Call 0871 871 5225 Email info@versent.co.uk
Jargon Buster

7. Portals and Security
Portals aggregate services from multiple providers and place them into organized presentations that are appropriate to their customers' workflows. The providers use multiple systems, which all have different hardware, different operating systems, and different application paradigms for managing security.

  • Single Sign On - Single Sign-On (SSO) technologies are critical to portals. In short, a portal may need to coordinate information from several web sites, data stores, XML feeds, and other transactional systems, each with its own security paradigm; SSO technology alleviates this by addressing all of them with one sign-on. Examples of vendors in this arena are Netegrity, Oblix, IBM, and Entrust.
  • Delegated Management - An evolution of single-sign-on technologies. Where SSO attempts to facilitate activity, Delegated Management systems attempt to act as a single point for managing all application- and operating-system-level security issues. Delegated Management systems will eventually replace SSO systems as they mature. Examples of vendors in this arena are Netegrity and IBM.
  • Firewalls - Firewalls are computers running software that analyzes and filters network packets and makes security decisions based upon them.
  • Intrusion Detection - Intrusion Detection software analyzes patterns of activity within a network to determine whether it is under attack.
  • Cryptography - The science of cryptography provides a mathematically rigorous means of authentication, encryption, and non-repudiation. Highly secure portals implement cryptography for all of these capabilities.
  • Access Controls - Access control systems enforce rules over lists of identities to determine whether an identity, as a member of a role or a group, may have the appropriate level of access to perform an operation against a resource. The science of computer security is a combination of access control and cryptographic technologies. All portals use access controls.
  • Authentication - Authentication has both a cryptographic form and an access control form. Cryptographic forms of authentication use a certificate-based scheme to establish identity. Access control forms are simpler; they generally use credentials such as a user-id and password.
  • Non-Repudiation - The act of proving that data has not been tampered with is called non-repudiation. The science of cryptography provides an elegant and efficient means of non-repudiation through public key technologies and cryptographic hash functions. Financial and health-care portals will benefit most from this technology.
  • Authorization - This is essentially an access control function. A portal maintains an authorization list (a.k.a. access control list) to determine the appropriate level of access that each identity has to a resource; such a system determines whether a user is authorized to act upon that resource.
  • Policy - Prior to implementing a security paradigm, an organization needs to establish a security policy. This policy outlines the business needs for security and the organizational procedures for meeting them, and is used to define access control and certificate policies.
  • Certificates - Digital Certificates are part of the X.509 standard. They are public documents, based upon Public Key Infrastructures, that provide security services such as authentication, encryption, and non-repudiation. Portals can use them to secure transactions and provide non-repudiation. From a technical standpoint, a Digital Certificate contains identity information, at least one public key from a Certificate Authority, and a public key representing the identity in question.
  • Groups - Groups are organized collections of identities. They are configured by administrative personnel and maintained on a day-to-day basis. Portals always need to manage groups; they are an economical way to manage the privacy, integrity, and appropriate accessibility of the data.
  • Roles - Roles are organized collections of capabilities. The collections of capabilities tend to be maintained by developers. Roles may have groups and/or users as members, who then have access to the capabilities the developers defined. Role memberships tend to be maintained by administrators.
  • LDAP - The Lightweight Directory Access Protocol, a common directory structure accepted throughout most of the industry. Portals use it to maintain user information and organizational information, as well as access control and cryptographic certificate information.
  • Certificate Authorities - Certificate Authorities (CAs) are arbitrators of proofs of digital identity, although they tend not to stand liable for their work. Due to this, and to the broadly based Digital Signatures Act, they have not been widely adopted. CAs can generate certificates. While there are public CAs, such as Valicert and Verisign, companies are generating their own certificates. CAs are useful to portals that provide high-value trade services or health-care services, however, as they provide a third-party mechanism for validating identity. Smaller portal applications may generate their own certificates: the Digital Signature Act allows for self-certification, and self-certified certificates are legally valid for transactions.
  • Validation Authorities - The X.509 standard is vague, and not all certificates generated by all vendors are alike. In addition, when companies exchange certificates prior to performing e-Business, the "source" company that generated the certificate is in control of its maintenance; in other words, if a source user "goes bad", the source user's company would need to revoke the certificate. A Validation Authority (VA) allows a destination company to perform a "local certificate revocation" operation, removing the need for close coordination between two companies performing cryptographically certified transactions. In addition, VAs have real-time validation capabilities, making them suited to extremely high-end, highly secure environments. Validation Authorities will be highly useful to portals that wish to provide cryptographic protections to their customers yet maintain the highest levels of both interoperability and control over their certificates.
  • Public Key Infrastructure - Public key cryptography provides elegant implementations of encryption, non-repudiation, and authentication that require a minimum of key management activity. This makes Public Key Infrastructures (PKIs) more efficient to manage than traditional symmetric key infrastructures. Portals needing cryptographic security will use PKIs.
  • Secure Sockets Layer - A standard for securing transactions through public key cryptography and X.509. It specifically provides for (two-way) authentication and encryption of information sent over a TCP/IP socket. Portals that handle financial or health-care transactions will all use SSL.
  • Secure Access Markup Language - Inspired by Netegrity, this language has been developed to facilitate a Delegated Management strategy. It contains non-repudiable transactions for managing access controls. It is expected that software vendors will embrace SAML to facilitate their own SSO (soon to be known as Delegated Management) strategies. Portals will reduce their costs in the mid-term by adopting SAML, as their integration with other security paradigms will be simpler.
  • Digital Signatures - Digital Signatures exploit the non-repudiation capabilities of PKIs to provide a cryptographic means of ensuring that data has maintained its integrity.
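The Access Controls, Authorization, Groups and Roles entries above describe one model: groups are collections of identities, roles are collections of capabilities whose members are users and/or groups, and an authorization list maps each resource and operation to the capabilities that permit it. The Python below is an added illustration of that model, not code from Versent or this page; the group, role, capability and resource names are constructed sample data, and the deny-by-default behaviour for resources with no entry is an assumption of the example.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    """A role is a collection of capabilities (defined by developers); its
    members, user ids and/or "group:<name>" entries, are kept by administrators."""
    capabilities: set[str]
    members: set[str] = field(default_factory=set)

class PortalAccessControl:
    def __init__(self) -> None:
        self.groups: dict[str, set[str]] = {}   # group name -> identities
        self.roles: dict[str, Role] = {}
        # Authorization list: resource -> operation -> capabilities that permit it.
        self.acl: dict[str, dict[str, set[str]]] = {}
    def add_group(self, name: str, identities: set[str]) -> None:
        self.groups[name] = set(identities)
    def define_role(self, name: str, capabilities: set[str]) -> None:
        self.roles[name] = Role(set(capabilities))
    def assign_role(self, role: str, member: str) -> None:
        self.roles[role].members.add(member)
    def grant(self, resource: str, operation: str, capability: str) -> None:
        self.acl.setdefault(resource, {}).setdefault(operation, set()).add(capability)

    def capabilities_of(self, identity: str) -> set[str]:
        # A capability reaches an identity directly or through any group it belongs to.
        my_groups = {f"group:{g}" for g, ids in self.groups.items() if identity in ids}
        caps: set[str] = set()
        for role in self.roles.values():
            if identity in role.members or role.members & my_groups:
                caps |= role.capabilities
        return caps

    def authorize(self, identity: str, operation: str, resource: str) -> bool:
        # Deny by default (assumption): a resource/operation with no ACL entry grants nothing.
        required = self.acl.get(resource, {}).get(operation, set())
        return bool(required & self.capabilities_of(identity))

def build_sample_portal() -> PortalAccessControl:
    """Constructed sample data: a finance group, two roles and one resource."""
    p = PortalAccessControl()
    p.add_group("finance", {"alice", "bob"})
    p.define_role("report-viewer", {"view-report"})
    p.define_role("report-publisher", {"view-report", "publish-report"})
    p.assign_role("report-viewer", "group:finance")  # a group as role member
    p.assign_role("report-publisher", "carol")       # a user as role member
    p.grant("quarterly-report", "read", "view-report")
    p.grant("quarterly-report", "write", "publish-report")
    return p
```

With this data, members of the finance group can read the quarterly report through their group's role but cannot write it, while carol, a direct member of the publisher role, can do both.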
