Wednesday, September 8, 2010

Vordel Party at Oracle Open World

Oracle Open World is bigger than ever this year, encompassing JavaOne and Oracle Develop. And Vordel is making it even bigger with our party on Wednesday evening at Townhall on Howard Street, just a short walk from the Moscone Center. The evening includes a conversation-starting talk by Sarah Friar, analyst from Goldman Sachs who provides insightful comment on Oracle and also Cloud Computing. Do Oracle and Cloud Computing go together like cocktails and canapés? Discuss this with Sarah and others over actual cocktails and canapés on September 22nd. Click on the image below to register free. See you there!

Tuesday, September 7, 2010

Filtering JSP and Flash (SWF) with the Vordel Gateway

As well as filtering API and SOA traffic, the Vordel Gateway can also filter more traditional Web traffic such as JSP (JavaServer Pages), images (e.g. JPGs) and Flash files (SWFs). To illustrate this, in the screenshot below I am accessing a JSP through an SSL interface provided by the Vordel Gateway. The JSP serves out a Flash (SWF) object and a JPEG image. The Vordel Gateway is layering SSL in front of a back-end JSP which is being served out over plain HTTP.



Now, if I try to put a Cross-Site Scripting attack into the JSP invocation, the Vordel Gateway detects and blocks this, and all I see is the 403 "Access Denied" message:



Over on the Vordel Gateway's Real-Time Monitoring, I can see clearly that the JSP request was blocked because of the detection of harmful content in the request. I can also make use of Real-Time Monitoring to see the response times my JSP pages are providing, as well as any alerts being raised by the Vordel Gateway.



For more info about the management of JSP pages, contact Vordel at info@vordel.com

Thursday, September 2, 2010

Case study of SOA and Web Services in government in Belgium

One Magazine has a great case study about Web Services and SOA usage in provincial government in Belgium. The solution was rolled out by Belgacom and includes Vordel products.

“Vordel turned out to be one of the most user-friendly solutions. At the same time, Belgacom’s project based approach has worked out well here.” - Project leader Wim Van Gelder from the Department of Projects and Development, Provincial Government of Vlaams-Brabant, Belgium.

Full case study here:
http://www.onemagazine.be/2010/08/20/how-to-share-information/#more-5212

Wednesday, September 1, 2010

Cloud Security Podcast - The question of API Keys

I had a really good discussion with Kaitlin Brunsden from EbizQ on the topic of Cloud Security in general, and API Keys in particular. All too often, CISOs and IT managers do not realize that if their organization is using Amazon Web Services (AWS), for example, then the Secret Key ID used to authenticate to AWS is often sitting on a hard drive or coded into an application. This Secret Key ID, in combination with the Access Key ID (which is readily available through traffic logs) can be used by a malicious user to provision or terminate virtual machines, to access data in Cloud-based queues or databases, or just simply to run up a large charge which will then hit the credit card linked to the API keys. Vordel can help, by protecting the API keys in the same way that our products protect keys used in other contexts (e.g. private keys for SSL).

The podcast (complete with transcription) is here: http://www.vordel.com/news/articles/31-08-10.html

Tuesday, August 31, 2010

VMWorld 2010: Provisioning and Managing Cloud instances with Vordel

Here at Vordel we're excited to announce that Vordel products can be used to manage virtual machines hosted by service providers such as Terremark, using the vCloud API. This means that an organization can control which employees can create virtual machines, who can reboot them, who can stop them and who can terminate them, all the while keeping an audit trail. We are addressing the chaotic situation which often occurs in organizations whereby IT Management doesn't know how their Cloud-based infrastructure is being used. Vordel allows policies to be put into place such as "only someone with a manager role can reboot a machine", "instances can only be created during business hours" and "we limit the number of images to this particular number". This saves our customers money and also means they use Cloud-based virtual machines in a managed manner.
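As an added illustration (not Vordel's implementation) of the kind of policy described here: a small decision function that enforces the three example rules and records every decision in an audit trail. The role name, the business-hours window and the image limit are assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Added example, not Vordel's code: a small policy decision point enforcing the
# three rules quoted above, with an audit trail of every decision. The role
# name, the business-hours window and the image quota are assumed values.
BUSINESS_HOURS = range(9, 18)   # 09:00-17:59, gateway local time
MAX_IMAGES = 5

@dataclass
class Request:
    user: str
    roles: frozenset
    action: str      # "create", "reboot", "stop" or "terminate"
    when: datetime

def make_request(user, roles, action, hour):
    """Convenience constructor for the sample day used in the walkthrough."""
    return Request(user, frozenset(roles), action, datetime(2010, 8, 31, hour, 0))

@dataclass
class PolicyEngine:
    images: int = 0                     # virtual machine images currently provisioned
    audit: list = field(default_factory=list)

    def _violation(self, req):
        """Return the rule that denies the request, or None if it passes."""
        if req.action == "reboot" and "manager" not in req.roles:
            return "only someone with a manager role can reboot a machine"
        if req.action == "create" and req.when.hour not in BUSINESS_HOURS:
            return "instances can only be created during business hours"
        if req.action == "create" and self.images >= MAX_IMAGES:
            return f"image limit of {MAX_IMAGES} reached"
        return None

    def decide(self, req):
        reason = self._violation(req)
        allowed = reason is None
        # Allowed and denied calls alike are recorded so usage can be reviewed later.
        self.audit.append((req.when.isoformat(), req.user, req.action,
                           "ALLOW" if allowed else f"DENY: {reason}"))
        if allowed and req.action == "create":
            self.images += 1
        elif allowed and req.action == "terminate":
            self.images = max(0, self.images - 1)
        return allowed
```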

Be sure to visit booth 340 at VMworld where our team are demoing the Vordel management of Cloud-based images.

Thursday, August 19, 2010

REST Security at Java One

I'm speaking with Vikas Jain from Oracle at Java One (co-located with Oracle Open World this year) on the topic of REST Security. The session link is below:

http://www.eventreg.com/cc250/sessionDetail.jsp?SID=314100

(or go to the main catalog page and paste the Session ID 314100 into the search form).

We'll be talking about threats and countermeasures for REST Web Services. We will also discuss the various REST authentication schemes being used by Cloud service providers today. Some of these authentication schemes (in particular the one used by Amazon Web Services) are as close to an "industry standard" for REST authentication as we have now. Say what you like about the WS-Security bloat, but at least it is an open standard, whereas for REST authentication there isn't one yet (unless you count HTTP Auth). But organizations realize that they can gain an advantage by providing a REST API and opening it up to the largest possible number of (authenticated) users. So here at Vordel we have customers using our Gateway for REST authentication today, so that they can provide REST authentication and navigate the current world of REST security.
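As an added example (not Vordel's or Amazon's code) that also ties back to the API key discussion in the podcast post above: a signer and a gateway-side verifier modelled on the HMAC-SHA1 request-signing scheme the S3 REST API used at the time. It shows why the Access Key ID is visible to anyone reading traffic logs while only a holder of the Secret Key can produce or check a signature. Key values and the request path are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Added example, not Vordel's or Amazon's code, modelled on the HMAC-SHA1
# request-signing scheme used by the S3 REST API at the time. Key values are
# constructed placeholders, not real credentials.
ACCESS_KEY_ID = "AKIAEXAMPLE000000001"             # public half, sent with every request
SECRET_KEY = "example-secret-access-key-not-real"   # private half, never sent

def string_to_sign(method, path, headers):
    """Canonical string covered by the signature: verb, MD5, type, date, resource."""
    return "\n".join([method,
                      headers.get("Content-MD5", ""),
                      headers.get("Content-Type", ""),
                      headers["Date"],
                      path])

def sign(method, path, headers, access_key_id, secret_key):
    """Client side: build the Authorization header value."""
    mac = hmac.new(secret_key.encode(), string_to_sign(method, path, headers).encode(),
                   hashlib.sha1).digest()
    return f"AWS {access_key_id}:{base64.b64encode(mac).decode()}"

def verify(method, path, headers, secret_store):
    """Gateway side: find the secret for the advertised key ID and recompute."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    key_id, _, _signature = credential.partition(":")
    if scheme != "AWS" or key_id not in secret_store:
        return False
    expected = sign(method, path, headers, key_id, secret_store[key_id])
    # Constant-time comparison; the secret itself never appears on the wire.
    return hmac.compare_digest(expected, headers["Authorization"])

def exposed_in_log(headers, key_id, secret):
    """What a traffic log line holding the Authorization header reveals: (key ID?, secret?)."""
    auth = headers["Authorization"]
    return key_id in auth, secret in auth
```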

Tuesday, August 10, 2010

Cloud rising, but what about iPhone and iPad apps?

Joe McKendrick points to an IDC survey which shows that soon, a third of all software will be delivered via the Cloud (i.e. as Software as a Service / SaaS): http://www.zdnet.com/blog/service-oriented/idc-very-soon-a-third-of-all-software-delivered-via-cloud/5474

It is interesting that this trend coincides with a resurgence of "fat client" computing in the form of iPhone and iPad applications. Two opposing trends happening at once. Users seem happy to download and install apps in certain cases, but in other cases they expect delivery wholly over the web "as a Service".

Wednesday, July 28, 2010

Catalyst discussion blocked by the Twitter API

Here at Burton Catalyst, many people are using Twitter clients on the conference WiFi connection. Like me, many are searching on the #CAT10 hashtag to see the latest conversation. However, Twitter is rate-limiting connections to its search service based not on identity but on client IP address.

It is so ironic that here we are at a conference largely about identity and managing Cloud-based services, and the discussion is being curtailed by very primitive API management which ignores identity in favor of rate-limiting based on IP address.



You can see the difference between the two approaches in the Vordel configuration below. In the first screen you see part of a policy which limits based on IP address (what Twitter is doing here).



This makes for a very brute-force rate-limiting policy. But if you change the "key value" configuration item so that you instead control access based on client identity (which Vordel provides as the "authenticated.subject.id" variable), then much more sophisticated throttling based on identity becomes possible, even when multiple clients are coming from the same IP address.
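To make the difference concrete, here is an added example (not Vordel's code) of a sliding-window limiter whose counting key is pluggable: the client IP address in one configuration, the authenticated subject in the other. The request field names mirror the post; the limit, window and traffic are constructed assumptions.

```python
from collections import defaultdict, deque

# Added example, not Vordel's implementation: a sliding-window rate limiter
# whose "key" is pluggable, mirroring the configuration item discussed above.
# LIMIT and WINDOW_SECONDS are assumed values; request field names follow the post.
WINDOW_SECONDS = 60
LIMIT = 3

class RateLimiter:
    def __init__(self, key_fn, limit=LIMIT, window=WINDOW_SECONDS):
        self.key_fn = key_fn          # maps a request to the bucket it is counted in
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # key -> timestamps of recent allowed requests

    def allow(self, request):
        key = self.key_fn(request)
        q = self.hits[key]
        now = request["time"]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def by_ip(request):
    """Key choice 1: client IP address (what Twitter was doing at the conference)."""
    return request["client.ip"]

def by_identity(request):
    """Key choice 2: the authenticated user (Vordel's authenticated.subject.id)."""
    return request["authenticated.subject.id"]

def simulate(key_fn, requests):
    """Return the allow/deny decision for each request in order."""
    limiter = RateLimiter(key_fn)
    return [limiter.allow(r) for r in requests]

# Constructed traffic: four attendees behind one conference WiFi NAT address
# (documentation range), each searching the hashtag once in the same minute.
CONFERENCE_TRAFFIC = [
    {"time": t, "client.ip": "203.0.113.10", "authenticated.subject.id": user}
    for t, user in enumerate(["alice", "bob", "carol", "dave"])
]
```

Keyed by IP the fourth attendee is refused although each person made a single request; keyed by identity all four pass, while a single user exceeding the limit is still throttled.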

Thursday, July 8, 2010

Lotus knows how to ask you to bypass security (or does it?)

Steve Riley recently pointed out a horrendous disregard for customer security in a post about Priceline. Here's an example I saw today in the Lotus Sametime product. I use many collaboration tools but it's been a while since I used Sametime, so it asked me to run through an installation. As you can see in the screenshot below, it says "Answer YES if you receive any security warnings or Sametime will not function properly".

Highly dubious as this advice is, it actually fails: the Java Runtime identifies a problem with the signature of the Sametime application, and clicking "Yes" on the security dialog below blocks the Sametime meeting room client from running:



Lotus Sametime is not the only product which actively asks you to ignore security concerns. But it's the only one I've seen where the advice to bypass security actually causes the product not to install. To paraphrase Wolfgang Pauli, the advice is "So insecure it's not even wrong".

Monday, June 28, 2010

Role-based attitudes to the Cloud

Vanessa Alvarez in InformationWeek's "Plug into the Cloud" points out something I've noticed also. IT departments are often unaware of who in their own organization is using public Cloud services. Those with a role in IT are not aware of how line-of-business managers are using public Cloud services (or even whether they are using them at all). As well as the obvious security issues with this, it also points to a lack of governance. One lesson of SOA Governance which applies here is that service usage must be discovered first, then brought under an umbrella of policy. Unless this first discovery stage is met, services are never brought under control. This is one of the roles of the Cloud Service Broker: to discover the public Cloud service usage and bring it under the same control as internal service usage.

Changing CIO & IT Roles

Many panelists pointed out that the disconnect between IT and line-of-business (LOB) managers continues to be challenging. IT is really not aware of who is using public cloud services and therefore, doesn't really see the need for deploying a cloud computing model that will deliver the features and functionalities that LOB managers are turning to the public cloud for.
http://www.informationweek.com/cloud-computing/blog/archives/2010/06/structure_2010.html


Monday, June 14, 2010

At Gartner Summit: How Cloud Service Brokers enable the move beyond IaaS

Today at the Gartner SOA & Application Development and Integration Summit here in London, Benoit Lheureux made the case for how the Cloud Service Broker enables brokerages to make the step beyond Integration-as-a-Service (a term he originally coined).

Benoit has a blog post which provides a taste of his talk today, in which he lays out the case for why the CSB model will marry governance to IaaS providers. In the actual talk, he elaborated on what is only hinted at in his blog post. For example, he explained how the social aspect would allow consumers of IaaS services to potentially make their own changes to services, such as changing their interface from FTPS to Web Services. He also explained that the EDI Value-Added Networks (my own background: I worked for a VAN 12 years ago) will continue to operate, but that the move to a Cloud-based model will be accelerated by the enabling technology of the Cloud Service Broker.



On a personal note, Benoit also talked about how this is his first business trip after his twins were born, and the emotion in his voice reminded me of the first trips I made (also to London) when my two kids were born.