"We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits."

There is a cost to implementing and maintaining good security.  Security is about mitigating risk.  

The potential costs of a serious breach can be huge.

Depending on the type of organization, costs can result from fines, contract penalties, customer dissatisfaction, legal costs, loss of reputation, loss of business, direct financial losses from theft or fraud, loss of trade secrets, loss of client account information, costs of investigations and forensic examination of compromised systems, costs of containing and mitigating a breach, breach-related crisis management, and more.  

You haven't mentioned what type of organization you represent, but in certain types of organizations the potential costs of a serious breach (from inside or from outside) are extremely high: banking, insurance, credit card processing, healthcare, defense contractors, etc.   I've seen cases where small businesses struggled to remain in business after a serious breach, and where large companies spent millions of dollars as a result of a breach.

Part of the job of any executive responsible for security is to determine the risks, determine the appropriate level of expenditure for risk mitigation, and determine the appropriate measures to take to mitigate those risks to an acceptable level.  It is always a balancing act, since there is no such thing as "complete security".  

Part of the role of auditors is to detect and document potential security vulnerabilities, so that management can evaluate the risks associated with each vulnerability and determine how to best mitigate them.