Automated Policy Enforcement by ert554898


Automated Policy Enforcement

Adam Vincent, Layer 7 Federal Technical Director

Automated Policy Enforcement Overview

• A service is not actually a reusable service until it has completed
  governance processes and is ready to meet run-time governance requirements.

  – The challenges of run-time SOA governance
  – Critical elements for a run-time governance framework
  – The path from automated policy enforcement to governance
SOA Implementation Challenges

•   Delivering on the promise of SOA
     – How to implement business process
     – How to avoid “broken” integrations

•   Maintaining Security
     – Where to enforce security
     – Ensuring end-to-end security

•   Ensuring Compliance
     – Instrumentation of the path and ensuring integrity
     – Providing validation and alerting mechanisms

•   Automation
     – Providing the tools to manage the system
     – Fitting into existing internal processes
Run-Time SOA Governance: Requirements and Product Mappings

•   Requirements:
     – Identity and Trust Control Process
         • Authenticating and certifying identities
     – Policy Definition Environment
         • Tailor security (and other) policies to each service consumer and
           provider relationship
     – Automated Policy Provisioning and Coordination
         • Establish policies that can be distributed, verified and managed
     – Compliance Verification
         • Enforce, audit, alert and report compliance to policies

•   Product Mappings:
     – Identity and Trust Control Framework
         • Directories, Single Sign-On, Federation, PKI
     – Policy Definition Environment
         • Integrated Development Environments, Identity and Access
           Management Systems, Web Services Policy Editors
     – Automated Policy Provisioning and Coordination
         • Registries, Repositories, Policy Management Systems
     – Compliance Verification Framework
         • Policy Application Points, Policy Enforcement Points, Management
           Systems, Reporting Tools, Alerting and Correlation Systems
With all these products what's missing?

(Diagram: Manual Governance Processes (Design-Time Governance) cover the
Policy Definition Environment and the Compliance Verification Framework;
Technical Governance Tools (Design-Time/Run-Time Governance) cover the
Identity and Trust Control Process and Automated Policy Provisioning and
Coordination.)

We cannot support RAPID service design, delivery and change in accordance
with the governance requirements in a manual fashion. Service lifecycle and
governance must be automated wherever
Corporate And Architecture Drivers: “Runtime Policy” Framework

Corporate Policy Drivers (Inputs)
-Manual Governance
-Compliance
-Security
-Classification Levels

Corporate Architectural Drivers (Inputs)
-Flexibility and Reuse
-Platform Independence
-Integration with existing infrastructure
-Security, Scalability, Availability, Performance

Runtime Policy
Security: -WS-Security -X509TokenProfile -SAMLTokenProfile -XML Encryption -XML Signatures
SLA: -Response Time -Availability -IP Range, ToD -Throughput Limits -Non-repudiation
Reliability: -WS-RM
Platform: -Load Balancing -WS-Addressing
Transport: -HTTP -TLS -JMS
Threat Protection: -Schema Validation -Virus Scanning -Attachments
Message X-Form: -Data Structures
The Evolution of a Service (not automated)

(Diagram: Service Design and Policy Design feed Run-Time Policy Enforcement
in two separate stages, QA/Test Run-Time and Deploy Run-Time; each stage
carries its own Security, Monitoring, Compliance and Run-Time Governance
Configuration, set up by hand for Test/QA and again for Deploy.)

Policy Enforcement Automation

(Diagram: Service Design and Policy Design feed a single Policy Automation
step; once the policy is "Approved!", it is pushed to both the QA/Test
Run-Time and the Deploy Run-Time, each with Security, Monitoring and
Compliance.)
Future Vision of Service Deployment Automation

(Diagram: a Run-Time Governance Layer providing Monitoring and Compliance
sits between the user ("USE") and the QA/Test or Production environments,
fronting both the QA/Test Run-Time and the Deploy Run-Time.)
• Run-Time Governance Builds On Existing Infrastructure
   – Identity, security, provisioning, management …

• Run-Time Governance Starts With Policies
   – Must be concise and enforceable
   – Must fit into overall business process

• Run-Time Governance Requires Enforcement and Reporting
   – Enforcement is critical first step in implementation
   – Continuous reporting on compliance is important
   – Needs to be consistent and manageable

• SOA Governance Is a Goal, Not a Product
   – No single solution, but many products can help
   – Good choices can meet immediate and long-term needs
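The “Runtime Policy” framework slide enumerates the policy dimensions a run-time governance layer enforces (consumer IP range and time of day, throughput limits, schema validation, required security tokens), and the closing slide states that enforcement must be paired with continuous compliance reporting. The following is an added example, not code from this deck or from Layer 7: a small policy enforcement point written in Python that evaluates each request against a declarative policy covering several of those categories, denies anything that violates it (or that has no policy at all), and keeps an audit trail from which a compliance report and alert list are produced. The service names, policy values, header name and request data are all constructed for illustration.

```python
# Added example (not from the Layer 7 deck): a minimal policy enforcement
# point (PEP) for a run-time governance layer. Policy is data, enforcement is
# one evaluate() call, and every decision is recorded for compliance reporting.
# All service names, policy values and requests below are constructed.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
import re


@dataclass
class Policy:
    service: str
    allowed_cidrs: tuple        # SLA: permitted consumer IP ranges
    hours: tuple                # SLA: (start, end) hour of day, end exclusive
    max_per_minute: int         # SLA: throughput limit per consumer IP
    required_headers: tuple     # Security: headers a consumer must present
    schema: dict                # Threat protection: body field -> regex


@dataclass
class Request:
    service: str
    source_ip: str
    when: datetime
    headers: dict
    body: dict


class EnforcementPoint:
    """Evaluates requests, keeps an audit trail, raises alerts on violations."""

    def __init__(self, policies):
        self.policies = {p.service: p for p in policies}
        self.audit = []      # one record per decision (compliance trail)
        self.alerts = []     # one record per denied request
        self._counts = {}    # (service, ip, minute) -> requests seen

    def evaluate(self, req):
        policy = self.policies.get(req.service)
        # Deny by default: a service with no policy is ungoverned.
        violations = self._check(policy, req) if policy else ["no-policy"]
        allowed = not violations
        record = {"service": req.service, "ip": req.source_ip,
                  "time": req.when.isoformat(), "allowed": allowed,
                  "violations": violations}
        self.audit.append(record)
        if not allowed:
            self.alerts.append(record)
        return allowed, violations

    def _check(self, policy, req):
        violations = []
        ip = ip_address(req.source_ip)
        if not any(ip in ip_network(c) for c in policy.allowed_cidrs):
            violations.append("ip-range")
        start, end = policy.hours
        if not start <= req.when.hour < end:
            violations.append("time-of-day")
        for header in policy.required_headers:
            if header not in req.headers:
                violations.append("missing-header:" + header)
        for name, pattern in policy.schema.items():
            value = req.body.get(name)
            if value is None or not re.fullmatch(pattern, str(value)):
                violations.append("schema:" + name)
        # Throughput: count every request in the (service, ip, minute) window.
        key = (req.service, req.source_ip, req.when.strftime("%Y%m%d%H%M"))
        self._counts[key] = self._counts.get(key, 0) + 1
        if self._counts[key] > policy.max_per_minute:
            violations.append("throughput")
        return violations

    def compliance_report(self):
        by_reason = {}
        for rec in self.audit:
            for v in rec["violations"]:
                by_reason[v] = by_reason.get(v, 0) + 1
        return {"total": len(self.audit), "denied": len(self.alerts),
                "by_reason": by_reason}


def demo_policy():
    # Constructed policy for a hypothetical OrderService.
    return Policy(service="OrderService", allowed_cidrs=("10.20.0.0/16",),
                  hours=(8, 18), max_per_minute=2,
                  required_headers=("X-Request-ID",),
                  schema={"order_id": r"ORD-\d{6}", "quantity": r"[1-9]\d{0,3}"})


def demo_requests():
    # Constructed traffic: one clean request, then one violation per category.
    ok = {"order_id": "ORD-000123", "quantity": "5"}
    hdr = {"X-Request-ID": "r1"}

    def at(h, m, s):
        return datetime(2024, 1, 15, h, m, s)

    return [
        Request("OrderService", "10.20.5.7", at(10, 0, 0), hdr, ok),
        Request("OrderService", "192.168.1.9", at(10, 0, 5), hdr, ok),
        Request("OrderService", "10.20.5.7", at(22, 15, 0), hdr,
                {"order_id": "ORD-12", "quantity": "5"}),
        Request("OrderService", "10.20.5.7", at(10, 0, 20), hdr, ok),
        Request("OrderService", "10.20.5.7", at(10, 0, 40), hdr, ok),
        Request("InventoryService", "10.20.5.7", at(10, 30, 0), hdr, ok),
    ]


def run_demo():
    pep = EnforcementPoint([demo_policy()])
    decisions = [pep.evaluate(r) for r in demo_requests()]
    return decisions, pep.compliance_report()


if __name__ == "__main__":
    decisions, report = run_demo()
    for d in decisions:
        print(d)
    print(report)
```

Two design points worth noting: the PEP never holds policy in code, so a policy change is a data change that can be provisioned to the QA/Test and Deploy run-times alike, which is the automation step the deck argues for; and the audit list records allowed requests as well as denials, because a compliance report that only counts failures cannot show what fraction of traffic was actually governed.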
