ID and the triple-A challenge of mashup security

The loose coupling of data drawn from different systems is one of the enduring appeals of mashups. However, what if some of that data needs to be handled securely, or it is necessary to log in to some or all of the data feeds? What if the mashup as a whole represents some form of sensitive system - now security is an issue.

Last time I looked at the technical challenges facing development of mashups. Now, it's time to turn to the security issues you'll need to consider when building enterprise-oriented mashups.

The most important questions the enterprise-based mashup developer must consider are:

• Security of the communications medium
• User identity and authentication
• Authorization
• Auditing

Let's take these individually.

Secure communications

Sensitive data is likely to require confidentiality (that is, encryption) in any application, and you must take care not put it at risk when you mash it with other sources. Of course there are protocols available that allow for encryption of data from SSL and HTTPS through to custom encryption implementations.

Mashups are complicated because data is provided by different sources using different technologies, meaning a single encryption method is unlikely to be suitable. For example, many mashups rely on the use of web-service standards, but these could be augmented by other protocols such as RSS data feeds, RMI and REST. In a further twist to the complexity, web services have an emerging set of security standards such as WS-Security, WS-SecureConversation and WS-Trust that are at varying degrees of completion and commercialization. The WS-* family are also increasingly seen as a rather inflexible way of building web services compared to architectures like REST.

User identity and authentication

The concept of identity and the authentication of that identity are typical concerns for enterprise systems. For distributed applications a common approach is to adopt some form of single sign-on model. In this model a user logs in once to a system and then each system they access beyond this can confirm that the user is already logged in. This is usually achieved via some form of ticket provided to the user session on initial log in and this ticket can then be checked with a central server by each subsequent system. There are numerous single sign-on systems available (such as CA's SiteMinder) and APIs to access them (such as the Java Authentication and Authorization Service).

In such scenarios all the systems that need authentication work together to represent a single security domain - in the mashup world, this may or may not be the situation. Of course, developers will (and have) found ways around this but if the mashup holds appropriate (possibly hard coded) security details for each system accessed then this in itself represents a security concern.

Authorization

Authentication is one thing, but what about authorization? This relates to the confirmation that a user of a service has the right to perform the operation being selected. Such access control rights information may be held in a repository like an LDAP-based directory or in a priority system that, once the application has authenticated the user, can check to see they are allowed to access the specific data they have requested. This may be an issue for enterprise mashups as the data source could come from outside.

Auditing

Finally, in many enterprise systems you will find people talk about the triple As of security - AAA. The first two - authentication and authorization - we have covered. Equally important and challenging in the mashup is the third - auditing. Auditing comes when the enterprise wants to know who did what to what, and what information they used. Again, as the systems being used may come from outside the control of the enterprise, auditing may not be possible.

Think first, then mash

Mashups are already moving into the corporate domain particularly within the information worker arena, thanks to applications and middleware from BEA Systems, IBM, Microsoft and Oracle among others. However, if corporates adopt mashup technologies for a wider range of applications then security will be an issue at some point. The key take away here is not that the issues I've raised can't be resolved, but they need to be considered right at the start of any mashup development, and not assumed or tacked on as the application progresses.®