With security risks increasing with Web 2.0 technologies such as mashups, IBM is rolling out a new technology known as SMash, short for “secure mashup.”
IBM announced SMash March 13 and contributed the technology to the OpenAjax Alliance. Mashups pull information from multiple sources, such as Web sites, enterprise databases or e-mails, to create a unified Web application. Mashups have caught on quickly for business use because they enable nontechnical users to gain insight on complex situations in minutes, and nondevelopers to quickly create “situational” applications. However, as with most Web-based initiatives, security is a concern.
“When we started a lot of this mashup work, the first thing enterprise customers asked was, ‘Have you thought about security?’ ” Rod Smith, IBM fellow and vice president of emerging technology, said in an interview with eWEEK.
With SMash, IBM is trying to reduce the risk. SMash allows information from different sources to talk to each other, but keeps them separate so malicious code can’t creep into enterprise systems, Smith said.
“IBM Research did the development in conjunction with some guidance from the OpenAjax security working group,” Smith said. “IBM Research did a reference implementation and wrote the code.”
Secure Component Model
According to an abstract of IBM’s researchers’ paper on SMash, the existing browser security model was not designed for supporting mashups. The paper presents “a secure component model, where components are provided by different trust domains, and can interact using a communication abstraction that allows ease of specification of security policy,” IBM researchers said. “We have developed an implementation of this model that works for all major current browsers, and addresses challenges of communication integrity and component phishing.”
Smith said the more IBM looked at mashups, the more requests for security from line-of-business users came in, with those requests primarily focusing on widget interoperabilitiy and security. “So we looked at it from the client side-of how to handle security without hampering the line-of-business user,” Smith said.
In addition, IBM’s researchers said they have tested Smash on Internet Explorer, Firefox and Opera3. “To the best of our knowledge, this is the first approach that works without browser modifications,” the researchers said. “There are multiple proposals for HTML and browser modifications to realize secure mashups, however the long timeline of adoption by standards committees, browser vendors, and eventually by users, makes these unviable for anyone wanting to build secure mashups in the near term.”
Smith said that to give consumer and business users the opportunity to take advantage of mashup technology, IBM contributed the SMash technology to the OpenAjax Alliance, which is an organization of vendors, open-source projects and companies using AJAX (Asynchronous JavaScript and XML). IBM is a founding member of the alliance.
“The requirement from customers was, ‘Don’t give me four different security models here; give me one that all companies agree on,'” Smith said.
Code, Data Kept Separate
In a mashup scenario, SMash addresses a key part of the browser mashup security issue by keeping code and data from each of the sources separated, while allowing controlled sharing of the data through a secure communication channel. IBM plans to include SMash technology in some of its WebSphere products as well as its commercial mashup maker, Lotus Mashups, which is expected to ship this summer. IBM Lotus Mashups is IBM’s first commercial mashup maker for business and will allow nontechnical users to create and share mashups in a secure way.
Performance evaluations have shown that SMash can be used in common enterprise mashup applications, IBM officials said.
However, Alex Russell, co-creator of the Dojo Toolkit and a member of the OpenAjax Alliance Security Task Force, said there are concerns about Smash, including data transmission rates that can be reached and forward compatibility with emerging standards.
Russell said SMash is important and is a generalization of Microsoft’s Subspaces research and previous work that James Burke had done in Dojo and that Joseph Smarr had done did inside of Plaxo. “And, as such, it provides some good properties for cooperating domains to share constrained sets of data inside a browser environment [i.e., without server proxies],” Russell said.
However, he said that “nothing is a clear ‘winner,’ nor is there a single API which wraps it all up and makes it easy to integrate and publish/advertise services for. My personal suspicion is that this will take longer than proponents expect for things to sort themselves out. I’m thinking at least 18 months.”
In related news, in February, IBM’s X-Force Security Team released the findings of a report, detailing a rise in the sophistication of attacks by cyber-criminals on Web browsers worldwide. According to the study, by attacking computer users’ browsers, cyber-criminals are able to steal their identities and control the computers without their knowledge.