Middleware security

Posted on 2013-10-29
Last Modified: 2013-10-31
Hi All,

I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems. We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.

Question by: ISS_Expert

Accepted Solution

Gary Patterson earned 500 total points
ID: 39611425
Authentication overhead typically isn't that heavy, but encryption/decryption of high-volume data flows can have a significant performance impact - so I'll focus on the "encryption" side of the question.

When it comes to authentication and encryption, it usually isn't a "should we?" decision, but a "how do we do it?" question.  In my experience, security mandates usually come from executive management: sometimes as response to a security breach, or due to audit recommendations or regulatory requirements.  

You can probably imagine what happens to the person in the organization who said "it'll be too expensive" or "it'll slow things down too much" if there is ever a breach.

Assuming that encryption is appropriate, the basic implementation steps are:

1) Determine the type and level of encryption required;
2) Determine encryption volumes (peak and average);
3) Perform capacity analysis to determine potential impact to performance; and
4) Based on capacity analysis, determine the best mechanism for providing the required additional capacity.

Performance impact varies depending on a number of factors:

1) Volume and nature of data encrypted / decrypted.
2) Encryption technology and key strength used.
3) Current CPU / memory / network utilization on the endpoint systems.

When planning for encryption, you may have to add CPU and memory capacity.  Some CPUs (Intel Xeon E5 and E7 families, AMD Bulldozer/Piledriver/Jaguar, and IBM Power 7+, for example) have AES-NI encryption capabilities built in that can significantly improve crypto performance over software-only methods.  

Some servers and network appliances also support dedicated cryptographic coprocessors that can be a cost-effective way to add high-volume crypto capabilities.

Encryption can also have a negative performance impact on data compression technologies used at the network level - payload compression needs to be done before encryption to be effective.

The best way to determine the potential performance cost is to do some testing in a test environment scaled to match your production environment.  

If you are in a high-volume, performance sensitive environment, you may want to get some expert help to determine the best way to implement crypto in your environment - it generally pays for itself in all but the smallest environments.

- Gary Patterson
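The Go program below is an added example, not code from Gary Patterson's answer or from any of the middleware products the question names. It puts numbers behind two points in the answer: steps 2 to 4 of the implementation list (measure single-core AES-256-GCM throughput on the box at hand, then turn planned peak and average volumes into cores occupied and CPU-seconds per day), and the note that payload compression has to run before encryption to do anything. Go's standard-library AES uses AES-NI or the equivalent instructions when the CPU has them, so the measured rate reflects the hardware-acceleration point as well. The daily and peak volumes, the sample order record, and every function name are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// mustRandom returns n bytes from the OS RNG and panics if it is unavailable,
// a condition under which no encryption should be happening anyway.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newAEAD returns AES-256-GCM under a throwaway random key; a real deployment
// loads the key from the middleware's keystore instead.
func newAEAD() cipher.AEAD {
	block, err := aes.NewCipher(mustRandom(32))
	if err != nil {
		panic(err) // only a wrong key length can fail here
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// encrypt seals plaintext under a fresh random nonce and returns
// nonce || ciphertext || tag, which is 28 bytes longer than the input.
func encrypt(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// gzipBytes compresses data at gzip's default level; writing to an in-memory
// buffer cannot fail, so an error here would be a programming bug.
func gzipBytes(data []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	if _, err := w.Write(data); err != nil {
		panic(err)
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// compareOrders returns the on-the-wire size of the same plaintext when it is
// compressed then encrypted, and when it is encrypted then compressed. GCM
// output looks random, so the second order cannot shrink it and gzip's framing
// actually makes it a little larger.
func compareOrders(plaintext []byte) (compressThenEncrypt, encryptThenCompress int) {
	aead := newAEAD()
	return len(encrypt(aead, gzipBytes(plaintext))), len(gzipBytes(encrypt(aead, plaintext)))
}

// measureThroughput encrypts iterations messages of msgSize bytes on one
// goroutine and returns the observed rate in bytes per second (step 3).
func measureThroughput(aead cipher.AEAD, msgSize, iterations int) float64 {
	msg := bytes.Repeat([]byte{'A'}, msgSize)
	start := time.Now()
	for i := 0; i < iterations; i++ {
		encrypt(aead, msg)
	}
	return float64(msgSize*iterations) / time.Since(start).Seconds()
}

// sizing turns the measured single-core rate and the step 2 volumes into the
// step 4 numbers: cores encryption alone occupies at peak, and CPU-seconds it
// consumes over an average day.
func sizing(measuredBytesPerSec, peakBytesPerSec, avgBytesPerDay float64) (coresAtPeak, cpuSecondsPerDay float64) {
	return peakBytesPerSec / measuredBytesPerSec, avgBytesPerDay / measuredBytesPerSec
}

// sampleMessages builds a constructed, repetitive payload of the kind
// middleware queues carry (records with repeated field names).
func sampleMessages(n int) []byte {
	rec := []byte(`{"orderId":12345,"status":"SHIPPED","warehouse":"DC-01"}` + "\n")
	return bytes.Repeat(rec, n)
}

func main() {
	rate := measureThroughput(newAEAD(), 1<<20, 64)
	cores, cpuSec := sizing(rate, 50<<20, 200<<30) // constructed: 50 MiB/s peak, 200 GiB per day
	fmt.Printf("AES-256-GCM, one core: %.0f MiB/s; %.2f cores at peak; %.0f CPU-s per day\n",
		rate/(1<<20), cores, cpuSec)
	pt := sampleMessages(2000)
	ce, ec := compareOrders(pt)
	fmt.Printf("plaintext %d B; compress-then-encrypt %d B; encrypt-then-compress %d B\n", len(pt), ce, ec)
}
```

Run it on a host of the same CPU generation as the middleware servers, not on a workstation: the presence or absence of AES instructions moves the rate by an order of magnitude, which is the whole reason the answer lists the CPU families. The figure covers the cipher alone; TLS handshakes, record framing and the broker's own serialization come on top, so treat the result as a floor and confirm it in the scaled test environment the answer recommends. One caveat on the ordering point: compressing attacker-influenced fields in the same message as secrets leaks information about the secrets through the compressed length (the CRIME and BREACH class of attacks), so keep untrusted input out of the compressed block or leave that particular flow uncompressed.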

Author Closing Comment

ID: 39613365
Great answer. Thanks. You were spot-on about audit observation :)

Expert Comment

by: Gary Patterson
ID: 39614043
Happy to help.  A couple of additional responses:

I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems.

Yes, best practice is to secure all application and data flows, internally and externally.  Far more serious security breaches originate from inside organizations than from outside.

We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.

There is a cost to implementing and maintaining good security.  Security is about mitigating risk.  

The potential costs of a serious breach can be huge.

Depending on the type of organization, costs can result from fines, contract penalties, customer dissatisfaction, legal costs, loss of reputation, loss of business, direct financial losses from theft or fraud, loss of trade secrets, loss of client account information, costs of investigations and forensic examination of compromised systems, costs of containing and mitigating a breach, breach-related crisis management, and more.  

You haven't mentioned what type of organization you represent, but in certain types of organizations the potential costs of a serious breach (from inside or from outside) are extremely high: banking, insurance, credit card processing, healthcare, defense contractors, etc.   I've seen cases where small businesses struggled to remain in business after a serious breach, and where large companies spent millions of dollars as a result of a breach.

Part of the job of any executive responsible for security is to determine the risks, determine the appropriate level of expenditure for risk mitigation, and determine the appropriate measures to take to mitigate those risks to an acceptable level.  It is always a balancing act, since there is no such thing as "complete security".  

Part of the role of auditors is to detect and document potential security vulnerabilities, so that management can evaluate the risks associated with each vulnerability and determine how to best mitigate them.
