SecureSpan XML VPN Client Solutions

Share services securely across distributed organizations

Sharing services across distributed organizations is key to maximizing ROI in any SOA initiative, but it can be a complex undertaking, involving issues of trust, identity management and access control. In a Service Oriented Architecture (SOA), where services can invoke (and be invoked by) other services both within and between security domains, ensuring proper authentication and authorization is challenging. The problem lies in the fact that traditional Identity and Access Management (IAM) solutions are predicated on user-to-machine interactions and cannot easily accommodate machine-to-machine XML interactions. One solution, based on XML-based Web services, has been to securely embed identity and access information in every message. However, matching the security details supplied in a Web service consumer’s request to the security requirements demanded by the Web service provider is a fine balancing act, requiring constant updating of both consumer and provider applications within an organization (in addition to regular out-of-band communications between organizations) as industry regulations and corporate requirements change.

The SecureSpan XML VPN Client (XVC) streamlines consumer and provider interactions by automatically negotiating the “handshake” between them. The handshake could be as simple as verifying that the client is permitted to access the service, or as complex as ensuring that the request is properly encrypted, carries the correct credentials, originates from a trusted domain, has been digitally signed, and so on.
Based on a scalable appliance model, Layer 7 provides a turnkey, reusable, and standards-based method for overcoming the security challenges in a SOA:

• The SecureSpan XML Firewall or SOA Gateway (Gateway) is typically installed at the boundary of a Web services security domain, gating inbound access and regulating outbound communication. Available as an appliance, virtual appliance or software, the Gateway performs various XML and Web services security enforcement activities, including threat protection, access management, privacy enforcement, data validation, routing, transformation, and auditing.
• The SecureSpan Manager (Manager) is used to create fine-grained, identity-based entitlements and security policies for protected Web services. External credential, Public Key Infrastructure (PKI), and Single Sign-On (SSO) sources can also be configured through the Manager.
• The SecureSpan XML VPN Client (XVC) automatically coordinates security preferences between service consumers and providers.

While all three components work together to solve SOA’s identity problems, the XVC is key to automating the solution and reducing total cost of ownership.

Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.

Extend Existing Identity Management Infrastructure to SOA

To create a standard security model and lower the IT costs associated with maintaining large numbers of users and their associated access privileges, most organizations have adopted Lightweight Directory Access Protocol (LDAP) directories, Microsoft Active Directories (MSAD), Single Sign-On (SSO) systems or Identity and Access Management (IAM) products (such as CA SiteMinder, IBM Tivoli Access Manager, Novell CentraSite, or Sun OpenSSO).
While these are proven solutions for ensuring that users are authenticated and restricted to those resources to which they are entitled, they do nothing to address machine-to-machine interaction, which is a key function of any Service Oriented Architecture (SOA). While current generation LDAP, MSAD, SSO and IAM solutions can be extended to handle machine-based identities, most don’t natively support the ability to make decisions based on Web service parameters like URL address, SOAP Action, Operation name or XML element. Moreover, none address the challenge of implementing an identity-based infrastructure in a SOA, which typically requires some form of digital certificate, token or other credential to be embedded in a client’s request before that request will be accepted by a target service. New technology is therefore necessary to help machine identities prove who they claim to be, and which resources they can access.

The SecureSpan XML VPN Client (XVC) coordinates with the SecureSpan Gateway (Gateway) to overcome this machine-to-machine identity problem. The Gateway is typically implemented at the perimeter of the Web services provider’s domain, enforcing security policy and controlling access to Web services. Using the SecureSpan Manager (Manager), an administrator can assemble policies that define a set of requirements needed to access a Web service – requirements that might include such things as transport protocol, threat safeguards, access permissions, signing and encryption expectations, and other preferences. With the Gateway in place, the XVC can simply be installed on any client machine as a “drop in” solution to the machine-to-machine communication problem. The XVC automatically intercepts messages destined for the Web services provider, authenticating (and potentially authorizing) on behalf of the requesting application against the appropriate source.
In this way, organizations can quickly extend their existing identity systems to encompass Web services and XML-based interactions, laying the foundation to bridge independent trust environments while preserving local authentication and authorization processes.

Integrate with Service Providers More Cost-effectively

Centralizing and standardizing organization-wide security requirements in an intermediary is one of the key benefits of introducing the SecureSpan Gateway. Rather than depending on application developers to hard-code security and other infrastructure requirements within a backend application or service provider, subject matter experts create centralized policies that can be implemented and enforced on the Gateway, thereby generating improved development and operational efficiency by eliminating the need to recode, retest and redeploy applications when industry standards and/or corporate security parameters change. In much the same way, organizations can leverage the XVC to effectively abstract out the security and other infrastructure requirements from a service consumer, insulating the client-side application from policy changes and ensuring continuity of business.
For example:

• Insurance providers can realize increased revenues by making it easier for their broker network to do business with them via rich, XML-based applications that won’t break when policies change
• Web services-based travel aggregation sites can derive increased margins by linking in new online tour operators more cost-effectively
• Global logistics companies can gain a competitive advantage by onboarding new transport services in diverse geographies quicker than the competition
• Healthcare providers can secure and streamline their interactions with third-party test labs and regional health authorities
• And so on

Once installed on a client system, the XVC interfaces with service consumers, automatically negotiating policy-specific security, routing, and transaction preferences with the Gateway in real time. Specifically, when client applications attempt to send message requests to a Gateway-protected Web service, the XVC intercepts the request and functions as a client-side proxy, applying necessary protocols, headers, or transformations to messages as required by the policy in force on the Gateway. Policies are automatically retrieved and applied by the XVC to ensure all subsequent messages conform to the updated policy. This ensures rigorous, fine-grained security with automated change control across all integrations, regardless of complexity.

For deployments that require encryption, the XVC can be used to automate client-side Public Key Infrastructure (PKI) management. In conjunction with the Gateway’s internal Certificate Authority (CA), the XVC initiates the key exchange, negotiating cryptographic algorithms, and invoking Certificate Signing Requests (CSRs).
The XVC can also be used with any existing X.509 certificates or other CAs accessible to the SecureSpan administrator. In this way, organizations can lower their total cost of application development and maintenance; dramatically reduce the deployment time for client applications; create end-to-end security consistency by automatically coordinating security across distributed systems; and “future proof” their investment by insulating their architecture from changes to industry standards and corporate policies.

Onboard New Acquisitions Quicker

Acquiring companies is often a two-edged sword: while revenue potential escalates, costs balloon as the organizations attempt to integrate their disparate infrastructure. In the long run, the organizations will realize efficiencies by consolidating and standardizing on a single application, platform and infrastructure layer, but in the short term they may be better off functioning as independent but interoperable business units. To do so, however, the organizations will need to overcome problems with identity federation, which quickly arise as IT departments try to bridge identities between separate security domains.

Identity bridging is a unique and powerful model that separates authentication and authorization tasks occurring between security domains in a SOA, delegating authentication to the service requestor while preserving control over authorization for the provider hosting the service. Messages bound for a Gateway-protected Web service are intercepted by the XVC, which uses an established key relationship to initiate an authentication request on behalf of the client application against the local authentication source. The resultant artifact of the authentication (i.e., cookie or SAML assertion) and the originating identity are bound into the message by the XVC, signed, sequenced, and forwarded to the provider’s Gateway for processing.
The Gateway then delegates authorization to the service provider by interfacing to the provider’s trusted authorization source that validates requests. Administrators can select the authorization model to be used by the Gateway on a service-by-service basis.

When a message is received by the Gateway, subsequent processing depends on the defined Web service security policy for the requestor’s identity. The Gateway first checks the integrity of the bundled identity, the authentication token, and the message itself. The authentication token is examined to ensure that it has not timed out, an important consideration when using potentially long-lived cookies or SAML assertions. The certificate of the trusted authentication source is used to verify the authenticity and source of the authentication token that is presented. Additional policy processing can also be performed based on specific message elements or various assertion-based requirements that are independent of identity or the authentication token. Tight signed binding of the credentials and authentication evidence, combined with automatic sequencing, ensures that no intermediate or replay attacks are possible even if the message is intercepted during transmission. This binding also provides powerful transactional evidence for local auditing and non-repudiation.

If the application already has a hard-coded authorization process, or if the incoming identity has no context within the provider-side Web services’ security domain, the originating identity and token can be stripped out before forwarding the message to the provider’s application for additional authorization.
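The Gateway-side checks described above (binding integrity, token lifetime, token source, sequencing), as an added illustrative example that is not Layer 7's code: a minimal verifier over a constructed message format. It assumes HMAC keys as a stand-in for the product's X.509 certificates and the XVC's established key relationship, and the key names, message fields and sample values are constructed.

```python
import hashlib, hmac, json, time

# Constructed keys (assumption): HMAC stands in for the X.509 certificates and the
# XVC "established key relationship" the product uses.
AUTH_SOURCE_KEYS = {"broker-idp": b"constructed-idp-key"}  # trusted authentication sources
CLIENT_KEYS = {"broker-app-01": b"constructed-xvc-key"}    # XVC installations by name

def _mac(key, fields):
    # Canonical serialisation so signer and verifier hash exactly the same bytes.
    return hmac.new(key, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue_token(subject, issuer, lifetime, now=time.time):
    # Stand-in for the artifact of local authentication (cookie or SAML assertion).
    tok = {"subject": subject, "issuer": issuer, "expires": now() + lifetime}
    return {**tok, "sig": _mac(AUTH_SOURCE_KEYS[issuer], tok)}

def bind_message(client, identity, token, seq, body):
    # XVC side: identity, token, sequence number and body under one signature.
    env = {"client": client, "identity": identity, "token": token, "seq": seq, "body": body}
    return {**env, "sig": _mac(CLIENT_KEYS[client], env)}

class GatewayVerifier:
    def __init__(self, now=time.time):
        self.now = now
        self.last_seq = {}  # highest sequence number accepted per client

    def check(self, msg):
        # 1. Integrity of the bundled identity, token and message (the XVC signature).
        ckey = CLIENT_KEYS.get(msg.get("client"))
        env = {k: v for k, v in msg.items() if k != "sig"}
        if ckey is None or not hmac.compare_digest(_mac(ckey, env), msg.get("sig", "")):
            return "reject: binding signature invalid"
        # 2. Token lifetime: long-lived cookies or assertions must not be honoured past expiry.
        tok = msg["token"]
        if tok["expires"] <= self.now():
            return "reject: token expired"
        # 3. Token authenticity and source, checked against the trusted authentication source's key.
        ikey = AUTH_SOURCE_KEYS.get(tok.get("issuer"))
        tok_fields = {k: v for k, v in tok.items() if k != "sig"}
        if ikey is None or not hmac.compare_digest(_mac(ikey, tok_fields), tok.get("sig", "")):
            return "reject: token not from a trusted authentication source"
        if tok["subject"] != msg["identity"]:
            return "reject: token subject does not match bound identity"
        # 4. Sequencing: a captured message cannot be replayed with the same or a lower number.
        if msg["seq"] <= self.last_seq.get(msg["client"], 0):
            return "reject: replay (sequence not increasing)"
        self.last_seq[msg["client"]] = msg["seq"]
        return "accept"
```

Stripping the identity and token before forwarding to the backend, as the text describes for applications with their own authorization, would happen after `check` returns "accept".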
Again, the local audit trail that exists for all transactions and administrative functions provides positive evidence for non-repudiation or regulatory compliance issues. In this way, organizations can bridge multiple security domains, whether those domains be internal to the organization (for example, across the Chinese Wall separating retail banking from investment banking), separated globally (as between regional branch offices), or between head office and third-party service providers.

The SecureSpan XML VPN Client can be deployed in conjunction with all currently shipping versions of the SecureSpan XML Firewall and SecureSpan SOA Gateway appliances, soft appliances and software versions.

To learn more about how Layer 7 can address your needs, call us today at +1 800.681.9377 (toll free within North America) or +1.604.681.9377 or visit us at www.layer7tech.com.