Thursday, January 21, 2010

Topic of 2010: Policy Lifecycle Management

2009 was the year of “security for the cloud”. No doubt people will keep beating that horse well into this decade. If you are looking for some good, practical thoughts on the subject, Josh wrote a very good post on Fusion Middleware Security, multi-tenancy, and a WLS-based platform as a service. You can find it here: http://fusionsecurity.blogspot.com/2009/11/cloud-security-for-paas-and-saas-use.html

So, with that being said, I’m here to declare to you that “Policy Lifecycle Management” is the security topic for 2010. So, what exactly do I mean?

Applications are increasingly externalizing their security-related functionality, moving it out of application code and into specialized tools and the middleware platforms they are built on. In general this is a great trend with many benefits. However, it has led to a proliferation of security policies in an application's platform, all of which have to be maintained and kept in sync with the application itself as the application changes and migrates through its own lifecycle.

For applications built on Fusion Middleware you potentially have:

1) JSF Policies (Java security)
2) OAM Policies (web access)
3) OWSM and/or WLS WS Policies (web services security)
4) OES Policies (entitlements and authorization)
5) OAAM Policies (authentication and fraud detection)

This is just off the top of my head; I’m sure there might be more.

All these policies have to stay in sync with the applications they support as those applications move through their own lifecycle: being built, changed, and tested, and moving through different deployment environments (Dev, QA, staging, production), etc.

Increasingly, this is a challenge that the largest and best shops are dealing with. So, if that includes you, don’t feel bad, you’re in good company :)
