Web services gateway solution offers security, compliance benefits

By Linda Tucci, Senior News Writer 09 Jan 2008 | SearchCIO.com

IT news and analysis for CIOs Digg This!     StumbleUpon     Del.icio.us

The same can be said about the traditional border model of security.

More on Web services How to make Web services secure Panel taps Web services, Linux, RFID as emerging technologies

"Because of the way people are doing business, the traditional perimeter security concept is losing efficiency," said Michel Emelianoff, vice president of enterprise security activities at Alcatel-Lucent, which provides hardware, software and services to the telecommunications industry.

While readily acknowledging its newcomer status as a security player, Alcatel-Lucent is hoping to leverage its expertise in providing secure IP telephony products as well as its combined research operations to exploit the enterprise trend toward deperimeterization security. Alcatel bought out Lucent in December 2006.

The Paris-based company recently debuted its Alcatel-Lucent OmniAccess 8550 Web Services Gateway. The product is billed as the industry's first network appliance that allows controlled access to sensitive information across multiple IT systems. The network solution can support and secure automated business processes while ensuring regulatory compliance, the company promises. Thus, it secures sensitive corporate information from misuse and ensures its availability when and where it's needed.

"We have seen a shift in the type of concerns that CIOs have. It used to be about keeping the bad stuff out of the network -- trying to prevent threats and malware from getting into the network," Emelianoff said. "Now it is evolving to getting more control over what a user can and cannot do over the network, from traditional security to proactive security."

The OmniAccess 8550, which starts at $125,000, sits in the network and inspects every message coming out of a very small pinhole that is created in the private data store to determine if that information can go out. A company looking to secure internal business processes would put this appliance in its data center. Another appliance would be added to the network's demilitarized zone to securely automate business partners.

Security blanket

Advocate Health Care in Oak Brook, Ill., agreed to test the 8550 product. The organization is moving toward allowing some 40,000 users in its identity management system access to information through Web services, said Eric Kinzle, technical specialist at Advocate Health Care.

The fact that many applications of many stripes can talk to one another without a great amount of trouble is "a great thing and very bad thing," in Kinzle's view. That's especially true in health care, where the need to both protect and share data is of paramount importance.

"The great thing is that you can get data from all these applications that you couldn't get before. But you also open up the security nightmare that other people can get all that data," Kinzle said.

The concept of a single network gateway for authenticating roles fit nicely with Advocate's infrastructure. The health care organization, which includes more than a dozen hospitals, uses Sun Microsystems Inc.'s Portal Server for all its Web-based traffic. "Everyone is funneled through the one gateway, gets authenticated and passed through to the application they are allowed to use," Kinzle said.

We're removing the weak link. Eric Kinzle technical specialist, Advocate Health Care

The appeal of the 8550 is the potential for a single gateway in a Web services environment, he said. Kinzle likens the setup to the difference between a collection of houses, each with its own access point and individual security standard, and a condo development with a guard at the front gate. "What this does is put a security code at the front gate, so when you walk in you have to tell the guard who you are there to see," Kinzle said.

The system can instantaneously stop unauthorized visitors from reaching applications. A visitor may still be refused access to the application of choice because he or she doesn't have the right credentials, but now the system has a record of that person trying to access it. "It allows one blanket of security, regardless of how everybody else does it," Kinzle said. "All it takes is one weak link to make your corporate environment vulnerable. We're removing the weak link."

The automated device also eliminates other kinds of back and forth. Doctors trying to access data talk only to the gateway. When they log in, they see only the applications they're allowed to see. Authorization to access other applications can be added, but the old way of calling the hospital or faxing for permission is handled automatically through the 8550, Kinzle said.

Kinzle stressed that Advocate Health Care is not endorsing the product or yet chosen it for use, but the organization is pretty much set on adopting this type of technology as it moves to Web services. "Right now our Web services is small, but we have had a large influx of different departments wanting to go that way, and we want to be ahead of the curve in getting the security under control."

Nascent market

Andrew Jaquith, program manager of security research at Boston-based Yankee Group Research Inc., said Alcatel-Lucent's 8550 product is an "important foray" for a company not known as a security vendor. "This plays to some of their strengths, in terms of high throughput and Web services and the things they have had experience with," Jaquith said.

The challenge is not the viability of the product, which Jaquith said he likes, but how effectively Alcatel-Lucent can persuade buyers to use it.

"This is a something of a nascent market, so they will have to make the return on investment case, rather than just the architectural argument they seem to be making," he said.

Nascent though it is, the market also has competitors, including DataPower, now owned by IBM, and Dublin, Ireland-based Vordel Ltd., both of which have more experience in the field. Vordel's product also offers two styles of Web services -- Simple Object Access Protocol, the "expensive and elegant" standard driven by companies like IBM and Microsoft, and representational state transfer, the "cheap and cheerful" stripped-down style espoused by people like Tim Bray, director of Web technologies at Sun.

But Jaquith said he generally views the product as a "positive step" for Alcatel-Lucent. "They have clients that are clearly asking for it," he said. "They are looking to make a mark with it in the health care space, and clearly there is a market for it. The more the merrier."

Tags: Enterprise SOA and Web services,  Enterprise information security management,  Enterprise network management,  Tools and Technologies: Keep risks at bay,  Tools and Technologies: Data protection software and systems,  Compliance strategies and best practices,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Enterprise SOA and Web services The art of a SOA implementation: Design for the future SOA implementation evolves from open source to Oracle SOA suite Six ways to fail with your SOA implementation Wary of public cloud, CIO builds private cloud and transition plan BPM guide: Business process management best practices for CIOs A move to cloud computing should involve SOA and BPM BPM software: How to find fast ROI on smaller projects How BPM and SOA work together for business process improvement SOA governance: How and why to build it into your SOA initiative SOA success stories involve business process management Enterprise information security management Talking swine flu and Conficker with the CIO of the CDC Network access control: Security advice for enterprise CIOs Evaluating network access control: NAC policy enforcement matters Enterprise risk management quiz for CIOs Network access control now addresses multiple needs Enterprise risk management solutions for CIOs Gartner: Future IT security jobs to focus on risk management strategy Avoiding gotchas of security tools and global data privacy laws Security standards to help manage compliance for those federal funds Information security and IT governance guides for CIOs Enterprise network management Data recovery solutions must address a range of concerns Network access control: Security advice for enterprise CIOs Evaluating network access control: NAC policy enforcement matters Network access control now addresses multiple needs For network access control, this shop chose Microsoft NAP; here's why Network access control case studies show varied options Network access control: A hybrid approach Appliance-based network access control keeps university network secure Network access control evaluation tips: NAC systems insights for CIOs More CIOs consider IT managed services to deal with new technologies

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary