Business process management is going through a kind of revolution. Yes it’s about improving and re-imagining existing processes to support business transformation to an increasingly digital world. But it’s also about something even bigger; it’s about creating entirely new services that not only support the current way of working, but enable innovative approaches to improving customer experience. The thing is, with this revolution comes a critical look at how secure these business processes are and that’s been a key focus on Everteam’s Intelligent Business Process Management system (iBPMs).
How Secure are Your Business Processes?
Authentication, authorization, and protection of sensitive data are all critical topics when designing and implementing business processes. You have to consider these things up front and design your services with an eye to ensuring no one has access to any information or functionality they shouldn’t.
But the interesting thing about many business process management systems today is that they don’t manage security out of the box. Instead, most rely on a third-party solution to secure processes appropriately. That means you have two different layers to set up and maintain to support your business processes. For many that’s more effort, time and cost than they really have to put into it. But they know they need to keep their processes secure.
The answer is building security management into the BPM system directly. That’s what Everteam iBPM 8.1 does, and it’s done using traditional and modern approaches to webapp security.
Everteam iBPMs 8.1 provides several types of security within the software itself. First, it uses traditional Everteam token session technology which supports web services. With the latest release, it also supports JWT – JSON web tokens – a self-contained, digitally signed, stateless system to system authentication approach. Why JWT?
Everteam is a huge proponent of open standards. It’s critical to support the ability for applications and services to interoperate, and open standards support that ability.
JWT is an open standard (RFC 7519) that is:
- Self-contained: you can package up your security information and transmit it as a JSON object. You don’t have make any other requests back to the database on the server for additional information, which makes the process fast (and stateless). And because it’s so compact, you can send it in the URL, inside the HTTP header, or as POST parameter.
- Digitally signed: Signed using either an HMAC algorithm, or a public/private key pair using RSA, you know the information the object is verified and can be trusted.
Authentication is the most common use of JWT today; you can include things such as networks, services and resources that can be accessed with the JWT token.
Here’s a high-level view of how JWT works:
Providing Security though JWT in iBPMs
In our latest release – iBPMs 8.1 – we implement support for JWT to support modern services used in a wide variety of applications – including desktop and mobile apps.
Implementing JWT means our out of the box API and all business processes are secure by default. Our customers are actively building process services that integrate many business applications and it’s critical these services have a secure approach for authentication and authorization between these systems.
Using the administration interface in iBPMs, administrations indicated which services are available to external callers (other services or applications), what networks those services are accessible from and who is authorized to access the services.
The great thing about supporting JWT for authentication, other than that it provides security directly within the services themselves, is that there is no disruption to current development and deployment strategies. There’s nothing extra the developer needs to do, and no extra steps to deploy the service. The administration of security policies are applied on the backend, after the service is deployed.
How Secure are Your Business Processes?
I know I asked this at the beginning, but I think it’s really important to ask it again. Security should not be an afterthought. Think about how your services will be used and who, or what application, will be using them and how. Identify those security policies early.
Once you have those policies clearly defined, then using iBPMs and JWT, apply them when your service gets deployed. This approach to security administration enables you to quickly change policies when a new application is added, or one is removed from your environment, or when network configurations get changed. You don’t need a second policy management layer to work with, but you don’t need to modify your services either. It’s a win – win.
I’d love to show you more of the innovative things we are building into everteam.ibpms, so feel free to reach out and chat.