Web portals pose security challenge

A growing number of companies are setting up Web portals to let employees and trading partners access critical business information and services, even though securing such systems presents a daunting challenge.

Many Web portal software vendors, including Plumtree Software Inc. and Epicentric Inc., acknowledge they don’t have sophisticated single sign-on (SSO) access-control capabilities. To provide better authentication and access-management controls, they have to work closely with SSO vendors such as Netegrity Inc.

For network executives, this can mean sorting through dozens of possible mix-and-match combinations to set up a portal with security.

“If you are trying to assemble your own best-of-breed architecture and pull products and suppliers together, you are assuming any risk of bumping into product incompatibilities,” says Phil Schaecter, an analyst with The Burton Group Corp.

Security access management “is not our specialty,” Plumtree’s marketing manager Nills Gillman says as he describes how the Plumtree Corporate Portal software shares HTTP-based “security tokens” with SSO server software from Netegrity, Entrust, Oblix, IBM and RSA Security.

Typically, the Web SSO software performs the authentication and access-rights management function before a user is allowed through the portal.
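As an added illustration of that flow (not code from any vendor named in this article), the following Python sketch assumes a hypothetical setup in which the SSO server, after authenticating the user, mints an HMAC-signed token carrying the user's identity, roles and an expiry, and the portal verifies that token before letting the request through. The key, user names and role names are constructed for the example; a real deployment would use the token format its SSO product defines.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key; assumption: shared out-of-band between SSO server and portal.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is cookie/header friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles, key: bytes = SHARED_KEY, ttl: int = 300, now=None) -> str:
    """SSO-server side: called only after the user has authenticated (not shown).

    The payload is canonical JSON so the same claims always sign identically.
    """
    now = time.time() if now is None else now
    claims = {"sub": user, "roles": sorted(roles), "exp": int(now + ttl)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, key: bytes = SHARED_KEY, now=None):
    """Portal side: return the claims if the token is intact and unexpired, else None.

    Signature is checked before the payload is trusted, with a constant-time compare.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


def portal_gate(token: str, required_role: str, now=None) -> str:
    """The check the portal runs before serving a protected page."""
    claims = verify_token(token, now=now)
    if claims is None:
        return "deny: invalid or expired token"
    if required_role not in claims.get("roles", []):
        return "deny: missing role"
    return f"allow: {claims['sub']}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    tok = issue_token("alice", ["employee"], now=t0)
    print(portal_gate(tok, "employee", now=t0 + 10))   # allow: alice
    print(portal_gate(tok, "admin", now=t0 + 10))      # deny: missing role
    print(portal_gate(tok, "employee", now=t0 + 300))  # deny: invalid or expired token
```

The point of the split is the one the article describes: the portal never sees a password, it only decides whether to honour a token the SSO server already vouched for. Access decisions for a given page still live in the portal (the role check), while authentication and token lifetime are owned by the SSO component.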

For its part, Epicentric leverages Netegrity’s SiteMinder and RSA’s ClearTrust by linking them into the “credentials vault” in its portal product, Foundation Server 4.0.

The alternative for users is to purchase security and portal components from one vendor, whose portals often have tighter coupling to security. Computer Associates, IBM, Novell and Oracle offer Web portal and security-access controls, and they promote the appeal of this single-source capability.

“We have it all,” says Barry Keyes, marketing vice-president at Computer Associates, a contender in the portal competition with its Jasmine software. “You don’t have to worry about the integration.”

The market leader of Web single sign-on products, Netegrity, thinks that argument has merit. Late last year, Netegrity bought portal vendor DataChannel to go into the portal business itself.

“We are creating an enterprise suite by combining SiteMinder access control and single sign-on with a portal,” says Deepak Taneja, Netegrity’s CTO.

The first version of this product, called InterAction, is scheduled to debut in March. By October, Netegrity plans a second version that will take on more complex security-management tasks, such as provisioning, an area in which CA, IBM and start-ups such as Access360 compete.

Netegrity claims it will continue the SiteMinder technical integration work with its portal competitors. But analysts say there is anxiety among portal vendors because corporations sometimes buy portals based on how well the portals work with the Web SSO product they have.

“They say, ‘Look, I already have a system. Just have the portal look out to that system instead of duplicating the configuration and the management, and so forth,’” says Gary Hein, an analyst with The Burton Group.

Buying it all from a single vendor works for some but not others.

The auto industry’s online supplier exchange, Covisint, uses Oracle Portal but installed a separate Web SSO product because Oracle authentication and access management worked only with Oracle applications, such as its database.

“The Oracle Portal has security, but it just doesn’t work with anyone else’s product,” says David Miller, information security officer at Covisint, which has more than 30,000 suppliers and manufacturers that access the portal using a user ID and password.

Covisint decided to use the RSA Security ClearTrust access-control product to centralize authentication in the U.S., Europe and Japan for the growing number of applications available through the portal.

Others find buying integrated portal and security software from one vendor a better approach. Financial planning firm J.P. Morgan American Century bases its portal on CA’s Jasmine 2.5.

“With the earlier version, Jasmine 2.0, we had to jury-rig single sign-on,” says Bruce Focht, data-mining analyst with the firm. “We put a layer up front where the user could sign on and then would pass that through to the portal. But that is now incorporated into the current version, Jasmine 2.5.”

Focht says the firm’s earlier effort to tie a portal to a separate Web SSO product had been “a lot more trouble than it was worth.”

The firm gives users access to personal financial data plus news feeds and other information.

Corporations are electing to set up Web portals to unify information access and security controls where once they had sprawling departmental intranets or first-generation e-commerce efforts that let trading partners into particular back-end servers. The cost to do this varies widely, according to Forrester Research, whose surveys indicate that it can range from US$20,000 to US$5 million.

“It is a multimillion-dollar project,” says Gail Smith, CIO at e-Scotia, Scotia Bank’s e-commerce division in Toronto. Scotia Bank selected Epicentric as the portal for what had been separate consumer banking and brokerage Web sites, while depending on the iPlanet LDAP Server and Entrust certificate management for security.

Integrating separate vendor products takes effort in terms of custom coding, Smith says, but she prefers this approach because doing it all with a single vendor “can get you locked in, to a certain extent.”

Choosing the mix-and-match approach, Smith says, makes it all the more important for organizations to demand “open architecture and open systems,” whether that means Java or security standards such as the XML-based Security Assertion Markup Language (SAML) being created by the OASIS technical group.

Other large organizations deploying portals agree.

“With Web portals and security vendors, their commitment to standards, such as SAML, is what matters most,” says Steve Devoti, manager of directory services at CUNA Mutual Group, which chose Oblix for Web SSO in part due to Oblix’s perceived commitment to SAML.

CUNA Mutual, which provides credit unions and their members with financial services through a portal, has to tie multiple applications, including PeopleSoft, Vignette and a hosted service from Yodele ASP, into a unified portal. SAML would make it easier to share authentication and access-management information among different Web SSO and portal software vendors that might support it.

But SAML is a year from completion as a standard, and in the meantime, portal buyers say they will pick products that vendors have tinkered with to work together.

The American Institute of Architects (AIA), which has had its Plumtree Version 3.51 portal up and running for about a year for 10,000 visitors weekly, has made do with Plumtree’s simple Web access control. But now that AIA is integrating more of its back-end systems into the portal to provide a wider range of interactive services, it needs a more advanced SSO function.

Giles Jacknain, AIA’s portal administrator, says the organization will likely use Netegrity or IBM because these vendors’ security products are offered by Plumtree.

“The cost of single sign-on is included in the upgrade to the new version [of Plumtree’s portal] so we probably wouldn’t look at outside vendors,” Jacknain says.