Sharing services across distributed organizations is key to maximizing ROI in any SOA initiative, but it can be a complex undertaking, involving issues of trust, identity management and access control.
In a Service Oriented Architecture (SOA), where services can invoke (and be invoked by) other services both within and between security domains, ensuring proper authentication and authorization is challenging. The problem lies in the fact that traditional Identity and Access Management (IAM) solutions are predicated on user-machine interactions and cannot easily accommodate machine-to-machine interactions. One solution, based on XML Web services, has been to securely embed identity and access information in every message. However, matching the security details supplied in a Web service consumer's request to the security requirements demanded by the Web service provider is a fine balancing act, requiring constant updating of both consumer and provider applications within an organization (in addition to regular out-of-band communication between organizations) as industry regulations and corporate requirements change.
The SecureSpan XML VPN Client (XVC) streamlines consumer and provider interactions by automatically negotiating the handshake between them. The handshake could be as simple as verifying that the client is permitted to access the service, or as complex as ensuring that the request is properly encrypted, carries the correct credentials, originates from a trusted domain, has been digitally signed, and so on.
Based on a scalable appliance model, Layer 7 provides a turnkey, reusable, and standards-based method for overcoming the security challenges in a SOA. The SecureSpan XML Firewall or SOA Gateway (Gateway) is typically installed at the boundary of a Web services security domain, gating inbound access and regulating outbound communication.
Available as an appliance, virtual appliance or software, the Gateway performs various XML and Web services security enforcement activities, including threat protection, access management, privacy enforcement, data validation, routing, transformation, and auditing. The SecureSpan Manager (Manager) is used to create fine-grained, identity-based entitlements and security policies for protected Web services. External credential, Public Key Infrastructure (PKI), and Single Sign-On (SSO) sources can also be configured through the Manager. The SecureSpan XML VPN Client (XVC) automatically coordinates security preferences between service consumers and providers.
While all three components work together to solve SOA's identity problems, the XVC is key to automating the solution and reducing total cost of ownership.
Copyright 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
In this way, organizations can quickly extend their existing identity systems to encompass Web services and XML-based interactions, laying the foundation to bridge independent trust environments while preserving local authentication and authorization processes.
Once installed on a client system, the XVC interfaces with service consumers, automatically negotiating policy-specific security, routing, and transaction preferences with the Gateway in real time. Specifically, when client applications attempt to send message requests to a Gateway-protected Web service, the XVC intercepts the request and functions as a client-side proxy, applying the protocols, headers, or transformations to messages that the policy in force on the Gateway requires. When a policy changes, the XVC automatically retrieves and applies the updated policy so that all subsequent messages conform to it. This ensures rigorous, fine-grained security with automated change control across all integrations, regardless of complexity.
For deployments that require encryption, the XVC can be used to automate client-side Public Key Infrastructure (PKI) management. In conjunction with the Gateway's internal Certificate Authority (CA), the XVC initiates the key exchange, negotiating cryptographic algorithms and invoking Certificate Signing Requests (CSRs). The XVC can also be used with any existing X.509 certificates or other CAs accessible to the SecureSpan administrator. In this way, organizations can lower their total cost of application development and maintenance; dramatically reduce the deployment time for client applications; create end-to-end security consistency by automatically coordinating security across distributed systems; and future-proof their investment by insulating their architecture from changes to industry standards and corporate policies.
Administrators can select the authorization model to be used by the Gateway on a service-by-service basis. When a message is received by the Gateway, subsequent processing depends on the Web service security policy defined for the requestor's identity. The Gateway first checks the integrity of the bundled identity, the authentication token, and the message itself. The authentication token is examined to ensure that it has not timed out, an important consideration when using potentially long-lived cookies or SAML assertions. The certificate of the trusted authentication source is used to verify the authenticity and source of the authentication token that is presented. Additional policy processing can also be performed based on specific message elements or various assertion-based requirements that are independent of identity or the authentication token. Tight signed binding of the credentials and authentication evidence, combined with automatic sequencing, ensures that no intermediary or replay attacks are possible even if the message is intercepted during transmission. This binding also provides powerful transactional evidence for local auditing and non-repudiation. If the application already has a hard-coded authorization process, or if the incoming identity has no context within the provider-side Web services security domain, the originating identity and token can be stripped out before forwarding the message to the provider's application for additional authorization. Again, the local audit trail that exists for all transactions and administrative functions provides positive evidence for non-repudiation or regulatory compliance issues. In this way, organizations can bridge multiple security domains, whether those domains are internal to the organization (for example, across the Chinese Wall separating retail banking from investment banking), separated globally (as between regional branch offices), or between head office and third-party service providers.
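The gateway-side sequence just described (integrity of the signed identity/token/message bundle, token lifetime, sequencing against replay, and stripping the identity before forwarding) is illustrated below as an added, simplified example; it is not Layer 7's code. The HMAC key, the 300-second lifetime and the message layout are constructed for the demo, and the shared key stands in for the trusted authentication source's certificate.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the trusted authentication source's
# certificate that the Gateway would use to verify the token's signature.
TRUSTED_KEY = b"constructed-demo-key-not-a-real-secret"
TOKEN_TTL_SECONDS = 300  # assumed token lifetime for the expiry check


def _canonical(identity, token, body, seq):
    """Serialise identity, token, body and sequence number as one signed unit."""
    return json.dumps({"identity": identity, "token": token, "body": body,
                       "seq": seq}, sort_keys=True).encode()


def build_message(identity, token, body, seq, key=TRUSTED_KEY):
    """Consumer side: bind credentials, token, payload and sequence under one signature."""
    sig = hmac.new(key, _canonical(identity, token, body, seq), hashlib.sha256).hexdigest()
    return {"identity": identity, "token": token, "body": body, "seq": seq, "sig": sig}


class Gateway:
    """Provider-side checks, in the order the text describes them."""

    def __init__(self, key=TRUSTED_KEY, ttl=TOKEN_TTL_SECONDS):
        self.key, self.ttl = key, ttl
        self.last_seq = {}  # highest sequence number accepted per identity

    def check(self, msg, now):
        # 1. Integrity: the signature covers identity, token, body and seq together,
        #    so altering any one of them (or swapping the token) is detected.
        expected = hmac.new(self.key, _canonical(msg["identity"], msg["token"],
                                                 msg["body"], msg["seq"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["sig"]):
            return "reject: integrity"
        # 2. Token lifetime: a long-lived assertion must still be inside its window.
        if now - msg["token"]["issued_at"] > self.ttl:
            return "reject: token expired"
        # 3. Sequencing: a captured message presented again carries a stale number.
        if msg["seq"] <= self.last_seq.get(msg["identity"], -1):
            return "reject: replay"
        self.last_seq[msg["identity"]] = msg["seq"]
        return "accept"

    def forward(self, msg):
        """Strip identity and token before handing the body to the provider application."""
        return {"body": msg["body"]}
```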
The SecureSpan XML VPN Client can be deployed in conjunction with all currently shipping versions of the SecureSpan XML Firewall and SecureSpan SOA Gateway appliances, soft appliances and software versions. To learn more about how Layer 7 can address your needs, call us today at +1 800.681.9377 (toll free within North America) or +1 604.681.9377, or visit us at www.layer7tech.com.