Share services securely across distributed organizations
Sharing services across distributed organizations is one of the keys to maximizing ROI in a SOA initiative. However, it can be a complex undertaking, involving issues of trust, identity management and access control. Matching the security details supplied by a Web service consumer to the security requirements demanded by the service provider is a fine balancing act. The SecureSpan XML VPN Client automatically coordinates security preferences between service consumers and providers. Combined with a SecureSpan Gateway and the Layer 7 Enterprise Service Manager, the XML VPN Client is a key part of Layer 7’s leading SOA identity solution. The VPN Client automates this solution and minimizes total cost of ownership.
SecureSpan™ XML VPN Client Solutions
Sharing services across distributed organizations is key to maximizing ROI in any SOA initiative, but
it can be a complex undertaking, involving issues of trust, identity management and access control.
In a Service Oriented Architecture (SOA), where services can invoke (and be invoked by) other services both within
and between security domains, ensuring proper authentication and authorization is challenging. The problem lies
in the fact that traditional Identity and Access Management (IAM) solutions are predicated on user-machine
interactions and cannot easily accommodate machine-to-machine interactions. One solution, based on XML-based
Web services, has been to securely embed identity and access information in every message.
However, matching the security details supplied in a Web service consumer’s request to the security requirements
demanded by the Web service provider is a fine balancing act, requiring constant updating of both consumer and
provider applications within an organization (in addition to regular out-of-band communications between
organizations) as industry regulations and corporate requirements change.
The SecureSpan XML VPN Client (XVC) streamlines consumer and provider interactions by automatically
negotiating the “handshake” between them. The handshake could be as simple as verifying that the client is
permitted to access the service, or as complex as ensuring that the request is properly encrypted, carries the
correct credentials, originates from a trusted domain, has been digitally signed, and so on.
Based on a scalable appliance model, Layer 7 provides a turnkey, reusable, and standards-based method for
overcoming the security challenges in a SOA:
• The SecureSpan XML Firewall or SOA Gateway (Gateway) is typically installed at the boundary of a Web
services security domain, gating inbound access and regulating outbound communication. Available as an
appliance, virtual appliance or software, the gateway performs various XML and Web services security
enforcement activities, including threat protection, access management, privacy enforcement, data validation,
routing, transformation, and auditing.
• The SecureSpan Manager (Manager) is used to create fine-grained, identity-based entitlements and security
policies for protected Web services. External credential, Public Key Infrastructure (PKI), and Single Sign-On
(SSO) sources can also be configured through the Manager.
• The SecureSpan XML VPN Client (XVC) automatically coordinates security preferences between service
consumers and providers.
While all three components work together to solve SOA’s identity problems, the XVC is key to automating the
solution and reducing total cost of ownership.
Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
Extend Existing Identity Management Infrastructure to SOA
To create a standard security model and lower the IT costs associated with maintaining large numbers of users and
their associated access privileges, most organizations have adopted Lightweight Directory Access Protocol (LDAP)
directories, Microsoft Active Directories (MSAD), Single Sign-On (SSO) systems or Identity and Access Management
(IAM) products (such as CA SiteMinder, IBM Tivoli Access Manager, Novell CentraSite, or Sun OpenSSO). While
these are proven solutions for ensuring that users are authenticated and restricted to those resources to which
they are entitled, they do nothing to address machine-to-machine interaction, which is a key function of any
Service Oriented Architecture (SOA).
While current generation LDAP, MSAD, SSO and IAM solutions can be extended to handle machine-based
identities, most don’t natively support the ability to make decisions based on Web service parameters like URL
address, SOAP Action, Operation name or XML element. Moreover, none address the challenge of implementing
an identity-based infrastructure in a SOA, which typically requires some form of digital certificate, token or other
credential to be embedded in a client’s request before that request will be accepted by a target service. New
technology is therefore necessary to help machine identities prove who they claim to be, and which resources they
can access.
The SecureSpan XML VPN Client (XVC) coordinates with the SecureSpan Gateway (Gateway) to overcome this
machine-to-machine identity problem. The Gateway is typically implemented at the perimeter of the Web services
provider’s domain, enforcing security policy and controlling access to Web services. Using the SecureSpan
Manager (Manager), an administrator can assemble policies that define a set of requirements needed to access a
Web service – requirements that might include such things as transport protocol, threat safeguards, access
permissions, signing and encryption expectations, and other preferences.
With the Gateway in place, the XVC can simply be installed on any client machine as a “drop in” solution to the
machine-to-machine communication problem. The XVC automatically intercepts messages destined for the Web
services provider, authenticating (and potentially authorizing) on behalf of the requesting application against the
appropriate source.
In this way, organizations can quickly extend their existing identity systems to encompass Web services and XML-
based interactions, laying the foundation to bridge independent trust environments while preserving local
authentication and authorization processes.
Integrate with Service Providers More Cost-effectively
Centralizing and standardizing organization-wide security requirements in an intermediary is one of the key
benefits of introducing the SecureSpan Gateway. Rather than depending on application developers to hard-code
security and other infrastructure requirements within a backend application or service provider, subject matter
experts create centralized policies that can be implemented and enforced on the Gateway, thereby generating
improved development and operational efficiency by eliminating the need to recode, retest and redeploy
applications when industry standards and/or corporate security parameters change.
In much the same way, organizations can leverage the XVC to effectively abstract out the security and other
infrastructure requirements from a service consumer, insulating the client-side application from policy changes
and ensuring continuity of business. For example:
• Insurance providers can realize increased revenues by making it easier for their broker network to do
business with them via rich, XML-based applications that won’t break when policies change
• Web services-based travel aggregation sites can derive increased margins by linking in new online tour
operators more cost-effectively
• Global logistics companies can gain a competitive advantage by onboarding new transport services in
diverse geographies quicker than the competition
• Healthcare providers can secure and streamline their interactions with third-party test labs and regional
health authorities
• And so on
Once installed on a client system, the XVC interfaces with service consumers, automatically negotiating policy-
specific security, routing, and transaction preferences with the Gateway in real time. Specifically, when client
applications attempt to send message requests to a Gateway-protected Web service, the XVC intercepts the
request and functions as a client-side proxy, applying necessary protocols, headers, or transformations to
messages as required by the policy in force on the Gateway. When a policy changes, the XVC automatically
retrieves and applies the updated policy so that all subsequent messages conform to it. This ensures rigorous,
fine-grained security with automated change control across all integrations, regardless of complexity.
For deployments that require encryption, the XVC can be used to automate client-side Public Key Infrastructure
(PKI) management. In conjunction with the Gateway’s internal Certificate Authority (CA), the XVC initiates the key
exchange, negotiates cryptographic algorithms, and issues Certificate Signing Requests (CSRs). The XVC can also
be used with any existing X.509 certificates or other CAs accessible to the SecureSpan administrator.
In this way, organizations can lower their total cost of application development and maintenance; dramatically
reduce the deployment time for client applications; create end-to-end security consistency by automatically
coordinating security across distributed systems; and “future proof” their investment by insulating their
architecture from changes to industry standards and corporate policies.
Onboard New Acquisitions Quicker
Acquiring companies is often a two-edged sword: while revenue potential escalates, costs balloon as the
organizations attempt to integrate their disparate infrastructure. In the long run, the organizations will realize
efficiencies by consolidating and standardizing on a single application, platform and infrastructure layer, but in the
short term they may be better off functioning as independent but interoperable business units. To do so, however,
the organizations will need to overcome problems with identity federation, which quickly arise as IT departments
try to bridge identities between separate security domains.
Identity bridging is a unique and powerful model that separates authentication and authorization tasks occurring
between security domains in a SOA, delegating authentication to the service requestor while preserving control
over authorization for the provider hosting the service.
Messages bound for a Gateway-protected Web service are intercepted by the XVC, which uses an established key
relationship to initiate an authentication request on behalf of the client application against the local authentication
source. The resultant artifact of the authentication (i.e., cookie or SAML assertion) and the originating identity are
bound into the message by the XVC, signed, sequenced, and forwarded to the provider’s Gateway for processing.
The Gateway then delegates authorization to the service provider by interfacing to the provider’s trusted
authorization source that validates requests.
Administrators can select the authorization model to be used by the Gateway on a service-by-service basis. When a
message is received by the Gateway, subsequent processing depends on the defined Web service security policy
for the requestor’s identity. The Gateway first checks the integrity of the bundled identity, the authentication
token, and the message itself. The authentication token is examined to ensure that it has not timed out, an
important consideration when using potentially long-lived cookies or SAML assertions. The certificate of the
trusted authentication source is used to verify the authenticity and source of the authentication token that is
presented. Additional policy processing can also be performed based on specific message elements or various
assertion-based requirements that are independent of identity or the authentication token.
Tight signed binding of the credentials and authentication evidence, combined with automatic sequencing, ensures
that no intermediate or replay attacks are possible even if the message is intercepted during transmission. This
binding also provides powerful transactional evidence for local auditing and non-repudiation.
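To make the identity-bridging flow above concrete (and the XVC's client-side proxy role described earlier), here is an added Python sketch that is not Layer 7's code; the page gives no implementation. It models the XVC binding the originating identity, the authentication token and a sequence number into one signed bundle, and the Gateway checking bundle integrity, token provenance, token timeout, identity-to-token match and sequence order. The key names, token layout and the use of HMAC (standing in for the certificate-based signatures the page describes) are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys (assumptions). HMAC stands in for the two
# certificate-based trust relationships the page describes: the trusted
# authentication source's certificate, and the XVC-to-Gateway key.
AUTH_SOURCE_KEY = b"constructed-auth-source-key"
XVC_KEY = b"constructed-xvc-gateway-key"


def _mac(key, obj):
    """Canonical JSON so signer and verifier hash identical bytes."""
    data = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_token(subject, now, ttl=300):
    """Local authentication source: a SAML-like assertion with a lifetime."""
    claims = {"subject": subject, "issued": now, "expires": now + ttl}
    return {"claims": claims, "sig": _mac(AUTH_SOURCE_KEY, claims)}


def bind_and_sign(identity, token, seq, body):
    """XVC role: bind identity, token and sequence number to the body and
    sign the whole bundle so no part can be swapped out or replayed."""
    env = {"identity": identity, "token": token, "seq": seq, "body": body}
    return {"env": env, "sig": _mac(XVC_KEY, env)}


class GatewayVerifier:
    """Gateway role: the checks in the order the page lists them."""

    def __init__(self):
        self.last_seq = {}  # highest sequence number accepted per identity

    def verify(self, msg, now):
        env = msg["env"]
        if not hmac.compare_digest(_mac(XVC_KEY, env), msg["sig"]):
            return "reject: bundle integrity"
        tok = env["token"]
        if not hmac.compare_digest(_mac(AUTH_SOURCE_KEY, tok["claims"]), tok["sig"]):
            return "reject: token not from trusted authentication source"
        if now >= tok["claims"]["expires"]:
            return "reject: token timed out"
        if tok["claims"]["subject"] != env["identity"]:
            return "reject: identity does not match token"
        if env["seq"] <= self.last_seq.get(env["identity"], 0):
            return "reject: replay or out-of-order sequence"
        self.last_seq[env["identity"]] = env["seq"]
        return "accept"
```

The per-identity high-water mark is the replay control; a real gateway would also persist it across restarts and bound clock skew on the timeout check.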
If the application already has a hard-coded authorization process, or if the incoming identity has no context within
the provider-side Web services’ security domain, the originating identity and token can be stripped out before
forwarding the message to the provider’s application for additional authorization. Again, the local audit trail that
exists for all transactions and administrative functions provides positive evidence for non-repudiation or regulatory
compliance issues.
In this way, organizations can bridge multiple security domains, whether those domains be internal to the
organization (for example, across the Chinese Wall separating retail banking from investment banking), separated
globally (as between regional branch offices), or between head office and third-party service providers.
The SecureSpan XML VPN Client can be deployed in conjunction with all currently shipping versions of
the SecureSpan XML Firewall and SecureSpan SOA Gateway appliances, soft appliances and software
versions.
To learn more about how Layer 7 can address your needs, call us today at +1 800.681.9377 (toll free
within North America) or +1.604.681.9377 or visit us at www.layer7tech.com.