Thoughts from the Integration Consortium:
The Importance of Security to Mitigate Risk

By Integration Consortium, online columnist
Column published in DMReview.com, February 3, 2005

DM Review would like to thank Matthew Polly, manager of product marketing for Informatica Corporation, for contributing this month's column.

As identity theft and malicious hackers grow in strength and numbers while regulatory mandates become increasingly rigorous, the security of sensitive information reaches critical status. Integration often involves the movement and manipulation of sensitive financial information, customer records (including Social Security numbers, addresses and credit cards) as well as transactional information. While the importance of security is unquestioned, it remains inadequate or elusive.

How do organizations avoid the compromised position of unsecure data when integrating data between systems during data warehousing, data migration, system consolidation or synchronization projects? There are four major components of security that an organization should consider when initiating a project to integrate sensitive information: authentication, authorization, auditability and data protection.

Authentication

Authentication determines a user's identity, as well as what data and services the user is authorized to access. The most common form of authentication is a user name and password. In many organizations, each application requires its own authentication. Because enterprises often have a large number of systems running different operating systems, database servers and other services, many users have multiple accounts on different systems. This diversity makes it difficult for users to remember their passwords and, more important, makes system administration more difficult and prone to errors that can cause security gaps.

The Lightweight Directory Access Protocol (LDAP) defines the interactions between the individual directories of users created by each operating system, application and so on to allow the organization to maintain a global directory service for all IT systems and centralize the management of the system security. The many commercially available LDAP services include Novell eDirectory Server, SunOne iPlanet Directory Server and Microsoft Active Directory. To provide the highest level of security, therefore, a data integration service needs to support LDAP.

Authorization

Once a user is authenticated, security solutions typically authorize that user to perform different types of operations within the application. Authorization is necessary because organizations do not want all users to have equal access privileges. For example, a CFO may need to access all aspects of the corporate financial system, while a line manager has more limited access requirements.

Yet in many systems today, privileges are not finely tuned; authorization is often very narrow or very broad. All systems provide a super user or administrator who has full access to the operating system structures and can alter file systems, change the priority of jobs, terminate other users' jobs and grant or revoke privileges of ordinary users. Ordinary users are authorized to a very narrow scope of operations, such as creating files, modifying files or reading another user's file if that user has granted access beforehand.

If an ordinary user requires an additional privilege - for example, altering the priority of all jobs currently running in the system - the only way some systems can accommodate this requirement is by granting the super user privilege.

Fine-grained, privilege-based authorization allows organizations to tune permissions to specific access requirements by managing access control in terms of privileges and permissions. Privileges specify the operations a user can perform and permissions specify the objects a user can access.

Such a system should organize users into groups and allow administrators to assign privileges to individual users as well as to groups. A user's privileges consist of the privileges assigned to the user and the privileges assigned to the user's group. Thus, a data integration service with fine-grained access control can authorize certain users to perform only a certain set of actions and to access only certain objects.

Audit Trail

Many industries, such as financial services, are required to record and understand the operations performed in every IT system. Detailed recording and audit capabilities that automatically log all administrative and user operations allow organizations to detect and pinpoint unauthorized access and subsequent loss or fraud and to quickly address these intrusions.
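The privilege and permission model from the Authorization section, combined with the automatic logging described here, can be sketched as follows. This is an added example, not code from the column or from any product; the class names, the `authorize` function and the sample users, operations and objects are all hypothetical, and it assumes a request is allowed only when the user holds both the privilege for the operation and the permission for the object.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Principal:
    name: str
    privileges: set = field(default_factory=set)   # operations allowed
    permissions: set = field(default_factory=set)  # objects accessible

@dataclass
class User(Principal):
    groups: list = field(default_factory=list)

    def effective(self, attr):
        # The user's own grants plus those of every group the user belongs to.
        return getattr(self, attr).union(*(getattr(g, attr) for g in self.groups))

AUDIT_LOG = []  # in-memory stand-in for an append-only audit store

def authorize(user, operation, obj):
    """Allow only when the user holds both the privilege and the permission."""
    allowed = (operation in user.effective("privileges")
               and obj in user.effective("permissions"))
    AUDIT_LOG.append({  # every decision is recorded, allowed or not
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.name, "operation": operation, "object": obj,
        "decision": "ALLOW" if allowed else "DENY",
    })
    return allowed

def denied_attempts(log):
    """Audit review step: list the attempts that were refused."""
    return [(e["user"], e["operation"], e["object"])
            for e in log if e["decision"] == "DENY"]

# Constructed sample data: an ordinary user gains one extra privilege
# through a group instead of being made a super user.
operators = Principal("operators", {"alter_job_priority"}, {"job_queue"})
manager = User("line_manager", {"read"}, {"sales_mart"}, [operators])

if __name__ == "__main__":
    print(authorize(manager, "alter_job_priority", "job_queue"))
    print(authorize(manager, "read", "general_ledger"))
    print(authorize(manager, "terminate_job", "job_queue"))
    print(denied_attempts(AUDIT_LOG))
```

The group grant gives the line manager the single job-priority privilege the column uses as its example, while the two refused requests remain visible in the audit log for review.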

Data Protection over the WAN

When a data integration solution moves data over a WAN, a malicious user can sniff the data and gain insight into the data - or even alter it. To protect against viewing and corruption of data as it passes over the WAN, the system must encrypt data, rendering it virtually unreadable without the appropriate decoding key.

Support for digital signing and digital certificates ensures the highest level of security. Digital signatures are a cryptographic method of communication that authenticates transactions taking place over the Internet. Digital certificates authenticate the sender, provide the sender with a means to send an encrypted message and provide the receiver with the means to encode a reply. If the data is altered outside the company firewall, the checks will automatically detect the violation and deny validation of the data.

The word secure comes from Latin words meaning "without care." Security once translated to mean "mistakenly overconfident." Unfortunately, that archaic meaning is still applicable to many so-called secure systems today. Because integration projects and integration software move data both within and outside the corporate firewall, they can leave organizations vulnerable to unlawful or unintentional access. By requiring authentication, authorization, auditability and data protection in your projects, your systems, your processes and your software, you can mitigate the risk of compromised data and help make your critical data assets safer and more valuable.

Matthew Polly is manager of product marketing for Informatica, where he leads the initiatives for various product solutions. Prior to joining Informatica in 2002, Polly was a strategy consultant for the systems integrator, Idea Integration, where he developed engagement, product and technology deployment strategies for customers in various verticals, including financial services, semiconductor, telecom and energy.


The Integration Consortium is a non-profit, leading industry body responsible for influencing the direction of the integration industry. Its members champion Integration Acumen by establishing standards, guidelines, best practices, research and the articulation of strategic and measurable business benefits. The Integration Consortium's motto is "Forging Integration Value." The mission of the member-driven Integration Consortium is to establish universal seamless integration which engages industry stakeholders from the business and technology community. Among the sectors represented in the Integration Consortium membership are end-user corporations, independent software vendors (ISVs), hardware vendors, system integrators, academic institutions, non-profit institutions and individual members as well as various industry leaders. Information on the Integration Consortium is available at www.integrationconsortium.org or via e-mail at info@integrationconsortium.org.

SourceMedia (c) 2006 DM Review and SourceMedia, Inc. All rights reserved.