Layer 7 SecureSpan Solution

  • 1,195 views
Published

Security and Monitoring for Services Inside the Enterprise and out to the Cloud

Security and Monitoring for Services Inside the Enterprise and out to the Cloud

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
1,195
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
33
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. SecureSpan Solution: Security and Monitoring for Services Inside the Enterprise and out to the Cloud. K. Scott Morrison, CTO & Chief Architect, Layer 7 Technologies
  • 2. About Layer 7: Layer 7 is the leading vendor of security and governance for Cloud, SOA and XML. [Chart: customers and revenue, 2003, 2006, 2009] Layer 7 Confidential
  • 3. Why Governance? "Governance is essential. Governance is needed for security, planned change and configuration management, testing, monitoring, and setting of quality-of-service requirements." Jess Thompson, Research Vice President, as quoted by CyberMedia India Online Ltd (http://www.ciol.com/enterprise/biztech/news-reports/soa-evolving-beyond-traditional-roots/3409118003/0/)
  • 4. Layer 7's Approach to Governance: Security, Compliance, Reliability, Policy Agility, Deployment Flexibility, Interoperability, SLAs, Quality of Service, Message Content
  • 5. Achieve Control through Policy Enforcement
    - Enforce Security: centralized policy enforcement point deployed in-house or in the cloud; policy-driven authentication and fine-grained, service-level authorization; verify messages to ensure integrity; enforce policies according to risk
    - Ensure Reliability: ensure data confidentiality over the wire and at rest; ensure services remain readily available
    - Facilitate Compliance: generate log and audit files at multiple levels; export data for correlation and forensic analysis; verify messages for compliance with industry or government-mandated specifications
  • 6. Gain Visibility by Monitoring Services
    - Ensure SLA Conformance: monitor and report on SLAs using an agent-less management system; ensure you are meeting your own SLAs; ensure you're getting the value you expect from 3rd-party service providers
    - Assure Quality of Service: monitor and report on service performance in real-time; reroute and throttle services to maintain reachability and availability; alert or automate actions based on throughput, routing failures, utilization, availability rates, etc.
    - Track Message Content: identify trends, exceptions or violations at the message level; report on user, client and system access to sensitive data
  • 7. React at the Pace of Business Change
    - Gain Policy Agility: decouple security, SLA, compliance and other shared code from services; modify existing or deploy new policies on the fly; out-of-the-box assertions facilitate policy assembly without coding; custom assertions let you meet specific requirements
    - Gain Deployment Flexibility: deploy in-house or in the cloud; multiple form factors: hardware appliance, software appliance, software, cross-domain client
    - Facilitate Interoperability: out-of-the-box integration with leading SOA solutions; standards-based, open APIs facilitate integration
  • 8. Separation of Policy Enforcement Layer Using SecureSpan Gateways: Consistency, Reuse, Central Control. [Diagram: Service Requester, SecureSpan Gateway Cluster, Service Hosts, LDAP and/or IAM, Operator]
  • 9. Leverage of Existing Identity Assets. ID, Access Mgmt & STS: LDAP; Sun OpenSSO; RSA Cleartrust; CA/Netegrity SiteMinder & TxMinder; IBM TAM, TFIM; MSAD, Infocard (on VPN client); Oracle Access Mgr; new instances are simple to add. [Diagram: Web Services Client, Web Services Server, Security Token Service (STS) via WS-Trust, LDAP(S) and native Access Mgmt Policy Decision Points (PDPs)]
  • 10. Consistency and Scalability. Cluster-wide sharing: cluster variables (user configurable); replay attack prevention across the cluster; policy updates; SLA scalability. Horizontal scalability: HTTP load balancer; transparent replication of policy across the cluster; single point of management across the cluster. [Diagram: Web Services Client, HTTP Load Balancer, gateway cluster]
  • 11. Edge-of-Network, DMZ-based Deployment. [Diagram: Service Requester on the Internet, External Firewall, SecureSpan Gateway Cluster in the DMZ, Internal Firewall, Internal Applications on the Internal Network, SecureSpan Management Console on the Corporate Network] May 2009, SecureSpan™ Gateway Overview, Proprietary and Confidential
  • 12. Rich Policy Language. [Screenshot: SecureSpan Management Console managing a SecureSpan Gateway Cluster]
  • 13. Centralized Gateway PEP. [Diagram: Message Consumers (Apache+PERL, .NET, J2EE applications), Policy Decision Point (PDP) (IAM, STS, etc.), Centralized Gateway PEP Cluster, Message Producer]
    - Pros: consistent security for all systems; centrally managed; high performance, hardware-accelerated document processing and cryptography
    - Cons: need rudimentary last-mile security (SSL typically, SAML, WS-S); must cluster for high availability
  • 14. Centralized Gateway Co-processor Cluster: accelerated XML transform; accelerated XML schema validation; signing services (notary pattern); encryption services; filtering for compliance; threat detection. [Diagram: Input XML document, Transformed XML document, Virtual Loopback, Message Producers/Consumers (Apache+PERL, .NET, J2EE, ESB applications)]
  • 15. WSDL + Security Changes. Which API do you program to? Shift of burden to the client; administrative changes to policy change the API; security implemented in code is difficult to change; very programmer intensive. [Diagram: Web Services Client, Web Services Server]
  • 16. WS-Policy Document. SecureSpan XML VPN Client; SOAP message "decorated" to current policy
  • 17. Gateway acts as certificate authority: secure CSR; secure certificate download. [Diagram: Web Services Client, Web Services Server]
  • 18. Trusted Certificates: LDAP or HTTP server (LDAP(S), HTTP(S)); OCSP; CRLs; administrative secure message import; PKI system certs. [Diagram: Web Services Client, Web Services Server]
  • 19. Protecting and monitoring your applications in the cloud; giving your cloud apps access to on-premises data sources; big-picture view of the distributed application network. [Diagram: Enterprise On-Premise IT, cloud]
  • 20. Hardware PEP and Virtual PEP: identical functionality. Application-layer isolation, monitoring and control. NetOps
  • 21. Virtual Application Instance and Virtual SecureSpan Instance: separate instances or combined instance; protected application stack
  • 22. Some of our Partners. [Logos; Virtual SecureSpan Instance]
  • 23. Some of our Customers. [Logos]
  • 24. Summary
    - Cloud should be viewed as a deployment pattern for SOA
      - This means you should leverage SOA technology in the cloud
      - Virtual SOA gateways, like SecureSpan, provide you with a means to secure cloud
    - SOA best practices for federation can be transferred into the cloud
      - Avoid key material in the cloud
      - Use distributable token validation strategy: SAML, Kerberos
      - Employ authorization based on attributes, not concrete identities; these have persistence
  • 25. For further information: K. Scott Morrison, Layer 7 Technologies, 405 – 1100 Melville St., Vancouver, B.C. V6E 4A6, Canada. (800) 681-9377, smorrison@layer7tech.com, http://www.layer7tech.com