Monthly Archives: September 2009

Clouds May Be Big, But You Should Start Small

James Urquhart, from Cisco, published a review of the US Government’s recently announced cloud initiative. I had the pleasure of sharing a panel with James recently at GigaOm Structure, and his CNET column should be on your must-read list if clouds are of interest to you.

In this article, James makes an interesting point that the government is really following the “Adopt at your own pace mentality” with respect to cloud. Obviously this isn’t about moving IT completely into the cloud–let’s face it, governments, of all organizations, hold data that will always be inappropriate for public cloud deployment. But it does demonstrate that a perfectly reasonable strategy is to create the opportunity to move select applications into the cloud (such as blogs, as the article mentions), and provide a mechanism so that these can coexist with existing internal IT. This is the so-called hybrid approach (particularly if there is a private cloud as part of the “internal” deployment).

But hybrid clouds face a big problem. To be useful, there must be secure communications between internal applications and new services deployed in the public (or semi-public) cloud. Amazon recently announced its Virtual Private Cloud initiative to address this issue. I was encouraged by their efforts; clearly, Amazon is taking the hybrid model very seriously–no doubt they’ve had a lot of customers asking them to solve this problem. However, I do question the strategy of deploying a VPN tunnel between internal IT and a public cloud. Despite efforts to secure and make private the operating environment of the public cloud, the VPN solution remains a risky proposition.

The trouble with VPNs is that they are indiscriminate over traffic. The trust model of VPNs is based on both ends being equally secure. A VPN makes sense when you integrate a branch office into your central corporate network, as the latter is subject to the same corporate security standards and policy. It can be dangerous if the remote site is one where you have any less control over the entire security model, as is the case in the cloud. Imbalance in security implementation is an opportunity for attack. If a single application on the cloud side is compromised, a system cracker can then leverage the VPN tunnel to get full access into the internal network. (This same problem exists with conventional VPNs and laptops, and believe me, it keeps security guys up at night.)

A better solution is to constrain communications on a service-by-service basis, managed under policy control. That way, if a system is compromised, it provides limited opportunity to launch a further attack. Here you are creating zones of trust between services, which is much more finely grained and deliberately constrained. The Layer 7 version of the secure hybrid model looks like this:

(Figure: cloud VPN)

Here, virtual and physical SecureSpan appliances coordinate communications between internal applications and services residing in the cloud. All transactions are managed under policy control. They are rigorously monitored, scrubbed for threats, and constrained to the appropriate parties. Architectures like this allow organizations of any size to move at their own pace into the cloud. It’s a model we’ve been advocating for some time. SecureSpan is already the security foundation of what is arguably the largest private cloud in the world, which is an existing government initiative that predates this latest announcement.


eBizQ Forum Question: Is Service Reuse Overrated as a Value Proposition for SOA? Does Reuse Even Work in Real-Life Situations?

Ah, the reuse question. My thoughts are here.

Is Cloud Computing Secure? Prove It

I had a discussion with Wayne Rash the other day about security in cloud computing. He followed up with an excellent article in eWeek with the provocative title Is Cloud Computing Secure? Prove It. I’d encourage you to have a look; Wayne spoke to a number of well-known people in the industry, and they offer up some valuable insights in his piece.

Wayne is interesting to talk to. He’s a retired naval officer who has been in the IT business long enough to have earned a very broad perspective. Cloud has a lot of roots in earlier technologies (virtualization, time sharing, ASPs, outsourced data centres, etc). I find that it’s always instructive to discuss cloud computing with people like him who recognize not just the similarities, but also the differences between cloud and its antecedents.

If you ever meet Wayne, be sure and ask him about his experiences with Rear Admiral Grace Hopper.

eBizQ Forum Question: Do You Think the Pervasive Use of Cloud Computing Will Expand or Contract the Use of SOA?

My answer is here.

SecureSpan Product Line Certified Against Red Hat’s JBoss Enterprise SOA Platform

We were at this week’s RedHat Summit/JBoss World show in Chicago to announce that the SecureSpan line is now fully certified against the JBoss Enterprise SOA Platform. We’ve seen increasing use of JBoss in our engagements, so this endorsement is important for both Layer 7 and RedHat. We’re huge fans of open source technologies here at Layer 7, and it’s great to be more closely aligned with JBoss.

How Does it Work?

Here’s a very common deployment scenario, showing a SecureSpan Gateway in the DMZ, providing edge-of-the-network governance for JBoss Enterprise SOA platforms:


Of course, this isn’t restricted to hardware appliances. Every product in the SecureSpan line can be deployed as:

  • Hardware
  • Software on various OS platforms
  • Virtual Appliances for VMWare, Xen, or cloud providers like Amazon.

These options offer architects a lot of flexibility in how they deploy JBoss servers in combination with SecureSpan. It’s not uncommon for developers to run virtual images of both JBoss and SecureSpan on their laptops. The policies they develop in this environment can be transferred to production systems regardless of the target form factor.

Policy migration is made easy using regular import functions built into SecureSpan, or–if the application network is more complex–using our Enterprise Manager product. The latter has advanced mapping features for automagically correcting policy attributes like IP address, or switching over to production LDAP systems instead of development. This is something that’s often overlooked (and I can tell you from experience that it’s a very difficult problem to solve well); but it’s an essential part of SOA policy management.

For more information:

Integrating SecureSpan Gateways and Sun’s OpenSSO

François Lascelles, who is Technical Director for Europe here at Layer 7, has just published an excellent article on Sun’s Developer Network site titled Delegating XML Gateway Runtime Authorization to OpenSSO. It goes into detail about how entitlements in Sun’s OpenSSO can be enforced for Web services, XML, and REST transactions using a SecureSpan Gateway and OpenSSO server.

This combination of Policy Decision Point (PDP)–in this case, OpenSSO–and Policy Enforcement Point (PEP)–the Layer 7 SecureSpan Gateway–is a common deployment pattern for us. Most organizations have already made an investment in Identity and Access Management (IAM) infrastructure; however, this is not sufficient on its own for SOA access control. That’s where Layer 7 can help. Deployed in combination with an IAM system like OpenSSO, SecureSpan does the heavy lifting of XML processing and enforcement, but delegates the access control decision process (and often identity token validation) to the existing, familiar IAM infrastructure. It’s a powerful combination, and one that extends existing investment in IAM into the SOA world.
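The PEP/PDP split described above, and the service-by-service policy constraint argued for in the hybrid cloud post, as an added example that is not Layer 7’s or OpenSSO’s code: a minimal enforcement point that does the XML work (parses a SOAP request, extracts the caller’s token and the requested operation), hands token validation to a stand-in IAM lookup and the permit/deny decision to a separate PDP function, and fails closed on anything it cannot parse. The service namespace, token format, session table and entitlement table are all constructed here for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:orders"  # hypothetical service namespace (constructed)

# Stand-in for the IAM system's token store: opaque session tokens -> identity.
IAM_SESSIONS = {"tok-alice-7f3": "alice", "tok-bob-2c9": "bob"}

# Stand-in PDP entitlements: subject -> set of (service, operation) permitted.
# Anything not listed is denied, so each party reaches only what policy names.
ENTITLEMENTS = {
    "alice": {("orders", "getOrder"), ("orders", "listOrders")},
    "bob":   {("orders", "getOrder")},
}

def pdp_decide(subject, service, operation):
    """Policy Decision Point: answers only Permit/Deny and never sees the XML."""
    allowed = ENTITLEMENTS.get(subject, set())
    return "Permit" if (service, operation) in allowed else "Deny"

def pep_authorize(soap_xml, service="orders"):
    """Policy Enforcement Point: parse, identify the caller, ask the PDP.
    Returns (allowed, reason). Any parse or lookup failure is a deny."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        return False, f"XML parse error: {exc}"  # fail closed, don't guess
    header = root.find(f"{{{SOAP_NS}}}Header")
    body = root.find(f"{{{SOAP_NS}}}Body")
    token_el = header.find(f"{{{APP_NS}}}SessionToken") if header is not None else None
    if body is None or token_el is None or not (token_el.text or "").strip():
        return False, "malformed request: missing Body or SessionToken"
    # Token validation is delegated to the IAM store, not re-implemented here.
    subject = IAM_SESSIONS.get(token_el.text.strip())
    if subject is None:
        return False, "token not recognised by IAM"
    op_el = next(iter(body), None)  # first child of Body names the operation
    if op_el is None:
        return False, "empty Body"
    operation = op_el.tag.split("}", 1)[-1]  # strip the namespace prefix
    decision = pdp_decide(subject, service, operation)
    return decision == "Permit", f"{subject} -> {service}/{operation}: {decision}"

def build_request(token, operation):
    """Constructed sample SOAP request used to exercise the PEP."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:o="{APP_NS}">'
            f'<s:Header><o:SessionToken>{token}</o:SessionToken></s:Header>'
            f'<s:Body><o:{operation}/></s:Body></s:Envelope>')
```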

Over the past seven years, we’ve built connectors into virtually all of the IAM systems out there. When we built SecureSpan, we were careful to build an effective framework for authentication and authorization so that it’s easy to build connectors into different systems. This is important, because unfortunately the IAM marketplace evolved rapidly and without a lot of standardization.

Have a look at François’ article. He’s been with the company since its beginning, and has as broad a perspective on this area as you will find.