Layer 7 SecureSpan Solution

SecureSpan Solution   Security and Monitoring for Services Inside the Enterprise and out to the Cloud

K. Scott Morrison CTO & Chief Architect Layer 7 Technologies

Layer 7 Confidential 2

About Layer 7

  Layer 7 is the leading vendor of security and governance for:

2003 2006 2009

Cus

tom

ers

Rev

enue

XML

SOA

Cloud


Why Governance?

Governance is essential. Governance is needed for

security, planned change and configuration

management, testing, monitoring, and setting of

quality-of-service requirements. “ “

Jess Thompson, Research Vice President As quoted by CyberMedia India Online Ltd

(http://www.ciol.com/enterprise/biztech/news-reports/soa-evolving-beyond-traditional-roots/3409118003/0/)


Layer 7’s Approach to Governance

  Security   Compliance   Reliability

  SLAs   Quality of Service   Message Content

  Policy Agility   Deployment Flexibility   Interoperability


Achieve Control through Policy Enforcement

Facilitate Compliance

  Generate log and audit files at mul1ple levels

  Export of data for correla1on and forensic analysis   Verify messages for compliance to industry or government-‐mandated specifica1ons

Ensure Reliability

  Ensure data confiden1ality over the wire and at rest

  Ensure services remain readily available

  Verify messages to ensure integrity

Enforce Security

  Centralized policy enforcement point deployed in-‐house or in the cloud

  Policy-‐driven authen1ca1on and fine-‐grained, service level authoriza1on

  Enforce policies according to risk


Gain Visibility by Monitoring Services

Track Message Content

  Iden1fy trends, excep1ons or viola1ons at the message level

  Report on user, client and system access to sensi1ve data

Assure Quality of Service

  Monitor and report on service performance in real-‐1me

  Reroute and throFle services to maintain reach-‐ability and availability

  Alert or automate ac1ons based on:

  Throughput, rou1ng failures, u1liza1on, availability rates, etc

Ensure SLA Conformance

  Monitor and report on SLAs using an agent-‐less management system

  Ensure you are mee1ng your own SLAs

  Ensure you’re geMng the value you expect from 3rd-‐party service providers


React at the Pace of Business Change

Facilitate Interoperability

  Out-‐of-‐the box integra1on with leading SOA solu1ons

  Standards-‐based, open APIs facilitates integra1on

Gain Deployment Flexibility

  Deploy in-‐house or in the cloud

  Mul1ple form factors:   Hardware appliance

  SoRware appliance

  SoRware

  Cross-‐domain client

Gain Policy Agility

  Decouple security, SLA, compliance and other shared code from services

  Modify exis1ng or deploy new policies on the fly

  Out-‐of-‐the-‐box asser1ons facilitate policy assembly without coding

  Custom asser1ons let you meet specific requirements


Separation of Policy Enforcement Layer Using SecureSpan Gateways

Operator

  Consistency

  Reuse

  Central Control

LDAP and/or IAM

SecureSpan Gateway Cluster

Service Hosts

Service Requester


Leverage of Existing Identity Assets

Web Services Server

Web Services Client

XML

Access Mgmt

Security Token Service

(STS)

LDAP

Policy Decision Points (PDPs)

WS-Trust

LDAP(S) Native

ID, Access Mgmt & STS

  LDAP

  Sun OpenSSO

  RSA Cleartrust

  CA/Netegrity SiteMinder & TxMinder

  IBM TAM, TFIM

  MSAD, Infocard (on VPN client)

  Oracle Access Mgr

  New instances are simple to add


Consistency and Scalability Cluster-wide Sharing

  Cluster variables (user configurable)

  Replay

  Policy updates

  SLA

Web Services Client

HTTP Load

Balancer Transparent replication of policy across

the cluster

Horizontal scalability

Replay attack prevention across the cluster

Single point of management across

cluster


May 2009

SecureSpan™ Gateway Overview Proprietary and Confidential 11

Edge-of-Network, DMZ-based Deployment

SecureSpan Management Console

May 2009

Corporate Network

DMZ

Internal Network

Internal Applications

Service Requester

External Firewall

Internal Firewall


Message

Internet


Rich Policy Language

…


SecureSpan Management Console

May 2009


Message Consumers

Applications

Message

Pros   Consistent security for all systems   Centrally managed   High performance, hardware accelerated document processing and cryptography Cons   Need rudimentary last mile security

 SSL typically, SAML, WS-S   Must cluster for high availability

J2EE

.NET

Apache+PERL

Centralized Gateway PEP

Cluster

Policy Decision Point (PDP)

(IAM, STS, etc)

Message Producer

May 2009


  Accelerated XML transform   Accelerated XML schema val   Signing services (notary pattern)   Encryption services   Filtering for compliance   Threat detection

Message Producer/Consumers Applications

J2EE

.NET

Apache+PERL

Centralized Gateway Co-processor Cluster

Virtual Loopback

Transformed XML document

Input XML document

ESB

May 2009


Administrative changes to policy change API

Web Services Server

Web Services Client

WSDL

WSDL + Security Changes

Which API do you program to?

Security implemented in code is difficult to change

Shift of burden to client

Very programmer intensive

May 2009


SecureSpan XML VPN Client

WS-Policy Document

SOAP message “decorated” to current policy

May 2009


Web Services Server

Web Services Client

Secure CSR

Secure Certificate Download

Gateway acts as certificate authority

May 2009


Trusted Certificates

Web Services Server

Web Services Client

Administrative Import

PKI System

LDAP or HTTP Server HTTP(S)

OCSP

CRLs

Certs

LDAP(S)

Secure Message

  Protecting & monitoring your applications in the cloud

  Giving your cloud apps access to on-premises data sources

  Big picture view of the distributed application network

Enterprise On-Premise IT

?

?

NetOps

Application-Layer Isolation, Monitoring,

& Control

?

?Hardware PEP Virtual PEP

Identical Functionality

May 2009


Virtual SecureSpan

Instance

Virtual Application

Instance

Protected Application

Stack

Separate Instances

Combined Instance


Some of our Partners

Virtual SecureSpan

Instance


Some of our Customers


Summary  Cloud should be viewed as a deployment pattern for SOA

-  This means you should leverage SOA technology in the cloud

-  Virtual SOA gateways, like SecureSpan, provide you with a means to secure cloud

  SOA best practices for federation can be transferred into the cloud

-  Avoid key material in the cloud

- Use distributable token validation strategy

-  SAML, Kerberos

-  Employ authorization based on attributes, not concrete identities

-  These have persistence

K. Scott Morrison

Layer 7 Technologies

405 – 1100 Melville St.

Vancouver, B.C. V6E 4A6

Canada

(800) 681-9377

[email protected]

http://www.layer7tech.com

For further information:

Layer 7 SecureSpan Solution

Technology

Transcript of Layer 7 SecureSpan Solution