Summary

When you install business-critical applications, such as a BizTalk Server 2000 application, security becomes a high-priority issue, not only because BizTalk can link multiple business processes and applications of your company, but can have one or more links to trading partners in a supply-chain or e-procurement relationship. If you also use BizTalk Server for business-to-consumer relationships, you should definitely take care to protect your BizTalk Server environment. Since security is only as strong as the weakest link, you need a roadmap that guides you through the implementation of security measures.This is your company's security policy, written from a business point of view, to minimize the number of disruptions. In general, a security policy goes beyond the use of a single application, but a BizTalk Server application is a good reason to build one.

The first tier of security measures holds the physical considerations of the BizTalk Server environment, ranging from the use of firewalls and proxies, to keeping your environment running even if part of it fails, to keeping your servers under lock and key. The physical security measures are fairly easy to implement; however, the challenge is to maintain them and keep the security at the same level. One of the issues that should be viewed in line of the physical considerations is the securing of the XLANG schedules, since they form the engine of your BizTalk application. Additionally, you have the XLANG schedule drawings that are made and maintained in the development stage, and the compiled XLANG schedules that are needed to run in the test and production environments. Keeping the XLANG schedules coordinated and protected from uncontrolled changes is very important, even though the compile schedules are in XML format.

The next level involves securing applications at a system level.The first one is the security of the COM+ applications that form the program base of the BizTalk Server, especially the XLANG schedule engines. COM+ applications have various ways to tune the security and protect themselves from ill-fated use. Especially the possibility to limit the access of COM+ component has to the Windows 2000 environment access prevents the component from running havoc on your server. Assigning Windows 2000 users to the roles that you define at the component level does this. As important as it is to protect the components in the runtime environment, it is equally important to protect the data that drives your BizTalk application. Since the XLANG schedule engines handle a continuous and persistent flow of data, this data is stored in different databases. It is necessary to protect the data in the databases from being accessed by unauthorized users; therefore, the access control of the components needs to be extended to the SQL Server databases. In fact, the same role-based access control model of the components can be implemented at the database level, where you can control the access not only in tables, but also in fields. Of course, it is important to safeguard SQL Server databases from data loss by having an up-to-date copy of the databases at hand.

The last level of security concerns the security providers implemented in Windows 2000, and the way they assist you in creating a secure environment.The use of certificates is central to this, enabling users and applications to communicate in a safe way.Windows 2000 even lets you be your own certificate authority (CA) issuing certificates to your users and trading partners. Note that certificates are pivotal to the security of many applications, like Encryption File System (EFS), IP Security (IPSec), and Kerberos V5.The latter is used to enable COM+ components to allow the delegation of user credentials/identity.Windows 2000 comes with a CryptoAPI that enables you to have the applications you develop use certificates and cryptographic algorithms for encryption and hashing of data. Additionally you can use the Security Service Provider Interface (SSPI) to let your applications directly access the SSPs, such as Kerberos V5.

Was this article helpful?

0 0

Post a comment