Layer 7 SecureSpan Solution
1. SecureSpan Solution
Security and Monitoring for Services Inside the Enterprise and out to the Cloud
K. Scott Morrison
CTO & Chief Architect
Layer 7 Technologies
2. About Layer 7
Layer 7 is the leading vendor of security and governance for:
- Cloud
- SOA
- XML
[Chart: customer and revenue growth, 2003 / 2006 / 2009]
Layer 7 Confidential 2
3. Why Governance?
"Governance is essential. Governance is needed for security, planned change and configuration management, testing, monitoring, and setting of quality-of-service requirements."
Jess Thompson, Research Vice President
As quoted by CyberMedia India Online Ltd
(http://www.ciol.com/enterprise/biztech/news-reports/soa-evolving-beyond-traditional-roots/3409118003/0/)
5. Achieve Control through Policy Enforcement
Centralized policy enforcement point, deployed in-house or in the cloud
Enforce Security
- Ensure data confidentiality over the wire and at rest
- Policy-driven authentication and fine-grained, service-level authorization
- Verify messages to ensure integrity
- Enforce policies according to risk
Ensure Reliability
- Ensure services remain readily available
Facilitate Compliance
- Generate log and audit files at multiple levels
- Export data for correlation and forensic analysis
- Verify messages for compliance with industry or government-mandated specifications
6. Gain Visibility by Monitoring Services
Ensure SLA Conformance
- Monitor and report on SLAs using an agent-less service management system
- Ensure you are meeting your own SLAs
- Ensure you're getting the value you expect from 3rd-party service providers
Assure Quality of Service
- Monitor and report on performance in real time
- Reroute and throttle services to maintain reachability and availability
- Alert or automate actions based on throughput, routing failures, utilization, availability rates, etc.
Track Message Content
- Identify trends, exceptions or violations at the message level
- Report on user, client and system access to sensitive data
7. React at the Pace of Business Change
Gain Policy Agility
- Decouple security, SLA, compliance and other shared code from services
- Modify existing or deploy new policies on the fly
- Out-of-the-box assertions facilitate policy assembly without coding
- Custom assertions let you meet client-specific requirements
Gain Deployment Flexibility
- Deploy in-house or in the cloud
- Multiple form factors: hardware appliance, software appliance, software
- Cross-domain
Facilitate Interoperability
- Out-of-the-box integration with leading SOA solutions
- Standards-based, open APIs facilitate integration
8. Separation of Policy Enforcement Layer Using SecureSpan Gateways
[Diagram: Service Requester -> SecureSpan Gateway Cluster -> Service Hosts; the cluster consults LDAP and/or IAM and is administered by a central control operator. Benefits called out: Consistency, Reuse]
9. Leverage of Existing Identity Assets
[Diagram: Web Services Client -> SecureSpan Gateway -> Web Services Server, with the gateway calling out to Access Management Policy Decision Points (PDPs)]
ID, Access Mgmt & STS integrations:
- LDAP / LDAP(S)
- Sun OpenSSO
- RSA Cleartrust
- CA/Netegrity SiteMinder & TxMinder
- IBM TAM, TFIM
- Oracle Access Mgr
- MSAD
- WS-Trust Security Token Service (STS)
- Infocard (on VPN client)
Integration modes: native, XML, LDAP(S)
New instances are simple to add
10. Consistency and Scalability
Cluster-wide Sharing
- Cluster variables (user configurable)
- Replay attack prevention across the cluster
- Policy updates
- Horizontal SLA scalability
Transparent replication of policy across the cluster
Single point of management across the cluster
[Diagram: Web Services Client -> HTTP Load Balancer -> SecureSpan Gateway Cluster]
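Replay attack prevention across the cluster is the one item on this slide that is a concrete mechanism, so here is an added example, not Layer 7's code, of how a gateway node can do it in Go: a freshness window on the message timestamp plus a nonce cache shared by the cluster, as used with a WS-Security UsernameToken (Nonce, Created) pair. The NonceStore interface, the in-memory memStore and the five-minute window are assumptions for the example; in a real cluster the store is the replicated state every node writes to, so a nonce accepted on one node is rejected on all the others.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrStale  = errors.New("timestamp outside freshness window")
	ErrReplay = errors.New("nonce already seen")
)

// NonceStore is the cluster-shared state (an assumed interface for this
// example, not Layer 7's API). In a real cluster every gateway node writes to
// the same replicated store, so a message accepted on node A is rejected when
// it is replayed against node B.
type NonceStore interface {
	// PutIfAbsent records nonce until expires and reports whether it was new.
	PutIfAbsent(nonce string, now, expires time.Time) bool
}

// memStore is a single-node in-memory NonceStore used as a stand-in here.
type memStore struct {
	mu   sync.Mutex
	seen map[string]time.Time
}

func newMemStore() *memStore { return &memStore{seen: map[string]time.Time{}} }

func (s *memStore) PutIfAbsent(nonce string, now, expires time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	for k, exp := range s.seen { // lazy eviction keeps the cache bounded
		if !now.Before(exp) {
			delete(s.seen, k)
		}
	}
	if _, dup := s.seen[nonce]; dup {
		return false
	}
	s.seen[nonce] = expires
	return true
}

// ReplayGuard checks a WS-Security UsernameToken-style (Nonce, Created) pair.
type ReplayGuard struct {
	store  NonceStore
	window time.Duration    // tolerated clock skew and maximum message age
	now    func() time.Time // injectable clock, so the check is testable
}

func NewReplayGuard(store NonceStore, window time.Duration, now func() time.Time) *ReplayGuard {
	return &ReplayGuard{store: store, window: window, now: now}
}

// Check rejects a message whose Created timestamp lies outside the window, and
// one whose nonce was already accepted inside it. Because the timestamp check
// bounds message age, a nonce only has to be remembered for one window: any
// later replay carries a Created value that is stale by then.
func (g *ReplayGuard) Check(nonce string, created time.Time) error {
	now := g.now()
	if created.After(now.Add(g.window)) || now.Sub(created) > g.window {
		return ErrStale
	}
	if !g.store.PutIfAbsent(nonce, now, created.Add(g.window)) {
		return ErrReplay
	}
	return nil
}

func main() {
	clock := time.Date(2009, 5, 1, 12, 0, 0, 0, time.UTC)
	g := NewReplayGuard(newMemStore(), 5*time.Minute, func() time.Time { return clock })
	fmt.Println(g.Check("nonce-1", clock))                 // <nil>
	fmt.Println(g.Check("nonce-1", clock))                 // nonce already seen
	fmt.Println(g.Check("nonce-2", clock.Add(-time.Hour))) // timestamp outside freshness window
}
```

The window is the knob that trades clock skew tolerance against cache size: every node only has to remember nonces for one window, which is what makes the shared store practical at cluster scale.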
11. Edge-of-Network, DMZ-based Deployment
[Diagram: a Service Requester on the Internet sends messages through the External Firewall to the SecureSpan Gateway Cluster in the DMZ, which forwards them through the Internal Firewall to Internal Applications on the Corporate Network; the SecureSpan Management Console sits on the Internal Network]
May 2009
SecureSpan™ Gateway Overview Proprietary and Confidential
13. Centralized Gateway PEP Cluster
[Diagram: Message Consumers (Apache+PERL, .NET, J2EE applications) -> Centralized Gateway PEP Cluster -> Message Producer; the cluster consults a Policy Decision Point (PDP) (IAM, STS, etc.)]
Pros
- Consistent security for all systems
- Centrally managed
- High performance, hardware accelerated document processing and cryptography
Cons
- Need rudimentary last mile security (SSL typically, SAML, WS-S)
- Must cluster for high availability
14. Centralized Gateway Co-processor
[Diagram: Message Producer/Consumers (Apache+PERL, .NET, J2EE, ESB applications) send an input XML document to the co-processor cluster over a virtual loopback and receive a transformed XML document]
- Accelerated XML transform
- Accelerated XML schema validation
- Signing services (notary pattern)
- Encryption services
- Filtering for compliance
- Threat detection
15. WSDL
[Diagram: Web Services Client programs to the WSDL plus security changes published by the Web Services Server]
- Which API do you program to?
- Shift of burden to the client: administrative changes to policy change the API
- Security implemented in code is difficult to change
- Very programmer intensive
16. WS-Policy Document
[Diagram: the SecureSpan XML VPN Client reads the WS-Policy document and emits a SOAP message "decorated" to the current policy]
17. Gateway acts as certificate authority
[Diagram: Web Services Client submits a secure CSR to the gateway and receives a secure certificate download; the gateway fronts the Web Services Server]
18. Trusted Certificates
[Diagram: Web Services Client sends a secure message to the gateway in front of the Web Services Server; the gateway validates certificates against OCSP and CRLs fetched over LDAP or HTTP from an HTTP(S) or LDAP(S) server, and against PKI system certs loaded by administrative import]
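Slides 17 and 18 together describe the gateway issuing client certificates from a CSR and later validating presented certificates against trusted CAs and revocation data. The following is an added Go example, not Layer 7's implementation, of that flow using only the standard library: a self-signed gateway CA, a client CSR checked for proof of possession before issuance, a CA-signed CRL, and a verification step that chains the certificate to the CA, checks key usage and validity, and refuses revoked certificates or a stale CRL. Names, validity periods and the in-process CRL (a stand-in for one fetched over HTTP(S) or LDAP(S); OCSP is not modelled) are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate is revoked")

// gatewayCA models the gateway issuing client certificates and publishing a
// CRL. Assumed design for this example, not Layer 7's implementation.
type gatewayCA struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	now     time.Time // fixed clock so the example is deterministic
	revoked []pkix.RevokedCertificate
}

func newGatewayCA(now time.Time) (*gatewayCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Gateway CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign the CRL
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &gatewayCA{cert: cert, key: key, now: now}, err
}

// clientCSR is the "secure CSR" step: the private key stays with the client;
// only the self-signed request travels to the gateway.
func clientCSR(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return key, der, err
}

// issue verifies proof of possession (the CSR self-signature), then signs a
// certificate whose usage and lifetime the CA, not the requester, decides.
func (ca *gatewayCA) issue(csrDER []byte, serial int64) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // requester must hold the private key
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: csr.Subject.CommonName},
		NotBefore: ca.now.Add(-time.Hour), NotAfter: ca.now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

func (ca *gatewayCA) revoke(serial int64) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(serial), RevocationTime: ca.now})
}

// crl is the signed list the gateway would publish over HTTP(S) or LDAP(S).
func (ca *gatewayCA) crl() ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: ca.now,
		NextUpdate: ca.now.Add(24 * time.Hour), RevokedCertificates: ca.revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
}

// verifyClient is the "trusted certificates" check: chain to the CA with the
// right usage, valid at time at, and absent from a fresh, CA-signed CRL.
func (ca *gatewayCA) verifyClient(certDER, crlDER []byte, at time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = rl.CheckSignatureFrom(ca.cert) // only a list signed by our CA counts
	}
	if err != nil {
		return err
	}
	if at.After(rl.NextUpdate) { // stale CRL: fail closed rather than fail open
		return errors.New("CRL is stale")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

The two checks a gateway most often gets wrong are both in verifyClient: the CRL must be verified as signed by the issuing CA before it is trusted, and a CRL past its NextUpdate must be treated as missing, not as "nothing revoked".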
19. Protecting & monitoring your applications in the cloud
- Giving your cloud apps access to on-premises data sources
- Big picture view of the distributed application network
[Diagram: Enterprise On-Premise IT connected to applications in the cloud]
20. Hardware PEP / Virtual PEP
- Identical functionality
- Application-layer isolation, monitoring, & control
[Diagram: NetOps manages both the hardware and the virtual PEP]
21. Virtual Application Instance / Virtual SecureSpan Instance
- Separate instances: a virtual SecureSpan instance in front of a virtual application instance
- Combined instance: SecureSpan and the protected application stack in one instance
22. Some of our Partners
24. Summary
Cloud should be viewed as a deployment pattern for SOA
- This means you should leverage SOA technology in the cloud
- Virtual SOA gateways, like SecureSpan, provide you with a means to secure the cloud
SOA best practices for federation can be transferred into the cloud
- Avoid key material in the cloud
- Use a distributable token validation strategy (SAML, Kerberos)
- Employ authorization based on attributes, not concrete identities
- Attributes have persistence
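The last three federation points (no key material in the cloud, distributable token validation, attribute-based authorization) combine into one pattern, shown here as an added Go example that is not Layer 7's code. An on-premises STS signs a small attribute assertion with an Ed25519 private key; the cloud gateway holds only the public key, validates signature, audience and expiry, and then applies rules that name attributes rather than subjects. The token encoding, the Assertion, Rule, STS and CloudGateway types and the sample rules are constructed for this example and stand in for a real SAML assertion and gateway policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Assertion is a toy signed attribute token standing in for a SAML assertion.
// The wire form (base64url JSON "." base64url Ed25519 signature) is constructed
// for this example and is not SAML or any Layer 7 format.
type Assertion struct {
	Subject  string            `json:"sub"`
	Audience string            `json:"aud"`
	Expires  int64             `json:"exp"` // Unix seconds
	Attrs    map[string]string `json:"attrs"`
}

var (
	ErrBadToken = errors.New("token malformed or signature invalid")
	ErrAudience = errors.New("token not issued for this gateway")
	ErrExpired  = errors.New("token expired")
	ErrDenied   = errors.New("authorization denied")
)

var enc = base64.RawURLEncoding

// STS is the on-premises token service: the only party holding a private key.
type STS struct{ key ed25519.PrivateKey }

func (s *STS) Issue(a Assertion) (string, error) {
	body, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(s.key, body)), nil
}

// Rule grants access to a service when every required attribute matches.
type Rule struct {
	Service string
	Require map[string]string
}

// CloudGateway validates tokens with the STS public key only, so nothing that
// could mint a token ever lives in the cloud.
type CloudGateway struct {
	pub   ed25519.PublicKey
	aud   string
	rules []Rule
	now   func() time.Time
}

// Validate checks the signature before parsing anything, then audience and expiry.
func (g *CloudGateway) Validate(raw string) (*Assertion, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 2 {
		return nil, ErrBadToken
	}
	body, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(g.pub, body, sig) {
		return nil, ErrBadToken
	}
	var a Assertion
	if err := json.Unmarshal(body, &a); err != nil {
		return nil, ErrBadToken
	}
	if a.Audience != g.aud {
		return nil, ErrAudience
	}
	if g.now().Unix() >= a.Expires {
		return nil, ErrExpired
	}
	return &a, nil
}

// Authorize is attribute-based: rules name attributes, never subjects, so the
// same policy keeps working as people join, leave or change identity.
func (g *CloudGateway) Authorize(raw, service string) error {
	a, err := g.Validate(raw)
	if err != nil {
		return err
	}
	for _, r := range g.rules {
		if r.Service != service {
			continue
		}
		for k, v := range r.Require {
			if a.Attrs[k] != v {
				return ErrDenied
			}
		}
		return nil
	}
	return ErrDenied // default deny when no rule covers the service
}

// NewPair generates the STS keypair and a gateway holding only the public half.
func NewPair(aud string, rules []Rule, now func() time.Time) (*STS, *CloudGateway, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &STS{key: priv}, &CloudGateway{pub: pub, aud: aud, rules: rules, now: now}, nil
}
```

The audience check is what makes the validation "distributable": one STS can issue to many cloud gateways, and a token captured at one of them cannot be replayed at another, because each gateway only accepts assertions addressed to it.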
25. For further information:
K. Scott Morrison
Layer 7 Technologies
405 – 1100 Melville St.
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377
smorrison@layer7tech.com
http://www.layer7tech.com