Layer 7: The importance of standards for Enterprise SOA and Cloud Security

Francois Lascelles, Technical Director, Europe

Upload: ca-api-management

Post on 20-Aug-2015


TRANSCRIPT

The importance of standards for Enterprise SOA and Cloud Security

Francois Lascelles, Technical Director, Europe

Layer 7 Confidential 2

Agenda

The importance of standards for Enterprise SOA and Cloud security

SOA and cloud

Loose coupling and security

Agility and security

Vendor neutrality and security

Enterprise cloud and identity

Examples

Layer 7 Solutions

Enterprise SOA, cloud landscape

[Diagram: inside the enterprise boundary sits the SOA, holding sensitive data and apps, mission-critical systems, the ID authority and legacy systems; outside the boundary sit SaaS, cloud-deployed services and partners]


Aspects of the cloud-enabled enterprise SOA

Services deployed across multiple zones

On-premise service endpoints

Off-premise service endpoints (public cloud)

SAAS-type cloud services

Partner services endpoints, partner service consumers

Multiple and varying identity authorities

A mix of WS-*, REST and Web API style services

Service orientation and security

Web apps:

- Through the presentation layer, you control the requesting side and can more easily impose a security mechanism
- There is a user, a browser
- HTTP-only

[Diagram: a presentation tier in front of server code, contrasted with a service requester calling a service instance directly]

Web services:

- The requester is not necessarily a browser
- Often machine to machine
- No login forms, sessions, cookies
- Security decoupled from the service implementation

Service security and agility

Service orientation is meant to provide agility

Security mechanisms and infrastructure must accommodate agility, not choke it

Service composition patterns and global security requirements require a decoupling of security from service implementation

[Chart: four approaches (security in application logic, agent solutions, container security, and security as a service / gateways) positioned against two axes, decoupling and agility]


Vendor neutrality

Standards and vendor neutrality

- More than best practice

- Defining characteristic of SOA

Single vendor platform inhibits future evolution

Don't think in terms of isolated platforms

- Objective: the ability to substitute/add/remove any component of your SOA

Favor best of breed instead of single vendor platform


Enterprise cloud and identity

Is your identity management infrastructure enabling you to adopt cloud solutions securely?

Identity silos represent security risks, management challenges

Enable trust management of issuing authorities

Support standard compliant identity federation mechanisms

- SAML, XACML, WS-Trust

Favor cloud solutions (SAAS, PAAS) that support such standards

Example: web service access control management

[Diagram: PEP in-line of the transaction between the WS requester and the WS endpoint, consulting a Directory over LDAP]

Identity authentication and authorization based on group membership or attribute

Example: web service access control management

[Diagram: PEP in-line of the transaction between the WS requester and the WS endpoint, consulting a PDP over XACML]

Delegated authorization to PDP using XACML

Example: web service access control management

[Diagram: WS requester and WS endpoint, with an agent tied to a custom IAM, SSO, or governance solution; the integration is marked "?"]
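The two preceding patterns, a PEP in line with the transaction that authenticates against a directory and checks group membership, and the same PEP delegating the authorization decision to a PDP over XACML, as one added Python example. This is not Layer 7 or SecureSpan code: a dict stands in for the LDAP directory, the policy table and evaluator are a constructed simplification of a XACML PDP, and the group attribute identifier `urn:example:subject:group` is an assumption. What it shows is the decoupling the slides argue for: neither the directory lookup nor the policy lives in the endpoint, and the PEP fails closed on anything but an explicit Permit.

```python
"""In-line PEP with LDAP-style group lookup and delegation to an XACML PDP.

Added example, not Layer 7 or SecureSpan code. A dict stands in for the
LDAP directory, the policy table and evaluator are a constructed
simplification of a XACML PDP, and the group attribute identifier
urn:example:subject:group is an assumption.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# --- Constructed directory standing in for LDAP ---------------------------
def _pw_hash(salt: str, password: str) -> str:
    # Salted SHA-256 keeps the sample store free of plaintext; a real PEP
    # would bind to the directory instead of comparing hashes locally.
    return hashlib.sha256((salt + password).encode()).hexdigest()

FINANCE = "cn=finance,ou=groups,dc=example,dc=com"
ENGINEERING = "cn=engineering,ou=groups,dc=example,dc=com"

DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "salt": "s1", "pw": _pw_hash("s1", "alice-pass"), "memberOf": [FINANCE]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "salt": "s2", "pw": _pw_hash("s2", "bob-pass"), "memberOf": [ENGINEERING]},
}

def authenticate(dn: str, password: str) -> Optional[dict]:
    """Simulated LDAP bind: the entry on success, None on failure."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return None
    if not hmac.compare_digest(entry["pw"], _pw_hash(entry["salt"], password)):
        return None
    return entry

# --- XACML 3.0 request serialised by the PEP ------------------------------
NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
GROUP_ATTR = "urn:example:subject:group"  # assumed attribute id
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"

def build_request(groups: List[str], resource: str, action: str) -> bytes:
    """Put the subject's groups, the resource id and the action into a Request."""
    req = ET.Element(f"{{{NS}}}Request", ReturnPolicyIdList="false", CombinedDecision="false")

    def add_attributes(category: str, pairs):
        holder = ET.SubElement(req, f"{{{NS}}}Attributes", Category=category)
        for attr_id, value in pairs:
            attr = ET.SubElement(holder, f"{{{NS}}}Attribute", AttributeId=attr_id, IncludeInResult="false")
            ET.SubElement(attr, f"{{{NS}}}AttributeValue", DataType=STRING).text = value

    add_attributes(SUBJECT_CAT, [(GROUP_ATTR, g) for g in groups])
    add_attributes(RESOURCE_CAT, [(RESOURCE_ID, resource)])
    add_attributes(ACTION_CAT, [(ACTION_ID, action)])
    return ET.tostring(req)

# --- Minimal PDP -----------------------------------------------------------
# Constructed policy: (group, resource, action, effect); first match wins and
# no match yields NotApplicable.
POLICY = [
    (FINANCE, "urn:example:orders", "read", "Permit"),
    (FINANCE, "urn:example:orders", "delete", "Deny"),
]

def pdp_evaluate(request_xml: bytes) -> str:
    """Parse the Request and return Permit, Deny or NotApplicable."""
    root = ET.fromstring(request_xml)
    values = {}
    for attr in root.iter(f"{{{NS}}}Attribute"):
        values.setdefault(attr.get("AttributeId"), []).extend(
            av.text for av in attr.findall(f"{{{NS}}}AttributeValue"))
    groups = values.get(GROUP_ATTR, [])
    resource = values.get(RESOURCE_ID, [None])[0]
    action = values.get(ACTION_ID, [None])[0]
    for group, res, act, effect in POLICY:
        if group in groups and res == resource and act == action:
            return effect
    return "NotApplicable"

# --- PEP in line of the transaction -----------------------------------------
@dataclass
class Decision:
    allowed: bool
    reason: str

def pep_check(dn: str, password: str, resource: str, action: str) -> Decision:
    """Authenticate against the directory, then delegate authorization to the PDP."""
    entry = authenticate(dn, password)
    if entry is None:
        return Decision(False, "authentication failed")
    verdict = pdp_evaluate(build_request(entry["memberOf"], resource, action))
    # Only an explicit Permit lets the request reach the endpoint; Deny and
    # NotApplicable both block it, so the PEP fails closed.
    return Decision(verdict == "Permit", verdict)

if __name__ == "__main__":
    for dn, pw, act in [("uid=alice,ou=people,dc=example,dc=com", "alice-pass", "read"),
                        ("uid=bob,ou=people,dc=example,dc=com", "bob-pass", "read")]:
        print(dn, act, pep_check(dn, pw, "urn:example:orders", act))
```

Swapping the dict for a real directory bind, or the in-process evaluator for an HTTP call to a PDP, changes nothing in the endpoint; that is the point of keeping the PEP in line rather than in the service code.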

Example: SaaS access control

[Diagram: an enterprise user inside the enterprise boundary logs in separately to SF, Google and other SaaS]

Login

Usernames + passwords

Identity silos

Example: SaaS access control

[Diagram: the enterprise user logs in locally via redirect to a SAML issuing authority in the DMZ; SF, Google and other SaaS sit outside the boundary]

Login locally via redirect

SAAS instance configured with enterprise issuing authority certificate

SAML issuing authority

Locally controlled global access control

Example: SaaS – callback to private resource

[Diagram: Google Apps reaches a private resource (WS endpoint) inside the enterprise boundary through an SDC in the DMZ over a secure, VPN-ish link; SF and other SaaS alongside]

Example: SaaS – callback to private resource

[Diagram: Google Apps, SF and other SaaS call back to the private resource (WS endpoint) through a neutral, standards-based gateway in the DMZ, using mutual SSL, WS-S and OAuth]


Layer 7 SecureSpan solution

Standards based, best of breed services gateway

WS-*, REST, XML, JSON

Policy Enforcement Point (PEP)

Access Control

Edge Threat protection

Compliance

Orchestration, virtualization

SLA enforcement

Transformation

Layer 7 CloudConnect

[Diagram: CloudConnect sits between the on-premise network (existing IAM, system of record) and the cloud]

Securely connect enterprises to the cloud:

- Leverage existing IAM infrastructure for SaaS SSO
- Securely integrate with SaaS apps
- Track usage of SaaS


Layer 7 CloudSpan Family

CloudConnect = “Your Gateway to the Cloud”

- Allows enterprises to safely consume SaaS and cloud-based services

CloudProtect = “Your Gatekeeper in the Cloud”

- DMZ-level security for applications and services deployed in public and private clouds

CloudControl = “The Gate Minder for your Cloud”

- Secure, orchestrate and manage application and service APIs exposed to third-parties

For more information http://www.layer7tech.com