Sunday, March 23, 2008

Passportgate: what would you do about it?

The current Passportgate scandal in the US involving the unauthorized access to the passport files of the three presidential candidates got me thinking about information security in enterprise applications particularly records and content management systems.

Ensuring information security requires a multidimensional approach based on technology, process, policy, and governance. Technology alone is not the answer. However, since this is a technology-oriented blog, I will focus only on the state of the art in securing Java EE applications particularly in the open source space.

From a technology standpoint, I see at least four potential issues: authentication, authorization/access control, audit trail, and business process.

Spring Security (formally Acegi) has demonstrated its strength for both authentication and authorization in Spring-based portal and content/record management applications. Spring AOP (Aspect-Oriented Programming) provides an elegant and simple solution for audit trails in such systems.

JBoss jBPM is a robust BPM engine that meets the requirements for workflow and enterprise business process orchestration between applications, services, and people.

The eXtensible Access Control Markup Language (XACML) is an OASIS standard for specifying access control policies in XML. XACML is not currently widely used in content/record management systems. One explanation is that XACML has been designed to provide access control for new services such as web services in service-oriented architectures (SOA). XACML would be challenging to use for document-level security in content repositories that have a hierarchical structure (e.g. JSR 170/283 repository model) and demand sophisticated caching for scalable and rapid access to massive amounts of content.

However, my favorite XML database (eXist) has an elegant implementation of XACML for controlling access to resources such as XQuery modules and Java methods, proving once again that Open Source is ahead in terms of innovation in the software industry.

No comments: