2. Where do SOA and cloud connect?
- Cloud is service-oriented infrastructure
- How to build applications => service orientation
- How to deploy services => cloud
- Agility: enterprises that have already started adopting SOA internally are in a better position to leverage cloud computing
- Enterprise SOA infrastructure enables better cloud deployment
12. Who secures cloud-based deployments?
- "When you deploy a service on a public cloud, you are no longer in control of security"
- Not necessarily: different security scopes can be assumed by different entities
  - Physical access
  - Platform/OS level
  - Network level
  - Application/message level
13. Early adoption stage: SaaS
- Examples: salesforce, NetSuite, arbitrary SaaS
- (diagram labels: enterprise boundary, mashups, browser-driven API calls, arbitrary SaaS)
15. Enable SaaS identity federation
- Identity federation token issuer (e.g. SAML IdP)
- Edge deployment to accommodate external users
- Interface with the existing enterprise IdM infrastructure
- Single point of account management across all SaaS (the existing IdM)
- Single point of access control
- (diagram labels: arbitrary SaaS, managed trust, issuer)
16. Identity federation and trust management in SaaS: example
- "The key critical success factor to managing identities at cloud providers is to have a robust federated identity management architecture and strategy internal to the organization."
- "Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation"
- (Cloud Security Alliance, 2009)
35. PEP (policy enforcement point) cloud enablement: deployment options
- Gateway
  - Pre-canned image of the PEP as a virtual appliance
  - No native dependencies
  - Requires network isolation and/or last-mile security between the gateway and the service
- Agent
  - Lightweight
  - Native integration; supports only certain applications
  - Latency
- Co-hosted
  - Localhost isolation
  - Hardened and secured environment
  - OS dependencies
36. Distributed SOA and PKI
- PKI is essential to sophisticated security mechanisms:
  - Message-level security (XML digital signatures, XML-Encryption)
  - M2M and partner transactions
  - Non-repudiation
- "Segregate enterprise key management from the cloud provider" (CSA)
- Each service zone needs its own certificates
- As private keys move to external providers, revocation mechanisms become critical
- Infrastructure-assisted PKI (e.g. CSR-based enrollment) facilitates on-demand provisioning
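To make the slide's last three points concrete, here is an added example (not from the deck) of infrastructure-assisted PKI using only Go's standard library: a per-zone CA whose key stays in the enterprise, a cloud-hosted service that enrolls by CSR so its private key never leaves the host, and a CA-signed CRL consulted before a service certificate is trusted. The names ZoneCA, NewServiceCSR, CheckService, the use of Ed25519 keys and the validity periods are illustrative choices, not something the slides specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ZoneCA is the enterprise-side issuing CA for one service zone; its key never
// leaves the enterprise, the cloud-hosted service only ever holds its own key.
type ZoneCA struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// issue signs tmpl with parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub, priv any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewZoneCA(zone string) (*ZoneCA, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: zone + " zone CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, tmpl, pub, priv) // self-signed root for this zone
	if err != nil {
		return nil, err
	}
	return &ZoneCA{Cert: cert, key: priv}, nil
}

// NewServiceCSR runs on the cloud side: the service generates its own key pair
// and sends the zone CA only a signed CSR, never the private key.
func NewServiceCSR(name string) (ed25519.PrivateKey, []byte, error) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, req, priv)
	return priv, csr, err
}

// Sign verifies the CSR's proof of possession, then issues a short-lived cert.
func (ca *ZoneCA) Sign(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for the example
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(30 * 24 * time.Hour),
	}
	return issue(tmpl, ca.Cert, csr.PublicKey, ca.key)
}

// CRL publishes a CA-signed list of revoked serials, e.g. after a cloud-side key compromise.
func (ca *ZoneCA) CRL(revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(time.Now().UnixNano()),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(24 * time.Hour),
	}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
}

// CheckService chains a service cert to the zone CA, then consults the CA's CRL.
func CheckService(leaf, zoneCA *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(zoneCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(zoneCA); err != nil {
		return err // a CRL not signed by the zone CA proves nothing
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked by zone CA")
		}
	}
	return nil
}
```

CheckService refuses a certificate issued by another zone's CA (the chain does not build), refuses one whose serial is on the zone CA's CRL, and ignores a CRL that is not signed by that CA; Sign refuses a CSR whose proof-of-possession signature does not check. In a real deployment the CRL would be fetched from a distribution point or replaced by OCSP, and the zone CA would itself chain to an enterprise root.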
37. Enable IaaS identity federation
- Same identity federation infrastructure as for SaaS
- WS-Trust enabled for M2M; SAML tokens carried in the WS-Security binding
- Leverage the IaaS-side PEP for managing trust and validating incoming tokens: fine-grained, enforce specific attributes, enforce conditions
- Enable external partners by managing trust for their own identity federation authority (cross-domain)
- (diagram labels: IaaS, enterprise issuer, PEP, WS-Trust issuer, partner)
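A worked example of the token validation that slides 15, 16 and 37 describe, added here as illustration rather than taken from the deck: a federation token issuer (the enterprise IdP, or a partner's own cross-domain issuer) signs a set of claims, and the IaaS-side PEP checks the token against its trust rules before the request reaches the service. Assumptions not found on the slides: Go, a JSON claim set standing in for a SAML assertion, Ed25519 in place of XML-DSig, and the names Claims, Issuer, TrustRule and PEP.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Claims is a JSON stand-in for the parts of a SAML assertion a PEP acts on:
// issuer, subject, audience, the Conditions window and the attribute statement.
type Claims struct {
	Issuer       string            `json:"iss"`
	Subject      string            `json:"sub"`
	Audience     string            `json:"aud"`
	NotBefore    int64             `json:"nbf"`
	NotOnOrAfter int64             `json:"exp"`
	Attributes   map[string]string `json:"attrs"`
}

// Token is what crosses the wire: the encoded claims and the issuer's signature.
type Token struct {
	Payload   []byte
	Signature []byte
}

// Issuer is the federation token issuer (IdP / WS-Trust STS role); Ed25519
// stands in for the XML-DSig signature a real IdP would apply.
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, Pub: pub, priv: priv}, nil
}

// Issue stamps the issuer's own name into the claims and signs them.
func (i *Issuer) Issue(c Claims) (Token, error) {
	c.Issuer = i.Name
	payload, err := json.Marshal(c)
	if err != nil {
		return Token{}, err
	}
	return Token{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}, nil
}

// TrustRule is one entry in the PEP's trust store: the key a named issuer
// (enterprise or cross-domain partner) signs with, the audience its tokens
// are accepted for, and the attributes every token from it must carry.
type TrustRule struct {
	Key           ed25519.PublicKey
	Audience      string
	RequiredAttrs []string
}

// PEP validates incoming tokens in front of the IaaS-hosted service. Now is
// injectable so the conditions window can be tested deterministically.
type PEP struct {
	Trust map[string]TrustRule // keyed by issuer name
	Now   func() time.Time
}

// Validate returns the claims only if the token names a trusted issuer, is
// signed under that issuer's key, is addressed to this audience, lies inside
// its conditions window, and carries every attribute the trust rule requires.
func (p *PEP) Validate(t Token) (*Claims, error) {
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return nil, errors.New("malformed token")
	}
	// The issuer claim only selects which key to verify with; nothing else
	// in the payload is trusted until the signature under that key checks out.
	rule, ok := p.Trust[c.Issuer]
	if !ok {
		return nil, errors.New("untrusted issuer: " + c.Issuer)
	}
	if !ed25519.Verify(rule.Key, t.Payload, t.Signature) {
		return nil, errors.New("signature does not verify under the key trusted for " + c.Issuer)
	}
	if c.Audience != rule.Audience {
		return nil, errors.New("token not addressed to this service: " + c.Audience)
	}
	if now := p.Now().Unix(); now < c.NotBefore || now >= c.NotOnOrAfter {
		return nil, errors.New("token outside its NotBefore/NotOnOrAfter window")
	}
	for _, a := range rule.RequiredAttrs {
		if _, present := c.Attributes[a]; !present {
			return nil, errors.New("required attribute missing: " + a)
		}
	}
	return &c, nil
}
```

The order of the checks matters: the issuer name selects the verification key, and nothing else in the token counts until the signature holds. A rogue issuer that reuses a trusted partner's name with its own key fails at the signature step; a genuine partner token that lacks an attribute the trust rule requires is refused even though it is correctly signed; an enterprise token presented after NotOnOrAfter is refused regardless of who signed it.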
38. Distributed SOA coordination
- Enterprise: policy/metadata provisioning
- PEP/PDP/PMP dependencies (policy enforcement, decision and management points)
- Local authorization vs central authorization
- Trust rules
- (diagram labels: PEP/PDP, PEP, PEP, Provider A, Provider B)
39. Distributed SOA governance
- Enterprise: policy authoring, policy repository, central point of management
- PEP remote control
- Reporting, monitoring, audit
- Governance component hosted as SaaS or in the enterprise
- Long-term persistence
- (diagram labels: PEP/PDP, PMP, SaaS PEP, IaaS A PEP, IaaS B PEP)
40. Summary: infrastructure for an agile, distributed SOA
- Identity management and federation: issuing authority
- Trust management: rules enforcement
- Infrastructure-assisted PKI
- In-house and cloud-side SOA gateway / PEP
- Security and compliance
- Distributed SOA governance solution
43. Other cloud-side PEP benefits
- SLA enforcement / QoS monitoring: quotas, throughput limits, response times
- Validation / compliance: intercept problematic messages before they reach your services
- Collection of metrics: feed into the global reporting infrastructure
- Threat protection: message-level threats
- Acceleration: reduce latency
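As an added example of the first three benefits (illustration, not code from the deck), the following Go sketch is a cloud-side PEP that validates each message and charges it against a per-client token bucket whose parameters a central policy manager would provision, while keeping per-client counters for the reporting feed. The Policy fields, the error names and the use of JSON well-formedness as the validation step are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"math"
	"sync"
	"time"
)

// Policy is what the central policy manager provisions to the cloud-side PEP
// for one client: a sustained message rate, a burst allowance, a size limit.
type Policy struct {
	RatePerSecond float64
	Burst         float64
	MaxBodyBytes  int
}

// Metrics is the per-client counter set the PEP feeds to global reporting.
type Metrics struct {
	Admitted, RateLimited, Rejected int
}

// bucket is a token bucket: tokens refill at RatePerSecond up to Burst.
type bucket struct {
	tokens float64
	last   time.Time
}

var (
	ErrUnknownClient = errors.New("no policy provisioned for client")
	ErrQuota         = errors.New("quota exceeded")
	ErrTooLarge      = errors.New("message exceeds size limit")
	ErrMalformed     = errors.New("message is not well-formed JSON")
)

// PEP is the cloud-side enforcement point sitting in front of the service.
type PEP struct {
	mu       sync.Mutex
	policies map[string]Policy
	buckets  map[string]*bucket
	metrics  map[string]*Metrics
	now      func() time.Time // injectable clock
}

func NewPEP(policies map[string]Policy, now func() time.Time) *PEP {
	return &PEP{policies: policies, buckets: map[string]*bucket{}, metrics: map[string]*Metrics{}, now: now}
}

// Admit decides whether one message from client may be forwarded. Validation
// runs first, so a malformed or oversize message is dropped at the edge
// without ever reaching the service; only messages that pass are charged
// against the client's token bucket.
func (p *PEP) Admit(client string, body []byte) error {
	p.mu.Lock()
	defer p.mu.Unlock()
	pol, ok := p.policies[client]
	if !ok {
		return ErrUnknownClient
	}
	m := p.metrics[client]
	if m == nil {
		m = &Metrics{}
		p.metrics[client] = m
	}
	if len(body) > pol.MaxBodyBytes {
		m.Rejected++
		return ErrTooLarge
	}
	if !json.Valid(body) {
		m.Rejected++
		return ErrMalformed
	}
	now := p.now()
	b := p.buckets[client]
	if b == nil {
		b = &bucket{tokens: pol.Burst, last: now}
		p.buckets[client] = b
	}
	// Refill in proportion to elapsed time, capped at the burst size.
	if elapsed := now.Sub(b.last).Seconds(); elapsed > 0 {
		b.tokens = math.Min(pol.Burst, b.tokens+elapsed*pol.RatePerSecond)
		b.last = now
	}
	if b.tokens < 1 {
		m.RateLimited++
		return ErrQuota
	}
	b.tokens--
	m.Admitted++
	return nil
}

// Snapshot returns a copy of a client's counters for the reporting feed.
func (p *PEP) Snapshot(client string) Metrics {
	p.mu.Lock()
	defer p.mu.Unlock()
	if m := p.metrics[client]; m != nil {
		return *m
	}
	return Metrics{}
}
```

Validation precedes the quota check so that junk never costs a client quota and never reaches the service, and a client with no provisioned policy is refused outright rather than given a default. The injectable clock is what makes the bucket's refill behaviour testable without sleeping.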