Solved

Middleware security

Posted on 2013-10-29
162 Views
Last Modified: 2013-10-31
Hi All,

I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems. We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.

Thanks.
Question by:ISS_Expert
3 Comments
 
LVL 35

Accepted Solution

by:
Gary Patterson earned 500 total points
ID: 39611425
Authentication overhead typically isn't that heavy, but encryption/decryption of high-volume data flows can have a significant performance impact - so I'll focus on the "encryption" side of the question.

When it comes to authentication and encryption, it usually isn't a "should we?" decision, but a "how do we do it?" question.  In my experience, security mandates usually come from executive management: sometimes as a response to a security breach, or due to audit recommendations or regulatory requirements.  

You can probably imagine what happens if you were the person in the organization who said "it'll be too expensive" or "it'll slow things down too much" and there is ever a breach.

Assuming that encryption is appropriate, the basic implementation steps are:

1) Determine the type and level of encryption required;
2) Determine encryption volumes (peak and average);
3) Perform capacity analysis to determine potential impact to performance; and
4) Based on capacity analysis, determine the best mechanism for providing the required additional capacity.

Performance impact varies depending on a number of factors:

1) Volume and nature of data encrypted / decrypted.
2) Encryption technology and key strength used.
3) Current CPU / memory / network utilization on the endpoint systems.

When planning for encryption, you may have to add CPU and memory capacity.  Some CPUs (Intel Xeon E5 and E7 families, AMD Bulldozer/Piledriver/Jaguar, and IBM Power 7+, for example) have AES-NI encryption capabilities built in that can significantly improve crypto performance over software-only methods.  

Some servers and network appliances also support dedicated cryptographic coprocessors that can be a cost-effective way to add high-volume crypto capabilities.  

http://www-03.ibm.com/security/cryptocards/

Encryption can also have a negative performance impact on data compression technologies used at the network level - payload compression needs to be done before encryption to be effective.

The best way to determine the potential performance cost is to do some testing in a test environment scaled to match your production environment.  

If you are in a high-volume, performance-sensitive environment, you may want to get some expert help to determine the best way to implement crypto in your environment - it generally pays for itself in all but the smallest environments.

- Gary Patterson
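The accepted answer's capacity-analysis steps (measure volume, test the crypto cost, size the hardware) and its note that payload compression only helps if it happens before encryption can both be checked with a small benchmark. The following Go program is an added example written for this page; it is not code from the answer or from any middleware product. It assumes a constructed XML-style order payload standing in for a real message, a throwaway AES-256-GCM key, and an assumed peak rate of 5000 messages per second; Go's crypto/aes uses the AES-NI instructions the answer mentions when the CPU provides them, so the measured throughput reflects that acceleration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
	"strings"
	"time"
)

// sampleMessage builds a constructed, repetitive XML-style payload that stands
// in for a real middleware message; it is not taken from any product.
func sampleMessage(orders int) []byte {
	var b strings.Builder
	for i := 0; i < orders; i++ {
		fmt.Fprintf(&b, "<order id=\"%06d\"><sku>ITEM-%03d</sku><qty>%d</qty></order>\n",
			i, i%500, i%9+1)
	}
	return []byte(b.String())
}

// gzipBytes stands in for the network-level payload compression the answer mentions.
func gzipBytes(p []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(p) // writes into an in-memory buffer cannot fail
	zw.Close()
	return buf.Bytes()
}

// newGCM returns AES-256-GCM under a random throwaway key (assumption: a real
// deployment would take the key from the middleware's key management).
func newGCM() (cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // hardware AES where the CPU supports it
}

// seal encrypts one message under a counter-derived nonce (unique per message,
// as GCM requires) and returns nonce||ciphertext||tag.
func seal(aead cipher.AEAD, ctr uint64, plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], ctr)
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// CompressionRatios returns wire size / plaintext size for both orderings.
// Ciphertext looks like random bytes, so compressing after encryption gains
// nothing and usually costs a few header bytes (ratio slightly above 1).
func CompressionRatios(aead cipher.AEAD, msg []byte) (compressFirst, encryptFirst float64) {
	n := float64(len(msg))
	compressFirst = float64(len(seal(aead, 1, gzipBytes(msg)))) / n
	encryptFirst = float64(len(gzipBytes(seal(aead, 2, msg)))) / n
	return
}

// EstimateCapacity encrypts msg iters times on one core, then scales the measured
// per-message cost by the expected peak rate: the result is the fraction of one
// core (or number of cores) that encryption alone would consume at peak.
func EstimateCapacity(aead cipher.AEAD, msg []byte, peakMsgsPerSec float64, iters int) (mbps, coresAtPeak float64) {
	start := time.Now()
	for i := 0; i < iters; i++ {
		seal(aead, uint64(i), msg) // includes the per-message allocation, as a real client would pay
	}
	elapsed := time.Since(start).Seconds()
	if iters <= 0 || elapsed <= 0 {
		return 0, 0 // benchmark too short to measure
	}
	perMsg := elapsed / float64(iters)
	mbps = float64(len(msg)) / perMsg / (1 << 20)
	coresAtPeak = perMsg * peakMsgsPerSec
	return
}

func main() {
	aead, err := newGCM()
	if err != nil {
		panic(err)
	}
	msg := sampleMessage(2000) // roughly 118 KB of constructed payload
	cf, ef := CompressionRatios(aead, msg)
	fmt.Printf("compress-then-encrypt %.2fx, encrypt-then-compress %.2fx\n", cf, ef)
	mbps, cores := EstimateCapacity(aead, msg, 5000, 2000) // assumed peak: 5000 msg/s
	fmt.Printf("%.0f MB/s per core; peak load needs %.2f cores for encryption\n", mbps, cores)
}
```

Run it on the same CPU class as the production endpoints with a captured sample of real messages in place of sampleMessage and the measured peak and average rates in place of the assumed 5000 msg/s; the "cores at peak" figure is the extra CPU capacity the answer's step 4 has to provide, and the two ratios show why compression has to sit before the encryption layer in the pipeline.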
 
LVL 1

Author Closing Comment

by:ISS_Expert
ID: 39613365
Great answer. Thanks. You were spot-on about audit observation :)
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 39614043
Happy to help.  A couple of additional responses:

I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems.

Yes, best practice is to secure all application and data flows, internally and externally.  Far more serious security breaches originate from inside organizations than from outside.

We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.

There is a cost to implementing and maintaining good security.  Security is about mitigating risk.  

The potential costs of a serious breach can be huge.

Depending on the type of organization, costs can result from fines, contract penalties, customer dissatisfaction, legal costs, loss of reputation, loss of business, direct financial losses from theft or fraud, loss of trade secrets, loss of client account information, costs of investigations and forensic examination of compromised systems, costs of containing and mitigating a breach, breach-related crisis management, and more.  

You haven't mentioned what type of organization you represent, but in certain types of organizations the potential costs of a serious breach (from inside or from outside) are extremely high: banking, insurance, credit card processing, healthcare, defense contractors, etc.   I've seen cases where small businesses struggled to remain in business after a serious breach, and where large companies spent millions of dollars as a result of a breach.

Part of the job of any executive responsible for security is to determine the risks, determine the appropriate level of expenditure for risk mitigation, and determine the appropriate measures to take to mitigate those risks to an acceptable level.  It is always a balancing act, since there is no such thing as "complete security".  

Part of the role of auditors is to detect and document potential security vulnerabilities, so that management can evaluate the risks associated with each vulnerability and determine how to best mitigate them.