Who You Gonna Let In?
Software Magazine, Feb, 2000 by Paul Desmond
Authorization engines ensure only the right users get at your Web applications, while helping you serve up personalized content with less development time.
In September of last year, about 4,000 people were visiting Candle Corp.'s Web site each day. By the end of the year, the figure was about 100,000, a 25-fold increase.
No, the company wasn't giving away money. It was still doing what it always did, selling software. The big difference, according to Wendy Pfeiffer, director of Candle's Internet Business group, was a new personalization engine.
All visitors to the Candle Web site now receive content tailored to their known preferences, some of which Candle gathers during the registration process and others that the company picks up on over time. Do you prefer text-heavy product explanations to glitzy graphics and photos? Then chances are, it's text you'll get on Candle's site.
Candle, El Segundo, Calif., is employing a combination of technologies, including some of its own products, to pull off this personalization feat. One of the key products is an authorization engine from DASCOM, a security company that IBM acquired in September. DASCOM's IntraVerse software, now known as IBM PolicyDirector, makes it possible to give visitors to your site access to different applications and content, depending on who they are.
Other authorization product vendors include Netegrity, enCommerce, Gradient, and Securant (see chart, p. 60). In addition to supporting personalization, the products make it possible for companies to implement single sign-on schemes, delegate some security administration chores, and reduce application development time.
How They Work
Unlike most security products, the intent of any authorization product is to give users access to resources, not keep them out. The key is ensuring only those users you want to access a particular resource get to do so. That will vary dramatically depending on the situation. If you're building an extranet to support suppliers, you want only those suppliers to get in. A Web retailer, however, wants pretty much everyone to come to its site, although it may want customer experiences to vary.
Chris King, an analyst with the META Group in Burlingame, Calif., says there are two basic approaches to authorization products. The first, pioneered by DASCOM, is to use a gateway to provide access to applications. Client devices log on to the gateway. The gateway, after checking a database to determine whether the user is authorized, fetches the requested resource.
The other approach, used by vendors including Netegrity, Securant, and Axent, is based on cookies. The user logs in to a security server, which places a cookie on the client machine that details what that user is authorized to see and do. The cookies are time-limited and encrypted.
Both approaches work, King says, but each has pros and cons. The gateway approach adds an additional layer of complexity and can pose scalability challenges, but it gives you centralized control over security. Cookies, on the other hand, are arguably less secure than gateways, but provide for a highly scalable implementation. For that reason, cookies are often favored by retail organizations that may have to deal with hundreds of thousands of users.
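The cookie approach described above, as an added example that is not from the article or from any vendor named in it: a security server issues a time-limited cookie listing a user's permissions, and an application server checks it locally. The sketch authenticates the cookie with HMAC-SHA256 rather than encrypting it, so the permissions are tamper-evident but readable by the client; the key, function names and permission strings are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the security server and the application servers.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(user, permissions, ttl_seconds, now=None):
    """Security server: called after a successful login, returns the cookie value."""
    now = int(time.time()) if now is None else now
    claims = {"user": user, "perms": sorted(permissions), "exp": now + ttl_seconds}
    body = b64e(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(tag)

def check_access(cookie, needed, now=None):
    """Application server: decide locally, with no call to a central database."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = cookie.split(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; nothing in the body is parsed until it passes.
        if not hmac.compare_digest(b64d(tag), expected):
            return False, "bad signature"
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return False, "malformed"
    if now >= claims["exp"]:
        return False, "expired"
    if needed not in claims["perms"]:
        return False, "not authorized"
    return True, claims["user"]

if __name__ == "__main__":
    cookie = issue_cookie("alice", ["orders:read"], ttl_seconds=900)
    print(check_access(cookie, "orders:read"))
    print(check_access(cookie, "orders:write"))
```

Because the application server never consults the security server, a change to a user's permissions takes effect only when the existing cookie expires, which is why the lifetime is kept short.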
Another key differentiator is whether a product works only with Web-based applications or legacy apps as well, says Phil Schacter, director, network strategy service for The Burton Group in Midvale, Utah. That is largely a function of evolution, he says. Companies such as Gradient, DASCOM, and IntelliSoft came out of the Distributed Computing Environment (DCE) world with security tools based on Kerberos, and consequently have products that work with a variety of applications. Others, including Netegrity, enCommerce, and Securant, started with a Web focus and have been moving on from there, Schacter says.
Schacter says that vendors with a Kerberos history are more likely to be attractive to firms such as major financial companies where the technology is already entrenched, while those with a pure Web focus might be better positioned for mass market applications.
An important consideration for any implementation is how the authorization product ties in to legacy applications. Part of the beauty of authorization products is that they make it easier for application developers to deal with security. Rather than reinventing the wheel with each new application, developers can merely tie in to the authorization product and let it handle security chores. It's important, then, to look at what kind of application programming interface (API) each vendor provides, be it callable by C or C++ or a JavaScript-type language.
The Open Group in December ratified its Authorization Service API, which various security vendors will be able to implement to ease the application integration process. That API is based on one submitted to the group by DASCOM.
Easier Than Selling Whales
Leading-edge users are seeing big benefits from authorization products. In Candle's case, it's helping to drive new business. When visitors log on at Candle's site, they go through a sign-on server that allows the PolicyDirector product to identify the user, Pfeiffer says. The user's request for information is then passed to the DASCOM Webseal product, which ties in to Web-based applications, or to Netseal, for access to legacy apps.




