james_kobielus
Contributor

Prioritized policy routing needed

Opinion
Aug 04, 2003 | 3 mins
Networking, Security, Web Development

Policy infrastructure is the “control bus” that harnesses distributed systems to enterprise requirements. Policies, administered centrally, must propagate promptly, consistently and reliably to the target nodes and services where they’ll be enforced.

Real-time policy propagation is a critical requirement of dynamic network and application environments. Companies expose themselves to unacceptable security risks when policy updates don’t flow immediately from administration tools to firewalls, proxies and other policy-enforcement points.

Distributed environments can’t become self-policing and self-optimizing if policy traffic lags behind the traffic it’s supposed to control. From a security standpoint, the objective must be to ensure that terminated employees can’t access distributed resources before their permissions are revoked, or that viruses don’t reach their targets before new virus patterns propagate to those nodes. From a performance standpoint, service-level agreements must govern run-time interactions among distributed application components, thus ensuring that end-to-end latencies and response times don’t stretch beyond acceptable thresholds.

However, expedited policy propagation isn’t always easy to guarantee in complex networks. Usually, policies and policy-relevant data such as user identities and permissions propagate like most other information on enterprise networks: via routed IP networks. As the number of managed resources grows, so does the volume of traffic associated with managing those resources and enabling basic security operations such as authentication, authorization and content filtering. This traffic can choke networks that haven’t been optimized to prioritize delivery of policy updates to distributed nodes, such as firewalls, proxy servers, intrusion-detection devices, anti-spam gateways and desktops.

Companies should be able to run policy, identity and security administration traffic over message-oriented middleware (MOM) environments. MOM services can ensure reliable, guaranteed, end-to-end delivery between applications. But sadly, no MOM protocol standard has ever been implemented on all operating platforms and applications environments, so the necessary middleware fabric for accelerated policy traffic doesn’t exist.

Expediting policy propagation is especially difficult in Web services environments. No MOM protocol has yet been implemented in production mode in the fast-developing Web services arena. Simple Object Access Protocol (SOAP), with its long latencies and lack of delivery guarantees, is not the ideal transport for pushing policy, identity and permission updates across Web services environments in real time. The Web services world won’t have a reliable, deterministic messaging protocol until vendors implement proposed standards such as Web Services Reliable Messaging, which leverages and extends SOAP.

The Web services control bus will become congested and in need of prioritized policy routing. The volume of SOAP-encapsulated policy traffic will keep expanding. Just look at the range of SOAP-oriented identity, security and policy standards that have been developed. If you want to see the emerging outlines of the Web services control bus, consider specifications such as Security Assertion Markup Language, Web Services Security and Service Provisioning Markup Language.

Network planners should factor requirements for prioritized policy routing into their Web services middleware planning. To accelerate policy traffic, companies will rely on content-based SOAP routers from various vendors, including Actional, AmberPoint, Blue Titan and DataPower Technology. Most of these vendors’ application-layer routers are deployed as proxies to various enterprise application servers.

Ask your identity, security and policy management vendors whether they plan to integrate with any of these third-party application-layer routers or implement prioritized SOAP routing functionality into their products. Unfortunately, few security vendors have considered this issue in a coordinated fashion. But they will need to do so soon. Prioritized policy routing is essential to the governance, effectiveness and scalability of complex Web services security environments. Without it, networks will become riddled with vulnerabilities caused by inconsistent, lagged application of policy updates across diverse, dispersed nodes.