Bullet Proof Your Cloud Slide

  • 7/30/2019 Bullet Proof Your Cloud Slide

    1/19

    Bullet-proof your Cloud

    Jyothi Swaroop, Product Director. Oracle Fusion Middleware

  • 2/19

    Top of Mind for Cloud / Inter-Enterprise

    Oracle SOA Governance Customer Advisory Board 2011-12 Su

    Managing the integrity of transactions across organizational boundaries

    Meeting service levels for clients

    Managing security across organizational boundaries

    Controlling access to and utilization of external resources

    Please characterize your interest in Governance for cloud or B2B computing

  • 3/19

    Common Hybrid Infrastructure

    Blend of Private and Shared, Public Data Centers

    ERP PLM SCM HCM CRM

    DATA

    SYNC

    Hybrid IT Infrastructure

    Separate, Shared Da

    Private Data Center

    End-to-End Security

    Control over Access and Utilization

    Service Level Management

    Transaction Integrity

    On-premise Public Cloud

  • 4/19

    SOA & Cloud Security Strategy

    Across Security Layers

    Enterprise

    Gateway

    DMZ

    HTTP GET/POST

    REST

    XML

    SOAP

    JMS

    Extranet

    First Line Of Defense Service

    Virtualization

    En

    Se

    Intranet

    Web Client

    (Browser)

    Web Service Client

    Web Service Client

    Web Service Client

    Web Service Client

    Service Bus

    OWSM Agent

    OWSM

    OWSM

    Common Security Pol

  • 5/19

    First Line of Defense

    XML Firewalling Against Attacks

    XML content attacks

    Checking for XML well-formedness; XML document size; XPath and XQuery injection; SQL injection; XML encapsulation; XML viruses

    Scanning outgoing messages for sensitive content based on metadata or regular expression patterns

    Detecting XML bombs and XML clogging

    Scanning WSDL files

    XML schema and DTD attacks

    Checking for schema and DTD valid

    Cryptographic attacks

    Public Keys

    Replay

    SOAP attacks

    SOAP operation filtering

    Checking for rogue SOAP attachm

    viruses)

    Communication attacks

    HTTP header and query string ana

    IP address filtering

    Traffic throttling

  • 6/19

    Description

    Intrusion detection of cryptographic, XML and SOAP attachments

    Real-time monitoring

    Policy management

    Benefits

    Ensures reliability of hybrid infrastructure

    Improves performance through policy conformance

    Solution: Web Service Security in the DMZ

    Oracle Enterprise Gateway

  • 7/19

    XML Acceleration

    - Fast processing of XM

    - Fast XML validation

    - Patented acceleration

    DMZ Security

    - Fine grained authoriz

    - Authentication

    - Identity propagation

    Oracle Enterprise Gateway

    XML Acceleration and Web Service Security in the DMZ

    Passed XML Messages

    Blocked XML Messages

    XML Load Speed

  • 8/19

    End-to-End Security

    Authentication Across Enterprise Boundaries

    SaaS

    Employee

    Integrator

    App

    Providers offer Cloud

    Gateway provides inb

    security for providers

    Customers use Cloud services

    Gateway applies outbound security required to access services

    If request must be signed, Gateway does the signing

    Enterprise Gateway

    Enterprise Gateway

    Customer loads API Key into Gateway

    Provider issues API Key to customer

    Gateway submits authentication credentials including API Key

    On-premise Public Clo

  • 9/19

    Access to Cloud Services

    Enterprise Gateway Connectors

    Configure Enterprise Gateway to connect to Cloud services

    Salesforce.com using a combination of a password and pre-shared key for authentication

    Amazon Web Services via HMAC signature over the request

    Providers like Terremark using the vCloud API (through HTTP Authenticat

  • 10/19

    End-to-End Security

    Identity Management and Propagation

    Web Application

    Web Service

    Web Client (Browser)

    Web Service Client

    Web Client (Browser)

    Web Service Client

    Web Service Client

    Web Service Client

    Web Application

    Web Service

    Web Access Control Identity & Role Mgt

    Identity Management

    Enterprise Gateway

    Firewall

    DMZ

    User Provisioning

    Governance

    User Identities

    RBAC, Fine-Grained Authorization

    AuthZ AuthN

    HTTP GET/POST

    REST

    XML

    SOAP

    JMS

    HTTP GET/POST

  • 11/19

    Control Access and Utilization

    Apply Policy for Security & Service Levels

    We

    Web Service Client

    Web Client (Browser)

    Web Service Client

    Web Service Client

    Web Service Client

    HTTP GET/POST

    REST

    XML

    SOAP

    JMS

    Policy Agents

    J

    A

    SO

    .NET WPL/SQL WS T

    JMS

    Identity

    Management

    SOA Management

    Enterprise Gateway**

    Policy Manager

    Web Client (Browser)

    REST

    Service Bus*

    * Service Bus can be used with or without Policy Manager integration

    ** Enterprise Gateway may optionally use same policies as Service Bus and Policy Agents

    SOAP

    Policy Manager

    Unified policy model from the

    endpoint

    Policy Manager

  • 12/19

    Meet Service Levels

    Client-Based SLA Alarms

    Service Level Objective (SLO)

    For Platinum customers: Ave. Response time per hour < 6 sec

    Warning threshold

  • 13/19

    Transaction Integrity

    Across Enterprise and Cloud

    Transactions no longer vanish because of delays, failures, errors

    - Monitoring and alerting before users complain

    - Single source for status of each transaction

    Problem diagnosis and managing exceptions is less laborious, with shorter mean-time-to-resolve

    - Averts 80% of effort spent merely isolating the issue

    - No longer a manual effort based on log mining

    - Fewer developer resources diverted to IT fire-drills

    Business transaction context (not just system-centric monitoring)

    - Includes critical business context (Customer name, order size, part numbers)

    - Captures a range of business-oriented errors & faults

    Process Engine Service Bus

    Appliance Web

  • 14/19

    Approval Workflow

    Compliance in the Cloud

    Enterprise

    Repository

    Architect

    Developer/Integrator

    Compliance Reports

    Design Policy

    Cloud Services and Contracts

    Service approved for use in this Organization

    Employee

    On-Premise: Design time

    Employee

    On-Premise: Operations

    Security and Access

    Interoperability

    Architecture

    Standards

    Corporate & Regulatory Compliance

    Service Level Agreements

    Audit

    Logging & Reporting

    App

    Security

    Policy

    SaaS

    Public Clo

    Secure

    Access

    XML Validation

    Payment Card Industry Data Security Sta Statement on Auditing Standards 70: Ser

    Standards Board of the AICPA. Health Insurance Portability and Account

  • 15/19

    API Management

    Security, Monitoring and Governance

    API

    Secure REST APIs

    Threat Protection

    API Governance

    API Monitoring and Management

    Gaming Consoles

    Mobile

  • 16/19

    Governing SOA in the Cloud

    Farmers Insurance Group Challenges Similar to Shared Services

    | Key Capabilities & Requirements | Shared Services | Cloud Computing |
    |---|---|---|
    | Platform Considerations | | |
    | Multi-tenant architecture | | |
    | Infrastructure | Yes | Yes |
    | Middleware | Yes | Yes |
    | Services | Yes | Yes |
    | Processes | No | Yes |
    | Abstracted / virtualized shared platform | Yes | Yes |
    | Self-Service control panel | No | Yes |
    | On-demand scaling | No | Yes |
    | Visibility and Control Considerations | | |
    | Security | Yes | Yes |
    | On-demand provisioning | No | Yes |
    | IT service catalog | Yes | Yes |
    | IT service management | Yes | Yes |
    | Lifecycle Management | Yes | Yes |
    | Standardization | Yes | Yes |
    | Governance and Compliance | Yes | Yes |
    | Business Considerations | | |
    | Financial Management | | |
    | Metering | Yes | Yes |
    | Billing | Yes | Yes |

  • 17/19

    Oracle Fusion Middleware

    For Policing the Cloud

    Oracle SOA Governance

    Oracle Enterprise Gateway: XML Gateway for Perimeter Security; Connections to Clou

    Oracle Web Services Manager: Security Policy Management; Policy Agents for Endpoints

    Oracle Identity Management: User Provisioning; Authentication; Authorization and Fine-G Role Management

    Oracle Enterprise Manager: Service Level Management & Diagnostics; Business Trans Monitoring & Reporting by Client

    Oracle Enterprise Repository and Service Registry: Catalog of IT Services and Contracts; Governance Workflo Design/Architecture Compliance

  • 18/19

    Oracle SOA & Cloud Security Strategy

    Cloud Security

    Security Inside-Out

    Flexible & Agile

    Perimeter Security

    Fusion Middleware Security

    Consistent & Integrated

    Application Security

    Delivered through Oracle Enterprise Gateway

    Delivered through Oracle Web Services Manager

    DeSer

    Age

    N t St

  • 19/19

    Next Steps

    1. Explore Oracle's Web Sites

    www.oracle.com/soa

    http://bit.ly/soagov

    http://bit.ly/OEGateway

    2. Run Oracle SOA on the Cloud

    Amazon EC2: http://bit.ly/HLgyRS

    3. Attend an Upcoming SOA Event

    Oracle Event Site www.oracle.com/events

    4. Oracle SOA Governance Resource Kit: Whitepapers, Datasheets, Demos, etc.

    http://bit.ly/soagovkit

    5. Join Oracle SOA communitie

    facebook.com/O

    Oracle SOA

    twitter.com/Ora

    Blog blogs.oracle.co