September 6, 2017 Cheryl Bertini

Security: Should You Code in Applications or Delegate to Gateways?


When you have a security Gateway, such as DataPower, should you continue to code security into applications?

Consider if this scenario fits your organization:

  • You have DataPower implemented in your trusted zone.
  • Your application teams are creating business services.
  • Your application teams are building authentication and authorization into their software.
  • Developers are managing certificates.
  • Occasionally, certificates expire and the developer is no longer with the company.

If yes, don’t worry! This is a pretty common situation.

So, let’s point out where you can achieve some DataPower ROI:

Move authentication and authorization to DataPower

This can be done by adding an AAA action to your DataPower proxy service (Multiprotocol Gateway or WS-Proxy). With some configuration to identify the user credentials (possibly a basic-auth header) and a pointer to your IdP (e.g., Active Directory), a few clicks are enough to have your user verified.

If you also need to verify that the user has access to your service, again, with a few clicks and some configuration of the LDAP group the user must be a member of, you can have authorization verified.
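The identify, authenticate, authorize sequence described above can be modeled in a few lines. This is an added example, not DataPower configuration or code from the original post; the in-memory directory, the group name `cn=orders-users` and all function names are constructed stand-ins for a real IdP lookup.

```python
import base64
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the identity provider (not a real LDAP/AD client).
SALT = b"constructed-salt"
DIRECTORY = {
    "alice": {"pw": _hash("correct horse", SALT), "groups": {"cn=orders-users"}},
    "bob": {"pw": _hash("p:ss:word", SALT), "groups": {"cn=hr-users"}},
}
REQUIRED_GROUP = "cn=orders-users"  # hypothetical group guarding the service

def extract_identity(headers: dict):
    """Step 1: pull (user, password) from a basic-auth header, or None."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8: treat as no credentials
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep and user else None

def authenticate(user: str, password: str) -> bool:
    """Step 2: verify the credentials against the directory."""
    entry = DIRECTORY.get(user)
    # Hash even for unknown users so timing does not reveal valid names.
    expected = entry["pw"] if entry else _hash("dummy", SALT)
    return hmac.compare_digest(_hash(password, SALT), expected) and entry is not None

def authorize(user: str) -> bool:
    """Step 3: require membership in the group that guards the service."""
    return REQUIRED_GROUP in DIRECTORY[user]["groups"]

def gateway_decision(headers: dict) -> int:
    """Return the HTTP status the gateway answers with before proxying."""
    identity = extract_identity(headers)
    if identity is None or not authenticate(*identity):
        return 401  # missing or bad credentials never reach the backend
    return 200 if authorize(identity[0]) else 403

def basic(user: str, password: str) -> dict:  # builds a constructed request header
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```

The backend service only sees requests for which `gateway_decision` returns 200, which is the separation of security from business logic the post argues for.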

Allow DataPower to validate TLS

By configuring DataPower to handle SSL, you gain 5 benefits:

  1. Your certificates are managed by DataPower, and therefore you will get notification of expirations 30 days in advance.
  2. Certificates live in one place.
  3. The application teams don’t need to make code updates for security. Instead, they can focus on business logic.
  4. DataPower has a crypto chip that will process the SSL negotiation faster, thereby reducing cycles on your application servers.
  5. Changes in security practices won’t impact your applications.

Allow DataPower to address future security changes

Security is only going to get tighter and tighter. DataPower has the capabilities to perform encryption and decryption, create digital signatures and perform verifications. By allowing DataPower to support the security needs of the application, you are in a much better position to react to changes.

Takeaway/Action Item
  • There are many ways to get more ROI out of your DataPower.
  • Have DataPower handle the security of the service so developers can spend time on business logic instead of security coding.
  • Reduce downtime by getting warned of expiring certificates in DataPower.
  • Separate security from business logic using DataPower so that security updates don’t impact your applications.