Topic: securing your external offerings with identity architecture.
This may be old hat, but it is missing from many of the architectures that we see.
The next generation of corporate websites (I am not going to call it Web 2.0; I am not sure exactly where that term applies) will be more interactive with customers, vendors, and partners. Any external portal has to control who has access to what: you certainly don’t want to show two customers each other’s data. Compliance officers are looking carefully at how outsiders get a look at internal system data. The better your control around this, the more you can expose through the website, and the closer you can get to your customers.
However, one of the ground rules for external access is to use a DMZ and never put any type of user data in the DMZ. So how do you increase personalization and security when you cannot put this type of information at the edge of the IT infrastructure?
The answer, as anyone worth their salt should know, is to use proxies, both web and directory proxies. These sit inside the DMZ and funnel requests to web servers and directories behind the DMZ’s inner firewall, where they are safe and sound. Should anyone penetrate the DMZ, all they will find are servers that route requests. To get anywhere near the company’s data jewels they would still have to get through NAT’d addresses (tell me you have translated your DMZ IP addresses) and another firewall. Note that address translation only hides the internal layout; the real control is the inner firewall rule set, which should permit the proxies alone to reach the internal web and directory servers, and only on the ports they actually need.
Many architectures don’t include proxies because, hey, we already have a load balancer that provides this function. Proxies are more than load balancers. Web proxies can cache static web pages and increase overall system performance. Directory proxies can control the bind load across a field of LDAP servers and permit you to “dial out” a server from the group for backup and maintenance purposes.
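One way to build the DMZ tier described above, as an added example (this is not configuration from the original post): an nginx reverse proxy that caches only static content in front of the internal web servers, plus an nginx stream proxy that spreads LDAPS connections across the directory servers, with one member of each pool “dialed out”. All addresses, hostnames, certificate paths and cache locations are assumptions.

```nginx
# Added example, not from the original post. Runs on a DMZ host; all IPs,
# hostnames and paths below are assumed. The host stores no customer data:
# it caches public static files and forwards everything else inward.

events {}

http {
    # On-disk cache for static pages only. Sized small on purpose; it must
    # never hold personalized responses.
    proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=static:10m
                     max_size=1g inactive=60m;

    # Internal web servers behind the inner firewall (assumed 10.0.2.0/24).
    upstream portal_web {
        least_conn;
        server 10.0.2.10:443;
        server 10.0.2.11:443;
        server 10.0.2.12:443 down;   # "dialed out" for maintenance
    }

    server {
        listen 443 ssl;
        server_name portal.example.com;            # assumed hostname
        ssl_certificate     /etc/nginx/tls/portal.crt;   # assumed paths
        ssl_certificate_key /etc/nginx/tls/portal.key;

        # Static content: served from the DMZ cache, refreshed from inside.
        # nginx refuses by default to cache responses carrying Set-Cookie,
        # which keeps session-bound pages out of the cache; leave that alone.
        location /static/ {
            proxy_cache static;
            proxy_cache_valid 200 60m;
            proxy_pass https://portal_web;
            proxy_set_header Host $host;
        }

        # Everything personalized is passed straight through, never cached
        # (no proxy_cache directive in this location).
        location / {
            proxy_pass https://portal_web;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

# TCP pass-through for LDAPS. Balances bind load across the directory
# servers and lets one be taken out of rotation without touching clients.
stream {
    upstream directory {
        least_conn;
        server 10.0.2.20:636;
        server 10.0.2.21:636 down;   # "dialed out" for backup
    }

    server {
        listen 636;
        proxy_pass directory;
    }
}
```

The stream block needs nginx built with the stream module. It only forwards TCP, so it gives you the bind-load control and the dial-out, but it does not look inside LDAP; a dedicated directory proxy can additionally restrict which operations, base DNs and attributes the DMZ side is allowed to touch. Pair either with an inner-firewall rule that allows only this proxy host to reach 10.0.2.0/24 on 443 and 636 and denies everything else from the DMZ.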
In a future entry, I will discuss how proxies are going to play an even more important role in your architecture. Don’t go cheap now on the initial installation; put the proxies in there. When you need them, they are ready to go.