
Last reviewed: December 17, 2007

Job Portal Security

The objective of this work is to conduct a case study for the purpose of developing a job portal identification method or technique for authentication of the users. This is to be implemented by networking a job site with colleges across the world. The portal entry will begin from the student's college web account and will connect securely with a job site. Such a system is described in the document entitled "Oracle Open World". The design proposed herein is a system that would be compatible with the one instituted by Oracle for higher education, reported in the work of Matthew (2005) in the document entitled "Oracle Open World: An Enterprise Portal in 90 Days - Critical Factors Behind a Successful Portal Implementation in Higher Education."

INTRODUCTION

The work entitled "Mechanics of Oracle Portal and Identity Management" (2003), written by Sanjeev Mohan, states that portals are becoming "...one-stop shop for organizations wanting to share corporate information deep in a multitude of stovepipe applications. Portals provide a single point of access to the applications through a secure and highly customizable and personalizable user interface." (2003) Mohan additionally states that portals are a way of making the provision of "critical information and services to organization's employees, customers, partners and other stakeholders. Based on the roles of end users, they have access to embedded applications or portlets, such as, self-service, HR apps, collaboration tools like web-based email and calendaring, financial data, etc." (2003) Mohan's work demonstrates the necessary steps in building an enterprise portal, which include: (1) Designing the architecture of the portal; (2) Evaluating and selecting the software layers needed to build the portal; (3) Understanding the LDAP concepts in order to set up authentication via the Directory architecture; (4) Setting up the portal for users to customize and personalize their experience; (5) Authenticating the users through a single sign-on (SSO) mechanism; and (6) Extending the portal via mobile devices. (2003) Benefits of building a portal include: (1) Higher productivity for the employees by providing a single point of access to integrated applications; (2) Better employee communication and collaboration; (3) More efficient business processes and improvements; (4) Help make an organization more competitive. A well-designed portal could provide an organization with a differentiation over its competition; (5) Better customer satisfaction and retention; (6) Lower cost and better utilization of the staff, e.g. IT support, HR staff, etc.; and (8) Lower cost by reducing the number of servers. (Mohan, 2003)

PORTAL OVERVIEW

The term 'portal' is "often misused and many describe it an entry point into a single site. E.g. a company's home page. The term is popular with sites like Yahoo, Excite, MSN, etc. Portal however is much more than a generic web site. They cater to a number of people..." (Mohan, 2003) Portals may in actuality be classified as follows:

Enterprise Portal: Supports the needs of an organization's customers and employees through provision of integrated access to applications and services. The enterprise portal may be created as an internal corporate portal for corporate consumption or as an eBusiness portal for external users.

Public Internet Portals: Yahoo & other public sources

Appliance Portals: Through use of handhelds (PDAs, cellphones, etc.)

Vertical Portals: Industries (insurance, law, banking)

Portals are built specifically to provide services whose features differ depending on the user and the user's requirements. Therefore, the features of the portal are varied in nature and include the following:

Application

These are tools that provide integration to packaged applications, such as legacy applications, ERP suites, CRM applications, content and document management systems, etc. Many of the applications mentioned here come with business intelligence components.

80% of the corporate data exists in files and other formats as unstructured data. This typically includes a full text indexing engine using innovative new products like Oracle's Internet File System (IFS) capable of navigating and indexing existing content. This feature also allows users to subscribe to external / syndicated content providers such as news, weather, sports and entertainment information etc.

Collaboration

One of the biggest benefits of a portal is that it allows integration of collaboration tools to improve communication. These tools vary from email systems, calendar, chat, discussion boards etc. It allows end users to work together more effectively by establishing shared workspaces, shared document repositories, online meetings and real-time interaction. Notification of events and workflow are some other examples of collaboration.

Personal Organization tools

Tools used to personalize the content with end users' to-do lists, contacts / address books and other personal productivity tools.

Presentation

Most portal software segments the portal page into multiple sections or frames for each application. These applications either run within the section or may launch a new browser window when executed. Presentation tools allow end users to decide which applications they wish to see on their portal page and the layout and color schemes.

Search

Advanced search capabilities that allow users to search structured as well as unstructured data. (Mohan, 2003)

From the view of the development and IT support staff, the portal features include the following aspects:

Identity Management and Security

User management is one of the biggest components of building a portal. The users need to be authenticated correctly and need to have their profiles available so that they can have access to the authorized set of applications and services (role management). Security issues become even more important when multiple applications are accessed from one place, the portal, using Single Sign-On (SSO).

Content Management

Since portals may include structured and unstructured content from multiple internal as well as external sources being refreshed at varying intervals, content management becomes a critical component. Portals have adapters to extract data from the underlying systems. However, if there is no adapter out of the box for an application then the adapter must be written. Content management also includes taxonomy management.

Infrastructure

A well-designed portal must be reliable, highly available and able to scale to the requirements of the ever-growing end user community. The infrastructure may include load balancing, caching, and other performance enhancements.

User Interface Services

Most portals today present their content as HTML pages. However, some of the sophisticated interfaces may require Java plug-ins, support for wireless and mobile users etc. (Mohan, 2003)

Mohan (2003) relates that organizations in today's world are working under "heterogeneous systems. Each system may be working very efficiently to deliver the information needed by organizations but the systems are a world unto themselves. Most systems in the past were not built with the notion that one day they should be able to freely share information with other systems. Hence, what organizations have ended up with today are stovepipe applications." The following figure illustrates some consolidation techniques as cited in Mohan (2003).

Mohan (2003) states that the figure above demonstrates the fact that integration can take place at many levels in the organization and that each level of integration brings about a solution to a specific problem and has both negative and positive aspects as a result. Various solutions are stated by Mohan (2003) to include:

(1) Integration of databases - This involves consolidating multiple smaller databases into an enterprise database. It allows organizations to retire multiple smaller ad hoc databases and maybe even legacy databases and the respective applications into a more stable and larger database but is only applicable for use in small applications;

(2) Data warehouse - This has been one of the most common ways of creating a single view of disparate data. Enterprise-wide data warehousing projects are usually very large and time consuming. They involve extracting the data from multiple systems, transforming it into a data model for the data warehouse and then loading the data. The tool that is used for this purpose is called an Extraction, Transforming and Loading (ETL) tool. Once the data warehouse is built, Online Analytical Processing (OLAP) reporting tools are used to derive the intelligence. Well-known ETL tool vendors are Informatica and Ascential. Major OLAP vendors are: Cognos, Business Objects, Brio, Hyperion and MicroStrategy;

(3) EAI tools provide a bridge that allows data to be exchanged from one system to another in a transparent manner and made available to a client application. The EAI layer is highly dependent on open standards so that the systems can communicate easily. Some of these standards are Java Message System (JMS) and Java Connector Architecture (JCA). Major EAI vendors include: IBM MQ Series, TIBCO, Vitria, Web Methods and SeeBeyond;

(4) Application level integration has required the use of distributed computing technologies that integrate systems and applications distributed over a network of systems using Remote Procedure Calls (RPC). Some of the common manifestations of RPC architectures are Object Management Group's CORBA and Microsoft's COM/DCOM. While these technologies have been around for a long time they are limited because they don't use open standards. For instance, in the case of CORBA, all nodes would need to run the same Object Request Broker (ORB) product;

(5) Web Services is the newest kid on the block. It is a distributed computing technology like CORBA and DCOM but with a difference that it uses the well-known Internet standards and specifications, such as HTTP and XML. XML is used not only to represent the data but also as a messaging protocol called SOAP; and

(6) Portal Integration is another popular integration methodology in use today. It doesn't involve expensive and time consuming technologies and processes that EAI and data warehousing require. Also, it is the most customer-facing of all the methods described in this section. This means that it can be highly personalized and customized to the customer's requirements. In future, portals will present their functionality as web services so that multiple portals from different vendors can be integrated.

Architecture of Portals

The portal, technically speaking, is "a framework that enables developers to plug various software components called portlets, and then deliver the aggregated content to multi-devices." (Mohan, 2003) Integration may be accomplished through using HTML, JSP, Java Beans, Java servlets, XSL that transforms XML through XSL transformation, or even CGI. Sun Microsystems' Java Community Process is at present reviewing Java Service Request JSR 168 in order to "define a set of API for aggregation, personalization, presentation and security. The specification will be based on the specification for Java Servlet." According to Mohan: "once the standard is in place, there could be a new third party portlet industry that could mushroom as portals will be able to integrate any portlet based on the standards using the Java architecture." (2003) Mohan additionally states that: "Taking the portlet even further is a standard called Web Services for Remote Portals (WSRP) from Organization for Advancement of Structured Information Standards (OASIS). This standard defines interfaces and behaviors to encapsulate portlets as web services so that any portal based on WSRP standard could bind to the portlets. This means that the local portal will only have the WSRP portlet proxy while the actual portlet will run on the remote server. The portal developers will be able to locate WSRP portlets in a public or private UDDI (universal description, discovery and integration) registry. WSRP will also interoperate with portlets developed using Microsoft .NET architecture." (2003)

Identity Management

Identity management works with infrastructure building in order to centralize the management of both users and their privileges within the system. Centralization of users has the benefits of: (1) better control over security applications and servers through consolidation of authentication and authorization; (2) reduction of the number of user accounts within the organization; (3) ease of managing a user life-cycle; (4) control and auditing of user actions over the network; and (5) ability to integrate or federate with external networks using similar standards for identity management. (Mohan, 2003) The Lightweight Directory Access Protocol (LDAP) is the most predominantly used standard in managing identities.

Single Sign on (SSO)

The work of Mohan (2003) relates that a single sign-on architecture is inclusive of a "centralized authentication hub that is used by all the users of the portal. Once the SSO server authenticates a user, the user is free to access all the applications available to the portal without having to login again. Also, when a user signs off, single sign off ensures that the user is logged off all the participating applications." The following figure illustrates how SSO works.

Single Sign on (SSO)

Source: Mohan (2003)

Single sign-on works for each application or web page that needs authentication. When the client browser attempts to access the page, the web server checks whether the proper cookie for the site is set; if it is not, the browser is redirected to the SSO service, or identity provider. At this point the browser "will then receive one or more 'tokens' and will set a cookie. The web browser will once again be redirected to the web server but this time the URL has identifying information encoded in it." (Mohan, 2003) Mohan relates that there are presently two predominant SSO architectures:

1) Microsoft's .NET Passport; and 2) Liberty Alliance's Liberty 1.1 specification, with the largest being Microsoft .NET Passport, which claims 200 million user accounts. (Mohan, 2003)

The primary difference between the SSO implementations of the two groups is in how the tokens are generated. "Microsoft uses 3DES-encrypted identifiers in a proprietary format. However, this makes the Passport network proprietary. Hence, Microsoft has committed to upgrading to Kerberos tickets. However, Liberty rejects Kerberos because of the overhead of the Kerberos ticket server and its inability to distinguish between authentication and authorization. Liberty Alliance has instead proposed an XML-based standard for exchanging authentication and authorization data called Security Assertion Markup Language (SAML). The SAML data is embedded in the HTTP responses. Microsoft has also collaborated with IBM and VeriSign to enable passing authentication and authorization data in the SOAP header as a part of the WS-Security specification."
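
The cookie check, redirect and token hand-off described above can be sketched for the college-account-to-job-site case. This is an added example, not code from Mohan or from the paper: it uses an HMAC-signed token as a stand-in for the Passport, Kerberos or SAML tokens named in the text, and the key, claim names and function names are assumptions.

```python
import base64, hashlib, hmac, json

# Assumption: one key shared by the SSO server and the job site (constructed value).
KEY = b"constructed-demo-key"

def _sign(body: str) -> str:
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(user, audience, use, now, ttl):
    """Build 'claims.signature'; 'use' separates URL tokens from session cookies."""
    claims = {"sub": user, "aud": audience, "use": use, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + _sign(body)

def verify_token(token, audience, use, now):
    """Return the user name, or None if the token is forged, expired or misdirected."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    if (claims["aud"], claims["use"]) != (audience, use) or claims["exp"] < now:
        return None
    return claims["sub"]

def handle_request(cookies, query, app, now):
    """Job-site decision for a protected page: (action, user, new_cookie)."""
    user = verify_token(cookies.get("session", ""), app, "cookie", now)
    if user:
        return ("serve", user, None)
    # No valid cookie: accept only a fresh URL token minted for this application.
    user = verify_token(query.get("token", ""), app, "url", now)
    if user:
        return ("serve", user, issue_token(user, app, "cookie", now, ttl=3600))
    return ("redirect_to_sso", None, None)
```

The URL token is bound to one application and expires quickly because URLs end up in browser history, logs and Referer headers; the longer-lived session is kept in the cookie instead.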

The work entitled "Building a Portal? Vive La Difference" relates that portal servers are becoming more popular in providing users with "ready access to the information they need, when they need it through Web browsers. An intuitive jumping off point to content and applications from a variety of internal and external sources, portals consolidate access to information that used to require multiple interfaces. Businesses in every industry are turning to portals for faster, more efficient business-to-business and business-to-consumer communication. They see these tools as the key to delivering content that's timely and relevant to individual's roles and to promoting collaboration across geographic boundaries." (InformationWeek, 2001) A portal has the power to "enhance knowledge sharing and improve productivity, and provide a unified and consistent view of the business to customers, suppliers, investors, partners, and visitors. And it can reduce the costs of distributing and sharing content and applications."

Cite This Paper
PaperDue. (2007). Job Portal Security the Objective. PaperDue. https://www.paperdue.com/essay/job-portal-security-the-objective-73580
