Middleware security

Posted on 2013-10-29
Medium Priority
Last Modified: 2013-10-31
Hi All,

I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems. We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.

Question by:ISS_Expert
LVL 35

Accepted Solution

Gary Patterson earned 2000 total points
ID: 39611425
Authentication overhead typically isn't that heavy, but encryption/decryption of high-volume data flows can have a significant performance impact - so I'll focus on the "encryption" side of the question.

When it comes to authentication and encryption, it usually isn't a "should we?" decision, but a "how do we do it?" question.  In my experience, security mandates usually come from executive management: sometimes as a response to a security breach, or due to audit recommendations or regulatory requirements.  

You can probably imagine what happens if you were the person in the organization that said "it'll be too expensive" or "it'll slow things down too much" if there is ever a breach.

Assuming that encryption is appropriate, the basic implementation steps are:

1) Determine the type and level of encryption required;
2) Determine encryption volumes (peak and average);
3) Perform capacity analysis to determine potential impact to performance; and
4) Based on capacity analysis, determine the best mechanism for providing the required additional capacity.

Performance impact varies depending on a number of factors:

1) Volume and nature of data encrypted / decrypted.
2) Encryption technology and key strength used.
3) Current CPU / memory / network utilization on the endpoint systems.

When planning for encryption, you may have to add CPU and memory capacity.  Some CPUs (Intel Xeon E5 and E7 families, AMD Bulldozer/Piledriver/Jaguar, and IBM Power 7+, for example) have AES-NI encryption capabilities built in that can significantly improve crypto performance over software-only methods.  

Some servers and network appliances also support dedicated cryptographic coprocessors that can be a cost-effective way to add high-volume crypto capabilities.  


Encryption can also have a negative performance impact on data compression technologies used at the network level - payload compression needs to be done before encryption to be effective.

The best way to determine the potential performance cost is to do some testing in a test environment scaled to match your production environment.  

If you are in a high-volume, performance sensitive environment, you may want to get some expert help to determine the best way to implement crypto in your environment - it generally pays for itself in all but the smallest environments.

- Gary Patterson
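The capacity analysis described in steps 2 to 4 above, worked through as an added example (this is not code from the original answer or from any middleware vendor). The flow volumes, per-core cipher throughput and current utilisation are constructed assumptions; in practice they come from your own measurements on the endpoint hardware in a test environment.

```python
"""Capacity estimate for adding encryption to internal middleware flows.

Added example: volumes (peak and average) -> projected CPU utilisation ->
cores to add. Every number in the scenarios below is a constructed
assumption, not a measurement; replace it with figures measured on your
own endpoints (e.g. `openssl speed` for the chosen cipher on that CPU).
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Flow:
    name: str
    avg_mbps: float   # average payload volume, MB/s
    peak_mbps: float  # peak payload volume, MB/s


@dataclass(frozen=True)
class Endpoint:
    cores: int
    cpu_util: float               # current utilisation, fraction of all cores (0..1)
    crypto_mbps_per_core: float   # measured cipher throughput of one core, MB/s


def crypto_core_equiv(volume_mbps: float, ep: Endpoint) -> float:
    """Number of cores kept fully busy encrypting/decrypting `volume_mbps`."""
    if ep.crypto_mbps_per_core <= 0:
        raise ValueError("per-core throughput must be positive")
    return volume_mbps / ep.crypto_mbps_per_core


def plan(flows, ep: Endpoint, target_util: float = 0.70) -> dict:
    """Project utilisation at average and peak volume; size extra cores for peak."""
    avg = sum(f.avg_mbps for f in flows)
    peak = sum(f.peak_mbps for f in flows)
    util_avg = ep.cpu_util + crypto_core_equiv(avg, ep) / ep.cores
    util_peak = ep.cpu_util + crypto_core_equiv(peak, ep) / ep.cores
    # Cores busy today plus cores spent on crypto at peak, held under the target ceiling.
    busy_at_peak = ep.cpu_util * ep.cores + crypto_core_equiv(peak, ep)
    cores_needed = math.ceil(busy_at_peak / target_util)
    return {"avg_volume_mbps": avg, "peak_volume_mbps": peak,
            "util_avg": util_avg, "util_peak": util_peak,
            "fits": util_peak <= target_util,
            "cores_to_add": max(0, cores_needed - ep.cores)}


# Constructed scenario: two flows on an 8-core endpoint already 55% busy.
FLOWS = [Flow("order feed", avg_mbps=20, peak_mbps=80),
         Flow("settlement batch", avg_mbps=5, peak_mbps=120)]
SOFTWARE_AES = Endpoint(cores=8, cpu_util=0.55, crypto_mbps_per_core=150)   # assumed
AES_NI = Endpoint(cores=8, cpu_util=0.55, crypto_mbps_per_core=2000)        # assumed

if __name__ == "__main__":
    for label, ep in (("software AES", SOFTWARE_AES), ("AES-NI", AES_NI)):
        print(label, plan(FLOWS, ep))
```

The same function can be run once per endpoint and per candidate cipher to compare the software-only and hardware-assisted cases before choosing how to add capacity.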

Author Closing Comment

ID: 39613365
Great answer. Thanks. You were spot-on about audit observation :)
LVL 35

Expert Comment

by:Gary Patterson
ID: 39614043
Happy to help.  A couple of additional responses:

I would like to know if it is a good practice to implement security (authentication & encryption) for middleware (TIBCO, Websphere, etc) traffic in internal systems.

Yes, best practice is to secure all application and data flows, internally and externally.  Far more serious security breaches originate from inside organizations than from outside.

We keep hearing that the downsides (performance degradation, modifications required in applications, etc) outweigh the benefits.

There is a cost to implementing and maintaining good security.  Security is about mitigating risk.  

The potential costs of a serious breach can be huge.

Depending on the type of organization, costs can result from fines, contract penalties, customer dissatisfaction, legal costs, loss of reputation, loss of business, direct financial losses from theft or fraud, loss of trade secrets, loss of client account information, costs of investigations and forensic examination of compromised systems, costs of containing and mitigating a breach, breach-related crisis management, and more.  

You haven't mentioned what type of organization you represent, but in certain types of organizations the potential costs of a serious breach (from inside or from outside) are extremely high: banking, insurance, credit card processing, healthcare, defense contractors, etc.   I've seen cases where small businesses struggled to remain in business after a serious breach, and where large companies spent millions of dollars as a result of a breach.

Part of the job of any executive responsible for security is to determine the risks, determine the appropriate level of expenditure for risk mitigation, and determine the appropriate measures to take to mitigate those risks to an acceptable level.  It is always a balancing act, since there is no such thing as "complete security".  

Part of the role of auditors is to detect and document potential security vulnerabilities, so that management can evaluate the risks associated with each vulnerability and determine how to best mitigate them.
