Archive for June, 2007

Security model for RCP applications

June 30th, 2007

Thick client-based business applications require rigid security regulations where different classes of users receive a predetermined set of access rights. This article explains how to build a flexible security model for Rich-Client Platform (RCP) applications by leveraging features provided by the Eclipse platform.

Importance of RCP in applications

Controlling access to workbench contributions and SWT controls is important in RCP applications. Developers must hide workbench contributions and user controls based on the user’s role. However, Eclipse provides relatively little support for security features developers often need. This security framework example will control the functions presented to the user.

Role of Eclipse

Eclipse provides the org.eclipse.ui.activities extension point as a mechanism to control group-related UI functions. An Activity is a logical set of identifiers. Identifiers represent functionality and could represent, for example, a view or editor preference page, among other things. An activity is enabled when its functionality is available to the user. Conversely, an activity is hidden when an identifier is disabled. An activity can require one or more other activities, which means that enabling one activity enables all the activities it depends on. An activity can also be grouped into one or more categories for presentation to the user.
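An added example (not code from the original article) of how a role can drive the activities mechanism described above: the plugin.xml fragment in the leading comment declares two activities with a requirement binding, and the class enables only the activities mapped to the logged-in user's roles. The class name `RoleActivityFilter`, the role names and every `com.example.rcp.*` id are hypothetical.

```java
// Added example: role-driven activity enablement for an RCP application.
// Hypothetical names: RoleActivityFilter, the role names, and all
// "com.example.rcp.*" ids. Assumed plugin.xml declarations:
//
//   <extension point="org.eclipse.ui.activities">
//     <activity id="com.example.rcp.activity.view"  name="View records"/>
//     <activity id="com.example.rcp.activity.admin" name="Administration"/>
//     <!-- admin requires view: enabling admin also enables view -->
//     <activityRequirementBinding
//         activityId="com.example.rcp.activity.admin"
//         requiredActivityId="com.example.rcp.activity.view"/>
//     <!-- identifiers have the form "<plugin id>/<contribution id>" -->
//     <activityPatternBinding
//         activityId="com.example.rcp.activity.admin"
//         pattern="com\.example\.rcp/.*\.admin\..*"/>
//   </extension>
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.eclipse.ui.PlatformUI;
import org.eclipse.ui.activities.IActivityManager;
import org.eclipse.ui.activities.IWorkbenchActivitySupport;

public final class RoleActivityFilter {
    private static final String PREFIX = "com.example.rcp.activity.";

    // Role-to-activity policy; a role that is not listed grants nothing.
    private static final Map<String, Set<String>> ROLE_ACTIVITIES = Map.of(
        "clerk", Set.of(PREFIX + "view"),
        "administrator", Set.of(PREFIX + "admin"));

    private RoleActivityFilter() {}

    /** Call on the UI thread after login, e.g. from WorkbenchAdvisor.postStartup(). */
    public static Set<String> applyRoles(Set<String> userRoles) {
        IWorkbenchActivitySupport support =
            PlatformUI.getWorkbench().getActivitySupport();
        IActivityManager manager = support.getActivityManager();

        Set<String> wanted = new HashSet<>();
        for (String role : userRoles) {
            wanted.addAll(ROLE_ACTIVITIES.getOrDefault(role, Set.of()));
        }
        // Drop ids that no plug-in defines, so a typo in the policy table
        // cannot silently enable something unexpected later.
        wanted.retainAll(manager.getDefinedActivityIds());

        // Replaces the whole enabled set: contributions bound to any activity
        // missing from the set are filtered out of the workbench UI.
        support.setEnabledActivityIds(wanted);

        // Activities only filter what the workbench shows; repeat the
        // authorization check where the operation actually executes.
        return Set.copyOf(manager.getEnabledActivityIds());
    }
}
```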

Computer security Systems

Business security

Building security into the underlying standards defining the Network

June 30th, 2007

Sun believes in security through openness. Security standards should be open to being created, tested, analyzed and challenged by a huge community of intelligent programmers, developers and security experts.

Sun announced support for leading security and identity open standards efforts, demonstrating its continued commitment to building security into the underlying standards defining the Network.

  • OASIS PKI Action Plan: Today, with Sun’s strong participation and endorsement, the OASIS Public Key Infrastructure (PKI) Technical Committee released its PKI Action Plan. The OASIS PKI Action Plan calls for clear and specific guidelines for using PKI in the most relevant application types (document signing, secure email, and electronic commerce); interoperability testing; improved educational materials; best practices and other measures to reduce cost; and outreach to software application vendors to increase PKI implementation. Sun is proud to support expansion of PKI, an important security technology used in many widely deployed standards (such as SSL and IPSEC) to secure network connections.
  • Liberty Alliance: Sun strongly endorses the Liberty Alliance announcement of its mobile business guidelines, the first set of vertically oriented business guidelines, outlining near-term market opportunities and business requirements for federated identity deployments in the mobile space. Federated identity, which securely links and manages identity information among different systems, has particular application to the mobile industry.

Networking security

Java Card technology is one of the best secure authentication technologies for trust

June 30th, 2007

Java Card technology is one of the best secure authentication technologies for trust, privacy and verification of identity on the network, deployed in over 500 million smart card and mobile phone environments around the world. Sun is building on this success and applying its expertise to the Windows environment through inclusion of Java Card technology support in its Java Desktop System and Java software systems. This model will not only secure access to the device (mobile handset, desktop or infrastructure), but access to network services, and ultimately access to and distribution of content. This guarantees authentication of the device, of the sender, and of content represented, helping reduce victimization through fraudulent Web sites, and e-mail spam and viruses.

In addition to Java Card multi-factor authentication support, the next version of Java Desktop System will include the Java Desktop System Configuration Manager, a tool for central management of user settings. This enables systems administrators to set security preferences and easily and effectively manage them across the entire enterprise.

Networking security

Three architectural pillars underscore Sun’s infinite access security model:

June 30th, 2007

Three architectural pillars underscore Sun’s infinite access security model: strong authentication, identity management, and risk management through containment.

  • Strong Authentication: multi-factor authentication assigns a verifiable identity to a user, data, application or service. Once authentication occurs, the identity management infrastructure can authorize or refuse entry to or communication with the next tier of access. Authentication opens the doors to services across many different devices and ends the need for multiple passwords and token cards.
  • Identity Management: the management of authenticated identities delivers authorization control over role-based access to data, and centralized provisioning and de-provisioning capabilities over user access to data or applications. It also enables authorization escalation, allowing the enterprise to set and enforce policy authorizing what levels of access are allowed under pre-defined levels of authentication, including federation. Federation of authentication allows single-sign-on across services and allows seamless access to multiple capabilities.
  • Containment: Strong containment and partitioning capabilities manage the risk of infinite access, allowing authenticated and centrally managed users or data to only interact with the data or application contained within a specific partition. Even if unauthorized access is achieved, the violation is restricted to a limited area of the network. Sun’s N1(tm) Grid Containers will deliver this functionality to the next version of the Solaris Operating System.

Business security

Sun’s infinite security model

June 30th, 2007

Sun’s new infinite access security model is designed to make security integrated, invisible and infinite for customers. It helps create a managed risk environment that allows access to be appropriate and acceptable to the service providers in enterprises, consumer and governmental organizations.

  • Integrated: Systems integration across physical and virtual access, infrastructure integration between enterprise and consumer services (employee lifecycle management, single-sign-on), and business integration between partners, and suppliers make the experience as seamless as possible for users, and as cost-effective and scalable as possible for providers.
  • Invisible: Security should deliver convenience with confidence. An infinite access system lets users get what they want, when they want it. It is visible enough to be comforting and allow individuals confidence in privacy, regulatory confidence in compliance, and business confidence in risk mitigation. It is invisible as much as possible so that user experience does not disrupt security policy.
  • Infinite: Everything of value is connecting to the network. And as more and more objects connect to the network, the world is accessing more resources. Sun, along with the Java community and its open standards and open source partners, is working to reveal the potential of the infinite network while enabling the up-time and social mores that protect business values. Collectively the doors to opportunity can be opened, and the windows that create risk and fear can be closed.

Business security

Benefits of security architecture in business

June 30th, 2007

Enterprise Security Architecture addresses a wide-range of issues in addition to the benefits provided by a general IT Architecture, including:

Risk-Based Cost/Benefit Effectiveness

The reduction of risk (the benefit) should be appropriate to the costs of acquisition, development, installation, administration and operation.

Enabling Business

Information security is the enabling technology of digital business.  The most valuable assets of any business are its reputation and customer confidence, assets that cannot be protected in the digital world without effective security.  Security must enable and support the fundamental business need to migrate the point of sale and the point of service into the customer premises or into their personal electronic devices.

Adding Value to Core Business

Rapid advances in Information and Communications Technology (ICT) are impacting business in very different ways, all of which require security to take a forward-thinking strategic approach:

  • Products are incorporating more and more embedded ICT systems;
  • The support of these products is very information intensive, and the supply of this support information is becoming more and more automated;
  • In many cases the exchange of information between business and customer or partner has in itself become the product.

Empowering Customers

Customer empowerment means giving the customer choices.  Understanding the concept of ‘customer service’ is critical to business success in the new economy, and service quality and information security are closely linked.  Information security practices can deeply affect perceptions of customer service.

Protecting Relationship & Leveraging Trust

Business relationships are based upon trust.  Trust is a business relationship attribute, not a technical attribute, but sound technical security systems are needed to protect the trust that exists in a relationship.

A Sound Management and Assurance Framework

The new generation of Information Systems has enormous complexity and power but with that comes a new generation of business risk.  Management of that new environment requires a sound framework of assurance throughout the lifecycle of the business system.

Governance

Recent years have seen a dramatic increase in Governance requirements for all organisations and the burden of personal liability for failure is now placed upon executives who must be able to demonstrate to legislators, regulators, and auditors that they are performing due-diligence and doing the right thing.

Compliance

A framework is required to demonstrate compliance with technical standards, government directives, and legislation.

Business security

Enterprise security architecture

June 30th, 2007

Security Architecture addresses the issues and provides all of the benefits of IT Architecture as described in the “Benefits of Architecture” section together with a broad spectrum of security and risk-specific business issues.

An Holistic Approach

“Security is only as strong as the weakest link” is a commonly-used adage when discussing information security.  Many organisations address this issue from the point of view of ensuring that no links are missing by performing check-lists of technical components: “Do we have passwords, access control, firewalls, door locks, encryption technologies, and a policy?  Oh good, then we must be secure!”

This piecemeal technically-led approach provides executive management with neither “security” nor the benefits of architecture.

Architecture takes a wider more holistic approach to solving the business problem of security by ensuring that all of the components are specifically designed, procured, engineered, and managed to work together for the benefit of the business.  It considers:

  • Do we have all of the components?
  • Do these components work together?
  • Do they form an integrated system?
  • Does the system run smoothly?
  • Are we assured that it is properly assembled?
  • Is the system properly tuned?
  • Do we operate the system correctly?
  • Do we maintain the system?

Measurable, Fit-For-Purpose Solutions

Security Architecture recognises that technological components will change over time, that business needs are dynamic, and that risk appetite varies from organisation to organisation and business unit to business unit.  Security can only be defined relative to the value and risk propositions of the business.

Security Architecture ensures that when an organisation makes a claim to be “secure” that it has understood its business needs and delivered solutions that:

  • Meet the needs of the business
  • Are fit for purpose
  • Provide measurable levels of security
  • Ensure security can be, and is being, properly managed
  • Provide demonstrable Return On Investment

Return on Investment & Return of Value

The Return on Investment for Information Security is often mistakenly described in terms of Insurance: a necessary cost required in case things go wrong.  However, just as a life insurance policy will not enable the policy-holder to live forever, designing security as an insurance-like recovery measure will not prevent security problems from occurring.  To provide a business with an effective return from security, Architecture should be designed to ensure proactive defence-in-depth coverage through resolution of vulnerabilities and reduction in potential impact across the wider spectrum of:

  • Prevention
  • Detection
  • Containment
  • Recovery

The SABSA Business Attributes taxonomy is the basis for providing users with a unique set of tools and techniques for normalising, communicating and measuring ROI and Return of Value in a meaningful and motivational manner.

Business security

Managing complexity in security business environment

June 30th, 2007

Managing Complexity

One of the key functions of ‘architecture’ as a tool of the modern business is to provide a framework within which complexity can be managed successfully.  As the size and complexity of a project grows, many designers and design influences must all work as a team to create something that has the appearance of being designed by a single ‘design authority’.

As the complexity of the business environment grows, so many business processes and support functions must all integrate seamlessly to provide effective services and management to the business, its customers and its partners.

Architecture provides a means to manage that complexity.

Providing a Framework & Road Map

Architecture also acts as a road map for a collection of smaller projects and services that must be integrated into a single homogenous whole.  It provides a framework within which many members of large design, delivery, and support teams can work harmoniously, and toward which tactical projects can be migrated.

Simplicity & Clarity through Layering & Modularisation

In the same way that conventional architecture defines the rules and standards for the design and construction of buildings, information systems architecture addresses these same issues for the design and construction of computers, communications networks and the distributed business systems that are required for the delivery of business services.

As with the conventional architecture of buildings, towns and cities, information systems architecture must therefore take account of:

  • The goals that are to be achieved through the systems;
  • The environment in which the systems will be built and used;
  • The technical capabilities of the people to construct and operate the systems and their component sub-systems.

Business Focus beyond the Technical Domain

Information systems architecture is concerned with much more than mere technical factors.  It is concerned with what the enterprise wants to achieve and with the environmental factors that will influence those achievements.

In some organisations this broad view of information systems architecture is not well understood.  Technical factors are often the main ones that influence the architecture, and under these conditions the architecture can fail to deliver what the business expects and needs.

Business security

Automated compliance

June 30th, 2007

IBM will also join the Cisco Network Admission Control (NAC) program and plans to integrate certain IBM Tivoli security management software with Cisco infrastructure products that are involved in the program. The Cisco NAC program fosters enhanced security within the network by allowing customers to examine the security status of endpoints such as PCs and servers, and automatically permit or deny endpoint access to critical network and system resources based on customers’ pre-defined corporate IT security policies. IBM’s participation in the Cisco NAC program will extend its capability to automatically examine system and application credentials and provide more effective remediation strategies for non-compliant endpoints that could otherwise pose a security threat to businesses.

Networking security

Integrated endpoint security

June 30th, 2007

Businesses can now use the embedded security chip, an IBM ThinkVantage Technology used in IBM ThinkPad notebooks and ThinkCentre desktops, to connect seamlessly and with enhanced security to both wired and wireless networks by using new Cisco virtual private network (VPN) solutions. By using encrypted authentication information stored inside computer hardware, coupled with the secure connectivity provided by VPNs, companies can help prevent unauthorized remote network access. The Cisco Security Agent will also be integrated with IBM clients and servers to help provide dynamic “day zero” network attack protection from worms and viruses that have no defined signature or defense along with the reduced need to constantly update endpoint security software.  IBM also plans to offer the Cisco Security Agent through www.ibm.com when customers purchase IBM eServer xSeries products from IBM. Together these new capabilities and availability options can cost-effectively deliver enhanced protection across networked business-critical services and resources.

Business security, Networking security

Integrated user provisioning

June 30th, 2007

New integration between the Cisco Secure Access Control Server (ACS) and IBM Tivoli® Identity Manager software can help customers reduce the costs of managing a large number of employee, business partner and customer identities, across a broad array of networked business applications.  This can reduce common security risks, such as invalid user accounts that plague an estimated 60 percent of large organizations and can lead to identity theft or intellectual capital theft.  The new integration can also decrease the time it takes to enable new employees to be productive with full access to all the appropriate applications and network infrastructure.

Business security