DCE Security in HP's Praesidium/Authorization Server


By Lily Lu
Product Manager for DCE, DOLTP and Security, Hewlett-Packard

As companies migrate from a centralized to a distributed computing environment, security issues multiply beyond easy comprehension or control. Application developers spend more and more time implementing security-related code, and security administrators have an increasingly difficult time keeping a variety of often incompatible security mechanisms synchronized across the enterprise.

Building on DCE security

OSF DCE lays the basis for taming this complexity with a feature-rich security architecture that addresses several key requirements for distributed system security in a multi-vendor environment: tamper-proof user credentials that can be securely passed across the network and used for mutual authentication of clients and servers on a per-session basis, an authorization framework that includes a full-featured delegation capability, and tamper-proof network communications and data privacy. Riding on top of the DCE Remote Procedure Call (RPC), all this is delivered in a package that enables secure single sign-on to the full range of distributed resources. A Generic Security Service API (GSS-API) is provided for integration of applications that do not utilize the DCE RPC.



HP's Praesidium/Authorization Server is a rule-based authorization server that adds value to OSF DCE by combining the centralized security administration and end-user consistency found in mainframe-based environments with the flexibility and end-user functionality found in distributed computing environments.

By directly leveraging HP DCE/9000, the Authorization Server is highly portable to and interoperable with any platform and environment that provides DCE. The Authorization Server inherits all the advantages of a high-quality, comprehensive, standards-based framework that HP DCE/9000 offers.

Playing a key role in HP's security strategy

Praesidium, the HP security framework, consists of three main components: system, network and application. System security mechanisms address the operating system, databases and computer hardware components. Network security techniques address the integrity and confidentiality of data on the wire. OSF DCE plays a major role in HP's approach to network security. Application security addresses the issue of user entitlement to perform particular actions on specific data. This involves both mutual authentication between client and server by DCE/Security Service, and authorization decisions by the Authorization Server on whether to grant a specific request.

Authorization Server plays a key role in HP's vision of flexible and manageable application security. Authorization Server leverages all of DCE's basic security features and adds value by delivering a logically centralized repository of fine-grained access rules that provides the ability to model the enterprise business environment in a succinct, intelligible format. A typical rule in a banking environment might stipulate restrictions on the hours and days in which a particular set of bank officers is authorized to adjust a precise set of accounts up to a specific dollar limit.

Summary

Praesidium/Authorization Server provides a powerful access control engine that simplifies security administration, promotes policy consistency and auditability, and, most importantly, takes into account the business needs of those charged with managing enterprise security. Authorization Server leverages the strengths of the DCE security framework, while adding value in a way that allows for seamless integration of existing DCE applications and non-DCE legacy environments. By reducing the amount of coding required of an application developer, Authorization Server improves productivity and speeds time-to-market, offering a positive return on investment early in its deployment cycle.

