The importance of standards for Enterprise SOA and Cloud Security Francois Lascelles Technical Director, Europe
Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Aug 20, 2015

Page 1: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

The importance of standards for Enterprise SOA and Cloud Security

Francois Lascelles, Technical Director, Europe

Page 2: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Layer 7 Confidential 2

Agenda

The importance of standards for Enterprise SOA and Cloud security

SOA and cloud

Loose coupling and security

Agility and security

Vendor neutrality and security

Enterprise cloud and identity

Examples

Layer 7 Solutions

Page 3: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Enterprise SOA, cloud landscape

enterprise boundary

SAAS

Cloud deployed services

SAAS

SOA

• Sensitive data, apps
• Mission critical
• ID authority
• Legacy

partner

Page 4: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Aspects of the cloud-enabled enterprise SOA

Services deployed across multiple zones

On-premise service endpoints

Off-premise service endpoints (public cloud)

SAAS-type cloud services

Partner services endpoints, partner service consumers

Multiple and varying identity authorities

A mix of WS-*, REST and Web API style services

Page 5: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Service orientation and security

web apps

Through the presentation layer, you control the requesting side and can more easily impose a security mechanism

There is a user, a browser

HTTP-only

Presentation tier

Server code

Service requester

Service instance

web services

The requester is not necessarily a browser

Often machine to machine

No login forms, sessions, cookies

Security decoupled from the service implementation

Page 6: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Service security and agility

Service orientation is meant to provide agility

Security mechanisms and infrastructure must accommodate agility, not choke it

Service composition patterns and global security requirements require a decoupling of security from service implementation

[Figure: chart with axes "decoupling" and "agility"; labels: Security in application logic; Container security; Agent solutions; Security as a Service, Gateways]

Page 7: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Vendor neutrality

Standards and vendor neutrality

- More than best practice

- Defining characteristic of SOA

Single vendor platform inhibits future evolution

Don’t think in terms of isolated platforms

- Objective: the ability to substitute/add/remove any component of your SOA

Favor best of breed instead of single vendor platform

Page 8: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Enterprise cloud and identity

Is your identity management infrastructure enabling you to adopt cloud solutions securely?

Identity silos represent security risks, management challenges

Enable trust management of issuing authorities

Support standard compliant identity federation mechanisms

- SAML, XACML, WS-Trust

Favor cloud solutions (SAAS, PAAS) that support such standards

Page 9: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Example: web service access control management

PEP in-line of transaction

WS requester

WS endpoint

Directory

LDAP

Identity authentication and authorization based on group membership or attribute

Page 10: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Example: web service access control management

PEP in-line of transaction

WS requester

WS endpoint

PDP

XACML

Delegated authorization to PDP using XACML

Page 11: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Example: web service access control management

WS requester

WS endpoint

Custom IAM, SSO, or governance solution

agent

?

Page 12: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Example: SaaS access control

Enterprise user

Enterprise boundary

SF

Other SAAS

Google

Login

Usernames + passwords

Identity silos

Page 13: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Example: SaaS access control

Enterprise boundary

SF

Other SAAS

Google

Login locally via redirect

SAAS instance configured with enterprise issuing authority certificate

DMZ

SAML issuing authority

Locally controlled global access control

Enterprise user

Page 14: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Example: SaaS – callback to private resource

Private resource

Enterprise boundary

Secure link, VPN-ish

Google Apps

DMZ

SDC

Other SAAS

SF

WS endpoint

Page 15: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Example: SaaS – callback to private resource

Private resource

Enterprise boundary

SSL mutual

Google Apps

DMZ

Neutral, standards based gateway

Other SAAS

SF

WS endpoint

WS-S

OAuth

Page 16: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Layer 7 SecureSpan solution

Standards based, best of breed services gateway

WS-*, REST, XML, JSON

Policy Enforcement Point (PEP)

Access Control

Edge Threat protection

Compliance

Orchestration, virtualization

SLA enforcement

Transformation

Page 17: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Layer 7 CloudConnect

On Premise Network

Existing IAM

System of Record

Securely connect enterprises to the cloud:

Leverage existing IAM infrastructure for SaaS SSO

Securely integrate with SaaS apps

Track usage of SaaS

CloudConnect

Page 18: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

Layer 7 CloudSpan Family

CloudConnect = “Your Gateway to the Cloud”

- Allows enterprises to safely consume SaaS and cloud-based services

CloudProtect = “Your Gatekeeper in the Cloud”

- DMZ-level security for applications and services deployed in public and private clouds

CloudControl = “The Gate Minder for your Cloud”

- Secure, orchestrate and manage application and service APIs exposed to third-parties

Page 19: Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security

For more information http://www.layer7tech.com