Identity Federation for Web Services: An Overview

Document Sample
Identity Federation for Web Services: An Overview Powered By Docstoc
					Identity Federation in Web Services
Securely Exchanging Identity across Domains




                                 Layer 7 Technologies

                    White Paper
Identity Federation in Web Services


Contents

                                             ................................................................................................
Introduction ................................................................                                .................................................. 3
                     ................................................................................................................................ 3
The Identity Problem ................................                                                                ....................................
                            ................................................................................................
   Integration and Isolation................................                                ........................................................... 3
                 ................................................................................................................................
   Identity Silos................................                                                                .............................................. 3
         Departmental                                                                                         ............................
   Cross-Departmental Application Integration ............................................................................................ 4
                        ............................................................................................................................... 5
   Legacy System Access ................................                                                                ...............................
                                                                                                      ........................................ 5
   Corporate Mergers and Acquisitions ................................................................................................
                             ................................................................................................
   External Trading Partners ................................                                ......................................................... 5
                                                                                                      ........................................... 5
Approaches to Bridging Identity Silos ................................................................................................
                      ................................................................................................................................ 5
   Custom Hard-Coding ................................                                                                .................................
                          ............................................................................................................................... 6
   Identity Consolidation ................................                                                                ...............................
                            ................................................................................................
   Directory Synchronization................................                                ......................................................... 6
                             ................................................................................................
   Single Sign-On Approaches ................................                                ....................................................... 6
                      ................................................................................................................................ 7
The Role of Standards ................................                                                                ...................................
                              ................................................................................................
Addressing Identity Isolation ................................                                ........................................................ 8
                       ................................................................................................................................ 8
   Simple and Effective................................                                                                ..................................
                                            ................................................................................................
   Flexible ................................................................                                ...................................................... 8
                   ................................................................................................................................
   Standards-Based ................................                                                                ....................................... 9
                    ................................................................................................................................
   Turnkey Solution ................................                                                                ....................................... 9
                 ................................................................................................................................
   Local Control ................................                                                                ............................................. 9
                                          ................................................................................................
   Secure ................................................................                                ....................................................... 9
                                           ................................................................................................
Conclusion ................................................................                                ..................................................... 9
                           ................................................................................................
About Layer 7 Technologies ................................                                ........................................................ 10
                             ................................................................................................
Contact Layer 7 Technologies ................................                                ..................................................... 10
                  ................................................................................................................................
Legal Information ................................                                                                ........................................ 10




                                             ogies
             Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
            trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
                                                                                yrights                                                                                2
   Identity Federation in Web Services


   Introduction
         based
   XML-based Web services are a powerful vehicle for reusing shared application logic across diverse business
   processes. These processes often need to traverse multiple departments, business units, and partners residing in
   separate security domains with independent preferences, capabilities, and requirements. As a consequence,
   serious communication, propagation and processing problems arise as each independent security do domain
   attempts to share Web services and applications. This problem, known as a “federation” problem, complicates and
                      spread
   restricts the wide-spread implementation of Web services.

                                                              two-fold communication issue. First, how does an
   The fundamental challenge in the federation problem is a two
   application in one security domain determine access rights for the identities coming from another security
   domain? Secondly, with application to application communication, how does one application determine those
                    hout
   access rights without first knowing which identities are entitled to access the originating application? Several
   technologies and standards have been proposed to address the identity federation problem for the World Wide
          ut
   Web, but until now, the problem for Web services has been unresolved. In order to reach their potential in the
   modern extended enterprise, Web services must be able to effectively bridge application identities across diverse
                                                                                   federation
   security domains. This paper presents a solution to the Web services identity federation problem that fulfills this
                                                                                                             is.
   requirement, and allows the technology of Web services to be fully utilized as the powerful tool that it is


   The Identity Problem
   Integration and Isolation
   In today’s business climate, most organizations have a variety of specialized applications that serve functional
                            day          operations. From general ledger, to order management, to resource
   areas critical to day-to-day business operati
   management, many of these applications were developed in isolation at different points in time. This can happen
                                  organically as new applications are introduced gradually over time, or abruptly as
Applications residing                w
                                  new applications are added suddenly due to mergers or acquisitions. These
                                  applications are often associated with the core business processes that drive
 in different security
                                  revenues. The term “application silo” is frequently used to describe the negative
domains often spawn                                isolated                             off
                                  effects of these isolate monolithic applications, one-off interfaces, and disparate
identity silos, posing            data schemas.
a significant hurdle to
    any integration               Critical application functions do not live in a vacuum. Since varying degrees of
technology, including             interaction between applications is essential, well understood integration
                                  technologies—like CORBA, RMI, COM/DCOM, and RPC—have evolved to help
                                  technologies                                               have
     Web Services                 integrate applications into business processes. Web services are simply the most
                                  recent effort for making integration technology responsive to business needs. Unlike
                                            interoperable
   past efforts, Web services enable the interoperable sharing of reusable application components across any number
   of diverse applications or platforms. But Web services has not overcome one of the principal problems associated
                                                                                     wn
   with all prior integration technologies: namely that application silos often spawn corresponding identity silos,
   where identity silos are significant hurdles to the successful integration of applications residing in different security
   domains.

   Identity Silos
                                          h                      end-users,
   Before applications can interact with other applications or end users, some form of access control is usually
   applied. At a minimum, access control consists of both authentication and authorization. Authentication involves
                                                                           olves
   the presentation and validation of credentials, and authorization involves granting access, rights, or entitlements
   based on the interpretation of the authentication results. In short, applications take the presented credentials,
                                                                                           provider,
   initiate a validation of the credentials by contacting an appropriate identity store or provider, and receive back a
   success or failure result, as well as other related information. This information is then subjected to some form of
   access control policy or business logic, and the identity is granted or denied rights accordingly. When integrating
   applications via Web services, identical mechanisms for authentication and authorization are used.
                                             ogies
             Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
            trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
                                                                                yrights                                                3
  Identity Federation in Web Services



  For consistent management, identities are typically stored in the same security domain as the application. An
                                                human user, or a group of users, and consist of elements such as
  identity may represent another application, a hu
  common name, fully qualified name, group, role, certificate, and security clearance. During the authentication and
                                                                               functional
  authorization process, the exact elements in an identity are matched to the functional requirements of the
  applications or Web services served by the identity provider.

                                   Implementing disparate identity providers within an enterprise (or between partners)
For Web services, the                                                                             ut
                                   complicates the authentication and authorization process, but there are several
                                   reasons why it would be unusual to have one common identity provider for all
identity silo problem
                                   applications. First, different applications may require identity providers with different
    is compounded                  identity elements, formats, or protocols. Second, applications and their associated
     because most                  identity providers may need to be kept in separate security domains due to internal
 interactions happen                       concerns
                                   privacy concerns or regulatory requirements. Third, many enterprises will naturally
between applications               divide into multiple departments and business units with separate IT administration
                                   and identity providers. Fourth, partners cannot expose their identity provider(s) to
  where no practical
                                               without
                                   each other without risking unauthorized access to their core applications and business
  user intervention is             processes. For these reasons, identities created locally rarely have the same or any
        possible                   relevance outside of their local security domain, indirectly leading to the identity silo
                                   problem.

  If a legitimate user, application, or Web service authenticates against a corresponding identity provider in one
  identity silo, their identity (or any evidence of the authentication) may have no relevance when requesting access
                                  eb                                                               broken,
  to another application or Web service in another identity silo. In this case, the integration is broken and the
  authorization in one silo will fail even though the authentication succeeded in another silo. For Web services, this
                                                    interactions
  problem is compounded by the fact that most interactions happen between applications, meaning that no
  practical user intervention is possible.

                                                                                                   ma
  As the following examples illustrate, identity silos are the root cause of integration issues in many common
  integration scenarios:




  Cross-Departmental Application Integration
                                                                 typically keep functional systems and departments
  For operational and regulatory reasons, financial institutions ty
  separate. Many of their customers, however, may make use of both the banking and the investment branches of a
           stitution.
  single institution. The credentials and authorization processes required to access these systems are often as
  unique as the applications themselves. This “Chinese Wall” makes it difficult for customer service representatives,

                                            ogies
            Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
           trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
                                                                               yrights                                                4
  Identity Federation in Web Services

  who often need access to two or more se separate applications and corresponding databases to provide a positive
  service experience to clients. Further complicating matters is the fact that, while protecting the customer’s
                                                                            help             repudiation
  personal data, financial institutions must also provide an audit trail to he support non-repudiation procedures
  and ensure regulatory compliance.

  Legacy System Access
  Most large organizations have a variety of entrenched legacy systems that support core business processes and
  profit centers. This is even true for companies that have grown organically rather than through mergers or
  acquisitions. These legacy systems may be based on credential stores and authorization processes that create
                                                                                Web-          services
                                   internal barriers to integration with newer Web or Web services-based
                                   applications. Removing these barriers can be difficult, requiring either substantial
 Typically, substantial
                                                                   cost-prohibitive migration of the applications to
                                   coding, or middleware, or the cost         itive
investments in coding                     platforms.
                                   newer platforms
   and/or expensive
    middleware are                    Corporate Mergers and Acquisitions
    required to help              Many industry sectors have experienced a sharp increase in merger and acquisition
     manage cross-                activities, often in the form of a merger of peers. Two large organizations with
                                  sizeable client bases and business systems may choose to selectively maintain
boundary authorization
                                  parallel sets of application infrastructure, either for brand separation or simply due
  and authentication              to the complexity of migrating to a common system. Ensuring that core operational
                                  applications like Treasury, GL, ERP, and HR systems have access across both sets of
                                  applicati
                                                                            business               deadlines
  systems is challenging, and often has to be completed quickly to meet business or regulatory deadlines.

  External Trading Partners
  Competitive contractors or technology providers are often partners in large civilian or government contracts. To
                                                                                                           systems
  exchange project information, each of them may need to provide secure, fine-grained access to selected systems.
  For security reasons, granting access to each other’s identity management systems is usually a complex task
                                                                                     demand
  involving the development of custom bridging applications to provide secure, on-demand access.

                                            these
  Other examples undoubtedly exist, but the four scenarios illustrate some of the real impact associated with
  application identity silos. Despite being a common problem for a number of years, little has been done to directly
  address the issue. Most proposed solutions have had limited success, and as Web services usage expands, the
  problem becomes more acute as the human options for bri bridging identity silos disappears.


  Approaches to Bridging Identity Silos
   Attempts to integrate disparate identity systems have traditionally used one or more of the technical approaches
                                     outlined below. While each approach provides part of the solution, each also
    While a number of                                                             expensive                  effects
                                     has fundamental shortcomings that result in expensive and/or risky side effects.
solutions have been tried,
                                                 Hard-Coding
                                          Custom Hard
   including brute force
                                                                                                           identity
                                          Custom built solutions take a brute force approach to bridging ident silos on
   hard-coding, identity
                                             integration-by-integration basis. Rules and translators are created that map,
                                          an integration     integration
  consolidation, directory                transform, or otherwise manipulate identities exchanged between two silos.
   synchronization and                    Custom solutions, though not necessarily elegant, are effective, but
leveraging Single Sign On                               upfront
                                          considerable upfront work is required to define rules and use cases, and
    systems, none have                    developers must be familiar with the identity and processing models for both
                                          systems involved in the integration. Once in place, the brittle nature of the
   proven to be a silver
                                                                                       custom           lock
                                          approach requires frequent updating of the custom code in lock-step with any
   bullet for solving the                 identity-related
                                          identity related changes on either side of the integration. This leads to
 identity bridging problem                unpredictable ongoing costs and administrative issues.


                                            ogies
            Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
           trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
                                                                               yrights                                                5
Identity Federation in Web Services

                                                                                              problem
Occasionally used, this is an inefficient and inflexible approach that deals with a pervasive problem one instance at
                        use
a time. Little or no re-use is likely, as each integration requires the development of a new bridging application with
                                                                      compromises.
the potential for subsequent implementation errors and security compromises

Identity Consolidation
               lidation
Identity consolidation maps identities associated with one authentication source to a single consolidated identity
for authorization purposes. For example, staff members that have access rights to a retail banking application
                                           “EMP_RETL”
might be identified as the single identity “EMP_RETL” when accessing the foreign exchange and treasury
applications. This provides a bridging mechanism between distinct identity silos, but obscures potentially
                                                                                            ability         fine
important differences between members of the consolidated identity, thus eliminating the ability to make fine-
grained authorization decisions. This simple bridging approach also produces some fundamental management
issues.

                                       non-repudiation is a particular challenge if all external accesses are mapped
Auditing use of services and ensuring non
      ingle
to a single identity. Tracking down individual actions taken when several entities are simultaneously accessing a
system becomes extremely time consuming and difficult. The overall effect is a “loss of consequences” of any
                               impediment
interactions, and a potential impedimen to security policies or regulatory compliance.

Updating the authentication and authorization processes when an individual identity account is inevitably removed
from the group is both critical and tedious. Hours or even days might elapse before changes are propagated. The
end result is often deactivation of the original consolidated account, followed by reassignment of “survivor”
identities to a new account. This administrative nightmare can be difficult to automate, and any associated
problems can break the integration or worse, create lapses in security.

Directory Synchronization
Directory synchronization addresses some of the shortcomings of consolidation by replicating some or all remote
identities into a separate store. This replicated store is effectively an exact copy of the identity store used by
remote entities residing in another security domain. The challenges associated with maintaining granularity are
                                                                              facilitating                          fine
effectively overcome since all accessing entities retain a distinct identity, facilitating local authentication and fine-
                  based
grained identity-based authorization while ensuring a detailed audit trail. Despite these improvements, directory
synchronization also introduces some significant administrative challenges.

                                 ess
The initial synchronization process may require the transfer of a significant amount of data if the data store is
large. Firewalls or routers may need to be reconfigured to provide a secure channel between the two silos if they
                                                           the
are in different security or network realms. The format of the identity data may need to be transformed during
synchronization due to incompatible formats between an application provider and requestor, or simply different
identity contexts.

                                                                  provider-side, an ongoing mechanism must be
Once the replicated store of identities has been created on the provider
established to keep the two copies synchronized. In addition to ensuring connectivity, synchronization tools need
                                                                real-time                                  s
to update the replicated copy either on a periodic basis, or in real time as changes occur to the original store. In
some cases, this can lead to race conditions as updates occur asynchronously with additions and/or changes. The
latency associated with updates can result in inadvertent access for revoked identities and/or denied access for
new identities.

            On
Single Sign-On Approaches
            On                                                                                            back-end
Single Sign-On (SSO) systems are an effective mechanism for providing single login access to a variety of back
systems through Web portals and other gateway applications. A given entity signs on once and is granted the
             s
correct access and entitlements on multiple systems through some form of opaque cookie or token. Scaling SSO
                                                        scenarios,                   challenging
systems to encompass a broader spectrum of integration scenarios, however, can be challenging.



                                          ogies
          Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
                                                                             yrights                                                6
  Identity Federation in Web Services

  The SSO model does not eliminate the proliferation of disparate user IDs and passwords, but instead, simply masks
                          defined
  this issue for some pre-defined processes. Local applications are still responsible for authorizing users and
                                                                          pre-negotiation          an
  determining what to do with the authentication token. This requires pre negotiation of roles and entitlements, as
  well as considerable amounts of custom code to process or map the incoming identities.

  In the Web environment, most SSO products use cookies as evidence of authentication. This works well for human
  users signing into a Web browser page, but does not translate well between applications, or in Web services
  integrations where there is no equivalent to a browser application. In both of these situations, the deployment of
                                                                  interpret
  custom code or platform-specific agents is required to properly interpret and verify the cookies.

SAML-enabled SSO                  To address this, several SSO products also support Security Assertion Markup Language
products provide the                                                                                           standards
                                  (SAML) tokens that offer more flexibility than proprietary cookies. SAML is standards-
                                  based, has no dependency on a Web browser, and has growing cross cross-vendor
  best promise for                interoperability (see The Role of Standards below for more information). Typically, the
  cross-boundary                  originating identity and some form of evidence of that identity’s successful
exchange of identity              authentication are contained in a SAML assertion. Systems can pass these SAML tokens
 and authentication                                                                                        receive,
                                  both behind and across firewalls to a corresponding SAML “receiver” to receive
    by securely                   process, and verify the token. This approach is sometimes referred to as “Federated
                                                       Identity,”
                                  SSO” or “Federated Identity and requires that the implementation team define exact
    transferring                  security protocols for the token. If not protected in some manner, the same token can
credentials between                                               attacks.
                                  be used for subsequent replay attacks
      systems
                                                                                                          pre-
                               An important part of the solution, SSO systems still require considerable pre
  negotiation of identity context between silos, as well as the code to support proper authorization within this
  context. The introduction of SAML does provide a potentially powerful mechanism for exchanging both identity
                                     ut
  and evidence of authentication, but it still requires significant infrastructure to securely exchange tokens, validate
                                                                                               consuming
  their authenticity, and correctly authorize users. This can lead to an expensive and time-consuming Web services
  implementation process even if an SSO system is already in place for an existing Web portal application.


  The Role of Standards
                                          related                        of
  Several groups are assessing identity-related standards in the hopes of addressing some of the issues associated
  with identity silos. Most of this work is focused on a much broader vision of federated identity, specifically,
  securely establishing a person’s or application’s identity and sharing that identity globally across any domain or
  enterprise.

  One of the first standards to become available from multiple vendors was SAML, created by the Organization for
                                                                                            needed
  the Advancement of Structured Information Standards (OASIS). Designed to deliver much-needed interoperability
  between compliant Web access management and security products, the SAML specification itself does not define
  any new authentication technologies or approaches, nor does it address how to create privacy or security policies.
                                     transfer                                                time
  Rather, SAML makes it possible to transf security credentials between systems with one-time authentication.
                                        based
  SAML forms the basis for many Web-based SSO systems, and has proven interoperability between major vendors.
  Other standards activities are focused on strategically extending applications and Web services beyond security
                                     services-based integration.
  domain firewalls to facilitate Web services

  The Liberty Alliance is composed of a diverse group of companies spearheaded by Sun Microsystems. The
                                                     working
  collaboration claims that it is the only open body working on federated identity, but a group spearheaded by
  Microsoft, IBM, BEA, and others has presented the WSWS-Federation standard to accomplish similar tasks. From the
  beginning, IBM and Microsoft have been major forces behind the advancement of Web services, and both have
                                                          WS-Federation standard.
  helped develop a series of standards in addition to the WS



                                            ogies
            Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
           trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
                                                                               yrights                                                7
Identity Federation in Web Services




Standards work continues, sometimes yielding results that overlap with OASIS and the Liberty Alliance. To
complicate matters further, the recent Liberty Alliance specification attempts to subsume the current SAML
standard, while the next version of SAML attempts to do the same with the Liberty Alliance standard.

The multitude of standards and standards bodies merely provides alternate methods for solving a similar problem
                                                                                          Federation
set. The eventual convergence of these efforts, possibly after the introduction of the WS-Federation standard,
does little to solve today’s pressing identity bridging problems.


Addressing Identity Isolation
                               enges                                                                        multi-
The difficult integration challenges resulting from identity isolation in today’s IT environments require a multi
faceted solution. This solution must address the broadest possible range of integration scenarios while possessing
the attributes explained below.

Simple and Effective
                                  related
The majority of today’s identity-related integration issues are due to integrations of a moderate number of
applications or users to address the specific business needs of an organization. The goal of these integrations is to
                                  oy
bridge identity silos, not to deploy a complex infrastructure designed to federate identity to thousands of possible
applications. To make the greatest impact, a solution must be pragmatic. It must yield an immediate return on
investment by completely solving a specific set of identity bridging issues.

Flexible
Identities and related management policies are constantly in flux due to both ordinary and extraordinary changes
in operational, business, and regulatory needs. Any solution must be able to adapt to these changes in near real
        thout
time without uncontrollable delays or escalating costs. To achieve this, the solution should be capable of
                ing                investments.
leveraging existing infrastructure investments




                                          ogies
          Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
                                                                             yrights                                                8
   Identity Federation in Web Services

   Standards-Based
                             related                                                           .
   Identity- and integration-related standards are evolving rapidly in various standards bodies. Any solution must take
   advantage of existing work, as well as be able to adapt to new standards as they become ubiquitous in order to
   ensure maximum flexibility when interoperating with other systems.

   Turnkey Solution
                                       equires
   A solution adds little value if it requires the development of new code, or a significant integration effort to become
   operational. To ensure consistency, reliability, and rapid deployment without placing unnecessary dependencies
             party                                       technologies
   on third-party systems, all required attributes and technologi should be present in a tightly integrated, turnkey
   solution.

   Local Control
  In order to allow local administrators to manage the policies relevant to their respective security domains, the
                                     solution must permit independent control over the authentication and
The problem remains one                                                                  ur
                                     authorization processes. Authentication should occur close to the requestor to
                                     ensure maximum reliability in the identity assertion. Authorization of the
    of cost-effectively
                                     requestor should occur close to the provider to maintain strict localized access
    managing cross-                  control.
 boundary authentication
 and authorization in the                  Secure
face of changing industry                  Identity information often provides access to sensitive data and must be
   standards, business                     protected during an exchange. Security tokens should be shielded from
                                           expropriation and not reused through placement in a new message or replay in
 policies and government
                                                                                      two-sided
                                           the same message. To provide a thorough two sided audit trail, all actions
        regulations                                        requestor
                                           performed by a requestor should be securely logged by the requestor’s
                                                                                               provider.
                                           authentication provider, as well as the authorizing provider


   Conclusion
   Securely exchanging identity is critical to the successful integration of applications across identity silos. As
                    nology
   information technology rationalization and productivity pressures move more companies towards Web services,
                                            XML-based Web services to enable their reuse across diverse business
   more applications will be delivered as XML
   processes. Since business processes often impact systems across multiple departments, business units, or partners,
   these Web services will require identity federation to ensure that authentication and authorization occur in the
   appropriate security domains. Although various disparate technologies have attempted to address these
                                                                 cost-effective solution for Web services.
   requirements, they fail to deliver a practical, flexible, and cost

   The Layer 7 SecureSpan™ XML Firewall is the first turnkey solution to bridge identities in federated Web services
                                                                                                        enterprise-class
   environments while ensuring the confidentiality, flexibility, and consistent security required in an enterprise
                                                                      www.layer7tech.com.
   solution. For more information, please visit the Layer 7 web site: www.layer7tech.com




                                             ogies
             Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
            trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
                                                                                yrights                                                9
Identity Federation in Web Services


About Layer 7 Technologies
With offices in San Mateo, California; New York, New York; and Vancouver, British Columbia, Canada; Layer 7
                                                      cost-effective
Technologies helps enterprises accomplish secure and cost effective business integration using XML and Web
                                                                                  addresses
services. Layer 7 Technologies’ SecureSpan™ Solution is the first technology that addresses security and
governance across a Web services integration without expensive and inflexible programming. With the
SecureSpan™ Solution, customers realize lowered integration costs, increased security reliability, and the ability to
                 ir
future-proof their Web services investments. Contact Layer 7 Technologies or visit www.layer7tech.com for more
information.


Contact Layer 7 Technologies
Layer 7 Technologies welcomes your questions, comments, and general feedback.

Email:
info@layer7tech.com

Web Site:
www.layer7tech.com

Phone:
604-681-9377
1-800-681-9377 (toll free)

Fax:
604-681-9387

Address:
US Office
1200 G Street, NW, Suite 800
Washington, DC 20005

Canada Office
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada


Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.
SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or
trademarks are the property of their respective owners.




                                          ogies
          Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
                                                                             yrights                                                10