Layer 7 SecureSpan Solution

SecureSpan Solution: Security and Monitoring for Services Inside the Enterprise and out to the Cloud
K. Scott Morrison, CTO & Chief Architect, Layer 7 Technologies

Transcript of Layer 7 SecureSpan Solution

Layer 7 Confidential 2

About Layer 7

Layer 7 is the leading vendor of security and governance for XML, SOA and Cloud.

[Chart: customers and revenue, 2003, 2006, 2009]


Why Governance?

"Governance is essential. Governance is needed for security, planned change and configuration management, testing, monitoring, and setting of quality-of-service requirements."

Jess Thompson, Research Vice President, as quoted by CyberMedia India Online Ltd
(http://www.ciol.com/enterprise/biztech/news-reports/soa-evolving-beyond-traditional-roots/3409118003/0/)


Layer 7’s Approach to Governance

- Security
- Compliance
- Reliability
- SLAs
- Quality of Service
- Message Content
- Policy Agility
- Deployment Flexibility
- Interoperability


Achieve Control through Policy Enforcement

Facilitate Compliance
- Generate log and audit files at multiple levels
- Export data for correlation and forensic analysis
- Verify messages for compliance with industry or government-mandated specifications

Ensure Reliability
- Ensure data confidentiality over the wire and at rest
- Ensure services remain readily available
- Verify messages to ensure integrity

Enforce Security
- Centralized policy enforcement point deployed in-house or in the cloud
- Policy-driven authentication and fine-grained, service-level authorization
- Enforce policies according to risk


Gain Visibility by Monitoring Services

Track Message Content
- Identify trends, exceptions or violations at the message level
- Report on user, client and system access to sensitive data

Assure Quality of Service
- Monitor and report on service performance in real time
- Reroute and throttle services to maintain reachability and availability
- Alert or automate actions based on throughput, routing failures, utilization, availability rates, etc.

Ensure SLA Conformance
- Monitor and report on SLAs using an agent-less management system
- Ensure you are meeting your own SLAs
- Ensure you're getting the value you expect from 3rd-party service providers


React at the Pace of Business Change

Facilitate Interoperability
- Out-of-the-box integration with leading SOA solutions
- Standards-based, open APIs facilitate integration

Gain Deployment Flexibility
- Deploy in-house or in the cloud
- Multiple form factors: hardware appliance, software appliance, software, cross-domain client

Gain Policy Agility
- Decouple security, SLA, compliance and other shared code from services
- Modify existing or deploy new policies on the fly
- Out-of-the-box assertions facilitate policy assembly without coding
- Custom assertions let you meet specific requirements


Separation of Policy Enforcement Layer Using SecureSpan Gateways

[Diagram: a Service Requester sends messages to the Service Hosts through a SecureSpan Gateway Cluster; the cluster draws identities from LDAP and/or IAM and is administered by an Operator. Benefits called out: consistency, reuse, central control.]


Leverage of Existing Identity Assets

[Diagram: Web Services Client -> XML gateway -> Web Services Server. The gateway consults Access Mgmt, a Security Token Service (STS) via WS-Trust, LDAP via LDAP(S) natively, and external Policy Decision Points (PDPs).]

ID, Access Mgmt & STS integrations:
- LDAP
- Sun OpenSSO
- RSA ClearTrust
- CA/Netegrity SiteMinder & TxMinder
- IBM TAM, TFIM
- MSAD, InfoCard (on VPN client)
- Oracle Access Mgr
- New instances are simple to add


Consistency and Scalability: Cluster-wide Sharing

Shared across the cluster:
- Cluster variables (user configurable)
- Replay
- Policy updates
- SLA

[Diagram: Web Services Client -> HTTP Load Balancer -> SecureSpan Gateway Cluster nodes]

- Transparent replication of policy across the cluster
- Horizontal scalability
- Replay attack prevention across the cluster
- Single point of management across the cluster
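The slide lists replay attack prevention among the things shared across the cluster but does not say what the check looks like. The following is an added example, not Layer 7 code: a Go replay check of the kind a gateway applies to a WS-Security UsernameToken, keyed on the token's Nonce and Created timestamp. The SOAP sample, the five-minute window and the single-process map standing in for the cluster-shared store are all assumptions of the example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Constructed sample (not from the slides): a SOAP request whose WS-Security
// UsernameToken carries the Nonce and Created values a replay check keys on.
const sampleSOAP = `<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Nonce>QmFzZTY0Tm9uY2UxMjM=</wsse:Nonce>
        <wsu:Created>2009-05-01T12:00:00Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body><GetAccount>42</GetAccount></s:Body>
</s:Envelope>`

// Only the header fields the check needs; encoding/xml matches local names, so prefixes need no handling.
type soapEnvelope struct {
	Header struct {
		Security struct {
			Token struct {
				Nonce   string `xml:"Nonce"`
				Created string `xml:"Created"`
			} `xml:"UsernameToken"`
		} `xml:"Security"`
	} `xml:"Header"`
}

var (
	ErrStale  = errors.New("Created timestamp outside the freshness window")
	ErrReplay = errors.New("nonce already seen: replay")
)

// ReplayCache stands in for the cluster-shared replay store on the slide. A real cluster
// replicates the seen-nonce set between nodes; one mutex-guarded map models it here.
type ReplayCache struct {
	mu     sync.Mutex
	seen   map[string]time.Time // nonce -> time after which it can be forgotten
	window time.Duration        // how far Created may differ from the receiver's clock
}

func NewReplayCache(window time.Duration) *ReplayCache {
	return &ReplayCache{seen: make(map[string]time.Time), window: window}
}

// Check rejects a Created timestamp outside the window (too old or too far in the future)
// and any nonce already recorded. A nonce only needs remembering until its timestamp would
// be rejected as stale anyway, which keeps the store bounded.
func (c *ReplayCache) Check(nonce string, created, now time.Time) error {
	if created.Before(now.Add(-c.window)) || created.After(now.Add(c.window)) {
		return ErrStale
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	for n, forgetAt := range c.seen { // evict nonces that could no longer pass the window check
		if !forgetAt.After(now) {
			delete(c.seen, n)
		}
	}
	if _, dup := c.seen[nonce]; dup {
		return ErrReplay
	}
	c.seen[nonce] = created.Add(c.window)
	return nil
}

// CheckMessage pulls the UsernameToken out of a SOAP request and runs the replay check;
// a message without both Nonce and Created is refused outright.
func CheckMessage(c *ReplayCache, soap string, now time.Time) error {
	var env soapEnvelope
	if err := xml.Unmarshal([]byte(soap), &env); err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	tok := env.Header.Security.Token
	if tok.Nonce == "" || tok.Created == "" {
		return errors.New("UsernameToken lacks Nonce or Created")
	}
	created, err := time.Parse(time.RFC3339, tok.Created)
	if err != nil {
		return fmt.Errorf("bad Created: %w", err)
	}
	return c.Check(tok.Nonce, created, now)
}

func main() {
	cache := NewReplayCache(5 * time.Minute)
	now := time.Date(2009, 5, 1, 12, 0, 30, 0, time.UTC)
	fmt.Println("first delivery:", CheckMessage(cache, sampleSOAP, now)) // <nil>
	fmt.Println("replayed copy:", CheckMessage(cache, sampleSOAP, now))  // nonce already seen: replay
}
```

Two details carry the security here: the freshness window bounds how long a nonce must be remembered, and eviction only removes entries whose timestamps would already fail the window check, so a forgotten nonce can never be replayed successfully. In a multi-node cluster the map has to be a shared or replicated store; a per-node cache lets a replay succeed against a sibling node behind the load balancer, which is exactly the gap the slide's cluster-wide replay prevention closes.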


SecureSpan™ Gateway Overview, May 2009 (Proprietary and Confidential)

Edge-of-Network, DMZ-based Deployment

[Diagram: a Service Requester on the Internet sends a Message through the External Firewall into the DMZ, where the SecureSpan Gateway Cluster sits; the cluster is administered from the SecureSpan Management Console and forwards to Internal Applications on the Internal Network, behind the Internal Firewall. DMZ and Internal Network together form the Corporate Network.]


Rich Policy Language

[Diagram: Message Consumers / Applications send a Message to the SecureSpan Gateway Cluster, whose policies are authored in the SecureSpan Management Console.]

Centralized Gateway PEP

[Diagram: Message Producer -> Centralized Gateway PEP Cluster -> Applications (J2EE, .NET, Apache+PERL); the cluster consults a Policy Decision Point (PDP) such as IAM or an STS.]

Pros
- Consistent security for all systems
- Centrally managed
- High performance, hardware accelerated document processing and cryptography

Cons
- Need rudimentary last-mile security between the gateway and the application (typically SSL; alternatively SAML or WS-Security)
- Must cluster for high availability

Centralized Gateway Co-processor

[Diagram: Applications (J2EE, .NET, Apache+PERL) or an ESB, acting as message producer or consumer, hand an Input XML document to the Centralized Gateway Co-processor Cluster over a Virtual Loopback and receive the Transformed XML document back.]

Co-processor services:
- Accelerated XML transform
- Accelerated XML schema validation
- Signing services (notary pattern)
- Encryption services
- Filtering for compliance
- Threat detection

Administrative Changes to Policy Change the API

[Diagram: the Web Services Client was programmed against the server's WSDL; after a policy change the Web Services Server exposes WSDL + Security Changes.]

- Which API do you program to?
- Security implemented in code is difficult to change
- Shifts the burden to the client
- Very programmer intensive

SecureSpan XML VPN Client

[Diagram: the XML VPN Client reads the current WS-Policy Document and emits a SOAP message "decorated" to the current policy.]

Gateway acts as certificate authority

[Diagram: the Web Services Client submits a Secure CSR and receives a Secure Certificate Download in return, on the path to the Web Services Server.]

Trusted Certificates

[Diagram: trusted certificates reach the gateway by Administrative Import or from a PKI System, which publishes Certs and CRLs through an LDAP or HTTP Server reached over LDAP(S) or HTTP(S) and answers revocation queries over OCSP; Web Services Client and Web Services Server then exchange a Secure Message.]
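The two slides above show the gateway issuing certificates from client CSRs and consuming CRLs from a PKI, without detail on either step. As an added example (not SecureSpan code), the Go program below walks that lifecycle with the standard library: a self-signed CA stands in for the gateway, a client generates its own key and submits a CSR, the CA verifies the CSR's signature before issuing, later publishes a CRL, and a relying gateway validates the chain and then the CRL. The CA name, lifetimes and clock-based serials are assumptions of the example; OCSP, which the slide also lists, is not covered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate serial is listed on the CRL")

// certTemplate builds a one-day template. Names and lifetimes are assumed, and the
// serial is taken from the clock for brevity; production CAs use random serials.
func certTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

func NewGatewayCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := certTemplate("Example Gateway CA")
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // crlSign is required to sign CRLs
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewClientCSR is the client side of "Secure CSR": the key stays with the client, only the CSR travels.
func NewClientCSR(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return key, der, err
}

// SignCSR is "Secure Certificate Download": verify the CSR's own signature (proof of key possession), then issue.
func SignCSR(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := certTemplate(csr.Subject.CommonName)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SignCRL produces the revocation list a gateway would publish over HTTP(S) or LDAP(S).
func SignCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()), // CRL numbers must increase
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey)
}

// Validate is the relying gateway's check: chain to the trusted CA, confirm the CRL is
// signed by that CA and still current, then refuse any serial the CRL lists.
func Validate(cert, caCert *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil { // an unsigned or foreign CRL proves nothing
		return err
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is past its NextUpdate; fetch a fresh one before deciding")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

The order in Validate is the point: a chain check alone accepts a revoked certificate, and a CRL is only evidence once its signature has been checked against the CA and its NextUpdate is still in the future, since an attacker who can serve a stale or forged list can otherwise keep a revoked client alive. The same caution applies to cached OCSP responses. ParseRevocationList and CheckSignatureFrom need Go 1.19 or later.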

- Protecting & monitoring your applications in the cloud
- Giving your cloud apps access to on-premises data sources
- Big picture view of the distributed application network

[Diagram: Enterprise On-Premise IT, run by NetOps, alongside cloud-hosted instances, with Application-Layer Isolation, Monitoring & Control between them. A Hardware PEP on premises and a Virtual PEP in the cloud offer identical functionality.]

Virtual SecureSpan Instance deployment options:
- Separate Instances: a Virtual SecureSpan Instance in front of a Virtual Application Instance
- Combined Instance: the Virtual SecureSpan Instance and the Protected Application Stack in one instance


Some of our Partners

[Partner logos]

Some of our Customers

[Customer logos]

Summary

- Cloud should be viewed as a deployment pattern for SOA
  - This means you should leverage SOA technology in the cloud
  - Virtual SOA gateways, like SecureSpan, provide you with a means to secure the cloud
- SOA best practices for federation can be transferred into the cloud
  - Avoid key material in the cloud
  - Use a distributable token validation strategy (SAML, Kerberos)
  - Employ authorization based on attributes, not concrete identities; these have persistence
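The last three points of the summary (no key material in the cloud, token validation any node can perform, authorization on attributes rather than identities) fit together in one flow. The following is an added example, not Layer 7 code and not a SAML implementation: an on-premises STS signs a small token with an Ed25519 private key, a cloud gateway verifies it holding only the matching public key, and then authorizes against rules that name attributes, never users. The token format, the issuer URN and the rules are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token stands in for a SAML assertion (issuer, subject, validity window, attribute
// statement); its field set and JSON encoding are assumptions of this example.
type Token struct {
	Issuer     string              `json:"iss"`
	Subject    string              `json:"sub"`
	NotBefore  int64               `json:"nbf"`
	NotAfter   int64               `json:"exp"`
	Attributes map[string][]string `json:"attrs"`
}

// SignedToken keeps the exact signed bytes, so verification never depends on re-serialising.
type SignedToken struct{ Payload, Sig []byte }

var (
	ErrIssuer    = errors.New("token issuer is not trusted")
	ErrSignature = errors.New("token signature does not verify")
	ErrWindow    = errors.New("token is outside its validity window")
)

// Issue runs on-premises, the only place the STS private key exists.
func Issue(stsKey ed25519.PrivateKey, tok Token) (SignedToken, error) {
	payload, err := json.Marshal(tok)
	if err != nil {
		return SignedToken{}, err
	}
	return SignedToken{Payload: payload, Sig: ed25519.Sign(stsKey, payload)}, nil
}

// Verify runs in the cloud gateway, which holds only issuer public keys. The issuer name
// is read from the payload to choose a key, but nothing in the payload is acted on until
// the signature over those same bytes has been checked.
func Verify(trusted map[string]ed25519.PublicKey, st SignedToken, now time.Time) (*Token, error) {
	var tok Token
	if err := json.Unmarshal(st.Payload, &tok); err != nil {
		return nil, err
	}
	pub, ok := trusted[tok.Issuer]
	if !ok {
		return nil, ErrIssuer
	}
	if !ed25519.Verify(pub, st.Payload, st.Sig) {
		return nil, ErrSignature
	}
	if t := now.Unix(); t < tok.NotBefore || t >= tok.NotAfter {
		return nil, ErrWindow
	}
	return &tok, nil
}

// Rule grants an action on a resource to any subject whose attribute statement holds every
// required value. No rule names a user, so the decision survives renamed or federated
// identifiers: the "persistence" the summary refers to.
type Rule struct {
	Resource, Action string
	Require          map[string]string // attribute name -> required value
}

// DemoRules are constructed for this example.
var DemoRules = []Rule{
	{Resource: "/claims", Action: "read", Require: map[string]string{"role": "claims-adjuster"}},
	{Resource: "/claims", Action: "approve", Require: map[string]string{"role": "claims-manager", "dept": "insurance"}},
}

// Authorize is deny-by-default; an unverified (nil) token never matches a rule.
func Authorize(rules []Rule, tok *Token, resource, action string) bool {
	for _, r := range rules {
		if tok != nil && r.Resource == resource && r.Action == action && hasAll(tok.Attributes, r.Require) {
			return true
		}
	}
	return false
}

func hasAll(attrs map[string][]string, req map[string]string) bool {
	for name, want := range req {
		found := false
		for _, v := range attrs[name] {
			found = found || v == want
		}
		if !found {
			return false
		}
	}
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)                       // nil means crypto/rand; generated on-premises
	trusted := map[string]ed25519.PublicKey{"urn:example:sts": pub} // all the cloud side ever holds
	now := time.Now()
	st, _ := Issue(priv, Token{Issuer: "urn:example:sts", Subject: "alice", NotBefore: now.Unix() - 60,
		NotAfter: now.Unix() + 300, Attributes: map[string][]string{"role": {"claims-adjuster"}}})
	tok, err := Verify(trusted, st, now)
	fmt.Println(err, Authorize(DemoRules, tok, "/claims", "read"), Authorize(DemoRules, tok, "/claims", "approve"))
}
```

Because the cloud gateway holds only public keys, compromising a cloud node yields nothing that can mint tokens, and every node can validate without calling home, which is what makes the validation distributable. The issuer field merely selects a key: an attacker who rewrites it to a trusted issuer only moves the signature out from under a key that never signed that payload, and the signature check fails.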

For further information:

K. Scott Morrison
Layer 7 Technologies
405 – 1100 Melville St.
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377
[email protected]
http://www.layer7tech.com