The Security Middleware Solution

As I wrote this article I found that many of the people who discussed middleware had different interpretations of what it means. This lack of cohesion impacts a discussion not only of middleware, but also of security middleware, which is a new subcategory of middleware some companies have begun to tout. To sort through the muddle, we can consider some different definitions of middleware and security middleware to determine their most accurate meanings, and we can look at some product offerings and their relevant uses today.

What Is Middleware?
"Middleware is hard to define," said Jon Callas, CTO, CSO of the PGP Corporation, "and I'm sure that there are people who would gladly describe one system as middleware, while other people would bristle at the same system being described as it. However, I view middleware as a software system that does not touch either the end user or the backend system. Companies like Tibco, BEA, SAP, and Peoplesoft all usually count as middleware."

IWay Software recently announced a partnership with Software House, part of Tyco Fire & Security's Access Control and Video System business. The companies are providing a solution that links enterprise applications with access control systems. The integration is called C*CURE Enterprise Adapter and will integrate business data into Software House's C*CURE 800 access control and integrated security management system.

IWay spokesman Gregory McGrath emphasized that iWay's products are middleware, but not security middleware. "[IWay's] approach is to be agnostic in regards to security. IWay supports and complements the security provided at any middleware layer. IWay provides a flexible security infrastructure that integrates and leverages existing sub-systems-including the operating system, DBMS, and Web-level security-provides application-level security, and supports custom security implementation."

The simple definition: Middleware is software that connects two or more separate applications across local area networks (LANs) or the Internet.

Bearing in mind these various definitions we have to conclude that to some extent, middleware is found in every client/server environment and is used with all sizes of applications. Some form of middleware is involved whenever a client sends a request to a server or an application to download data from a database. Middleware mediates the client/server link and smooths out the incompatibilities between communications protocols, applications logic, database query languages and hardware operating systems.

Existing middleware can be divided into seven service categories: data management services, communications services, distribution services, object management services, application co-operation services, presentation services and system management services.

Security Considerations
Initially, within all of these categories of middleware, developers needed to build in security that included authentication, authorization and encryption.

Modern networked environments are much more complicated than the old data center, where putting a lock or a keypad on the doors was sufficient to safeguard the equipment and the data. Present-day users need to be concerned about access management, virus attacks, data integrity and transaction security. There's an obvious trend towards central control geared at introducing security procedures covering the enterprise. This trend is the result of such factors as the growth of inter-enterprise communication, the explosive growth of the Internet and the increased use of single sign-on procedures.

Middleware developers need to be aware of the scope of security within the evolving network infrastructure and the emerging structure of network security standards. They need to understand where middleware and security overlap. To gain this awareness, developers must monitor security strategies to assess their impact on the performance of middleware and ensure that enterprise-wide security strategies encompass middleware.

The increased recognition of security concerns regarding middleware has spawned a specialized type of product known as security middleware. A growing number of vendors are getting actively involved in this software market.

Security Middleware Providers

  • V-ONE Corporation coined the term security middleware when it first introduced its SmartGATE product in 1996. SmartGATE uses RSA encryption to provide application-level security for Internet and IP communications over intranets and extranets. It works well with all major firewalls and offers users mutual and two-factor authentication, strong data encryption, server-driven access control, audit logging, and on-line registration. Flexible and easy to manage, this VPN application-level security is partnered with IBM and has been extremely successful over the past eight years.
  • IBM has achieved significant brand recognition with its Tivoli suite, a comprehensive line of products for performance and availability management, configuration and operations management, storage management, z/OS and OS/390 management, and security management that includes security for access management, identity management, single sign-on, and user administration. Customers rate the Tivoli products highly for convenience, scalability, reliability and application transparency, and average for deployment and maintenance.
  • Funk Software uses RADIUS, the Remote Authentication Dial-in User Service, in its RADIUS/AAA Server. RADIUS, a de facto industry standard, is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or server. Since RADIUS allows a company to maintain user profiles in a central database that all remote servers can share, it allows a company to set up a policy that can be applied at a single administered network point. It also provides ease of tracking for network statistics and billing purposes.
  • SSH Security Communications calls its Tectia solution Managed Security Middleware. It defines MSM as managing the SSH Tectia and Secure Shell environment, providing strong encryption and authentication, and lying between applications and infrastructure. According to Byron Rashed, senior marketing manager for SSH, "It's still a challenge to have a security system that is truly manageable, scalable and easy to deploy. However, at SSH we feel that we have come up with software that does these things relatively easily ... there's no need to modify the existing infrastructure or the application. Since SSH Tectia is a standards-based solution that lies on the application layer, supports almost every popular OS and is a de-facto standard in the industry, it has been designed to be placed into almost any infrastructure with ease."
  • Daniel Schrader, director of product marketing and security strategy for FaceTime Communications, said, "We enable safe, compliant use of instant messaging. IM is big, insecure, and requires a specialized layer to ensure that it is not opening a huge backdoor into your corporate network. So, one could say that we provide a 'middle' layer between the desktop and the network egress point that maps IDs to buddy names, applies policies, blocks/records/logs IM and P2P use as policy dictates and scans traffic for malicious code."
  • PocketServer International, LLC is a developer of secure middleware, data management and personal identity protection technology for banks, retailers and other institutions that issue smart cards. In 2004 PocketServer announced it would integrate Siber Systems RoboForm Web form-filling technology into the PocketServer smart card digital wallet, which carries an individual's digital identity. This will allow seamless integration of high-security smart card data with fully automated Web-based transactions. According to Dan Wright, CEO of PocketServer, the combination of PocketServer and RoboForm will "make online transactions more secure and more convenient at the same time. It allows smart card issuers to further enhance e-commerce automation and security, and increase their brand market value."

Many vendors that develop and market biometric products now refer to and/or list their software as secure middleware because it allows for the integration of various authentication technologies with smart cards, PKI and other security infrastructures, but this definition of their products is still open to interpretation.

Justifying the Buy
Functionally, middleware is software that eases the step-by-step process of migrating from a centralized legacy system to a client/server system; offers tools to help an incremental evolution process; and allows small parts of the system to be re-engineered and rewritten without affecting the rest of the system. Middleware offers the possibility to develop or implement the client applications in a client/server environment independent from the server applications. Using this method it's possible to avoid critical downtime of systems during the development of new client applications.

Using middleware allows client/server applications to sit on different hardware and software platforms. This allows old hardware and software to be reused and combined with new technologies. In many cases, though, either the middleware, the applications or the infrastructure would need some modification.

Can security middleware be cost effective and cost justified? According to SSH's Rashed, "Middleware is definitely cost effective. Deploying, updating, patching and maintaining can be a heavy burden on IT resources. Middleware reduces that burden by making any deployments, updates, etc. fairly easy. This saves valuable resources and other deployment costs while being able to service clients in an efficient and transparent manner."

Dan Schrader from FaceTime Communications stated, "The Wall Street Journal says that IM is the fastest-growing form of IP communications ever. According to Osterman Research, over 90 percent of enterprises have users accessing IM, and according to the Yankee Group there will be 350 million Enterprise IM users on a WW basis by 2005. The Gartner Group even says that by 2006 IM will usurp e-mail as the preferred method of communication." If any and/or all of these statements prove true, then security middleware takes on an increasingly important role in industry and society.

Security Middleware's Future
What will the future hold? The optimum vision for middleware is that it will allow applications, services and information to flow over the network and be transparent to the user. With secure/security middleware, in addition to facilitating the information flow, the user will be authenticated, the data integrity maintained, there will be ease of deployment, and there will be a reasonable ability to audit network security events in a centralized and standardized manner. The reality is that many problems still exist in regard to security middleware and its use.

While distributed computing may work well intra-company, due to intellectual property considerations, many companies will not share inter-application communications. Also, although middleware services deployed across industry and educational institutions verify students' electronic identities, permit remote access to libraries, and deliver streamed-video classroom content, there have been security problems. Trusting open standards for authentication, information sharing and privacy management has allowed unwanted intrusions and virus contamination that have resulted in serious downtime of systems and networks with contamination and loss of data.

Additionally, while secure middleware makes it much easier and more cost effective to maintain a single system in a large corporation where they conference their suppliers and distributors onto a common platform, this doesn't always successfully apply to smaller distributors and suppliers. Although the smaller suppliers and distributors do frequently invest in the necessary infrastructure on their end, because of the need for modifications to existing infrastructure or applications, they end up maintaining multiple expensive systems, which is costly and time-consuming.

Just as definitions of middleware and security middleware differ among industry experts, there is room for standardization of the definition and refinement of the products. According to SSH's Rashed, "Middleware is still being defined, and more vendors are moving to resolve application/system management issues, so it is a growing product group." How fast and large the security middleware product group will grow is yet to be determined and will surely be influenced by specific security needs.

D.E. Levine, CISSP, CFE, FBCI, CPS is a regular contributor to ST&D and co-author of several security books. She can be can be reached by e-mail at