Datapower Steven Cawn


Presentation on IBM DataPower, given by Steven Cawn at IBM's Innovation and Connectivity event, 25 June 2015.

  1. IBM DataPower Gateway: An update on IBM's multi-channel security gateway. Steven Cawn, Worldwide DataPower Sales Leader. © IBM Corporation
  2. Why use an appliance for connectivity?
     • Purpose-built, fine-tuned, secure, and consumable hardware platform
     • Fast performance with multiple layers of specialized hardware and software acceleration
     • Many functions incorporated in a single device: service level management; dynamic routing and load distribution; transport and message level security; policy enforcement; transport and message transformation; business-to-business partner profile management
     • Simplified maintenance model: drop-in appliance form factor; secures traffic in minutes; push-button flash upgrade process; integrates with existing operations
     • Provides high levels of certified security assurance: transport protocol security (SSL/TLS); message level security; authentication, authorization, audit (AAA); FIPS 140-2 Level 3
  3. Potential benefits for reduction in development labor (estimated development hours)

     Use case | Description | Current environment | DataPower
     B2B Protocol Handling | Integrate internal and external business partners based on industry standard B2B protocols and message formats | 200 | 20
     B2B Partner Profile Manager | Onboard and manage new partners for B2B integration through the gateway | 10 | 5
     B2B Transaction Manager | B2B transaction audit and management capability for review, resend and problem resolution | 10 | 5
     Security AAA | Consumer identification, authentication, authorization, and auditing security capabilities | 360 | 18
     Security Threat Protection | Non-repudiation, integrity, confidentiality and general threat protection security capabilities | 1080 | 51
     Routing | Service virtualization of identity via dynamic content- and context-based routing | 140 | 20
     Protocol Bridging | Service virtualization of protocol via bridging (e.g. HTTP to/from MQ) | 140 | 20
     Message Transformation | Service virtualization of interface via message transformation to/from any format including XML | 120 | 40
     Service Level Management | Monitor against thresholds based on SLAs between parties and support taking action when thresholds are crossed | 280 | 40
  4. DataPower's core strategic vision (DataPower team): become the leading multi-channel gateway platform for developers, customers, partners and IBM products to secure, integrate, control and optimize the delivery of applications, APIs and data across a variety of digital business channels, in a growing landscape of public, private and hybrid cloud environments as well as on-premises deployments.
  5. What is IBM DataPower?
     • The IBM DataPower Gateway appliance has been established as the leading security and integration gateway device for the industry
     • DataPower gateway appliances help secure, control, integrate and optimize the delivery of the full range of mobile, web, API, SOA, cloud, and B2B applications and services
  6. IBM DataPower, converged multi-channel gateway (diagram)
     Business channels: web, mobile, B2B, SOA, APIs. Users: consumers, employees, partners, consultants, developers. Enforcement solutions: DataPower appliance, ISAM for DataPower. Behind the enforcement layer: applications and systems.
  7. IBM DataPower Gateway: extend the capabilities by providing a multitude of functions
     • IBM DataPower Gateway (IDG) provides gateway functionality and is a security enforcement point. It also supports intelligent load distribution and dynamic routing via the Application Optimization module. IDG is used for service level management and monitoring, and is available in two form factors: a 2U rack-mounted physical appliance, and a virtual appliance running on VMware and Citrix hypervisors and in elastic cloud environments (SoftLayer and Amazon AWS).
     • IBM DataPower Gateway with Integration Module extends the IDG platform with a wide range of integration, message mediation and transformation protocols, including mainframe integration and enablement. The Integration Option is available for both physical and virtual form factors.
     • IBM DataPower Gateway with the ISAM Module: IBM Security Access Manager for DataPower is a new access management software module for IBM DataPower Gateways that provides web access management and strong authentication enforcement for mobile workloads, integrated into the DataPower platform.
     • IBM DataPower Gateway with Business to Business (B2B) Module provides a high-throughput, secure entry point at the edge for B2B traffic into enterprises. The B2B option builds on the capabilities of IDG, offering partner profile management and inter-enterprise messaging and document support. It is available in both physical appliance and virtual form factors.
     Note: other modules are Application Optimization (routing and load balancing) and Tibco (connectivity to Tibco EMS).
  8. Security gateway: proxying and enforcement
     The connection from the client terminates at the gateway; after policy has run, the gateway opens a new connection to the target.
     • Terminate incoming connection
     • Terminate transport-level security (SSL/TLS offload)
     • Threat protection
     • Enforce Service Level Agreement policies
     • Inspect message content and filter (schema validate)
     • Enforce security policies on message content (encrypt/decrypt, verify/sign digital signatures)
     • Authentication, Authorization, Auditing (AAA)
     • Call out to virus checker
     • Transform content and enrich message
     • Translate security token
     • Dynamically route based on content and load balance (establish a new connection to pass results)
     • Cache data on-box or in a centralized, shared XC10 grid
     Deployment diagram: the outside world (Internet, SaaS, partner apps, browsers) reaches the DMZ through a protocol firewall and ACL. The DMZ security gateway performs incoming access control and threat protection on web service requests carrying Basic Auth, OAuth 2.0, WS-Security UNT, etc., calling out to a virus scanner and to an identity store or PDP (ISAM, Microsoft Active Directory, any LDAP such as Oracle, CA SiteMinder, or a PDP speaking XACML, SAML or other). A domain firewall and ACL separate the DMZ from the internal network, where a second security gateway performs outgoing access control (SAML injection etc.) and forwards to the ESB, packaged apps, proprietary apps and data; internal consumers present SAML, LTPA or Kerberos. Formats and standards at this layer: HTTP(S); HTML, JSON, XML, SOAP; MIME, DIME, MTOM; XMLDSIG, XMLENC; WS-Security, WS-SecurityPolicy, WS-Trust; SAML; OAuth 2.0.
  9. AAA: Authentication, Authorization, Auditing
     • Extract identity: HTTP headers, WS-Security tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML assertion, IP address, LTPA token, HTML form, OAuth, custom
     • Extract resource: URL, XPath, SOAP operation, HTTP operation, custom
     • Authenticate: LDAP/Active Directory, System z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, verify signature, custom
     • Map identity; map resource
     • Authorize: LDAP/Active Directory, System z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, custom
     • Audit and post-process: add WS-Security, generate z/OS ICRX token, generate Kerberos, generate SPNEGO, generate SAML, generate LTPA, map identity through Tivoli Federated Identity Manager
     Each stage can consult an external access control server or the onboard identity management store; the message enters at extraction and leaves after post-processing.
  10. Supported standards and protocols
     • Data format and language: JavaScript; JSON; JSON Schema; JSONiq; REST; SOAP 1.1, 1.2; WSDL 1.1; XML 1.0; XML Schema 1.0; XPath 1.0; XPath 2.0 (XQuery only); XSLT 1.0; XQuery 1.0
     • Security policy enforcement: OAuth 2.0; SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries; XACML 2.0; Kerberos, SPNEGO; RADIUS; LDAP versions 2 and 3; Lightweight Third-Party Authentication (LTPA); Microsoft Active Directory; FIPS 140-2 Level 3 (with optional HSM); SAF and IBM RACF integration with z/OS; Internet Content Adaptation Protocol (ICAP); W3C XML Encryption; W3C XML Signature; S/MIME encryption and digital signature; WS-Security 1.0, 1.1; WS-I Basic Security Profile 1.0, 1.1; WS-SecurityPolicy; WS-SecureConversation 1.3
     • Transport and connectivity: HTTP, HTTPS, WebSocket proxy; FTP, FTPS, SFTP; WebSphere MQ; WebSphere MQ File Transfer Edition (MQFTE); TIBCO EMS; WebSphere Java Message Service (JMS); IBM IMS Connect and IMS Callout; NFS; AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62); DB2, Microsoft SQL Server, Oracle, Sybase, IMS
     • Transport layer security: SSL versions 2 and 3; TLS versions 1.0, 1.1, and 1.2. (SSLv2 and SSLv3 appear on the support list for compatibility only; both were deprecated by mid-2015 and should be disabled in any gateway profile.)
     • Public key infrastructure (PKI): RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP; PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12; XKMS for integration with Tivoli Security Policy Manager (TSPM)
     • Management: Simple Network Management Protocol (SNMP); syslog; IPv4, IPv6
     • Open file formats: Distributed Management Task Force (DMTF) Open Virtualization Format (OVF); VMware Virtual Machine Disk Format (VMDK)
     • Web services: WS-I Basic Profile 1.0, 1.1; WS-I Simple SOAP Basic Profile; WS-Policy Framework; WS-Policy 1.2, 1.5; WS-Trust 1.3; WS-Addressing; WS-Enumeration; WS-Eventing; WS-Notification; Web Services Distributed Management (WSDM); WS-Management; WS-I Attachments Profile; SOAP Attachment Feature 1.2; SOAP with Attachments (SwA); Direct Internet Message Encapsulation (DIME); Multipurpose Internet Mail Extensions (MIME); XML-binary Optimized Packaging (XOP); Message Transmission Optimization Mechanism (MTOM); WS-MediationPolicy (IBM standard); Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription; WebSphere Service Registry and Repository (WSRR)
     The slide links to the DataPower Information Center for the full list.
  11. Protection of data plus XML and JSON threat protection
     • Use DataPower to help resolve PCI compliance issues
     • Easily sign, verify, encrypt and decrypt any content: configurable XML Encryption and digital signatures at message level, field level and header level
     • Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, …
     • Use WS-SecurityPolicy to define security requirements for your web services; DataPower natively consumes and enforces WS-SecurityPolicy statements (integrity and confidentiality, SupportingTokens, message/transport protection)
     • Use XACML to define access and authorization policies for your web services; DataPower natively consumes and enforces XACML policies (resource-based authorization; PEP and PDP roles)
     • DataPower security is policy driven
     XML threat protection covers: entity expansion/recursion attacks; public key DoS; XML flood; resource hijack; dictionary attack; replay attack; message/data tampering; message snooping; XPath or SQL injection; XML encapsulation; XML virus; and many others.
     JSON threat protection limits: label string length (characters); value string length (characters); number length (characters); maximum nesting depth (levels); maximum document size (bytes).
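The JSON limits listed above (label length, value length, number length, nesting depth, document size) and the XML entity-expansion protection are all checks that must run before a message is handed to a full parser, because a parser that first builds the tree has already spent the memory the attacker wanted it to. The following added example, written in plain Node.js and not DataPower's own threat-protection code, enforces those limits on constructed inputs, including a "billion laughs" XML document; the limit values are illustrative and would normally come from the gateway's policy.

```javascript
"use strict";
// Added example, not DataPower's own code: pre-parse threat-protection
// limits for JSON and XML messages. LIMITS values are constructed.
const LIMITS = {
  maxDocumentBytes: 4096,
  maxNestingDepth: 8,
  maxLabelLength: 32,   // object key, in characters
  maxValueLength: 256,  // string value, in characters
  maxNumberLength: 20,  // number literal, in characters
};

// Scans the raw JSON text so depth and length limits fire before any
// object tree is built; JSON.parse runs only after the scan passes.
function checkJson(text, limits = LIMITS) {
  if (Buffer.byteLength(text, "utf8") > limits.maxDocumentBytes) return { ok: false, reason: "document-size" };
  const stack = []; // '{' or '[' for each currently open container
  let i = 0;
  while (i < text.length) {
    const c = text[i];
    if (c === "{" || c === "[") {
      stack.push(c);
      if (stack.length > limits.maxNestingDepth) return { ok: false, reason: "nesting-depth" };
      i++;
    } else if (c === "}" || c === "]") {
      stack.pop(); i++;
    } else if (c === '"') {
      let j = i + 1; // find the closing quote, skipping escapes
      while (j < text.length && text[j] !== '"') { if (text[j] === "\\") j++; j++; }
      if (j >= text.length) return { ok: false, reason: "unterminated-string" };
      const len = j - i - 1;
      let k = j + 1; while (k < text.length && /\s/.test(text[k])) k++;
      // Inside an object, a string followed by ':' is a label; otherwise a value.
      const isLabel = stack[stack.length - 1] === "{" && text[k] === ":";
      if (isLabel && len > limits.maxLabelLength) return { ok: false, reason: "label-length" };
      if (!isLabel && len > limits.maxValueLength) return { ok: false, reason: "value-length" };
      i = j + 1;
    } else if (/[-0-9]/.test(c)) {
      let j = i; while (j < text.length && /[-+.eE0-9]/.test(text[j])) j++;
      if (j - i > limits.maxNumberLength) return { ok: false, reason: "number-length" };
      i = j;
    } else {
      i++; // whitespace, ':', ',', true/false/null
    }
  }
  try { JSON.parse(text); } catch (e) { return { ok: false, reason: "malformed" }; }
  return { ok: true };
}

// XML: a gateway cannot safely expand an attacker-supplied DTD, so any
// DOCTYPE or ENTITY declaration is refused outright (this blocks both
// entity expansion and external-entity retrieval). Element depth is then
// bounded with a tag scanner; comments and CDATA are stripped first.
function checkXml(text, limits = LIMITS) {
  if (Buffer.byteLength(text, "utf8") > limits.maxDocumentBytes) return { ok: false, reason: "document-size" };
  if (/<!DOCTYPE/i.test(text) || /<!ENTITY/i.test(text)) return { ok: false, reason: "dtd-not-allowed" };
  const body = text.replace(/<!--[\s\S]*?-->/g, "").replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, "");
  const tag = /<(\/?)([A-Za-z_][\w.:-]*)[^>]*?(\/?)>/g;
  let depth = 0, m;
  while ((m = tag.exec(body)) !== null) {
    if (m[1] === "/") depth--;
    else if (m[3] !== "/") {
      depth++;
      if (depth > limits.maxNestingDepth) return { ok: false, reason: "nesting-depth" };
    }
  }
  return { ok: true };
}

// Constructed sample: the classic entity-expansion payload. Only the
// declaration is present here; expanded it would be 4^n copies of "lol".
const BILLION_LAUGHS =
  '<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">' +
  '<!ENTITY lol2 "&lol;&lol;&lol;&lol;">]><lolz>&lol2;</lolz>';
```

Refusing DOCTYPE entirely is the right default for a gateway: no legitimate web-service or API client needs to ship a DTD, and it removes both entity expansion and XXE in one rule rather than trying to cap expansion ratios.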
  12. VISA International: provide greater agility, flexibility and adaptability
     Challenge: consistent and secure delivery of online services to members, in a form that could be shared, integrated and flexible enough to meet specific needs. The web services infrastructure had to support highly secure data routing given the daily high volume and the sensitive nature of the information.
     Solution: implemented the WebSphere DataPower Security Gateway XG45 (alongside WebSphere Application Server) to form the backbone of the web services infrastructure. Through content-based message routing, security policy enforcement and data encryption, the XG45 helps ensure the safe and efficient flow of confidential customer data between the web site and back-end systems. It integrated seamlessly into the existing heterogeneous environment, increasing interoperability and promoting reuse.
     Benefits: secure SOA on a standards-based platform; easy reuse of web services throughout the enterprise; higher productivity of IT staff; substantially shorter time to market for new services.
  13. Multi-channel gateway for mobile workloads
     • The ISAM for DataPower module provides the reverse proxy component that enables: centralized user authentication and coarse-grained authorization; advanced session management and web SSO; enforcement of context-based access and mobile SSO policies; strong authentication including one-time password and multi-factor authentication
     • Leverage the combined capabilities of IBM DataPower Gateway and IBM Security Access Manager in a single, converged security and integration gateway
     Diagram: mobile application → DataPower with ISAM module → ISAM for Mobile, IBM MobileFirst.
  14. Customer testimonial: Sprint
     Challenge: missing out on new opportunities in mobile advertising; aggressive growth in mobile creating new opportunities; differentiation with Sprint profile information; how to increase top-line revenue; increasing competition from non-traditional companies, no longer just the other carriers.
     Solution: WebSphere DataPower Integration Appliance XI52 and XC10 Caching Appliance for mobile access control and security, wire-speed performance and a consistent operational environment; deployed as a mobile gateway providing schema validation and trust formations; augmented the existing infrastructure.
     Benefits: fast speed to market; low development cost; well-established operational support within Sprint; deployed within the secured Sprint network; secure connectivity to dependent systems; Sprint-controlled data security; scalable as volumes grow; ability to maintain a consistent interface to clients regardless of back-end changes.
     Architecture diagram: SOAP service consumers → XI52 web services gateway platform (with XC10 cache) → enterprise application integration (XI52, message broker, custom code, adapters) → back-office systems and web services.
  15. Multi-channel gateway for API workloads
     Components: Developer Portal, API Manager, Management Console, API Gateway (DataPower).
     Capabilities shown: assemble business APIs easily; provide secure or open APIs; control APIs at a fine-grained level; explore API documentation; interactively exercise APIs; provision application keys; define and manage APIs; explore API usage with analytics; manage API user communities; provision system resources; monitor runtime health; scale the environment; analyze API usage; manage private, partner and public app developers; provide self-service app developer onboarding.
     API configurations are deployed to the gateway, which provides the enforcement point for runtime policies that control API traffic.
  16. Improved user experience: pattern-based configuration
     • Reduce time-to-value and increase productivity and quality of DataPower solutions
     • A pattern captures a tested solution to a common recurring problem
     • Built-in, intuitive new interface for creating and deploying common DataPower configuration patterns: reduce time to value through accelerated configuration and deployment for both new and experienced users; increase developer productivity by leveraging working examples of common use cases; improve quality through reuse of configuration created by skilled roles
     • Pre-built and user-defined patterns: ten new pre-built web application and web services patterns; deploy a new service from a pattern; create a service pattern for reuse; browse patterns
  17. Supports on-premises and cloud deployment
     • Physical: purpose-built, DMZ-ready appliances provide physical security; high-density 2U rack-mount design; 8 x 1 GbE and 2 x 10 GbE ports; cryptographic acceleration card; trusted platform module; customized intrusion detection; optional HSM (FIPS 140-2 Level 3 certified)
     • Virtual: virtual appliances provide deployment flexibility and support multiple hypervisors and cloud environments: VMware; Citrix XenServer; IBM PureApplication System (x86 nodes); IBM PureApplication Service on SoftLayer (x86 nodes); IBM SoftLayer bare metal instances using supported hypervisors
  18. 7.2 features: Secure. Integrate. Control. Optimize. (Announced May 26, 2015; available June 19, 2015)
     • New cloud offerings: deploy DataPower Gateways on Amazon EC2 and SoftLayer CCI to provide enhanced cloud elasticity for cloud workloads
     • Secure Gateway for Bluemix applications: enhanced hybrid cloud integration to securely connect IBM Bluemix applications and on-premises services protected using DataPower Gateways
     • Robust platform security: protect mission-critical applications from security vulnerabilities with enhanced TLS protocol support using Elliptic Curve Cryptography, Server Name Indication, and Perfect Forward Secrecy
     • Easier DevOps with new REST API: new REST-based management API to build deployment and automation scripts, enabling easier DevOps for continuous software delivery and quicker problem resolution
     • GatewayScript enhancements: easily transform between XML and JSON messages to quickly integrate system-of-record data sources with system-of-engagement interfaces
     • Enhanced mobile and API security: protect mission-critical transactions with JSON Encryption, JSON Signature, JSON Key, and JSON Token
  19. Summary. IBM DataPower Gateway provides these benefits for security and integration needs within an enterprise:
     • Ease of use: solves complex security and integration challenges in a secure, easy-to-consume, extremely low-TCO network device. DataPower appliances are configuration driven, not program driven, which simplifies deployment
     • Performance: DataPower is a network device that operates at wire speed. Greater processing power is realized with every new firmware release, which matters even more with the advent of mobile
     • Flexibility: secure, integrate, bridge and version applications without application modification
     • Reduced time to market: dramatically decrease the "time to deploy" in your environment. Being a configuration-driven platform, most deployments are "uncrate, rack, configure and deploy"
     • Lower TCO: customers' own data has shown that DataPower can be 7x to 8x less expensive to operate in the data center than traditional alternatives
  20. Questions and Answers
  21. Where can I get more information?
     • IBM DataPower Gateway product page on
     • IBM DataPower Gateway product documentation
     • IBM DataPower Gateway user forums: external forum
     • YouTube channel: IBM DataPower Gateways
     • Slideshare: IBM DataPower Gateway
     • Twitter: @IBMGateways
     • LinkedIn groups: IBM DataPower Gateway
     • developerWorks blog: IBM DataPower Gateway
     • IBM Security Access Manager product page on
  22. Available now: DataPower Handbook, Second Edition, Volume 1. Known as the "bible" of DataPower planning, implementation, and usage. New content covers the previous six years of new products and features, including 9006/7.1. Volume 1 consists of Chapter 1 (DataPower introduction), Chapter 2 (setup guide), a new preface and two invaluable new appendices for physical and virtual appliances. Available in softcover and e-book formats.
  23. Backup
  24. Mobile enhancements (1 of 2)
     • Provide enhanced message-level security for mobile, API, and web workloads: JSON Web Encryption for message confidentiality; JSON Web Signature for message integrity; JSON Web Token to carry security assertions for single sign-on (SSO); JSON Web Key (JWK) to represent cryptographic keys
     • Provides end-to-end security between the mobile application and system-of-record applications
     • Secure sensitive data (such as credit card data) across multiple untrusted or unmanaged systems without compromising the data, and support PCI compliance
     Diagram: mobile application (public/private cloud) → DataPower (demilitarized zone) → systems of record (trusted zone).
  25. Mobile enhancements (2 of 2)
     • GatewayScript enhancements to transform between XML and JSON messages: easily integrate system-of-record data sources with system-of-engagement interfaces
     • GatewayScript can be used to build a microservices architecture that can quickly adapt to changes required to support your digital marketing strategy
     Diagram: mobile application ↔ systems of engagement (JSON) ↔ JSON/XML transformation on DataPower ↔ systems of record (XML).
  26. Platform security enhancements
     • Protect mission-critical applications from security exposures with enhanced TLS protocol support using Elliptic Curve Cryptography (ECC), Perfect Forward Secrecy (PFS), and Server Name Indication (SNI)
       – ECC gives equivalent security at much smaller key sizes than RSA, so stronger keys do not cost handshake performance
       – PFS (ephemeral ECDHE or DHE key exchange) means previously captured traffic cannot be decrypted if the server's long-term private key is later compromised
       – SNI extends the TLS handshake so the client names the host it wants, letting one listener serve multiple hostnames, each with its own certificate, on the same address
     Diagram: mobile application → TLS → DataPower → TLS → service provider.
  27. New management API using REST architecture
     • Quickly build DataPower automation and deployment migration scripts for easier DevOps by using the new REST-based management API: accelerate adoption of DevOps to make configuration changes quickly in support of continuous delivery; easily integrate with build tools such as IBM UrbanCode Deploy
     Diagram: a build server drives the development, test and production gateways through the REST API.
  28. Enhanced product integration
     • Enhanced reliability of IMS transactions with support for IMS commit mode 0
     • Supports distributed caching with IBM WebSphere eXtreme Scale 8.6+ to reduce response time and improve application performance
     • IBM Security Access Manager (ISAM) migration tools for easier promotion between ISAM products
     Diagram: mobile application → DataPower (ISAM module) → IMS, WebSphere eXtreme Scale, ISAM for Mobile.
  29. DataPower Gateway for cloud
     • Current: DataPower Virtual Edition supports SoftLayer bare metal instances, with a deployment and licensing model similar to on-premises virtual environments
     • New support: DataPower Virtual Edition adds support for SoftLayer CloudLayer Computing Instance (CCI) and Amazon Elastic Compute Cloud (EC2): enhanced cloud elasticity for DataPower Gateways in cloud environments; scale workloads at lower cost when computing requirements change; BYOL model using Passport Advantage (PPA), with perpetual or monthly licensing options
  30. Hybrid cloud integration using the Secure Gateway service
     • Enhanced hybrid cloud integration using the Secure Gateway service to securely connect IBM Bluemix applications with on-premises services protected by DataPower Gateways: quickly set up connectivity without making enterprise firewall changes while still allowing controlled access from cloud services; supports multiple gateway instances, load balancing and fault tolerance; manage and monitor gateway instances and usage
     No inbound firewall rule is needed because the on-premises Secure Gateway client initiates the connection outbound; that also means the tunnel bypasses inbound filtering, so the set of destinations reachable through it has to be restricted on the gateway itself.
     Diagram: Bluemix (runtimes, services) ↔ Secure Gateway ↔ on-premises datacenter.