eBizQ Forum Question: What are your questions?

Posted on August 27, 2009 | Leave a comment

Peter Schooff, who moderates the eBizQ forum, turns the tables on the participants and asks what are the burning questions that they have about SOA? The participants provide a good measurement of the state of SOA in the minds of its thought leaders.

Leave a comment

Posted in Layer 7 Technologies

Tagged ,

Avoiding the Toll Road into the Cloud

Posted on August 27, 2009 | Leave a comment

I have a new article I co-wrote with Andrew Finall and Jay Thorne now published on GigaOm. It’s about leased lines to the cloud, an especially timely topic given yesterday’s announcement from Amazon about its Virtual Private Cloud service (more on this in an upcoming post).

Leave a comment

Posted in Layer 7 Technologies

Tagged , ,

Randy Hefner on the State of SOA Security

Posted on August 25, 2009 | Leave a comment

Randy Hefner wrote an encouraging piece recently in ComputerWorld titled SOA Security: Good Enough and Getting Better. I say encouraging because from his perspective—which is broad and well-informed by virtue of his role as a Forrester analyst—most organizations now understand the importance of SOA security, and they are implementing the basics today. The more advanced pieces, particularly around complex identity-centric use cases such as single sign-on and federation, remain elusive; but at least there is a solid baseline to work from. Randy maintains:

“Thus it is important, even if you start with a simple SOA security solution, to anticipate the need for and leave paths open to build additional, deeper security functionality as business requirements demand and SOA security maturity allows.”

This is something I definitely agree with. Security can begin with the basics, as long as you put the time and energy into your basic policy and security architecture upfront. If you design it for growth, you can easily add in support for scenarios like non-repudiation later on. Security should always be an iterative process. It’s something you never finish, and you need to keep this in mind as you are designing your security architecture. You don’t want your tools and infrastructure to let you down at some point in the future.

But Randy’s real gem is here:

“Forrester strongly recommends that you design a solution that does not require application developers to do security-related coding. Even with strong guidelines and code reviews, embedding security into application code is risky both in terms of achieving consistent security and of allowing future flexibility and enhancement of application security.”

Bravo Randy—and Forrester by extension. This is the critical insight that so many people miss. Here at Layer 7, we’ve been evangelizing for years that developers need to be taken out of the equation when it comes to securing the communications that make up a secure SOA application. SOA security is a complex discipline, and it’s risky to assume that each of your development teams will implement it consistently and correctly. You need to dedicate an expert to the problem and make this person (or persons) responsible for implementing a security model across all of your SOA apps.

The fundamental associated risk with standards like WS-Security (WS-S) is their complexity. This is a very broad specification, one that relies on a host of other specifications as its core. By design, it is not prescriptive about how you should use it; rather, it is a framework for securing SOAP transactions to your business needs.

I was (am still am) an editor of the WS-I Basic Security Profile (BSP), along with colleagues from IBM, from Nortel, and from Microsoft (a number of other companies also contributed to the specification as participants in the working group). I’ve worked alongside the best SOA security minds on the planet, and I learned first hand how easy it is to inadvertently create WS-S (or, for that matter, BSP)-compliant security models that are riddled with holes. OASIS and WS-I, through the standards and profiles they produce, do not have a mandate to offer formulas for securing SOA apps. They are in the business of providing frameworks for experts to implement secure solutions, or to promote interoperability.

This is why it’s so important that security for SOA be placed in the hands of dedicated experts, and that the tools to support an overall governance strategy—such as Layer 7 SecureSpan Gateway line—allow security policies to be enacted simply and comprehensively. I’ve always said that the soul of good security is consistency. Your tools need to support this.

In a forthcoming blog entry, I’ll demonstrate how simple it is to implement SOA security using Layer 7’s SecureSpan Gateways, and thus deliver on Randy’s assertion that we must take application developers out of the SOA security process.

SecureSpan Gateway Cluster deployed in a common, edge-of-the-network scenario. This is just one example of many different deployment possibilities. Here, the gateway cluster provides consistent security policy enforcement for all services published by the organization.

SecureSpan Gateway Cluster deployed in a common, edge-of-the-network scenario. This is just one example of many different deployment possibilities. Here, the gateway cluster provides consistent security policy enforcement for all services published by the organization.

Leave a comment

Posted in Layer 7 Technologies

Tagged , , , , ,

SQL Attack and the Largest Data Breach in US History

Posted on August 17, 2009 | 3 comments

CNET’s Elinor Mills wrote an article today about the indictment of three men in the largest US data breach on record. Her article details how three system crackers, two Russians and a man from Florida,  allegedly stole data relating to 130m credit and debit cards and conspired to sell these to others. The story has also been picked up by BBC News.

The hack involved using SQL injection, a technique that was pioneered back in the PowerBuilder client/server days. Many people believe that the attack reached its zenith back then, and is of little real threat today. Clearly, this is not the case.

Indeed, in the services world, SQL injection remains a powerful and often used exploit. Here at Layer 7 we developed technology to defeat this many years ago. We use the acceleration technology in SecureSpan Gateways to scan for SQL attack signatures in messages, blocking transactions that test positive for SQL attacks.

Good security should be simple to apply. If it’s easy to implement, people will use it. Here’s what a policy with SQL injection protection looks like in the SecureSpan Gateway:

SQLAttack

It doesn’t get much simpler than this–and that’s the point. Good security must be simple to comprehend, comprehensive, and broadly applicable.

Now, if you click on the SQL attack protection assertion, you can configure for particular attacks. This is important, because databases respond differently to certain signatures:

SQLAttackDetails

Can a single programmer write similar protections into his or her code? Absolutely. But do they? Well, Elinor has drawn our attention to the potential cost of not doing so. This kind of security is best applied consistently across all applications.  It’s just not realistic to assume developers will always do this correctly (or at all). Governance of services needs to be done by a dedicated security officer, one who understands the problems, and is disconnected enough from the application development process to be impartial. You separate development and QA for a good reason; sometimes you need to separate development and run time security enforcement for similar reasons.

If more organizations realized there were strong technical solutions like SecureSpan that augment their overall security and governance programs, then maybe we would hear less about massive breaches in privacy and trust like the one above.

The last word from the ever-brilliant xkcd:

3 Comments

Posted in Layer 7 Technologies

Tagged , , , ,

Cloud Use Cases

Posted on August 10, 2009 | Leave a comment

Where does Layer 7 play in the cloud?

Here are the three basic scenarios we see all the time here at Layer 7 with our cloud customers:

1. Governing Access to External Cloud Apps

Problem: Employees can access cloud services with only a credit card and a browser

Solution: Use Layer 7 SecureSpan Gateway clusters to enforce policy and provide a consistent on-ramp to cloud services.

  • Control employee access
  • Maintain authoritative usage records
  • Provide simple on ramp for cloud services (apply cloud-specific security decorations, etc)

Deployment: Physical appliances for extremely high performance (featuring accelerated cryptography, hardware key management (HSM),  and XML processing), software installation on existing server infrastructure, or virtual appliances deployed on commodity hardware. Deploy in clusters for policy synchronization and ease of administration.

Scenario 1

2. Governing Cloud Apps That Need Access to Internal Resources

Problem: Cloud applications (such as Salesforce.com) need access to internal resources (like directories, legacy data bases, mainframes, etc).

Solution: Use Layer 7 SecureSpan Gateway clusters in the DMZ to ensure than only authorized external services (and identities) are permitted access to mission-critical internal systems.

  • Authentication
  • Fine-grained authorization
  • Identity mapping
  • Threat detection
  • SLA enforcement (for example, throttling access rate to servers)
  • Automated internal failover

Deployment: Deploy SecureSpan Gateways in the DMZ to provide secure, managed access to internal network resources. Use hardware appliances for extremely high performance (featuring accelerated cryptography, hardware key management (HSM),  and XML processing), software installation on existing server infrastructure, or virtual appliances deployed on commodity hardware. Deploy in clusters for policy synchronization and ease of administration.

Scenario 2

3. Cloud Application Security and Monitoring

Problem: How do you protect cloud applications?

Solution: Use Layer 7 SecureSpan Virtual Appliances to secure and manage all communications in or out of cloud applications.

  • Resident in-cloud
  • Automatic policy synchronization between other gateways
  • Rapid re-deployment and mapping of policy dependencies (IP addresses, etc) within cloud provider, or between cloud providers
  • Fine-grained service isolation
    • Secure container model or standalone gateway.

Deployment: Hardened and optimized virtual appliances deployed in the cloud. Appliances can be bound to individual machine images, or share responsibility for multiple image instances. Specific virtualized instances for VMWare or Xen-based clouds, or Amazon EC2.

Scenario 3

Why Choose Layer 7?

  • Experience in Cloud Technology: Layer 7 isn’t just another company jumping on the cloud bandwagon; we’ve been  shipping fully supported, productized virtual appliances (not one-offs, nor proof-of-concepts) for over 2 1/2 years. Since the company’s founding in 2002, we have leveraged virtualization technologies. We draw on years of internal expertise in optimizing virtualized images and hardening base operating systems to create a trustworthy application base. SecureSpan is used as the security basis for countless military and intelligence applications. SecureSpan Gateways form the fundamental security infrastructure for the largest cloud project on the planet, which is run by the department of defense.
  • True Clustering Solution: Management of outgoing communications cannot become a bottleneck or a single point of failure. Layer 7 is the only vendor in this space that has a real clustering solution for scalability, fault tolerance, and ease of administration.
  • Multiple Deployment Options: Hardware appliance, software install, or virtual appliance. Choose what works best for your environment. Mix and match solutions at will.
  • Dynamic Policy Download: Layer 7 SecureSpan Gateways can automatically load policies from trusted downstream gateways or central repositories. We pioneered this use case between branch offices and home office, and it extends identically to the cloud

More on this in a following post, including some actual customer deployment scenarios with SaaS providers like Salesforce.com.

Leave a comment

Posted in Layer 7 Technologies

Tagged , , ,

eBizQ Forum Question: Is SOA Something Small to Medium-Size Businesses Can Work With?

Posted on August 6, 2009 | Leave a comment

My thoughts are here.

Leave a comment

Posted in Layer 7 Technologies

Tagged , ,

Application Governance Cannot Be Ignored On the Cloud

Posted on July 29, 2009 | Leave a comment

I had a good discussion the other day with Rob Barry of SearchSOA. He’s written it up here.

Rob really got it, and had a lot of interesting observations. He was particularly interested in the reasons for the current uptick in interest around SOA (and by extension, cloud) governance. I believe this is due to the realization that as you move to the cloud, even a single service merits a formal governance process. You can’t hide behind existing security infrastructure and internal policy, as you sometimes can when you are behind your corporate firewall.

Leave a comment

Posted in Layer 7 Technologies

Tagged ,

Cloud will change the roles in IT

Posted on July 24, 2009 | Leave a comment

Anytime something is commoditized, jobs change. Cloud is no exception. As enterprises move applications into off-premises cloud infrastructure, jobs will inevitably be eliminated, and roles will change. We’ve observed this effect for many years at Layer 7. New technologies like SOA demand that people break out of existing roles and take on new vision and responsibilities. The silos and job descriptions that were developed over the years in traditional IT departments cannot easily function in SOA (or by extension, in cloud). This is a great opportunity for the ambitious people to shine, but it also leaves people in its wake who can’t (or won’t) change with the times. When these people dig and and resist the change, they threaten the initiative and often stall the entire project. Cloud is going to face this significantly, particularly when it is being mandated from above.

Infoworld has an interesting article about how cloud will threaten certain IT jobs (and create new ones) here.

with the move to SOA is that new technology often demands entirely new roles and responsibilities be defined

Leave a comment

Posted in Layer 7 Technologies

Tagged , ,

Do Cloud Initiatives Come From IT or Corporate Mgmt?

Posted on July 24, 2009 | Leave a comment

Here’s a good example of how cloud initiatives will often be driven not by technical staff, but by management. Washington State Representative Reuven Carlyle is questioning the state IT department proposal for a traditional, $300M IT processing center in Olympia. He maintains that the proposal is not well thought through, and that the state (famously home to Amazon and Microsoft) should be instead looking at embracing cloud technologies.

I wrote about this in my white paper Steer Safely into the Clouds. Cloud is one of those rare technical trends that easily captures the imagination of non-technical organizational management. It’s just that accessible and compelling. My argument in the paper is that IT needs to be ready with a rigorous cloud strategy because the impetus to go to the cloud is likely to come from the boardroom, not the cubes.

More details here.

Leave a comment

Posted in Layer 7 Technologies

Tagged , ,

eBizQ Forum Question: Are Web Services Protocols Such as SOAP and REST and AJAX Effective for Building SOA Off of Mainframe, Large Systems or Legacy Environments?

Posted on July 23, 2009 | Leave a comment

Joe McKendrick poses this interesting question on the eBizQ forum. The question of when to use MOM, SOAP, REST is one that I’m really interested in.

Leave a comment

Posted in Layer 7 Technologies

Tagged , , , ,