Ensure Secure Data Exchange via HSMs
Enterprise-scale encryption and digital signing of all sensitive data shared across
SOA, Cloud, Web and mobile applications

Industries from defense to banking and finance, as well as government organizations, follow cryptographic best practices to
ensure security, privacy and data integrity when sharing sensitive information both within and beyond their enterprise
boundaries. But these enterprises are challenged to manage increasingly large and complex security architectures. After all,
identity and authorization are no longer about people: the focus is now squarely on systems and services. Rather than
extending traditional encryption, digital signing and authentication systems to manage the risks and meet the compliance
requirements of new initiatives that encompass SOA, cloud and mobile access to sensitive information, what is required is a
more flexible security framework that not only meets these emerging needs but also incorporates secure key management
and tamper-resistant cryptography.
For this reason, Layer 7 has integrated the Thales nShield™ family of nCipher Hardware Security Modules (HSMs) with Layer
7’s CloudSpan and SecureSpan families of SOA gateways.
Layer 7’s gateways act as policy-driven identity and security enforcement points that can be deployed both in the
enterprise and in the cloud to address a broad range of behind-the-firewall, SOA, B2B, API management and cloud security
challenges. With support for all leading directory, identity, access control, Single Sign-On (SSO) and federation services, Layer
7 provides unparalleled flexibility in defining and enforcing identity-driven security policies, leveraging SSO session cookies,
Kerberos tickets, SAML assertions and Public Key Infrastructure (PKI). Support for all major WS-* and WS-I security protocols
provides enterprise architects with advanced policy controls for specifying message-level and element-level security rules,
including the ability to branch policy on any message context. Layer 7 also ensures that enterprise application and
infrastructure services are protected against malicious attack and against accidental damage caused by poorly structured data.
Thales has a history of delivering industry-leading security solutions that allow organizations to protect data wherever it’s
stored and whenever it moves or is accessed inside the extended enterprise. To protect information that ranges from
'sensitive but unclassified' to 'top secret' military data, Thales ensures confidentiality, proof of identity, data integrity and non-
repudiation by allowing organizations to protect and manage the cryptographic keys that lie at the heart of an organization’s
trusted encryption, digital signing and authentication processes.
Both Layer 7’s gateways and Thales’ nCipher HSMs are certified to FIPS 140-2 Level 3 and Common Criteria EAL4+ standards,
delivering the highest levels of security and best-in-class performance. Together, the integrated Layer 7/Thales solution
provides encryption and digital signing for sensitive data shared across security boundaries (such as those spanning internal
enterprise domains, as well as enterprise-to-partner, enterprise-to-cloud or Web-to-mobile applications), thereby streamlining
compliance and regulatory tasks while delivering enterprise-grade security for organizations that require cryptographic best
Secure Data Exchange
The Layer 7/Thales solution is designed to address multi-domain issues, especially the need to maintain trust when exchanging
information with third parties. Layer 7 gateways act as Policy Enforcement Points (PEPs) located in the enterprise, allowing
organizations to layer on key control and visibility capabilities for all third party interactions. By creating and enforcing policies
on the Layer 7 gateway, organizations can determine how data is securely exchanged between which systems and services
interacting across security boundaries – all without coding.
In brokering connections between the enterprise and third parties, Layer 7 gateways provide not only protocol mediation and
data transformation, but also more traditional application-layer functionality such as caching and traffic throttling.
Additionally, cross-domain exchange of data often requires federated identity capabilities; these are provided by Layer 7’s
built-in Security Token Service (STS), which offers comprehensive support for SAML and OAuth.
The combination of Thales HSMs and Layer 7 gateways thus provides secure data exchange and lets organizations govern and
secure all of their third-party interactions.
Key Features

Identity and Message Level Security

Cryptography
  • Support for onboard Thales nShield Solo HSM and Thales nShield Connect network HSM
  • Support for elliptic curve cryptography (conforms to NSA’s Suite B algorithms)
  • FIPS 140-2 support in both hardware (Level 3) and software (Level 1)

Identity-based access to services and operations
  • Integration with all leading external identity, access, SSO and federation systems
  • Onboard identity store for administering identities and staging new services

Manage security for cross-domain and B2B relationships
  • Credential chaining, credential remapping and support for federated identity
  • Integrated STS/SAML issuer supports SAML 1.1/2.0 and Security Context Tokens
  • Integrated PKI CA for automated deployment and management of client-side certificates, plus RA capability for external CAs, including VeriSign

Web SSO
  • Support for Web browser STS, facilitating single sign-on for users logging into SaaS/cloud

Threat Protection

Filter XML content for Web 2.0 and SOA
  • Configurable validation and filtering of HTTP headers, parameters and form data
  • Detection of classified or “dirty” words or arbitrary signatures, with subsequent scrubbing, rejection or redaction of messages
  • Support for XML, SOAP, POX, AJAX, REST and other XML-based services

Transactional Integrity Protection
  • Protect against identity spoofing and session hijacking cluster-wide
  • Assure integrity of communication end-to-end

Prevent XML attack and intrusion
  • Protect against XML parser attacks, XML denial of service (XDoS) and OS attacks, and SQL and scripting-language injection attacks
  • Protection against XML content tampering and viruses in SOAP attachments
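The “Prevent XML attack and intrusion” row above is what a gateway does before a message reaches a backend parser. As an added illustration (this is example code, not Layer 7’s or Thales’ own), the following Python screen stream-parses a message with the standard-library expat parser, refuses any DOCTYPE (which blocks billion-laughs entity expansion and XXE before a single entity is expanded), and enforces size, nesting-depth and element-count limits. The limits MAX_BYTES, MAX_DEPTH and MAX_ELEMENTS are assumed values chosen for the demo, and all sample messages are constructed inline.

```python
"""Pre-parse XML threat screening of the kind an XML gateway applies before a
message reaches a backend parser.

Added illustrative example; not Layer 7's or Thales' code.  The policy limits
below are assumed values chosen for the demo; all sample messages are
constructed inline.
"""
import xml.parsers.expat

# Assumed policy limits (a real gateway would make these per-service settings).
MAX_BYTES = 64 * 1024     # reject oversized messages before parsing anything
MAX_DEPTH = 32            # deep nesting exhausts recursive backend parsers
MAX_ELEMENTS = 10_000     # element floods burn CPU and memory


class XmlThreatRejected(Exception):
    """Raised when a message violates the screening policy."""


def screen_xml(data: bytes) -> dict:
    """Stream-parse `data` without building a tree and enforce the policy.

    Any DOCTYPE is rejected outright: that blocks internal entity expansion
    (billion laughs, quadratic blowup) and external entities (XXE) before expat
    expands anything.  Returns {"depth", "elements"} for a clean message and
    raises XmlThreatRejected otherwise.
    """
    if len(data) > MAX_BYTES:
        raise XmlThreatRejected(f"message too large: {len(data)} bytes")

    stats = {"depth": 0, "elements": 0}
    cur_depth = 0

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlThreatRejected(f"DOCTYPE not allowed (root {name!r})")

    def entity_decl(*_):
        # Unreachable once DOCTYPE is refused; kept as defence in depth.
        raise XmlThreatRejected("entity declaration not allowed")

    def start_element(name, attrs):
        nonlocal cur_depth
        cur_depth += 1
        stats["elements"] += 1
        if cur_depth > MAX_DEPTH:
            raise XmlThreatRejected(f"nesting depth exceeds {MAX_DEPTH}")
        if stats["elements"] > MAX_ELEMENTS:
            raise XmlThreatRejected(f"element count exceeds {MAX_ELEMENTS}")
        stats["depth"] = max(stats["depth"], cur_depth)

    def end_element(name):
        nonlocal cur_depth
        cur_depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed XML is rejected too: never forward it to a backend that
        # might parse it more leniently than the gateway did.
        raise XmlThreatRejected(f"malformed XML: {exc}") from exc
    return stats


def verdict(data: bytes) -> str:
    """Policy decision as a string: 'ACCEPT' or 'REJECT: <reason>'."""
    try:
        screen_xml(data)
        return "ACCEPT"
    except XmlThreatRejected as exc:
        return f"REJECT: {exc}"


# Constructed sample messages.
SOAP_OK = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetBalance><account>12345</account></GetBalance></soap:Body>
</soap:Envelope>"""

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

XXE = b"""<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>"""

DEEP_NESTING = b"<a>" * 40 + b"</a>" * 40          # depth 40 > MAX_DEPTH
ELEMENT_FLOOD = b"<r>" + b"<x/>" * 20000 + b"</r>"  # ~80 KB > MAX_BYTES
MALFORMED = b"<a><b></a>"

if __name__ == "__main__":
    for label, msg in [("SOAP_OK", SOAP_OK), ("BILLION_LAUGHS", BILLION_LAUGHS),
                       ("XXE", XXE), ("DEEP_NESTING", DEEP_NESTING),
                       ("ELEMENT_FLOOD", ELEMENT_FLOOD), ("MALFORMED", MALFORMED)]:
        print(f"{label:15} {verdict(msg)}")
```

The size check runs before any parsing so an oversized flood never reaches expat, and the DOCTYPE handler fires on the first byte of the declaration, before any entity is defined or expanded. A gateway would apply these checks per service and log the rejection reason rather than returning it to the caller.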
SOA Governance

Runtime enforcement of governance policies
  • Enforce security policies, such as those that digitally sign and/or encrypt parts of the message, or issue security tokens to ensure proper authentication
  • Enforce compliance with policies, such as those that verify message structure and content against corporate, industry or government standards
  • Enforce reliability with policies, such as those that reroute traffic to facilitate failover, or throttle traffic to ensure availability and maintain quality of service

Centralized SLA enforcement/Quality of Service
  • Throttling/rate-limiting controls support service oversubscription with per-service throttling of excess messages
  • Service availability features include support for strict failover, round robin, and best effort
         Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan, CloudSpan and the Layer 7 Technologies design mark are
               trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
Transport and protocol mediation
  • Full support for Class of Service based message processing and routing based on identity, message content, time of day, etc.
  • Transport mediation between HTTP, HTTPS, MQ Series, JMS and raw TCP

API Management

API Publication
  • Secure, manage, monitor and control access to APIs exposed to third parties
  • API usage can be throttled so that backend services are not overwhelmed; limited by user, time of day, location, etc.; and quota managed (e.g., number of uses per user per day)

API Metrics and Reporting
  • Configurable, out-of-the-box reports provide insight into API performance: throughput, routing failures, utilization and availability rates, etc.
  • Failed authentications and/or policy violations can be tracked to identify patterns and potential

API Security
  • Support for all major WS-* and WS-I security protocols
  • Support for all major authentication and authorization standards, including SAML, Kerberos, digital signatures, X.509 certificates, LDAP, XACML, etc.

Logging & Reporting

Services Reporting
  • Configurable, out-of-the-box reports provide insight into SSG (SecureSpan Gateway) operations, service-level performance, and user experience

Customer Mapping
  • Report on service performance, policy violations and SLA conformance for specific customers, composites (i.e., processes and transactions using a service) or clients, to build a profile of actual enterprise/cloud user experience

Audit and Logging
  • Log message-level transaction information
  • Spool log data to off-board data stores and management systems

Thales nShield

Hardware Security Module
  • Protects encryption and signing keys on servers in a highly secure, tamper-resistant hardware module

Standards Support
  • FIPS 140-2 Level 2 and Level 3 validation
  • Common Criteria EAL4+
  • Optional support for Suite B elliptic curve cryptography (ECC)

Performance
  • Up to 6,000 signing transactions per second (TPS) with 1024-bit RSA keys; 3,000 TPS with 2048-bit RSA keys (note that 1024-bit RSA signing keys are deprecated under NIST SP 800-131A, so capacity for new deployments should be planned on the 2048-bit figure)
  • Hardware-accelerated cryptographic operations, including signing of digital certificates
  • Accelerated SSL termination with the embedded nShield Solo card

Form Factors
  • Thales nShield Solo 6000e PCI-E add-in card with tamper-resistant key storage
  • Thales nShield Connect 6000 network-attached 1U HSM server featuring dual hot-swap power supplies, 2x 1 Gigabit Ethernet ports and tamper-resistant key storage

Layer 7 Gateway Form Factors

Hardware
  • Active-active clusterable, dual power supply, mirrored hot-swappable drives, 2-way dual-core 1U server

Software
  • Solaris 10 for x86 and Niagara, SUSE Linux, Red Hat Linux 4.0/5.0

Virtual Appliance
  • VMware/ESX (VMware Ready certified)

Supported Standards
X.509 Certificates, FIPS 140-2, XML Signature, XML Encryption, SSL/TLS, SNMP, SMTP, IMAP4, HTTP/HTTPS, JMS, MQ Series,
Tibco EMS, FTP/FTPS, WS-Security, WS-Trust, WS-Federation, WS-SecureExchange, WS-Addressing, WS-SecureConversation,
WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WSIL, WS-I, WS-I BSP, UDDI, WSRR, MTOM, IPv6,

To learn more about Layer 7 call us today at +1 800.681.9377 (toll free within North America) or +1.604.681.9377.
You can also email us at info@layer7.com; friend us on facebook.com/layer7; visit us at layer7.com, or follow-us on
twitter @layer7.