Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Europe CTO Francois Lascelles discusses why standards matter when it comes to SOA and Cloud security.

  1. The importance of standards for Enterprise SOA and Cloud Security. Francois Lascelles, Technical Director, Europe
  2. Agenda: the importance of standards for Enterprise SOA and Cloud security
     - SOA and cloud
     - Loose coupling and security
     - Agility and security
     - Vendor neutrality and security
     - Enterprise cloud and identity
     - Examples
     - Layer 7 solutions
     (Slide footer: Layer 7 Confidential)
  3. Enterprise SOA, cloud landscape (diagram): inside the enterprise boundary sit sensitive data and apps, mission-critical systems, the identity authority and legacy systems; outside it are SOA, cloud, SAAS and partner-deployed services
  4. Aspects of the cloud-enabled enterprise SOA
     - Services deployed across multiple zones: on-premise service endpoints, off-premise service endpoints (public cloud), SAAS-type cloud services, partner service endpoints and partner service consumers
     - Multiple and varying identity authorities
     - A mix of WS-*, REST and Web API style services
  5. Service orientation and security (diagram comparing a web app, with a presentation tier in front of the server code, to a web service, with a service requester calling a service instance)
     - Web apps: through the presentation layer you control the requesting side and can more easily impose a security mechanism; there is a user and a browser; HTTP-only
     - Web services: the requester is not necessarily a browser; often machine to machine; no login forms, sessions or cookies; security is decoupled from the service implementation
  6. Service security and agility
     - Service orientation is meant to provide agility
     - Security mechanisms and infrastructure must accommodate agility, not choke it
     - Service composition patterns and global security requirements require a decoupling of security from service implementation
     - (Table comparing security solutions, namely security as a service and gateways, container, agent, and security in application logic, on agility, security and decoupling)
  7. Vendor neutrality
     - Standards and vendor neutrality: more than best practice, a defining characteristic of SOA
     - A single-vendor platform inhibits future evolution
     - Don't think in terms of isolated platforms; the objective is the ability to substitute, add or remove any component of your SOA
     - Favor best of breed instead of a single-vendor platform
  8. Enterprise cloud and identity
     - Is your identity management infrastructure enabling you to adopt cloud solutions securely?
     - Identity silos represent security risks and management challenges
     - Enable trust management of issuing authorities
     - Support standards-compliant identity federation mechanisms: SAML, XACML, WS-Trust
     - Favor cloud solutions (SAAS, PAAS) that support such standards
  9. Example: web service access control management (diagram): a PEP sits in-line of the transaction between the WS requester and the WS endpoint; identity authentication and authorization are based on group membership or attributes held in an LDAP directory
  10. Example: web service access control management (diagram): the PEP in-line of the transaction between the WS requester and the WS endpoint delegates authorization to a PDP using XACML
  11. Example: web service access control management (diagram): an agent between the WS requester and the WS endpoint, tied to a custom IAM, SSO or governance solution, marked with a question mark
  12. Example: SaaS access control (diagram): an enterprise user inside the enterprise boundary logs in to SF, Google and other SAAS with separate usernames and passwords, creating identity silos
  13. Example: SaaS access control (diagram): each SAAS instance (SF, Google, other SAAS) is configured with the enterprise issuing authority's certificate; the enterprise user logs in locally via redirect to a SAML issuing authority in the enterprise DMZ, giving locally controlled global access control
  14. Example: SaaS callback to private resource (diagram): Google Apps, SF and other SAAS reach a private resource WS endpoint inside the enterprise boundary over a secure, VPN-ish link through an SDC in the enterprise DMZ
  15. Example: SaaS callback to private resource (diagram): Google Apps, SF and other SAAS reach the private resource WS endpoint through a neutral, standards-based gateway in the enterprise DMZ, using OAuth, WS-S and mutual SSL
  16. Layer 7 SecureSpan solution
     - Standards-based, best-of-breed services gateway
     - WS-*, REST, XML, JSON
     - Policy Enforcement Point (PEP)
     - Access control
     - Edge threat protection
     - Compliance
     - Orchestration, virtualization
     - SLA enforcement
     - Transformation
  17. Layer 7 CloudConnect: securely connect enterprises to the cloud (diagram: CloudConnect on the on-premise network links the existing IAM and system of record to the cloud)
     - Leverage existing IAM infrastructure for SaaS SSO
     - Securely integrate with SaaS apps
     - Track usage of SaaS
  18. Layer 7 CloudSpan family
     - CloudConnect, "Your Gateway to the Cloud": allows enterprises to safely consume SaaS and cloud-based services
     - CloudProtect, "Your Gatekeeper in the Cloud": DMZ-level security for applications and services deployed in public and private clouds
     - CloudControl, "The Gate Minder for your Cloud": secure, orchestrate and manage application and service APIs exposed to third parties
  19. For more information
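Slides 9 and 10 show the PEP in-line of the transaction either deciding on LDAP group membership itself or delegating the decision to a PDP over XACML. The following is an added Python example of that delegation, not Layer 7's code: the PEP serialises the authenticated caller's context as an XACML 2.0 Request, a constructed stand-in PDP evaluates it (a deployment would call a real XACML PDP service), and the PEP forwards the call only on an explicit Permit. The group attribute id `urn:example:ldap:memberOf`, the endpoints and the policy table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 request context namespace and the standard OASIS attribute identifiers.
XACML = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Constructed attribute id carrying the LDAP groups the PEP resolved when it authenticated the caller.
GROUP_ATTR = "urn:example:ldap:memberOf"

def build_xacml_request(subject, groups, resource, action):
    """PEP side: serialise caller, target endpoint and operation as an XACML 2.0 Request."""
    req = ET.Element(f"{{{XACML}}}Request")
    def section(tag, attrs):
        parent = ET.SubElement(req, f"{{{XACML}}}{tag}")
        for attr_id, value in attrs:
            attr = ET.SubElement(parent, f"{{{XACML}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
            ET.SubElement(attr, f"{{{XACML}}}AttributeValue").text = value
    section("Subject", [(SUBJECT_ID, subject)] + [(GROUP_ATTR, g) for g in groups])
    section("Resource", [(RESOURCE_ID, resource)])
    section("Action", [(ACTION_ID, action)])
    return ET.tostring(req, encoding="unicode")

# Constructed stand-in for the PDP's policy set: (WS endpoint, action) -> groups allowed to perform it.
POLICY = {
    ("/ws/payroll", "read"): {"hr"},
    ("/ws/payroll", "write"): {"hr-admins"},
    ("/ws/catalog", "read"): {"employees"},
}

def pdp_evaluate(request_xml):
    """Stand-in PDP: parse the Request and return an XACML Decision string."""
    root = ET.fromstring(request_xml)
    def values(tag, attr_id):
        path = f"{{{XACML}}}{tag}/{{{XACML}}}Attribute[@AttributeId='{attr_id}']/{{{XACML}}}AttributeValue"
        return [v.text for v in root.findall(path)]
    resource, action = values("Resource", RESOURCE_ID), values("Action", ACTION_ID)
    if len(resource) != 1 or len(action) != 1:
        return "Indeterminate"  # malformed or ambiguous request: the PDP cannot evaluate it
    permitted = POLICY.get((resource[0], action[0]))
    if permitted is None:
        return "NotApplicable"  # no policy targets this endpoint and operation
    return "Permit" if permitted & set(values("Subject", GROUP_ATTR)) else "Deny"

def pep_authorize(subject, groups, resource, action):
    """PEP enforcement: only an explicit Permit lets the transaction reach the WS endpoint."""
    return pdp_evaluate(build_xacml_request(subject, groups, resource, action)) == "Permit"
```

Note that NotApplicable and Indeterminate are treated the same as Deny at the PEP, so an endpoint without a policy fails closed rather than open.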