Your SlideShare is downloading. ×

Layer 7: Managing SOA Security and Operations with SecureSpan

902

Published on

Francois Lascelles presents Managing SOA Security and Operations with Layer 7's SecureSpan.

Francois Lascelles presents Managing SOA Security and Operations with Layer 7's SecureSpan.

Published in: Technology, Business
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
902
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
1
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Managing SOA Security and Operations with SecureSpan Francois Lascelles Technical Director, Layer 7 Technologies
  • 2. About Layer 7
    • Layer 7 is the leading vendor of security and governance for:
    2003 2006 2009 Customers Revenue XML SOA Cloud
  • 3. Why Layer 7 SecureSpan?
    • Faster time to market
          • Reduce development, deployment and management efforts
          • JBossESB infrastructure service, delegate business logic
          • Faster additions, changes
    • Governance
          • Enterprise-wide view of services
          • Real time monitoring, reporting
    • Agility
          • Service virtualization
          • Decoupled policy enforcement
    • Security
          • Threat protection, access control, trust management, …
  • 4. SecureSpan XML Gateway  secure ws transit point  ws-security implementation  trust management  mediation, integration  threat protection  auditing, sla  monitoring, reporting
  • 5. Hardware or software appliance form factor
    • Hardware Appliance
    • Military grade, hardened device
    • Telecom grade performance
    • FIPS 140-2 certified crypto
    • Hard and soft XML acceleration
    • Virtual Appliance
    • Pre-installed, hardened RHEL image
    • ESX certified, Amazon, private clouds
    • FIPS 140-2 certified crypto (soft mode)
    • Soft (native) XML acceleration
    COTS appliance form factor enables ‘drop-in’ solution with minimal deployment time and instant value. No agents to deploy, no dependencies.
  • 6. Policy Studio Policies are created by organizing assertions in logical tree structures. Policies are changed on the fly, without service interruptions. Rich palette, extensible through JAVA API. Design, implementation and deployment in hours, not months or years. Automated, scripted provisioning and management through API.
  • 7. Message level aware intermediary Web Services Delegate common or expensive XML related tasks from your endpoints to your infrastructure. Cut development costs and increase governance by implementing more business logic at infrastructure level.
  • 8. How to implement security in the Enterprise SOA?
    • Authentication
    • Authorization
    • Integrity
    • Confidentiality
    • Key management
    • Threat protection
    • Non-repudiation
    • Audit
    Security implemented in the service endpoints? endpoints applications IAM
    • Less governance
    • Expensive development task
    • An obstacle to loose coupling
    • Resources not used effectively
    • ESB and WS stacks not appropriate for edge security
  • 9. Delegating endpoint security XML Gateway enforces security for incoming traffic on behalf of protected services. XML Gateway secures outgoing traffic on behalf of protected services. protected services
  • 10. Identity Federation, Trust Management
    • Identity and Access Management interfacing
        • Runtime access control rules enforcement
        • LDAP, SUN OpenSSO, Novell AM, Oracle AM, Netegrity, Tivoli, MSAD
    • STS, SSO
        • SAML issuing, validation
        • WS-Trust, SAML-P
        • WS-SecureConversation
        • WS Federation
    • Fined grain trust management
  • 11. Threat Protection
    • Network/OS level threats
    • Message level threats
    • Consistent security policies for heterogeneous environment
    Schema poisoning Recursive entity attacks Code injections WSDL fishing Parser attacks …
  • 12. Service level monitoring, enforcement
    • Real time contract lookup and enforcement (SLA)
    • Throughput quotas
        • Per identity, per operation
    • Throttling
        • Protect service endpoints
    • Monitoring of response times
        • Custom alert triggers
        • Custom reporting
    • Priority routing rules
  • 13. Loose coupling, late binding Who does that? Route message to appropriate endpoint
    • Routing based on
    • remote IP
    • content
    • identity, identity attribute
    • pattern
    New type of request
    • Last minute binding involving consultation of resource
    • LDAP
    • UDDI
    • database
    • external WS
  • 14. ESB co-processing
    • SecureSpan Infrastructure Service
      • Accelerated XSLT
      • Accelerated XSD
      • Accelerated pattern detection
      • WSS Processing
      • SLA Enforcement
    JBossESB
  • 15. Enterprise Service Manager Agent-less WS Management  Enterprise wide view of services  Performance and usage reports  Service and policy migration  Remote gateway start/stop  Custom reports  Remote gateway upgrade, upload modules*
  • 16. Assisted migration across environments
  • 17. Enterprise services in the cloud Enterprise deploys own services on cloud provider Monitoring? Msg level security? Quality of service? Reports? Enterprise subscriber Lack of in-house service governance is a barrier to adoption
  • 18. SecureSpan on public/enterprise cloud
  • 19. Customer case: air traffic scheduling service provider Hosted service Data agglomeration Fixed file length proprietary format LHR AMS FRA YYZ Runway information fed from airports Repurposed data sent to airlines and outsourced systems EDS flight planner Lufthansa systems Swiss airline
    • Edge security, threat protection
    • Trust management
    • Transformation
    • Service virtualization
  • 20. Customer case: insurance cross platform integration
    • Central access point to all services
    • Transport mediation (e.g. http to mq)
    • WS mediation (e.g. addressing, security)
    • Identity mapping
    • Centralized transaction platform
    • Mainframe
      • - consumers
      • - providers
    • Enterprise resource planning
    • SAP (XI/PI)
      • - consumers
      • - providers
    • Distributed transaction platform
    • JBoss
      • - consumers
      • - providers
    • Office Automation
    • . NET , Office
      • - consumers
      • - providers
  • 21. Customer case: healthcare electronic exchange - Health records - Prescriptions - Provider services National PKI infrastructure …
    • Service virtualization for simulation projects
    • Complex security validation
      • SHA256 based signatures
      • Custom token extensions
    • Full PKI integration, revocation checking
    • Sophisticated validation (XSD, Schematron)
    Hospital and emergency applications
  • 22. Customer case: military CDS
    • Guard pattern
    • Federation/Trust Management/SAML
    • Data screening
    • FIPS 140-2 level 3 compliancy
    • Common criteria EAL4+
    AIR FORCE Others ARMY NAVY
  • 23. For more information about SecureSpan: http://www.layer7tech.com

×