Your SlideShare is downloading. ×
  • Like
  • Save

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Layer 7: Managing SOA Security and Operations with SecureSpan


Francois Lascelles presents Managing SOA Security and Operations with Layer 7's SecureSpan.

Francois Lascelles presents Managing SOA Security and Operations with Layer 7's SecureSpan.

Published in Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Managing SOA Security and Operations with SecureSpan Francois Lascelles Technical Director, Layer 7 Technologies
  • 2. About Layer 7
    • Layer 7 is the leading vendor of security and governance for:
    2003 2006 2009 Customers Revenue XML SOA Cloud
  • 3. Why Layer 7 SecureSpan?
    • Faster time to market
          • Reduce development, deployment and management efforts
          • JBossESB infrastructure service, delegate business logic
          • Faster additions, changes
    • Governance
          • Enterprise-wide view of services
          • Real time monitoring, reporting
    • Agility
          • Service virtualization
          • Decoupled policy enforcement
    • Security
          • Threat protection, access control, trust management, …
  • 4. SecureSpan XML Gateway  secure ws transit point  ws-security implementation  trust management  mediation, integration  threat protection  auditing, sla  monitoring, reporting
  • 5. Hardware or software appliance form factor
    • Hardware Appliance
    • Military grade, hardened device
    • Telecom grade performance
    • FIPS 140-2 certified crypto
    • Hard and soft XML acceleration
    • Virtual Appliance
    • Pre-installed, hardened RHEL image
    • ESX certified, Amazon, private clouds
    • FIPS 140-2 certified crypto (soft mode)
    • Soft (native) XML acceleration
    COTS appliance form factor enables ‘drop-in’ solution with minimal deployment time and instant value. No agents to deploy, no dependencies.
  • 6. Policy Studio Policies are created by organizing assertions in logical tree structures. Policies are changed on the fly, without service interruptions. Rich palette, extensible through JAVA API. Design, implementation and deployment in hours, not months or years. Automated, scripted provisioning and management through API.
  • 7. Message level aware intermediary Web Services Delegate common or expensive XML related tasks from your endpoints to your infrastructure. Cut development costs and increase governance by implementing more business logic at infrastructure level.
  • 8. How to implement security in the Enterprise SOA?
    • Authentication
    • Authorization
    • Integrity
    • Confidentiality
    • Key management
    • Threat protection
    • Non-repudiation
    • Audit
    Security implemented in the service endpoints? endpoints applications IAM
    • Less governance
    • Expensive development task
    • An obstacle to loose coupling
    • Resources not used effectively
    • ESB and WS stacks not appropriate for edge security
  • 9. Delegating endpoint security XML Gateway enforces security for incoming traffic on behalf of protected services. XML Gateway secures outgoing traffic on behalf of protected services. protected services
  • 10. Identity Federation, Trust Management
    • Identity and Access Management interfacing
        • Runtime access control rules enforcement
        • LDAP, SUN OpenSSO, Novell AM, Oracle AM, Netegrity, Tivoli, MSAD
    • STS, SSO
        • SAML issuing, validation
        • WS-Trust, SAML-P
        • WS-SecureConversation
        • WS Federation
    • Fined grain trust management
  • 11. Threat Protection
    • Network/OS level threats
    • Message level threats
    • Consistent security policies for heterogeneous environment
    Schema poisoning Recursive entity attacks Code injections WSDL fishing Parser attacks …
  • 12. Service level monitoring, enforcement
    • Real time contract lookup and enforcement (SLA)
    • Throughput quotas
        • Per identity, per operation
    • Throttling
        • Protect service endpoints
    • Monitoring of response times
        • Custom alert triggers
        • Custom reporting
    • Priority routing rules
  • 13. Loose coupling, late binding Who does that? Route message to appropriate endpoint
    • Routing based on
    • remote IP
    • content
    • identity, identity attribute
    • pattern
    New type of request
    • Last minute binding involving consultation of resource
    • LDAP
    • UDDI
    • database
    • external WS
  • 14. ESB co-processing
    • SecureSpan Infrastructure Service
      • Accelerated XSLT
      • Accelerated XSD
      • Accelerated pattern detection
      • WSS Processing
      • SLA Enforcement
  • 15. Enterprise Service Manager Agent-less WS Management  Enterprise wide view of services  Performance and usage reports  Service and policy migration  Remote gateway start/stop  Custom reports  Remote gateway upgrade, upload modules*
  • 16. Assisted migration across environments
  • 17. Enterprise services in the cloud Enterprise deploys own services on cloud provider Monitoring? Msg level security? Quality of service? Reports? Enterprise subscriber Lack of in-house service governance is a barrier to adoption
  • 18. SecureSpan on public/enterprise cloud
  • 19. Customer case: air traffic scheduling service provider Hosted service Data agglomeration Fixed file length proprietary format LHR AMS FRA YYZ Runway information fed from airports Repurposed data sent to airlines and outsourced systems EDS flight planner Lufthansa systems Swiss airline
    • Edge security, threat protection
    • Trust management
    • Transformation
    • Service virtualization
  • 20. Customer case: insurance cross platform integration
    • Central access point to all services
    • Transport mediation (e.g. http to mq)
    • WS mediation (e.g. addressing, security)
    • Identity mapping
    • Centralized transaction platform
    • Mainframe
      • - consumers
      • - providers
    • Enterprise resource planning
    • SAP (XI/PI)
      • - consumers
      • - providers
    • Distributed transaction platform
    • JBoss
      • - consumers
      • - providers
    • Office Automation
    • . NET , Office
      • - consumers
      • - providers
  • 21. Customer case: healthcare electronic exchange - Health records - Prescriptions - Provider services National PKI infrastructure …
    • Service virtualization for simulation projects
    • Complex security validation
      • SHA256 based signatures
      • Custom token extensions
    • Full PKI integration, revocation checking
    • Sophisticated validation (XSD, Schematron)
    Hospital and emergency applications
  • 22. Customer case: military CDS
    • Guard pattern
    • Federation/Trust Management/SAML
    • Data screening
    • FIPS 140-2 level 3 compliancy
    • Common criteria EAL4+
  • 23. For more information about SecureSpan: