The Security Middleware Solution

Security middleware comes in many forms. What can it do, and how can it be used?


As I wrote this article I found that many of the people who discussed middleware had different interpretations of what it means. This lack of cohesion impacts a discussion not only of middleware, but also of security middleware, which is a new subcategory of middleware some companies have begun to tout. To sort through the muddle, we can consider some different definitions of middleware and security middleware to determine their most accurate meanings, and we can look at some product offerings and their relevant uses today.

What Is Middleware?
"Middleware is hard to define," said Jon Callas, CTO and CSO of the PGP Corporation, "and I'm sure that there are people who would gladly describe one system as middleware, while other people would bristle at the same system being described as it. However, I view middleware as a software system that does not touch either the end user or the backend system. Companies like Tibco, BEA, SAP, and Peoplesoft all usually count as middleware."

IWay Software recently announced a partnership with Software House, part of Tyco Fire & Security's Access Control and Video System business. The companies are providing a solution that links enterprise applications with access control systems. The integration is called C*CURE Enterprise Adapter and will integrate business data into Software House's C*CURE 800 access control and integrated security management system.

IWay spokesman Gregory McGrath emphasized that iWay's products are middleware, but not security middleware. "[IWay's] approach is to be agnostic in regards to security. IWay supports and complements the security provided at any middleware layer. IWay provides a flexible security infrastructure that integrates and leverages existing sub-systems (including the operating system, DBMS, and Web-level security), provides application-level security, and supports custom security implementation."

The simple definition: Middleware is software that connects two or more separate applications across local area networks (LANs) or the Internet.

Bearing in mind these various definitions, we have to conclude that, to some extent, middleware is found in every client/server environment and is used with applications of all sizes. Some form of middleware is involved whenever a client sends a request to a server or an application downloads data from a database. Middleware mediates the client/server link and smooths out the incompatibilities between communications protocols, application logic, database query languages, and hardware and operating systems.

Existing middleware can be divided into seven service categories: data management services, communications services, distribution services, object management services, application co-operation services, presentation services and system management services.

Security Considerations
Initially, within all of these categories of middleware, developers needed to build in security that included authentication, authorization and encryption.

Modern networked environments are much more complicated than the old data center, where putting a lock or a keypad on the doors was sufficient to safeguard the equipment and the data. Present-day users need to be concerned about access management, virus attacks, data integrity and transaction security. There is an obvious trend toward central control, aimed at introducing security procedures that cover the whole enterprise. This trend is the result of such factors as the growth of inter-enterprise communication, the explosive growth of the Internet and the increased use of single sign-on procedures.

Middleware developers need to be aware of the scope of security within the evolving network infrastructure and the emerging structure of network security standards. They need to understand where middleware and security overlap. To gain this awareness, developers must monitor security strategies to assess their impact on the performance of middleware and ensure that enterprise-wide security strategies encompass middleware.
