
Ensure Secure Data Exchange via HSMs

Enterprise-scale encryption and digital signing of all sensitive data shared across SOA, Cloud, Web and mobile applications

Industries from defense to banking and finance, as well as government organizations, follow cryptographic best practices to ensure security, privacy and data integrity when sharing sensitive information both within and beyond their enterprise boundaries. But these enterprises are challenged to manage increasingly large and complex security architectures. After all, identity and authorization are no longer only about people: the focus is now squarely on systems and services. Rather than extending traditional encryption, digital signing and authentication systems to manage the risks and meet the compliance requirements of new initiatives that encompass SOA, cloud and mobile access to sensitive information, what is required is a more flexible security framework that not only meets these emerging needs but also incorporates secure key management and tamper-resistant cryptography.

For this reason, Layer 7 has integrated the Thales nShield family of nCipher Hardware Security Modules (HSMs) with Layer 7's CloudSpan and SecureSpan families of SOA gateways. Layer 7's gateways act as policy-driven identity and security enforcement points that can be deployed both in the enterprise and in the cloud to address a broad range of behind-the-firewall, SOA, B2B, API management and cloud security challenges. With support for all leading directory, identity, access control, Single Sign-On (SSO) and federation services, Layer 7 provides unparalleled flexibility in defining and enforcing identity-driven security policies, leveraging SSO session cookies, Kerberos tickets, SAML assertions and Public Key Infrastructure (PKI). Support for all major WS-* and WS-I security protocols gives enterprise architects advanced policy controls for specifying message-level and element-level security rules, including the ability to branch policy on any message context.
Layer 7 also ensures that enterprise applications and infrastructure services are protected against malicious attack or accidental damage due to poorly structured data. Thales has a history of delivering industry-leading security solutions that allow organizations to protect data wherever it is stored and whenever it moves or is accessed inside the extended enterprise. To protect information that ranges from 'sensitive but unclassified' to 'top secret' military data, Thales ensures confidentiality, proof of identity, data integrity and non-repudiation by allowing organizations to protect and manage the cryptographic keys that lie at the heart of an organization's trusted encryption, digital signing and authentication processes. Both Layer 7's gateways and Thales nCipher HSMs are certified to FIPS 140-2 Level 3 and Common Criteria EAL4+ standards, delivering the highest levels of security and best-in-class performance. Together, the integrated Layer 7/Thales solution provides encryption and digital signing for sensitive data shared across security boundaries (such as those spanning internal enterprise domains, as well as enterprise-to-partner, enterprise-to-cloud or Web-to-mobile applications), thereby streamlining compliance and regulatory tasks while delivering enterprise-grade security for organizations that require cryptographic best practices.

Secure Data Exchange

The Layer 7/Thales solution is designed to address multi-domain issues, especially the need to maintain trust when exchanging information with third parties. Layer 7 gateways act as Policy Enforcement Points (PEPs) located in the enterprise, allowing organizations to layer key control and visibility capabilities onto all third-party interactions. By creating and enforcing policies on the Layer 7 gateway, organizations determine how data is securely exchanged, and between which systems and services, across security boundaries, all without coding. In brokering connections between the enterprise and third parties, Layer 7 gateways provide not only protocol mediation and data transformation but also more traditional application-layer functionality such as caching and traffic throttling. Additionally, cross-domain exchange of data often requires the federated identity capabilities provided by Layer 7's built-in Secure Token Service (STS), which features comprehensive support for SAML and OAuth. The combination of Thales HSMs and Layer 7 gateways thus allows organizations to implement secure data exchange and to govern and secure all their third-party interactions.
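The two design points in the text that matter most to a practitioner are that signing keys stay behind a hardware boundary and that policy can sign only selected parts of a message. The Go program below is an added illustration, not Layer 7's or Thales's code: the application path only ever holds a crypto.Signer (the shape an HSM-backed key takes in Go), and the receiver enforces which fields must be inside the signed scope rather than trusting the sender's declaration. The KeyHolder type, the canonical byte format, the field names and the sample message are all constructed for this example; a real nShield integration would replace the in-memory ed25519 key with a PKCS#11 or vendor-provided signer.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Message is a constructed stand-in for a record a gateway exchanges with a partner.
type Message struct {
	Fields    map[string]string `json:"fields"`
	SignedIDs []string          `json:"signed"`    // field names the signature covers
	Signature string            `json:"signature"` // base64, empty until signed
}

// KeyHolder models the HSM boundary: callers get a crypto.Signer and the public key,
// never the private key bytes. Assumption for this example: an in-memory ed25519 key
// stands in for the hardware-held key so the program runs offline.
type KeyHolder struct{ priv ed25519.PrivateKey }

func NewKeyHolder() (*KeyHolder, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &KeyHolder{priv: priv}, err
}
func (h *KeyHolder) Signer() crypto.Signer     { return h.priv }
func (h *KeyHolder) Public() ed25519.PublicKey { return h.priv.Public().(ed25519.PublicKey) }

// canonical builds the exact bytes that are signed: covered field names in sorted order,
// each name and value length-prefixed so different (name, value) splits cannot collide.
func canonical(fields map[string]string, ids []string) ([]byte, error) {
	sorted := append([]string(nil), ids...)
	sort.Strings(sorted)
	var b strings.Builder
	for _, id := range sorted {
		v, ok := fields[id]
		if !ok {
			return nil, fmt.Errorf("signed field %q is missing from the message", id)
		}
		fmt.Fprintf(&b, "%d:%s=%d:%s;", len(id), id, len(v), v)
	}
	return []byte(b.String()), nil
}

// SignFields signs the named fields through the Signer interface only; the private
// key never appears in this code path.
func SignFields(m *Message, ids []string, s crypto.Signer) error {
	data, err := canonical(m.Fields, ids)
	if err != nil {
		return err
	}
	sig, err := s.Sign(rand.Reader, data, crypto.Hash(0)) // Hash(0) selects pure Ed25519
	if err != nil {
		return err
	}
	m.SignedIDs, m.Signature = append([]string(nil), ids...), base64.StdEncoding.EncodeToString(sig)
	return nil
}

// VerifyFields checks the signature and that every field the receiving policy requires
// lies inside the signed scope; trusting the sender's scope alone would let a forwarder drop a field.
func VerifyFields(m *Message, pub ed25519.PublicKey, required []string) error {
	covered := map[string]bool{}
	for _, id := range m.SignedIDs {
		covered[id] = true
	}
	for _, id := range required {
		if !covered[id] {
			return fmt.Errorf("required field %q is not covered by the signature", id)
		}
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil {
		return err
	}
	data, err := canonical(m.Fields, m.SignedIDs)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, data, sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func main() {
	hsm, _ := NewKeyHolder() // the "HSM"; only Signer() and Public() are used below
	msg := &Message{Fields: map[string]string{"account": "1234", "amount": "10.00", "memo": "invoice 42"}} // constructed sample
	required := []string{"account", "amount"}
	_ = SignFields(msg, required, hsm.Signer())
	fmt.Println("as sent:      ", VerifyFields(msg, hsm.Public(), required))
	msg.Fields["memo"] = "edited in transit" // outside the signed scope: still verifies
	fmt.Println("memo edited:  ", VerifyFields(msg, hsm.Public(), required))
	msg.Fields["amount"] = "9999.00" // inside the signed scope: rejected
	fmt.Println("amount edited:", VerifyFields(msg, hsm.Public(), required))
}
```

The memo case is the caveat worth remembering when a policy signs "parts of the message": anything outside the signed scope can be changed by any intermediary without detection, so the receiving policy, not the sender, must decide which elements are required to be covered.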

Key Features

Identity and Message Level Security
(Identity-based access to services and operations; manage security for cross-domain and B2B relationships; Web SSO)
- Cryptography support for the onboard Thales nShield Solo HSM and the Thales nShield Connect network HSM
- Support for elliptic curve cryptography (conforms to NSA's Suite B algorithms)
- FIPS 140-2 support in both hardware (Level 3) and software (Level 1)
- Integration with all leading external identity, access, SSO and federation systems
- Onboard identity store for administering identities and staging new services
- Credential chaining, credential remapping and support for federated identity
- Integrated STS/SAML issuer supporting SAML 1.1/2.0 and Security Context Tokens
- Integrated PKI CA for automated deployment and management of client-side certificates, and RA capability for external CAs including Verisign
- Support for Web browser STS, facilitating single sign-on for users logging into SaaS/cloud applications

Threat Protection
(Filter XML content for Web 2.0 and SOA; transactional integrity protection; prevent XML attack and intrusion)
- Configurable validation and filtering of HTTP headers, parameters and form data
- Detection of classified or dirty words or arbitrary signatures, with subsequent scrubbing, rejection or redaction of messages
- Support for XML, SOAP, POX, AJAX, REST and other XML-based services
- Protection against identity spoofing and session hijacking, cluster-wide
- Assured integrity of communication end-to-end
- Protection against XML parsing attacks, XDoS and OS attacks, SQL injection and malicious scripting-language injection attacks
- Protection against XML content tampering and viruses in SOAP attachments

SOA Governance
(Runtime enforcement of governance policies; centralized SLA enforcement/Quality of Service)
- Enforce security policies, such as those that digitally sign and/or encrypt parts of the message or issue security tokens to ensure proper authentication
- Enforce compliance with policies, such as those that verify message structure and content against corporate, industry or government standards
- Enforce reliability with policies, such as those that reroute traffic to facilitate failover or throttle traffic to ensure availability and maintain quality of service
- Throttling/rate-limiting controls support service over-subscription with per-service throttling of excess messages
- Service availability features include support for strict failover, round-robin and best-effort routing

Transport and Protocol Mediation
- Full support for Class of Service based message processing and routing based on identity, message content, time of day, etc.
- Transport mediation between HTTP, HTTPS, MQS, JMS and raw TCP

API Management
(API publication; API security; API metrics and reporting)
- Secure, manage, monitor and control access to APIs exposed to third parties
- API usage can be throttled to ensure backend services are not overwhelmed; limited by user, time of day, location, etc.; and quota managed (e.g., number of uses per user per day)
- Configurable, out-of-the-box reports provide insight into API performance: throughput, routing failures, utilization and availability rates, etc.
- Failed authentications and/or policy violations can be tracked to identify patterns and potential threats
- Support for all major WS-* and WS-I security protocols
- Support for all major authentication and authorization standards, including SAML, Kerberos, digital signatures, X.509 certificates, LDAP and XACML

Logging and Reporting
(Services reporting; customer mapping; audit and logging)
- Configurable, out-of-the-box reports provide insight into SSG operations, service-level performance and user experience
- Report on service performance, policy violations and SLA conformance for specific customers, composites (i.e., processes and transactions using a service) or clients to build a profile of actual enterprise/cloud user experience
- Log message-level transaction information
- Spool log data to off-board data stores and management systems

Thales nShield Hardware Security Module
Standards support:
- Protects encryption and signing keys on servers in a highly secure, tamper-resistant hardware module
- FIPS 140-2 Level 2 and Level 3 validation
- Common Criteria EAL4+
- Optional support for Suite B elliptic curve cryptography (ECC)
Performance:
- Up to 6,000 signing transactions/sec (TPS) with 1K RSA keys; 3,000 TPS with 2K RSA keys
- Hardware-accelerated cryptographic operations, including signing of digital certificates
- Accelerated SSL termination with the embedded nShield Solo card
Form factors:
- Thales nShield Solo 6000e PCI-E add-in card with tamper-resistant key storage
- Thales nShield Connect 6000 network-attached 1U HSM server featuring dual hot-swap power supplies, 2x 1 Gigabit Ethernet ports and tamper-resistant key storage

Layer 7 Gateway Form Factors
- Hardware: active-active clusterable, dual power supply, mirrored hot-swappable drives, 2-way dual-core 1U server
- Software: Solaris 10 for x86 and Niagara, SUSE Linux, Red Hat Linux 4.0/5.0
- Virtual appliance: VMware/ESX (VMware Ready certified)

Supported Standards
XML, JSON, SOAP, REST, PCI-DSS, AJAX, XPath, XSLT, WSDL, XML Schema, LDAP, SAML, XACML, OAuth, PKCS, Kerberos, POP3, X.509 Certificates, FIPS 140-2, XML Signature, XML Encryption, SSL/TLS, SNMP, SMTP, IMAP4, HTTP/HTTPS, JMS, MQ Series, Tibco EMS, FTP/FTPS, WS-Security, WS-Trust, WS-Federation, WS-SecureExchange, WS-Addressing, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WSIL, WS-I, WS-I BSP, UDDI, WSRR, MTOM, IPv6, WCF

To learn more about Layer 7, call us today at +1 800.681.9377 (toll free within North America) or +1.604.681.9377. You can also email us at info@layer7.com, friend us on facebook.com/layer7, visit us at layer7.com, or follow us on Twitter @layer7.
Copyright 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan, CloudSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
