Web services gateway solution offers security, compliance benefits
By Linda Tucci, Senior News Writer
09 Jan 2008 | SearchCIO.com
In a marketplace where the workforce is mobile and workplaces are distributed, the traditional boundaries of the corporation are evolving -- if not already obsolete.
The same can be said about the traditional border model of security.
"Because of the way people are doing business, the traditional perimeter security concept is losing efficiency," said Michel Emelianoff, vice president of enterprise security activities at Alcatel-Lucent, which provides hardware, software and services to the telecommunications industry.
While readily acknowledging its newcomer status as a security player, Alcatel-Lucent is hoping to leverage its expertise in providing secure IP telephony products as well as its combined research operations to exploit the enterprise trend toward deperimeterization security. Alcatel bought out Lucent in December 2006.
The Paris-based company recently debuted its Alcatel-Lucent OmniAccess 8550 Web Services Gateway. The product is billed as the industry's first network appliance that allows controlled access to sensitive information across multiple IT systems. The network solution can support and secure automated business processes while ensuring regulatory compliance, the company promises. Thus, it secures sensitive corporate information from misuse and ensures its availability when and where it's needed.
"We have seen a shift in the type of concerns that CIOs have. It used to be about keeping the bad stuff out of the network -- trying to prevent threats and malware from getting into the network," Emelianoff said. "Now it is evolving to getting more control over what a user can and cannot do over the network, from traditional security to proactive security."
The OmniAccess 8550, which starts at $125,000, sits in the network and inspects every message coming out of a very small pinhole that is created in the private data store to determine if that information can go out. A company looking to secure internal business processes would put this appliance in its data center. Another appliance would be added to the network's demilitarized zone to securely automate business partners.
Advocate Health Care in Oak Brook, Ill., agreed to test the 8550 product. The organization is moving toward allowing some 40,000 users in its identity management system access to information through Web services, said Eric Kinzle, technical specialist at Advocate Health Care.
The fact that many applications of many stripes can talk to one another without a great amount of trouble is "a great thing and very bad thing," in Kinzle's view. That's especially true in health care, where the need to both protect and share data is of paramount importance.
"The great thing is that you can get data from all these applications that you couldn't get before. But you also open up the security nightmare that other people can get all that data," Kinzle said.
The concept of a single network gateway for authenticating roles fit nicely with Advocate's infrastructure. The health care organization, which includes more than a dozen hospitals, uses Sun Microsystems Inc.'s Portal Server for all its Web-based traffic. "Everyone is funneled through the one gateway, gets authenticated and passed through to the application they are allowed to use," Kinzle said.
The appeal of the 8550 is the potential for a single gateway in a Web services environment, he said. Kinzle likens the setup to the difference between a collection of houses, each with its own access point and individual security standard, and a condo development with a guard at the front gate. "What this does is put a security code at the front gate, so when you walk in you have to tell the guard who you are there to see," Kinzle said.
The system can instantaneously stop unauthorized visitors from reaching applications. A visitor may still be refused access to the application of choice because he or she doesn't have the right credentials, but now the system has a record of that person trying to access it. "It allows one blanket of security, regardless of how everybody else does it," Kinzle said. "All it takes is one weak link to make your corporate environment vulnerable. We're removing the weak link."
The automated device also eliminates other kinds of back and forth. Doctors trying to access data talk only to the gateway. When they log in, they see only the applications they're allowed to see. Authorization to access other applications can be added, but the old way of calling the hospital or faxing for permission is handled automatically through the 8550, Kinzle said.
Kinzle stressed that Advocate Health Care is not endorsing the product and has not yet chosen it for use, but the organization is pretty much set on adopting this type of technology as it moves to Web services. "Right now our Web services is small, but we have had a large influx of different departments wanting to go that way, and we want to be ahead of the curve in getting the security under control."
Andrew Jaquith, program manager of security research at Boston-based Yankee Group Research Inc., said Alcatel-Lucent's 8550 product is an "important foray" for a company not known as a security vendor. "This plays to some of their strengths, in terms of high throughput and Web services and the things they have had experience with," Jaquith said.
The challenge is not the viability of the product, which Jaquith said he likes, but how effectively Alcatel-Lucent can persuade buyers to use it.
"This is something of a nascent market, so they will have to make the return on investment case, rather than just the architectural argument they seem to be making," he said.
Nascent though it is, the market also has competitors, including DataPower, now owned by IBM, and Dublin, Ireland-based Vordel Ltd., both of which have more experience in the field. Vordel's product also offers two styles of Web services -- Simple Object Access Protocol, the "expensive and elegant" standard driven by companies like IBM and Microsoft, and representational state transfer, the "cheap and cheerful" stripped-down style espoused by people like Tim Bray, director of Web technologies at Sun.
But Jaquith said he generally views the product as a "positive step" for Alcatel-Lucent. "They have clients that are clearly asking for it," he said. "They are looking to make a mark with it in the health care space, and clearly there is a market for it. The more the merrier."