Hide Notes 

Slide 1: The importance of standards for Enterprise SOA and Cloud Security Francois Lascelles Technical Director, Europe
Slide 2: Agenda The importance of standards for Enterprise SOA and Cloud security  SOA and cloud  Loose coupling and security  Agility and security  Vendor neutrality and security  Enterprise cloud and identity  Examples  Layer 7 Solutions Layer 7 Confidential 2
Slide 3: Enterprise SOA, cloud landscape SOA Cloud deployed services enterprise boundary SAAS partner • Sensitive data, apps • Mission critical • ID authority • Legacy SAAS Layer 7 Confidential 3
Slide 4: Aspects of the cloud-enabled enterprise SOA  Services deployed across multiple zones  On-premise service endpoints  Off-premise service endpoints (public cloud)  SAAS-type cloud services  Partner services endpoints, partner service consumers  Multiple and varying identity authorities  A mix of WS-*, REST and Web API style services Layer 7 Confidential 4
Slide 5: Service orientation and security  web apps .  web services Presentation tier Service requester Server code Service instance  Through presentation layer, you control requesting side and can more easily impose a security mechanism  The requester is not necessarily a browser  There is a user, a browser  HTTP-only  Often machine to machine  No login forms, sessions, cookies  Security decoupled from the service implementation Layer 7 Confidential 5
Slide 6: Service security and agility  Service orientation is meant to provide agility  Security mechanisms and infrastructure must accommodate agility, not choke it  Service composition patterns and global security requirements require a decoupling of security from service implementation X Security as a Service, Gateways agility Security in application logic X Container security X X Agent solutions decoupling Layer 7 Confidential 6
Slide 7: Vendor neutrality  Standards and vendor neutrality - More than best practice - Defining characteristic of SOA  Single vendor platform inhibits future evolution  Don’t think in terms of a isolated platforms - Objective: the ability to substitute/add/remove any component of your SOA  Favor best of breed instead of single vendor platform Layer 7 Confidential 7
Slide 8: Enterprise cloud and identity  Is your identity management infrastructure enabling you to adopt cloud solutions securely?  Identity silos represent security risks, management challenges  Enable trust management of issuing authorities  Support standard compliant identity federation mechanisms - SAML, XACML, WS-Trust  Favor cloud solutions (SAAS, PAAS) that support such standards Layer 7 Confidential 8
Slide 9: Example: web service access control management WS requester PEP in-line of transaction WS endpoint LDAP Identity authentication and authorization based on group membership or attribute Directory Layer 7 Confidential 9
Slide 10: Example: web service access control management WS requester PEP in-line of transaction WS endpoint XACML Delegated authorization to PDP using XACML PDP Layer 7 Confidential 10
Slide 11: Example: web service access control management WS requester agent WS endpoint ? Custom IAM, SSO, or governance solution Layer 7 Confidential 11
Slide 12: Example: SaaS access control Usernames + passwords SF Enterprise user Login Enterprise boundary Other SAAS Identity silos Google Layer 7 Confidential 12
Slide 13: Example: SaaS access control SAAS instance configured with enterprise issuing authority certificate Enterprise boundary DMZ SF Enterprise user SAML issuing authority Login locally via redirect Locally controlled global access control Other SAAS Google Layer 7 Confidential 13
Slide 14: Example: SaaS – callback to private resource Enterprise boundary Private resource DMZ Secure link, VPN-ish Google Apps SDC WS endpoint Other SAAS SF Layer 7 Confidential 14
Slide 15: Example: SaaS – callback to private resource Enterprise boundary Private resource DMZ Google Apps OAuth WS-S WS endpoint Other SAAS Neutral, standards based gateway SSL mutual SF Layer 7 Confidential 15
Slide 16: Layer 7 SecureSpan solution  Standards based, best of breed services gateway  WS-*, REST, XML, JSON  Policy Enforcement Point (PEP)  Access Control  Edge Threat protection  Compliance  Orchestration, virtualization  SLA enforcement  Transformation Layer 7 Confidential 16
Slide 17: Layer 7 CloudConnect Securely connect enterprises to the cloud:  Leverage existing IAM infrastructure for SaaS SSO  Securely integrate with SaaS apps  Track usage of SaaS System of Record Existing IAM CloudConnect On Premise Network Layer 7 Confidential 17
Slide 18: Layer 7 CloudSpan Family  CloudConnect = “Your Gateway to the Cloud” - Allows enterprises to safely consume SaaS and cloudbased services  CloudProtect = “Your Gatekeeper in the Cloud” - DMZ-level security for applications and services deployed in public and private clouds  CloudControl = “The Gate Minder for your Cloud” - Secure, orchestrate and manage application and service APIs exposed to third-parties Layer 7 Confidential 18
Slide 19: For more information  http://www.layer7tech.com