DCE: Focus on Security,
the Internet and the Future

By Joe Maloney
Director, Product Marketing
The Open Group

Much of the success of the Distributed Computing Environment (DCE) has been built on the technology's strong security model. DCE's unique ability to provide interoperable security services for distributed applications is the central reason these services are used by many companies in their enterprise environments. As these environments expand their use of the Internet and object technologies, it is clear that the interoperable services which DCE provides across platforms will become even more critical to the corporate enterprise.

Major organizations such as MCI, GM/EDS, New York Stock Exchange (NYSE), G. E. Capital, Caterpillar, Motorola, Goldman Sachs, U.S. WEST, Cummins Engine, SECOM, Schlumberger, the U.S. Army, NASA's Jet Propulsion Lab, along with several others, have moved to production usage of DCE. In many cases, the decision to choose DCE was influenced by the strong cross-platform security that the technology provides and by the fact that DCE is offered and supported by most major system vendors as a product.

The market research firm, Input, has projected that the DCE market will grow from 50 million dollars by the end of 1994, to 1.6 billion dollars by 1999 - a 100% growth rate per year. This growth is influenced by strong distributed security needs across market segments such as telecommunications, financial, manufacturing, government and service. This growth will also be influenced by the expanding role DCE will play in providing interoperable services such as security within the areas of object oriented technology and the World Wide Web.

DCE Security is based on the following elements: authentication, authorization, data integrity, data privacy and audit. Simply put, these elements provide answers to the following security questions:

The DCE Security Service, like other DCE services, allows customers to rely on a common infrastructure when creating distributed applications, rather than reinventing this infrastructure for each application. By eliminating the need to reinvent the wheel, customers do not waste time and can concentrate on adding value to their applications.

As an integrated whole, DCE provides a security infrastructure which is useful across the enterprise in a wide range of applications. The companies taking advantage of DCE security are as diverse as the applications they use. For example, General Motors (GM) uses DCE in its order inventory application and had an initial rollout to 16,000 Cadillac dealerships. In addition, the company is using DCE to provide security between CAD systems at GM and its suppliers' systems. SECOM, the largest security firm in Japan, makes use of DCE security within its 300,000+ node network.

J.P. Morgan's move to DCE is also highly indicative of the security needs filled by the technology. "Security is of paramount importance to us and we determined that DCE was the best current alternative to satisfy the security requirements ubiquitously across the firm," said Jeff Chittenden, Vice President and Chief Architect, Corporate Technology of J.P. Morgan. "Especially as we start to make our processes more synchronous with more information available in the network, we need to control access to that information in a very secure fashion. The promise of single sign-on, a single security environment and a global file system, is a tremendous business driver. DCE supplied these functions as a standard feature, rather than something that we needed to build into applications ourselves. It was very important to us that our vendors viewed DCE in the same light. DCE is a strategic technology in their interoperability plans so it was a natural choice for us."

DCE Security has been widely adopted by the major system vendors, not just in the groups responsible for shipping DCE, but in groups interested in providing interoperable security that works across a wide range of systems. For example, in the world of objects, IBM has committed to include DCE security as well as DCE naming and time services within its CORBA-based object model, DSOM.

Companies such as Digital Equipment Corporation are using DCE to provide security to their CORBA-based object request brokers.


In one of this insert's articles (see page 22), Digital describes why it uses DCE security in its ObjectBroker technology. "When it comes to robust, scalable security for distributed heterogeneous systems, DCE security is the only game in town."

Microsoft, in its DCE White Paper, recently stated that it will be compatible with DCE security servers available in the market and has independently implemented the DCE Remote Procedure Call (RPC) as MS-RPC, the basis for communications in Microsoft's object model COM/OLE.

In the world of messaging, IBM is using DCE security with its MQSeries, which offers a high-level message queuing paradigm instead of RPC. Digital will also be making use of DCE security within its messaging-based technology. The Open Group has made the use of DCE security more accessible through the Generic Security Services Application Programmers Interface (GSS-API), allowing the various messaging-based systems in the market to take advantage of DCE security through a standard API.

Another huge area of interest to corporate customers and vendors alike is the use of DCE security within Web environments, especially intranets. The Open Group Research Institute's secure web technology is now shipping as an advanced technology offering, and takes advantage of DCE security and naming.

This project includes a multi-protocol Web/DCE server, a Secure Local Proxy that can be used with unmodified off-the-shelf browsers to provide secure local access, and a Secure Gateway. The goal of this project is to extend rather than replace existing Web-based technologies. One example of augmenting the Web with DCE is supplying DCE authorization capabilities to an Intranet Web environment. This feature could be used to give authorization privileges to those personnel who may look at salary data and personnel files - files not necessarily available to everyone within the company.

Where is DCE heading in the near future in terms of security? There is an internal project underway to provide a Public Key infrastructure to DCE. The first step in that direction appears in the next release of DCE at the beginning of the new year. Another internal project will provide support for multiple cryptographic algorithms in addition to the DES algorithm which is currently used by DCE. Our directions with DCE security are reflective of the needs of the security marketplace.

The articles that follow are contributions by organizations that either offer or use technologies based on DCE. These stories give a perspective on the range and flexibility of DCE security and its application in the world of client-server technology, object-oriented technology and the World Wide Web. The articles demonstrate several uses of DCE Security. For example:

Gradient Technology's WebCrusader uses DCE security as the key piece of its Web technology, providing, among other things, for the use of DCE authorization in the form of Access Control Lists.

Transarc, a subsidiary of IBM, describes the Web security provided by the use of DFS, the Distributed File System, in both Intranet and Internet environments.

The Open Group Research Institute describes its use of DCE security and naming within its secure web technology, which has been licensed as an Advanced Technology Offering (ATO) by both system vendors and software vendors.

IntelliSoft provides the DCE security infrastructure to TCP/IP-based applications through its DCE/Snare technology that provides the ability to encapsulate application data within the security of DCE Remote Procedure Calls (RPC).

Digital Equipment Corporation uses DCE to provide security to their ObjectBroker technology - an implementation of the Object Management Group's Common Object Request Broker Architecture (CORBA).

Open Horizon describes how the combination of DCE and Open Horizon's Connection offers a single sign-on by essentially using one user ID/password to access network resources without the need to sign on to multiple applications and databases on an individual basis.

Deloitte and Touche examines the issues of adding security to ORBs using the DCE technology.

Hewlett Packard provides a look at its Praesidium/Authorization Server, which takes advantage of DCE Security.

Schlumberger, in an interview with The Open Group, describes how they use DCE to meet their security needs as well as their planned use of DCE security within their Web environment.

The security that DCE provides for distributed applications continues to be a driving force in the growing adoption of this technology. Industry consultants have highlighted the fact that no current technology is available which matches DCE's interoperable, cross-platform security. As DCE security continues to evolve in response to customer needs, it has a very bright future ahead as a key element of distributed computing for the enterprise.