Layer 7 SecureSpan Solution


Security and Monitoring for Services Inside the Enterprise and out to the Cloud


  1. SecureSpan Solution: Security and Monitoring for Services Inside the Enterprise and out to the Cloud. K. Scott Morrison, CTO & Chief Architect, Layer 7 Technologies
  2. About Layer 7: Layer 7 is the leading vendor of security and governance for Cloud, SOA and XML. [Chart: customers and revenue, 2003 to 2009] Layer 7 Confidential 2
  3. Why Governance? “Governance is essential. Governance is needed for security, planned change and configuration management, testing, monitoring, and setting of quality-of-service requirements.” Jess Thompson, Research Vice President, as quoted by CyberMedia India Online Ltd.
  4. Layer 7’s Approach to Governance: Security, Compliance, Reliability, Policy Agility, Deployment Flexibility, Interoperability, SLAs, Quality of Service, Message Content
  5. Achieve Control through Policy Enforcement
     - Enforce Security: centralized policy enforcement point deployed in-house or in the cloud; policy-driven authentication and fine-grained, service-level authorization; verify messages to ensure integrity; enforce policies according to risk
     - Ensure Reliability: ensure data confidentiality over the wire and at rest; ensure services remain readily available
     - Facilitate Compliance: generate log and audit files at multiple levels; export of data for correlation and forensic analysis; verify messages for compliance to industry or government-mandated specifications
  6. Gain Visibility by Monitoring Services
     - Ensure SLA Conformance: monitor and report on SLAs using an agent-less management system; ensure you are meeting your own SLAs; ensure you’re getting the value you expect from 3rd-party service providers
     - Assure Quality of Service: monitor and report on service performance in real-time; reroute and throttle services to maintain reachability and availability; alert or automate actions based on throughput, routing failures, utilization, availability rates, etc.
     - Track Message Content: identify trends, exceptions or violations at the message level; report on user, client and system access to sensitive data
  7. React at the Pace of Business Change
     - Gain Policy Agility: decouple security, SLA, compliance and other shared code from services; modify existing or deploy new policies on the fly; out-of-the-box assertions facilitate policy assembly without coding; custom assertions let you meet specific requirements
     - Gain Deployment Flexibility: deploy in-house or in the cloud; multiple form factors: hardware appliance, software appliance, software, cross-domain client
     - Facilitate Interoperability: out-of-the-box integration with leading SOA solutions; standards-based, open APIs facilitate integration
  8. Separation of Policy Enforcement Layer Using SecureSpan Gateways [Diagram: Service Requester, SecureSpan Gateway Cluster, Service Hosts, Operator, LDAP and/or IAM; benefits: Consistency, Reuse, Central Control]
  9. Leverage of Existing Identity Assets
     - ID, Access Mgmt & STS: LDAP; Sun OpenSSO; RSA ClearTrust; CA/Netegrity SiteMinder & TxMinder; IBM TAM, TFIM; MSAD, Infocard (on VPN client); Oracle Access Mgr; new instances are simple to add
     - [Diagram: Web Services Client, Web Services Server, Security Token Service (STS) via WS-Trust, LDAP(S), native XML, LDAP, Access Mgmt, Policy Decision Points (PDPs)]
  10. Consistency and Scalability
     - Cluster-wide Sharing: cluster variables (user configurable); replay attack prevention across the cluster; policy updates; SLA
     - Horizontal scalability; transparent replication of policy across the cluster; single point of management across cluster
     - [Diagram: Web Services Client, HTTP Load Balancer, gateway cluster]
  11. Edge-of-Network, DMZ-based Deployment [Diagram: Service Requester on the Internet, External Firewall, DMZ with SecureSpan Gateway Cluster, Internal Firewall, Internal Network with Internal Applications and SecureSpan Management Console, Corporate Network, Message] May 2009 SecureSpan™ Gateway Overview Proprietary and Confidential 11
  12. Rich Policy Language [Screenshot: SecureSpan Management Console, SecureSpan Gateway Cluster]
  13. [Diagram: Message Consumers (Apache+PERL, .NET, J2EE Applications), Policy Decision Point (PDP) (IAM, STS, etc), Centralized Gateway PEP Cluster, Message Producer]
     - Pros: consistent security for all systems; centrally managed; high performance, hardware accelerated document processing and cryptography
     - Cons: need rudimentary last mile security (SSL typically, SAML, WS-S); must cluster for high availability
  14. Centralized Gateway Co- Cluster: accelerated XML transform; accelerated XML schema val; signing services (notary pattern); encryption services; filtering for compliance; threat detection; virtual loopback [Diagram: Input XML document, Transformed XML document, Message Producer/Consumers (Apache+PERL, .NET, J2EE, ESB Applications)]
  15. WSDL vs. WSDL + Security: Which API do you program to? [Diagram: Web Services Server, Web Services Client, Changes] Shift of burden to client; administrative changes to policy change the API; security implemented in code is difficult to change; very programmer intensive
  16. WS-Policy Document [Diagram: SecureSpan XML VPN Client; SOAP message “decorated” to current policy]
  17. Gateway acts as certificate authority [Diagram: Web Services Client, Secure CSR, Secure Certificate Download, Web Services Server]
  18. Trusted Certificates [Diagram: Web Services Client, Web Services Server, Message, LDAP or HTTP(S) Server, LDAP(S), OCSP, CRLs, Administrative Secure Import, PKI System Certs]
  19. Protecting & monitoring your applications in the cloud? Giving your cloud apps access to on-premises data sources? Big picture view of the distributed application network [Diagram: Enterprise On-Premise IT]
  20. Hardware PEP vs. Virtual PEP: identical functionality? Application-Layer Isolation, Monitoring, & Control; NetOps
  21. Virtual Application Instance and Virtual SecureSpan Instance: separate instances vs. combined instance (Protected Application Stack)
  22. Some of our Partners [Logos]
  23. Some of our Customers [Logos]
  24. Summary
     - Cloud should be viewed as a deployment pattern for SOA: this means you should leverage SOA technology in the cloud; virtual SOA gateways, like SecureSpan, provide you with a means to secure cloud
     - SOA best practices for federation can be transferred into the cloud: avoid key material in the cloud; use distributable token validation strategy (SAML, Kerberos); employ authorization based on attributes, not concrete identities (these have persistence)
  25. For further information: K. Scott Morrison, Layer 7 Technologies, 405 – 1100 Melville St., Vancouver, B.C. V6E 4A6, Canada, (800) 681-9377
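The three federation practices in the Summary slide, worked as one small policy check; this is an added example, not code from the deck or from Layer 7's product. It assumes an on-premises STS that signs a JSON stand-in for a SAML assertion with Ed25519, and a cloud-side gateway that holds only the public key; the Claims, Token, Issue and Authorize names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Claims is a constructed stand-in for the SAML assertion an on-premises STS issues.
type Claims struct {
	Subject    string            `json:"sub"`
	Attributes map[string]string `json:"attrs"`
	Expires    int64             `json:"exp"`
}

// Token is the serialized claims plus the issuer's detached signature.
type Token struct{ Payload, Signature []byte }
// Issue runs on premises, where the private key lives; any number of cloud
// gateways can then validate the token without calling back to the STS.
func Issue(priv ed25519.PrivateKey, c Claims) Token {
	payload, _ := json.Marshal(c) // strings and an int64 only: cannot fail
	return Token{payload, ed25519.Sign(priv, payload)}
}

// Authorize is the cloud-side policy: it holds only the issuer's public key (no
// secret key material in the cloud) and decides on an asserted attribute, never on the subject name.
func Authorize(pub ed25519.PublicKey, t Token, now time.Time, attr, want string) error {
	if !ed25519.Verify(pub, t.Payload, t.Signature) {
		return fmt.Errorf("invalid signature")
	}
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return err
	}
	if now.Unix() >= c.Expires {
		return fmt.Errorf("token expired")
	}
	if c.Attributes[attr] != want {
		return fmt.Errorf("attribute %s=%s not asserted", attr, want)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed on-prem STS keypair
	tok := Issue(priv, Claims{"alice", map[string]string{"dept": "finance"}, time.Now().Add(time.Minute).Unix()})
	fmt.Println(Authorize(pub, tok, time.Now(), "dept", "finance")) // <nil>
}
```

Because the gateway checks a signature rather than a shared secret, a compromised cloud instance yields no key that could mint tokens, and the same policy rule keeps working when "alice" is replaced by anyone else the STS places in the finance department.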