Posted on: 4/4/2012. Public Domain.
Apply enterprise-scale encryption and digital signing of all shared sensitive data

Financial services companies, defense agencies and governmental organizations follow strict cryptographic best practice when sharing sensitive information. Managing the complex security architectures required to execute these best practices is becoming ever more challenging.
Ensure Secure Data Exchange via HSMs
Enterprise-scale encryption and digital signing of all sensitive data shared across SOA, Cloud, Web and mobile applications

Industries from defense to banking to finance, as well as government organizations, follow cryptographic best practices to ensure security, privacy and data integrity when sharing sensitive information both within and beyond their enterprise boundaries. But these enterprises are challenged to manage increasingly large and complex security architectures. After all, identity and authorization are no longer about people – the focus is now squarely on systems and services. Rather than extending traditional encryption, digital signing and authentication systems to manage the risks and meet compliance requirements for new initiatives that encompass SOA, cloud, and mobile access to sensitive information, what’s required is a more flexible security framework that not only meets these emerging needs, but also incorporates secure key management and tamper-resistant cryptography.

For this reason, Layer 7 has integrated the Thales nShield™ family of nCipher Hardware Security Modules (HSMs) with Layer 7’s CloudSpan and SecureSpan families of SOA gateways. Layer 7’s gateways act as policy-driven identity and security enforcement points that can be implemented both in the enterprise and in the cloud to address a broad range of behind-the-firewall, SOA, B2B, API management and Cloud security challenges. With support for all leading directory, identity, access control, Single Sign-On (SSO) and Federation services, Layer 7 provides unparalleled flexibility in defining and enforcing identity-driven security policies, leveraging SSO session cookies, Kerberos tickets, SAML assertions and Public Key Infrastructure (PKI). Support for all major WS* and WS-I security protocols provides enterprise architects with advanced policy controls for specifying message and element security rules, including the ability to branch policy based on any message context. Layer 7 also ensures enterprise application and infrastructure services are protected against malicious attack or accidental damage due to poorly structured data.

Thales has a history of delivering industry-leading security solutions that allow organizations to protect data wherever it’s stored and whenever it moves or is accessed inside the extended enterprise. To protect information that ranges from 'sensitive but unclassified' to 'top secret' military data, Thales ensures confidentiality, proof of identity, data integrity and non-repudiation by allowing organizations to protect and manage the cryptographic keys that lie at the heart of an organization’s trusted encryption, digital signing and authentication processes.

Both Layer 7’s gateways and Thales’ nCipher HSMs are certified to FIPS 140-2 Level 3 and Common Criteria EAL4+ standards, delivering the highest levels of security and best-in-class performance. Together, the integrated Layer 7/Thales solution provides encryption and digital signing for sensitive data shared across security boundaries (such as those spanning internal enterprise domains, as well as enterprise-to-partner, enterprise-to-cloud or Web-to-mobile applications), thereby streamlining compliance and regulatory tasks while delivering enterprise-grade security for organizations that require cryptographic best practices.

Secure Data Exchange

The Layer 7/Thales solution is designed to address multi-domain issues, especially the need to maintain trust when exchanging information with third parties. Layer 7 gateways act as Policy Enforcement Points (PEPs) located in the enterprise, allowing organizations to layer on key control and visibility capabilities for all third-party interactions.
By creating and enforcing policies on the Layer 7 gateway, organizations can determine how data is securely exchanged, and between which systems and services, across security boundaries – all without coding. In brokering connections between the enterprise and third parties, Layer 7 gateways provide not only protocol mediation and data transformation, but also more traditional application-layer functionality such as caching and traffic throttling. Additionally, cross-domain exchange of data often requires federated identity capabilities, which are provided by Layer 7’s built-in Secure Token Service (STS) with its comprehensive support for SAML and OAuth. The resulting combination of Thales HSMs and Layer 7 gateways implements secure data exchange, letting organizations govern and secure all their third-party interactions.

Key Features

Identity and Message Level Security

Cryptography
• Support for onboard Thales nShield Solo HSM and Thales nShield Connect network HSM
• Support for elliptic curve cryptography (conforms to NSA’s Suite B algorithms)
• FIPS 140-2 support in both hardware (Level 3) and software (Level 1)

Identity-based access to services and operations
• Integration with all leading external identity, access, SSO and federation systems
• Onboard identity store for administering identities and staging new services

Manage security for cross-domain and B2B relationships
• Credential chaining, credential remapping and support for federated identity
• Integrated STS/SAML issuer supports SAML 1.1/2.0 and Security Context Tokens
• Integrated PKI CA for automated deployment and management of client-side certificates, and RA capability for external CAs including Verisign

Web SSO
• Support for Web browser STS, facilitating single sign-on for users logging into SaaS/cloud applications

Threat Protection

Filter XML content for Web 2.0 and SOA
• Configurable validation and filtering of HTTP headers, parameters and form data
• Detection of classified or “dirty” words or arbitrary signatures, with subsequent scrubbing, rejection or redaction of messages
• Support for XML, SOAP, POX, AJAX, REST and other XML-based services

Transactional Integrity Protection
• Protect against identity spoofing and session hijacking cluster-wide
• Assure integrity of communication end-to-end

Prevent XML attack and intrusion
• Protect against XML parsing, XDoS and OS attacks; SQL and malicious scripting language injection attacks
• Protection against XML content tampering and viruses in SOAP attachments

SOA Governance

Runtime enforcement of governance policies
• Enforce security policies such as those that digitally sign and/or encrypt parts of the message; issue security tokens to ensure proper authentication, etc.
• Enforce compliance with policies such as those that verify message structure and content to meet corporate, industry or government standards, etc.
• Enforce reliability with policies such as those that reroute traffic to facilitate failover; throttle traffic to ensure availability and maintain quality of service, etc.

Centralized SLA enforcement/Quality of Service
• Throttling/rate limiting controls provide the ability to support service oversubscription with per-service throttling of excess messages
• Service availability features include support for strict failover, round robin, and best effort routing

Transport and protocol mediation
• Full support for Class of Service based message processing and routing based on identity, message content, time of day, etc.
• Transport mediation between HTTP, HTTPS, MQS, JMS, raw TCP

API Management

API Publication
• Secure, manage, monitor and control access to APIs exposed to third parties
• API usage can be throttled to ensure backend services are not overwhelmed; limited by user, time of day, location, etc.; and quota managed (i.e., # of uses / user / day)

API Metrics and Reporting
• Configurable, out-of-the-box reports provide insight into API performance: measure throughput, routing failures, utilization and availability rates, etc.
• Failed authentications and/or policy violations can be tracked to identify patterns and potential threats

API Security
• Support for all major WS* and WS-I security protocols
• Support for all major authentication and authorization standards, including SAML, Kerberos, digital signatures, X.509 certificates, LDAP, XACML, etc.

Logging & Reporting Services

Reporting
• Configurable, out-of-the-box reports provide insight into SSG operations, service-level performance, and user experience.

Customer Mapping
• Report on service performance, policy violations and SLA conformance based on specific customers, composites (i.e., processes and transactions using a service) or clients to build a profile of actual enterprise/cloud user experience.

Audit and Logging
• Log message-level transaction information
• Spool log data to off-board data stores and management systems

Thales nShield Hardware Security Module
• Protects encryption and signing keys on servers in a highly secure, tamper-resistant hardware module

Standards Support
• FIPS 140-2 Level 2 and Level 3 validation
• Common Criteria EAL4+
• Optional support for Suite B elliptic curve cryptography (ECC)

Performance
• Up to 6,000 signing transactions/sec (TPS) with 1K RSA keys; 3,000 TPS using RSA 2K bit keys
• Hardware-accelerated cryptographic operations, including signing of digital certificates
• Accelerated SSL termination with the embedded nShield Solo card

Form Factors
• Thales nShield Solo 6000e PCI-E add-in card with tamper-resistant key storage
• Thales nShield Connect 6000 network-attached, 1U HSM server featuring dual, hot-swap power supplies; 2x 1 Gigabit Ethernet ports; and tamper-resistant key storage

Layer 7 Gateway Form Factors

Hardware
• Active-active clusterable, dual power supply, mirrored hot-swappable drives, 2-way dual core 1U server

Software
• Solaris 10 for x86 and Niagara, SUSE Linux, Red Hat Linux 4.0/5.0

Virtual Appliance
• VMware/ESX (VMware Ready certified)

Supported Standards
XML, JSON, SOAP, REST, PCI-DSS, AJAX, XPath, XSLT, WSDL, XML Schema, LDAP, SAML, XACML, OAuth, PKCS, Kerberos, POP3, X.509 Certificates, FIPS 140-2, XML Signature, XML Encryption, SSL/TLS, SNMP, SMTP, IMAP4, HTTP/HTTPS, JMS, MQ Series, Tibco EMS, FTP/FTPS, WS-Security, WS-Trust, WS-Federation, WS-SecureExchange, WS-Addressing, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WSIL, WS-I, WS-I BSP, UDDI, WSRR, MTOM, IPv6, WCF

To learn more about Layer 7, call us today at +1 800.681.9377 (toll free within North America) or +1.604.681.9377. You can also email us at firstname.lastname@example.org; friend us on facebook.com/layer7; visit us at layer7.com; or follow us on Twitter @layer7.

Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan, CloudSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.