
Building a Secure Environment
Security isn't just about firewalls anymore. Paul Patrick, BEA Systems' chief security architect, talks about maintaining security in complex infrastructures
by Steve Gillmor

December 17, 2004

We've all seen the headlines and experienced the pain: virus and denial of service attacks, worm intrusions, data unavailable, changed, deleted, and stolen. How have the needs for Java security changed, and what can be done to make sure that our mission-critical, even life-saving, applications keep their integrity? Find out what Paul Patrick, BEA Systems' chief security architect, thinks and what he's doing to protect your applications, your companies, and your government.


Weblogic Pro: What was the basic message of your keynote for the Java Pro Live! conference?

Paul Patrick: I focused on the "Changing Faces of Security in Java Application." At the big-picture level, we have seen Java move from being a developer-driven kind of adoption process into mainstream applications, so we now have core applications running business, running proportions of our government, involved in intelligence gathering, and things like that—functions that are now mainstream and based on this stuff.

But if you look at these environments, one of the key issues that starts to come up in these environments is that going mainstream means a shift from just focusing on how to make developers productive to focusing on the operational aspects. Those operational aspects include things like diagnostics and monitoring, configuration, scalability, and in particular, security. This is becoming more prevalent especially as we find more applications having to be in compliance with regulations such as HIPAA, Sarbanes-Oxley, and accreditations such as NIAP Common Criteria and DCID 6/3.

We find that people are beginning to understand the issues associated with insider attacks. The old approach—just placing the application behind a firewall—is changing. The other big issue is really that these applications are no longer just about e-commerce. We are now putting these applications in highly sensitive environments, and therefore they need to be prepared to live in these kinds of environments and deal with the kind of security requirements that come from those environments. We are finding that there is a growing synergy rather than conflict around security requirements, between applications in the federal government and some of those found in several commercial markets, especially those with a focus on privacy.

Java Moves Forward
Weblogic Pro: What is the impact for a developer who has been along for the Java ride since the beginning? Is this a real stepping-off point into a different ecology, or is this an iterative process of building robustness into an architecture that developers are already familiar with?

Patrick: I think it is a little bit of both. In the first case, if you think about Java, the J2EE model went down a really good path with regard to getting the application developer out of writing security code in the middle of business logic. That was a key concept that they realized—the idea of getting policy out of the application code itself and into the deployment descriptors so that an assembler and an administrator can begin to manipulate this. So the impact on the developer is rather minimal, but the problem is that we start looking at these environments and we start looking at some of the requirements.



