ISS_Expert
asked on
Middleware security
Hi All,
I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems. We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.
Thanks.
I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems. We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Happy to help. A couple of additional responses:
I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems.
Yes, best practice is to secure all application and data flows, internally and externally. Far more serious security breaches originate from inside organizations than from outside.
We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.
There is a cost to implementing and maintaining good security. Security is about mitigating risk.
The potential costs of a serious breach can be huge.
Depending on the type of organization, costs can result from fines, contract penalties, customer dissatisfaction, legal costs, loss of reputation, loss of business, direct financial losses from theft or fraud, loss of trade secrets, loss of client account information, costs of investigations and forensic examination of compromised systems, costs of containing and mitigating a breach, breach-related crisis management, and more.
You haven't mentioned what type of organization you represent, but in certain types of organizations the potential costs of a serious breach (from inside or from outside) are extremely high: banking, insurance, credit card processing, healthcare, defense contractors, etc. I've seen cases where small businesses struggled to remain in business after a serious breach, and where large companies spent millions of dollars as a result of a breach.
Part of the job of any executive responsible for security is to determine the risks, determine the appropriate level of expenditure for risk mitigation, and determine the appropriate measures to take to mitigate those risks to an acceptable level. It is always a balancing act, since there is no such thing as "complete security".
Part of the role of auditors is to detect and document potential security vulnerabilities, so that management can evaluate the risks associated with each vulnerability and determine how to best mitigate them.
I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems.
Yes, best practice is to secure all application and data flows, internally and externally. Far more serious security breaches originate from inside organizations than from outside.
We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.
There is a cost to implementing and maintaining good security. Security is about mitigating risk.
The potential costs of a serious breach can be huge.
Depending on the type of organization, costs can result from fines, contract penalties, customer dissatisfaction, legal costs, loss of reputation, loss of business, direct financial losses from theft or fraud, loss of trade secrets, loss of client account information, costs of investigations and forensic examination of compromised systems, costs of containing and mitigating a breach, breach-related crisis management, and more.
You haven't mentioned what type of organization you represent, but in certain types of organizations the potential costs of a serious breach (from inside or from outside) are extremely high: banking, insurance, credit card processing, healthcare, defense contractors, etc. I've seen cases where small businesses struggled to remain in business after a serious breach, and where large companies spent millions of dollars as a result of a breach.
Part of the job of any executive responsible for security is to determine the risks, determine the appropriate level of expenditure for risk mitigation, and determine the appropriate measures to take to mitigate those risks to an acceptable level. It is always a balancing act, since there is no such thing as "complete security".
Part of the role of auditors is to detect and document potential security vulnerabilities, so that management can evaluate the risks associated with each vulnerability and determine how to best mitigate them.
ASKER