Tag Archives: cloud governance

Upcoming Webinar: Controlling Your SOA Across The Global Enterprise and Cloud

I’ll be delivering a Webinar next week about Layer 7’s Enterprise Service Manager (ESM) product. ESM offers the global view of clusters of SecureSpan Gateways and the services under their management. Its functions fall into three main areas:

Enterprise-scale Management

  • Centrally manage and monitor all Gateways and associated services across the extended enterprise and into the cloud

Automated Policy Migration

  • Centrally approve and then push policy to any Gateway across the enterprise, automatically resolving environmental discrepancies

Disaster Recovery

  • Remotely manage, troubleshoot, backup and restore all Gateways, supporting full disaster recovery

ESM is an important tool for managing SOA in the Enterprise, but it also plays a critical role when SOA moves to the cloud. In addition to extending an organization’s visibility and control, ESM provides critical tools for automating the migration of policy to new environments.

I’ll go into this process in detail in the webinar. Hope to see you there. Here is the official abstract:

Organizations have begun extending their SOA initiatives beyond traditional enterprise boundaries to encompass third-party, geographically remote, and even cloud-based resources. As a result, the complexity associated with migrating applications across these environments (for example, from development in India to test in the cloud to production in a hosted data center) has increased exponentially. In this webinar from Layer 7, you will learn how topology and identity issues between environments, geographies and settings (i.e., enterprise vs. cloud) can be easily resolved and even automated, dramatically reducing migration risk.

You can sign up for this webinar at http://www.layer7tech.com/main/media/webinars.html.

Visualizing the Boundaries of Control in the Cloud

Two weeks ago, I delivered a webinar about new security models in the cloud with Anne Thomas Manes from Burton Group. Anne had one slide in particular, borrowed from her colleague Dan Blum, which I liked so much I actually re-structured my own material around it. Let me share it with you:

This graphic does the finest job I have seen of clearly articulating where the boundaries of control lie under the different models of cloud computing. Cloud, after all, is really about surrendering control: we delegate management of infrastructure, applications, and data to realize the benefits of commoditization. But successful transfer of control implies trust–and trust isn’t something we bestow easily onto external providers. We will only build this trust if we change our approach to managing cloud security.

Cloud’s biggest problem isn’t security; it’s the continuous noise around security that distracts us from the real issues and the possible solutions. It’s not hard to create a jumbled list of things to worry about in the cloud. It is considerably harder to come up with a cohesive model that highlights a fundamental truth and offers a new perspective from which to consider solutions. This is the value of Dan’s stack.

The issues in the cloud that scare us the most all fall predictably out of the change in control this environment demands. Enterprise IT has carefully constructed an edifice of trust based on its existing on-premise security models. Cloud challenges these models. Cloud rips pieces from the foundation of this trust, leaving a structure that feels unstable and untrustworthy.

We cannot simply maintain existing security models in the cloud; instead, we need to embrace a new approach to security that understands the give-and-take of control that is inherent to the cloud. This demands we recognize where we are willing to surrender control, acknowledge that this conflicts with our traditional model, and change our approach to assert control elsewhere. Over time we will gain confidence in the new boundaries, in our new scope of control, and in our providers–and out of this will emerge a new formal model of trust.

Let’s consider Infrastructure-as-a-Service (IaaS) as a concrete example. Physical security is gone; low-level network control is gone; firewall control is highly abstracted. If your security model–and the trust that derives from this–is dependent on controlling these elements, then you had better stay home or build a private cloud. The public cloud providers recognize this and will attempt to overlay solutions that resemble traditional security infrastructure; however, it is important to recognize that behind this façade, the control boundaries remain and the same stack elements fall under their jurisdiction. Trust can’t be invested in ornament.

If you are open to building a new basis for trust, then the public cloud may be a real option. “Secure services, not networks” must become your guiding philosophy. Build your services with the resiliency you would normally reserve for a DMZ-resident application. Harden your OS images with a similar mindset. Secure all transmissions in or out of your services by re-asserting control at the application protocol level. This approach to secure loosely coupled services was proven in SOA, and it is feasible and pragmatic in an IaaS virtualized environment. It is, however, a model for trust that departs from traditional network-oriented security thinking, and this is where the real challenge resides.

I Went for Coffee and RDS was Waiting for Me When I Returned

Here at Layer 7, we’ve been really excited about Amazon’s Relational Data Service (RDS) ever since they announced it last month. RDS is basically a managed MySQL v5.1 instance running in the Amazon infrastructure. The point of RDS is to provide another basic service that we all need all of the time, managed within the AWS ecosystem. It offers some great scaling options (in terms of instance sizing), but best of all, it provides automatic snapshotting of database instances. This revolutionizes EC2 because it solves the nagging persistence problem that we all face when we terminate instances. We’ve all come up with clever ways of dealing with this using S3 and EBS, but now it’s gotten much easier.

Since RDS is really MySQL under the covers, I had been hearing that it’s pretty easy to port to. We’ve been itching to play with it here, using Layer 7’s SecureSpan Gateway AMI that runs in EC2. Unfortunately, this Fall has been really busy, so none of us have had an opportunity to play with it until now.

The inimitable Jay Thorne, who is a musician first but holds down a day job here as Director of Development for the Tactical group, finally cleared an afternoon to put RDS through its paces. I had to step out for coffee with another of our execs, which turned into a longer-than-expected discussion. But by the time I got back, Jay was done: SecureSpan using persistent Amazon RDS storage. Hello, cloud registry/repository…

Here’s Jay’s summary, which I think speaks for itself:

Total elapsed time: 1.25 hours
Number of pdf documents read: 1
Number of web pages read: 3
Number of command copy/pastes from doc: 6
Number of dbs created by mistake until I got the zoning right: 2
Number of mistyped credentials until I learned to use a creds file: 7
Number of dumpfiles created source side: 1
Number of times I had to import to get it right: 1
Number of characters in the hostname of the db: 50
Number of hosts I put in the db firewall allow list: 1
Number of sets of user credentials I created: 1
Number of lines in our internal wiki article I wrote about this: 35
Number of bangs on the keyboard in frustration: 0


Webinar Available: New Security Model Requirements for the Cloud

Last week, Anne Thomas Manes, Research Director from Burton and I did a Webinar entitled New Security Model Requirements for the Cloud. It’s probably generated the most feedback of any webinar I’ve done. It’s now online, so have a look at it here.

Cloud Use Cases

Where does Layer 7 play in the cloud?

Here are the three basic scenarios we see all the time here at Layer 7 with our cloud customers:

1. Governing Access to External Cloud Apps

Problem: Employees can access cloud services with only a credit card and a browser

Solution: Use Layer 7 SecureSpan Gateway clusters to enforce policy and provide a consistent on-ramp to cloud services.

  • Control employee access
  • Maintain authoritative usage records
  • Provide simple on ramp for cloud services (apply cloud-specific security decorations, etc)

Deployment: Physical appliances for extremely high performance (featuring accelerated cryptography, hardware key management (HSM), and XML processing), software installation on existing server infrastructure, or virtual appliances deployed on commodity hardware. Deploy in clusters for policy synchronization and ease of administration.

Scenario 1

2. Governing Cloud Apps That Need Access to Internal Resources

Problem: Cloud applications (such as Salesforce.com) need access to internal resources (like directories, legacy data bases, mainframes, etc).

Solution: Use Layer 7 SecureSpan Gateway clusters in the DMZ to ensure that only authorized external services (and identities) are permitted access to mission-critical internal systems.

  • Authentication
  • Fine-grained authorization
  • Identity mapping
  • Threat detection
  • SLA enforcement (for example, throttling access rate to servers)
  • Automated internal failover

Deployment: Deploy SecureSpan Gateways in the DMZ to provide secure, managed access to internal network resources. Use hardware appliances for extremely high performance (featuring accelerated cryptography, hardware key management (HSM), and XML processing), software installation on existing server infrastructure, or virtual appliances deployed on commodity hardware. Deploy in clusters for policy synchronization and ease of administration.

Scenario 2

3. Cloud Application Security and Monitoring

Problem: How do you protect cloud applications?

Solution: Use Layer 7 SecureSpan Virtual Appliances to secure and manage all communications in or out of cloud applications.

  • Resident in-cloud
  • Automatic policy synchronization between other gateways
  • Rapid re-deployment and mapping of policy dependencies (IP addresses, etc) within cloud provider, or between cloud providers
  • Fine-grained service isolation
    • Secure container model or standalone gateway.

Deployment: Hardened and optimized virtual appliances deployed in the cloud. Appliances can be bound to individual machine images, or share responsibility for multiple image instances. Specific virtualized instances for VMWare or Xen-based clouds, or Amazon EC2.

Scenario 3

Why Choose Layer 7?

  • Experience in Cloud Technology: Layer 7 isn’t just another company jumping on the cloud bandwagon; we’ve been shipping fully supported, productized virtual appliances (not one-offs, nor proof-of-concepts) for over 2 1/2 years. Since the company’s founding in 2002, we have leveraged virtualization technologies. We draw on years of internal expertise in optimizing virtualized images and hardening base operating systems to create a trustworthy application base. SecureSpan is used as the security basis for countless military and intelligence applications. SecureSpan Gateways form the fundamental security infrastructure for the largest cloud project on the planet, which is run by the Department of Defense.
  • True Clustering Solution: Management of outgoing communications cannot become a bottleneck or a single point of failure. Layer 7 is the only vendor in this space that has a real clustering solution for scalability, fault tolerance, and ease of administration.
  • Multiple Deployment Options: Hardware appliance, software install, or virtual appliance. Choose what works best for your environment. Mix and match solutions at will.
  • Dynamic Policy Download: Layer 7 SecureSpan Gateways can automatically load policies from trusted downstream gateways or central repositories. We pioneered this use case between branch offices and home office, and it extends identically to the cloud.

More on this in a following post, including some actual customer deployment scenarios with SaaS providers like Salesforce.com.

Application Governance Cannot Be Ignored On the Cloud

I had a good discussion the other day with Rob Barry of SearchSOA. He’s written it up here.

Rob really got it, and had a lot of interesting observations. He was particularly interested in the reasons for the current uptick in interest around SOA (and by extension, cloud) governance. I believe this is due to the realization that as you move to the cloud, even a single service merits a formal governance process. You can’t hide behind existing security infrastructure and internal policy, as you sometimes can when you are behind your corporate firewall.

Do Cloud Initiatives Come From IT or Corporate Mgmt?

Here’s a good example of how cloud initiatives will often be driven not by technical staff, but by management. Washington State Representative Reuven Carlyle is questioning the state IT department proposal for a traditional, $300M IT processing center in Olympia. He maintains that the proposal is not well thought through, and that the state (famously home to Amazon and Microsoft) should be instead looking at embracing cloud technologies.

I wrote about this in my white paper Steer Safely into the Clouds. Cloud is one of those rare technical trends that easily captures the imagination of non-technical organizational management. It’s just that accessible and compelling. My argument in the paper is that IT needs to be ready with a rigorous cloud strategy because the impetus to go to the cloud is likely to come from the boardroom, not the cubes.

More details here.

Podcast: Security, Management & Compliance in the Cloud

This is the week for publishing podcasts. Here’s one I did recently with John Moran. We spoke in detail about what cloud governance really is and how this evolves out of your SOA governance program. Have a listen and give me your feedback.

eWeek: Managing Identity in the Cloud Podcast

I did a podcast recently with Mike Vizard of eWeek. Mike had some excellent questions around all the issues in managing identity and trust relationships in the cloud. This is one of those under-reported issues around cloud computing. Security always comes down to trust, and this is going to be the significant issue business faces as it moves applications out of its corporate network.

Listen to it here.

Upcoming Webinar with David Linthicum

Dave and I are co-presenting a webinar this Thursday, May 27th at 10am Pacific/1pm Eastern. The title is Cloud Control: Reducing the Risk for Cloud Deployments.

It’s going to be great to share the stage with Dave, whose work I have followed for a long time and is truly one of the great thought leaders in the SOA and cloud computing space.

Dave is going to introduce the key issues in cloud governance, and I’m going to present some concrete technological solutions that should be the foundation of your cloud governance program.

I hope you can join us. Register here.