Layer 7: The Importance of Standards for Enterprise SOA and Cloud Security
1. The importance of standards for Enterprise SOA and Cloud Security
Francois Lascelles
Technical Director, Europe
2. Agenda
The importance of standards for Enterprise SOA and Cloud security
SOA and cloud
Loose coupling and security
Agility and security
Vendor neutrality and security
Enterprise cloud and identity
Examples
Layer 7 Solutions
Layer 7 Confidential 2
4. Aspects of the cloud-enabled enterprise SOA
Services deployed across multiple zones
On-premise service endpoints
Off-premise service endpoints (public cloud)
SAAS-type cloud services
Partner services endpoints, partner service consumers
Multiple and varying identity authorities
A mix of WS-*, REST and Web API style services
5. Service orientation and security
Web apps:
- Presentation tier
- Server code
- Through the presentation layer, you control the requesting side and can more easily impose a security mechanism
- There is a user, a browser
- HTTP-only
Web services:
- Service requester
- Service instance
- The requester is not necessarily a browser
- Often machine to machine
- No login forms, sessions, cookies
- Security decoupled from the service implementation
6. Service security and agility
Service orientation is meant to provide agility
Security mechanisms and infrastructure must accommodate agility, not choke it
Service composition patterns and global security requirements require a decoupling of security from service implementation
[Diagram: security solutions compared on two axes, agility and decoupling: security in application logic; container / agent; security as a service, gateways]
7. Vendor neutrality
Standards and vendor neutrality
- More than best practice
- Defining characteristic of SOA
Single vendor platform inhibits future evolution
Don't think in terms of isolated platforms
- Objective: the ability to substitute/add/remove any component of your SOA
Favor best of breed instead of single vendor platform
8. Enterprise cloud and identity
Is your identity management infrastructure enabling you to adopt cloud solutions securely?
Identity silos represent security risks, management challenges
Enable trust management of issuing authorities
Support standard compliant identity federation mechanisms
- SAML, XACML, WS-Trust
Favor cloud solutions (SAAS, PAAS) that support such standards
9. Example: web service access control management
[Diagram: WS requester -> PEP (in-line of the transaction) -> WS endpoint; the PEP performs identity authentication and authorization based on group membership or attributes held in an LDAP directory]
10. Example: web service access control management
[Diagram: WS requester -> PEP (in-line of the transaction) -> WS endpoint; the PEP delegates authorization to a PDP using XACML]
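The two PEP patterns on slides 9 and 10, as an added Python illustration that is not part of the deck and not Layer 7 product code: the in-line PEP first authenticates the requester against the directory, then either decides locally from group membership (slide 9) or wraps subject, resource and action into an XACML 2.0 request context and lets a PDP decide (slide 10). The directory contents, the rule table, the resource path `/services/orders`, the `toy_pdp` function and the password hashing scheme are all constructed for the example; the XACML namespace and attribute identifiers are the standard ones (the role attribute comes from the XACML RBAC profile). The PEP fails closed: anything other than an explicit Permit from the PDP blocks the call.

```python
"""In-line PEP for a web service: authenticate against a directory, then
authorize locally (group membership) or by delegating to a PDP over XACML.
Added example; the directory, rules and toy PDP are constructed stand-ins."""
import hashlib
import hmac
import xml.etree.ElementTree as ET


def _h(pw: str) -> str:
    # Constructed password hashing for the demo directory (not production-grade).
    return hashlib.sha256(b"demo-salt:" + pw.encode()).hexdigest()


# Constructed stand-in for the LDAP directory: users, password hash, groups.
DIRECTORY = {
    "alice": {"pw": _h("alice-pass"), "groups": {"orders-readers", "orders-admins"}},
    "bob":   {"pw": _h("bob-pass"),   "groups": {"orders-readers"}},
}

# Slide 9 style rule table: (resource, action) -> group required.
LOCAL_RULES = {
    ("/services/orders", "read"):  "orders-readers",
    ("/services/orders", "write"): "orders-admins",
}

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_ID = "urn:oasis:names:tc:xacml:2.0:subject:role"   # XACML RBAC profile
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def authenticate(user: str, password: str) -> bool:
    """Credential check against the directory with a constant-time compare."""
    entry = DIRECTORY.get(user)
    return entry is not None and hmac.compare_digest(entry["pw"], _h(password))


def authorize_locally(user: str, resource: str, action: str) -> bool:
    """Slide 9: decision taken by the PEP from directory group membership."""
    needed = LOCAL_RULES.get((resource, action))
    return needed is not None and needed in DIRECTORY[user]["groups"]


def _attr(parent, attr_id, value):
    a = ET.SubElement(parent, f"{{{XACML_CTX}}}Attribute",
                      AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(a, f"{{{XACML_CTX}}}AttributeValue").text = value


def build_xacml_request(user: str, resource: str, action: str) -> bytes:
    """Slide 10: the PEP builds an XACML 2.0 request context for the PDP."""
    req = ET.Element(f"{{{XACML_CTX}}}Request")
    subj = ET.SubElement(req, f"{{{XACML_CTX}}}Subject")
    _attr(subj, SUBJECT_ID, user)
    for group in sorted(DIRECTORY[user]["groups"]):
        _attr(subj, ROLE_ID, group)           # groups travel as RBAC roles
    _attr(ET.SubElement(req, f"{{{XACML_CTX}}}Resource"), RESOURCE_ID, resource)
    _attr(ET.SubElement(req, f"{{{XACML_CTX}}}Action"), ACTION_ID, action)
    ET.SubElement(req, f"{{{XACML_CTX}}}Environment")
    return ET.tostring(req)


def toy_pdp(request_xml: bytes) -> bytes:
    """Constructed PDP holding the same policy as LOCAL_RULES; returns an
    XACML 2.0 response context (Permit / Deny / NotApplicable)."""
    ns = {"c": XACML_CTX}
    req = ET.fromstring(request_xml)

    def values(path, attr_id):
        xpath = f"{path}/c:Attribute[@AttributeId='{attr_id}']/c:AttributeValue"
        return [v.text for v in req.findall(xpath, ns)]

    roles = set(values("c:Subject", ROLE_ID))
    resource = values("c:Resource", RESOURCE_ID)
    action = values("c:Action", ACTION_ID)
    needed = LOCAL_RULES.get((resource[0], action[0])) if resource and action else None
    decision = "NotApplicable" if needed is None else ("Permit" if needed in roles else "Deny")
    resp = ET.Element(f"{{{XACML_CTX}}}Response")
    result = ET.SubElement(resp, f"{{{XACML_CTX}}}Result")
    ET.SubElement(result, f"{{{XACML_CTX}}}Decision").text = decision
    status = ET.SubElement(result, f"{{{XACML_CTX}}}Status")
    ET.SubElement(status, f"{{{XACML_CTX}}}StatusCode",
                  Value="urn:oasis:names:tc:xacml:1.0:status:ok")
    return ET.tostring(resp)


def decision_permits(response_xml: bytes) -> bool:
    """Fail closed: only an explicit Permit lets the call through; Deny,
    NotApplicable, Indeterminate or an unparsable response all block it."""
    try:
        resp = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    d = resp.find(f"{{{XACML_CTX}}}Result/{{{XACML_CTX}}}Decision")
    return d is not None and d.text == "Permit"


def pep_handle(user: str, password: str, resource: str, action: str,
               delegate: bool = False) -> str:
    """In-line PEP: authenticate, then authorize locally or via the PDP."""
    if not authenticate(user, password):
        return "401 Unauthorized"
    if delegate:
        allowed = decision_permits(toy_pdp(build_xacml_request(user, resource, action)))
    else:
        allowed = authorize_locally(user, resource, action)
    return "200 forwarded to WS endpoint" if allowed else "403 Forbidden"


if __name__ == "__main__":
    print(pep_handle("bob", "bob-pass", "/services/orders", "write", delegate=True))
```

The point of the delegated path is that the PEP no longer carries any policy of its own: the same `build_xacml_request` works against any XACML-speaking PDP, which is what lets the authorization component be swapped without touching the service (slide 7's substitutability goal).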
11. Example: web service access control management
[Diagram: WS requester -> agent -> WS endpoint, with a question mark over the custom IAM, SSO or governance solution behind the agent]
12. Example: SaaS access control
[Diagram: the enterprise user logs in across the enterprise boundary with separate usernames and passwords to SF, Google and other SaaS: identity silos]
13. Example: SaaS access control
[Diagram: each SaaS instance (SF, Google, other SaaS) is configured with the enterprise issuing authority certificate; the enterprise user logs in locally via redirect to a SAML issuing authority in the DMZ, giving locally controlled global access control]
14. Example: SaaS – callback to private resource
[Diagram: Google Apps calls back over a secure, VPN-ish link through the SDC in the DMZ to a private resource (WS endpoint) inside the enterprise boundary; SF and other SaaS shown alongside]
15. Example: SaaS – callback to private resource
[Diagram: Google Apps, SF and other SaaS call back to the private resource (WS endpoint) through a neutral, standards-based gateway in the DMZ, using OAuth, WS-Security and mutual SSL]
17. Layer 7 CloudConnect
Securely connect enterprises to the cloud:
Leverage existing IAM infrastructure for SaaS SSO
Securely integrate with SaaS apps
Track usage of SaaS
[Diagram: CloudConnect sits between the on-premise network (system of record, existing IAM) and the cloud]
18. Layer 7 CloudSpan Family
CloudConnect = “Your Gateway to the Cloud”
- Allows enterprises to safely consume SaaS and cloud-based services
CloudProtect = “Your Gatekeeper in the Cloud”
- DMZ-level security for applications and services deployed in public and private clouds
CloudControl = “The Gate Minder for your Cloud”
- Secure, orchestrate and manage application and service APIs exposed to third-parties