The importance of standards for Enterprise SOA and Cloud Security
Francois Lascelles, Technical Director, Europe
Aug 20, 2015
Layer 7 Confidential 2
Agenda
The importance of standards for Enterprise SOA and Cloud security
SOA and cloud
Loose coupling and security
Agility and security
Vendor neutrality and security
Enterprise cloud and identity
Examples
Layer 7 Solutions
Enterprise SOA, cloud landscape
Diagram: the enterprise boundary encloses the SOA (sensitive data and apps, mission critical, ID authority, legacy); outside it sit cloud-deployed services, SaaS, and a partner.
Aspects of the cloud-enabled enterprise SOA
Services deployed across multiple zones
On-premise service endpoints
Off-premise service endpoints (public cloud)
SAAS-type cloud services
Partner services endpoints, partner service consumers
Multiple and varying identity authorities
A mix of WS-*, REST and Web API style services
Service orientation and security
Web apps:
- Through the presentation layer, you control the requesting side and can more easily impose a security mechanism
- There is a user, a browser
- HTTP-only
Diagram labels: presentation tier, server code
Web services:
- The requester is not necessarily a browser
- Often machine to machine
- No login forms, sessions, cookies
- Security decoupled from the service implementation
Diagram labels: service requester, service instance
Service security and agility
Service orientation is meant to provide agility
Security mechanisms and infrastructure must accommodate agility, not choke it
Service composition patterns and global security requirements require a decoupling of security from service implementation
Chart (decoupling vs. agility) positioning four approaches: security in application logic, container security, agent solutions, and Security as a Service / gateways
Vendor neutrality
Standards and vendor neutrality
- More than best practice
- Defining characteristic of SOA
Single vendor platform inhibits future evolution
Don’t think in terms of isolated platforms
- Objective: the ability to substitute/add/remove any component of your SOA
Favor best of breed instead of single vendor platform
Enterprise cloud and identity
Is your identity management infrastructure enabling you to adopt cloud solutions securely?
Identity silos represent security risks, management challenges
Enable trust management of issuing authorities
Support standard compliant identity federation mechanisms
- SAML, XACML, WS-Trust
Favor cloud solutions (SAAS, PAAS) that support such standards
Example: web service access control management
Diagram: WS requester -> PEP (in line with the transaction) -> WS endpoint; the PEP queries a directory over LDAP
Identity authentication and authorization based on group membership or attribute
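The directory-backed variant above, as an added example (not Layer 7 code): a policy enforcement point that authenticates the requester against a constructed in-memory stand-in for the LDAP directory, then authorizes on group membership or attribute values. The directory contents, endpoints and account names are all assumptions; the points worth noting are the constant-time credential comparison and that an endpoint with no configured rule is denied rather than passed through.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// dirEntry stands in for an LDAP entry: credential hash, group memberships
// (memberOf) and a few attributes. Constructed sample data, not a real directory.
type dirEntry struct {
	pwHash     [32]byte
	groups     map[string]bool
	attributes map[string]string
}

// Directory is the in-memory substitute for the LDAP directory in the diagram.
type Directory map[string]dirEntry

func credHash(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// NewSampleDirectory populates two constructed service accounts.
func NewSampleDirectory() Directory {
	return Directory{
		"svc-billing": {pwHash: credHash("billing-secret"),
			groups:     map[string]bool{"ws-consumers": true, "finance": true},
			attributes: map[string]string{"department": "finance"}},
		"svc-partner": {pwHash: credHash("partner-secret"),
			groups:     map[string]bool{"ws-consumers": true},
			attributes: map[string]string{"department": "external"}},
	}
}

// Authenticate verifies the requester's credential in constant time; an unknown
// user still pays for a comparison so timing does not reveal which accounts exist.
func (d Directory) Authenticate(user, pw string) bool {
	presented := credHash(pw)
	e, ok := d[user]
	if !ok {
		var zero [32]byte
		subtle.ConstantTimeCompare(presented[:], zero[:])
		return false
	}
	return subtle.ConstantTimeCompare(presented[:], e.pwHash[:]) == 1
}

// AccessRule: membership in any one of AnyGroup, and every Attributes entry matching.
type AccessRule struct {
	AnyGroup   []string
	Attributes map[string]string
}

// PEP enforces rules in line with the transaction. An endpoint without a rule
// is denied, so a newly exposed service stays closed until it is configured.
type PEP struct {
	dir   Directory
	rules map[string]AccessRule
}

func NewSamplePEP() *PEP {
	return &PEP{dir: NewSampleDirectory(), rules: map[string]AccessRule{
		"/ws/invoices": {AnyGroup: []string{"finance"}, Attributes: map[string]string{"department": "finance"}},
		"/ws/catalog":  {AnyGroup: []string{"ws-consumers"}},
	}}
}

// Authorize returns nil only when the requester authenticates and satisfies
// the endpoint's rule; each refusal carries its reason for the audit log.
func (p *PEP) Authorize(endpoint, user, pw string) error {
	if !p.dir.Authenticate(user, pw) {
		return errors.New("authentication failed")
	}
	rule, ok := p.rules[endpoint]
	if !ok {
		return fmt.Errorf("no access rule for %s: denied by default", endpoint)
	}
	e := p.dir[user]
	inGroup := len(rule.AnyGroup) == 0
	for _, g := range rule.AnyGroup {
		if e.groups[g] {
			inGroup = true
			break
		}
	}
	if !inGroup {
		return errors.New("requester is not in a permitted group")
	}
	for k, want := range rule.Attributes {
		if e.attributes[k] != want {
			return fmt.Errorf("attribute %s does not match", k)
		}
	}
	return nil
}

func main() {
	p := NewSamplePEP()
	fmt.Println(p.Authorize("/ws/invoices", "svc-billing", "billing-secret")) // <nil>
	fmt.Println(p.Authorize("/ws/invoices", "svc-partner", "partner-secret")) // not in a permitted group
}
```

Because the rules live in the PEP rather than in the service code, adding a group or attribute requirement to an endpoint is a configuration change, which is the decoupling the earlier slides argue for.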
Example: web service access control management
Diagram: WS requester -> PEP (in line with the transaction) -> WS endpoint; the PEP consults a PDP over XACML
Delegated authorization to PDP using XACML
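The delegated variant, as an added example that is not Layer 7 code: a PDP that evaluates XACML-style policies (subject attributes, resource, action) with a simplified deny-overrides combining algorithm, and a PEP that treats anything other than an explicit Permit, including an unreachable PDP, as a refusal. The invoice policy, attribute names and resource paths are constructed for the example; the request model is a flattened stand-in for the XACML attribute categories rather than real XACML XML.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision mirrors the four XACML response values.
type Decision int

const (
	NotApplicable Decision = iota
	Permit
	Deny
	Indeterminate
)

func (d Decision) String() string {
	return [...]string{"NotApplicable", "Permit", "Deny", "Indeterminate"}[d]
}

// Request is the PEP's question: subject attributes, resource and action.
type Request struct {
	Subject  map[string]string
	Resource string
	Action   string
}

// Rule yields Effect when every attribute in Condition matches the subject.
type Rule struct {
	Condition map[string]string
	Effect    Decision // Permit or Deny
}

// evaluate returns the rule's effect, NotApplicable when a condition does not
// match, or Indeterminate when an attribute the rule needs is absent from the
// request (XACML's missing-attribute case).
func (rl Rule) evaluate(r Request) Decision {
	for k, want := range rl.Condition {
		got, present := r.Subject[k]
		if !present {
			return Indeterminate
		}
		if got != want {
			return NotApplicable
		}
	}
	return rl.Effect
}

// Policy targets resources under ResourcePrefix for the listed actions.
type Policy struct {
	ResourcePrefix string
	Actions        map[string]bool
	Rules          []Rule
}

func (p Policy) targets(r Request) bool {
	return strings.HasPrefix(r.Resource, p.ResourcePrefix) && p.Actions[r.Action]
}

// PDP combines all matching policies with simplified deny-overrides:
// Deny beats Indeterminate, which beats Permit, which beats NotApplicable
// (XACML 3.0 additionally distinguishes Indeterminate{D}, {P} and {DP}).
type PDP struct{ Policies []Policy }

func (pdp PDP) Evaluate(r Request) Decision {
	result := NotApplicable
	for _, p := range pdp.Policies {
		if !p.targets(r) {
			continue
		}
		for _, rl := range p.Rules {
			switch rl.evaluate(r) {
			case Deny:
				return Deny
			case Indeterminate:
				result = Indeterminate
			case Permit:
				if result == NotApplicable {
					result = Permit
				}
			}
		}
	}
	return result
}

// PEP delegates to the PDP but stays deny-biased: only an explicit Permit opens
// the transaction; NotApplicable, Indeterminate and an unreachable PDP (nil) block it.
type PEP struct{ PDP *PDP }

func (pep PEP) Allow(r Request) bool {
	if pep.PDP == nil {
		return false
	}
	return pep.PDP.Evaluate(r) == Permit
}

// SamplePDP holds one constructed invoice policy: finance staff may read and
// write, suspended accounts are always refused.
func SamplePDP() *PDP {
	return &PDP{Policies: []Policy{{
		ResourcePrefix: "/ws/invoices",
		Actions:        map[string]bool{"read": true, "write": true},
		Rules: []Rule{
			{Condition: map[string]string{"role": "finance"}, Effect: Permit},
			{Condition: map[string]string{"status": "suspended"}, Effect: Deny},
		},
	}}}
}

func main() {
	pep := PEP{PDP: SamplePDP()}
	r := Request{Subject: map[string]string{"role": "finance", "status": "active"}, Resource: "/ws/invoices/42", Action: "read"}
	fmt.Println(pep.PDP.Evaluate(r), pep.Allow(r)) // Permit true
}
```

The fail-closed handling of Indeterminate is the detail to check in any real deployment: a request that omits an attribute a rule needs must not be read as "no rule objected".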
Example: web service access control management
Diagram: WS requester -> WS endpoint, with an agent on the endpoint tied to a custom IAM, SSO, or governance solution (marked "?")
Example: SaaS access control
Diagram: an enterprise user inside the enterprise boundary logs in to SF and to other SaaS, each with its own usernames + passwords
Identity silos
Example: SaaS access control
Diagram: the enterprise user logs in locally via redirect to a SAML issuing authority in the DMZ; SF and the other SaaS instances are configured with the enterprise issuing authority certificate
Locally controlled global access control
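What "configured with the enterprise issuing authority certificate" buys the SaaS instance, as an added example that is not Layer 7 code: the instance trusts one issuer, pinned by name and public key, and accepts an assertion only if it verifies under that key, names this instance as its audience, and has not expired. The assertion is a simplified stand-in (a few line-joined fields signed with RSA PKCS#1 v1.5 over SHA-256) rather than SAML XML with XML-DSig, and the issuer names, entity IDs and subject are constructed; the trust decision it demonstrates is the same.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is a constructed, simplified stand-in for a SAML assertion: the
// fields the SaaS must check, plus the issuing authority's signature over them.
type Assertion struct {
	Issuer       string
	Subject      string
	Audience     string
	NotOnOrAfter time.Time
	Signature    []byte
}

// signedBytes is the fixed encoding the signature covers. Real SAML signs
// canonicalised XML; this keeps the example to the trust decision.
func (a Assertion) signedBytes() []byte {
	return []byte(strings.Join([]string{
		a.Issuer, a.Subject, a.Audience, a.NotOnOrAfter.UTC().Format(time.RFC3339),
	}, "\n"))
}

// IssuingAuthority is the enterprise's SAML issuer in the DMZ. It holds the
// private signing key; only the public half is ever given to a SaaS.
type IssuingAuthority struct {
	Name string
	key  *rsa.PrivateKey
}

func NewIssuingAuthority(name string) (*IssuingAuthority, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IssuingAuthority{Name: name, key: k}, nil
}

// PublicKey is what an administrator configures into the SaaS instance
// (in practice as the issuer's certificate).
func (ia *IssuingAuthority) PublicKey() *rsa.PublicKey { return &ia.key.PublicKey }

// Issue signs an assertion for one subject, one audience and a short lifetime.
func (ia *IssuingAuthority) Issue(subject, audience string, ttl time.Duration, now time.Time) (Assertion, error) {
	a := Assertion{Issuer: ia.Name, Subject: subject, Audience: audience, NotOnOrAfter: now.Add(ttl)}
	digest := sha256.Sum256(a.signedBytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, ia.key, crypto.SHA256, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	a.Signature = sig
	return a, nil
}

// SaaSInstance trusts exactly one issuer, identified by name and key. That
// configuration, not anything inside the assertion, is the trust anchor.
type SaaSInstance struct {
	EntityID      string
	TrustedIssuer string
	TrustedKey    *rsa.PublicKey
}

// Accept returns nil only for an unexpired assertion addressed to this
// instance whose signature verifies under the configured issuer key.
func (s SaaSInstance) Accept(a Assertion, now time.Time) error {
	if a.Issuer != s.TrustedIssuer {
		return fmt.Errorf("issuer %q is not the configured authority", a.Issuer)
	}
	digest := sha256.Sum256(a.signedBytes())
	if err := rsa.VerifyPKCS1v15(s.TrustedKey, crypto.SHA256, digest[:], a.Signature); err != nil {
		return errors.New("signature does not verify under the configured issuer certificate")
	}
	if a.Audience != s.EntityID {
		return fmt.Errorf("assertion audience %q is not this instance", a.Audience)
	}
	if !now.Before(a.NotOnOrAfter) {
		return errors.New("assertion has expired")
	}
	return nil
}

func main() {
	idp, err := NewIssuingAuthority("https://idp.example.corp") // assumed issuer name
	if err != nil {
		panic(err)
	}
	sf := SaaSInstance{EntityID: "https://sf.example.saas", TrustedIssuer: idp.Name, TrustedKey: idp.PublicKey()}
	now := time.Now()
	a, _ := idp.Issue("alice@example.corp", sf.EntityID, 5*time.Minute, now)
	fmt.Println("accepted:", sf.Accept(a, now) == nil) // accepted: true
}
```

Disabling a user at the issuing authority takes effect as soon as outstanding assertions expire, which is why the lifetime is kept short; the SaaS never holds a password, so there is no silo to clean up.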
Example: SaaS – callback to private resource
Diagram: Google Apps calls back to a private resource (WS endpoint) behind the enterprise boundary through an SDC in the DMZ over a secure, VPN-ish link; SF and other SaaS are also shown
Example: SaaS – callback to private resource
Diagram: Google Apps, SF and other SaaS call back to the private resource (WS endpoint) through a neutral, standards-based gateway in the DMZ, using SSL mutual authentication, WS-S and OAuth
Layer 7 SecureSpan solution
Standards based, best of breed services gateway
WS-*, REST, XML, JSON
Policy Enforcement Point (PEP)
Access Control
Edge Threat protection
Compliance
Orchestration, virtualization
SLA enforcement
Transformation
Layer 7 CloudConnect
Diagram: CloudConnect sits between the on-premise network (existing IAM, system of record) and the cloud
Securely connect enterprises to the cloud:
- Leverage existing IAM infrastructure for SaaS SSO
- Securely integrate with SaaS apps
- Track usage of SaaS
Layer 7 CloudSpan Family
CloudConnect = “Your Gateway to the Cloud”
- Allows enterprises to safely consume SaaS and cloud-based services
CloudProtect = “Your Gatekeeper in the Cloud”
- DMZ-level security for applications and services deployed in public and private clouds
CloudControl = “The Gate Minder for your Cloud”
- Secure, orchestrate and manage application and service APIs exposed to third-parties