AAA as Chess

These paragraphs by Gunnar Peterson in a larger blog post deserve a blog post of their own:

Chess has some lessons to teach us here. Chess has three main stages - the Opening(where vast analysis applied to the various opening strategies: the Sicilian, Ruy Lopez and so on), the Middle game (which is chaotic), and the End game (strategies to capture the opponent's King). Each stage in the game has a unique set of strategies that are related but separate from the other stage strategies.

A Chess match is not one side dictating rules and the other side simply moving, instead its a synthesis of each side trying various gambits that result in unique permutations from match to match. The nature and structure of these permutations are not possible to calculate effective beyond a certain point so pattern recognition must be used.

Coming full circle back to infosec, the best we can hope for is a good design that facilitates a good Opening game followed by a stream of events and logs that enable effective middle and end games. I think of AAA access control technologies as Opening Game strategies - many people think of Kerberos and other ticketing systems are security, but really they just establish the initial ruleset for operations, the real game begins once they're in place, in use, and under attack. The structure used at the opening does not dictate all or maybe even most of the events that occur in the middle and end game.

Following through the analogy - once the Opening game (authentication) has passed, then identity can survive in the chaotic Middle game by propagating verifiable identity (or attributes) in the transaction (which Gunnar covered back in 07). Then the End game is when, at the endpoint, a fine-grained authorization decision can be made based on identity and attributes. The key, like in chess, is not to only perfect the Opening game and then just hope for the best.

Running the Vordel XML Gateway on Sun Solaris

Running the Vordel XML Gateway on Sun Solaris is very straightforward, in fact not much different than running on Windows or Linux.

First, download the SunOS version of the Vordel Gateway from here (you'll need a Vordel Extranet account first. If you're a Vordel partner or customer already then you'll have one. Otherwise email info@vordel.com to ask for one).

Decompress the installation package using a command like this, substituting the downloaded file name as appropriate:

prompt# gunzip -c [DownloadedFileName].tar.gz|tar xvf -

Now run the Vordel XML Gateway once, and you will see the host-based license information. Email this to licenses@vordel.com and we'll issue you a license.

You're all set then to connect up to the Gateway and start working with policies.

Here are some case studies of Vordel's XML Gateway on Sun hardware:

• The Spanish Government case study on the Vordel Website describes a case study of a Vordel XML Gateway deployed on Sun Solaris in front of Web Services which provide government services
• Mazda uses Vordel Gateways on Sun hardware for communications with car dealers and partners. The goal is to improve business efficiency at dealerships and head office by reducing the double keying of information, and to provide streamlined access to multiple sources of information via one interface. A full case study is available on the Vordel website.
  

XML - the soft underbelly of the Cloud

I'm giving a talk at the RSA Conference in March about the continuing usage of XML as an attack path into Cloud services. Many Cloud services include WSDLs and XML-consuming services. Although XML has now been around a long time, attacks making use of XML are surprisingly resilient (or many not surprising at all, given that SQL Injection has also been known about for a long time). The Cloud just provides a much larger attack surface.

As I've written before, a cloud service broker is the way option to augment security and compliance in front of the Cloud service itself. But, in order to protect the "soft underbelly of the Cloud", Cloud service providers themselves will realize in time that their corporate customers would like the broker effectively baked at the edge.

So, hope to see you at RSA! This year it's earlier than usual, at the start of March, in San Francisco's Moscone Center.

All the Web’s an API

I've written a "guest view" article for SD Times about the usage of API Keys in Web/Cloud APIs. API keys seem like a simple way to manage access to a Web API, but if the authentication scheme is not secure then they are dangerously simple (or simply dangerous). A key part of Cloud security is effective management of API key based authentication.

The article is here:

http://www.sdtimes.com/GUEST_VIEW_ALL_THE_WEB_S_AN_API/By_MARK_O_NEILL/About_APIS_and_CLOUDCOMPUTING_and_SECURITY/34049

Vordel is Hiring!

Vordel is currently hiring developers, support engineers, QA engineers, and technical writers. Here is the scoop:

Got your head in the clouds? Then Vordel has a job for you!

Vordel is a world leader in the design, development and delivery of enterprise products to enable leading global corporations and governments control their SOA and Cloud-based computing environments. Customers include Allianz, ASR Nederland, BNP Paribas, Ericsson, Mazda, QPass, Telefonica, Telecom Italia Mobile, the European Union, Spanish Government, UK Government, US Federal and State Governments and many others.

Join our team and help build game-changing technology for the world's leading enterprises and national governments worldwide.

We're constantly on the look-out for the right kind of people to join our team and if you are passionate, dedicated and prepared work hard to achieve your goals then we can offer you a fulfilling career path.

Currently we have vacancies in the following areas:

Senior Development Engineers - Dublin, Ireland
Support Engineers - Dublin, Ireland
QA Engineers - Dublin, Ireland
Technical Writers - Dublin, Ireland


If you believe you have what it takes to make a difference then send your resume/CV to openvacancies@vordel.com

Vordel is an Equal Opportunities Employer.

Building Trust in the Cloud

Knowledge Management World has an interesting article this week on "Building Trust in the Cloud".

Users of individual SaaS products have generally become confident that their vendor is proficient in maintaining security, ensuring that data is backed up and carrying out other support tasks. However, venturing more broadly into “the cloud,” where many applications may be used as services, is a different matter; establishing trust with numerous third-party suppliers is a complex process.

To help address the problem, Vordel introduced the Vordel Cloud Service Broker in November 2009. It manages multidomain cloud services by registering them in a single repository to facilitate monitoring and policy enforcement. Cloud Service Broker also optimizes performance by providing caching, acceleration and data transformation.
http://www.kmworld.com/Articles/ReadArticle.aspx?ArticleID=60342&PageNum=1

The article goes on to describe some early adopters of the Vordel Cloud Service Broker. It gives an example of an organization applying control to services used in the Amazon cloud.

It is worth contrasting the Cloud Service Broker approach with previous "SOA Governance" approaches. With "SOA Governance", an organization would apply policies to its internal services. However, a business depends on more than just its internal services. The approach of the Cloud Service Broker is to apply control to all the services which a business depends upon. So, these are not only internal services, but also services in the Cloud.

Running the Vordel XML Gateway on Oracle VM

XML Gateways are generally available as hardware-only, software-only, or with the option of hardware or software. One of the great advantages of the software option is that it means the XML Gateway can be deployed in a virtualized environment. However, XML Gateways which are available as software but require a hardware card for performance are not good candidates for virtualization. Only if the Gateway has inherent acceleration capabilities, which are not hardware dependent, can be successfully virtualized without a loss in performance.

The following table shows the three different categories of XML Gateways, and their suitability for virtualization:

Hardware only	Not suitable for virtualization
Software with reliance on hardware card for acceleration	Not suitable for virtualization
Software with no hardware dependencies	Suitable for virtualization

Since it is available as software as well as an appliance, the Vordel XML Gateway is well-suited to running in a virtualized environment. A purely hardware-based product, or a product which depends on a third-party hardware component such as a Tarari card for its performance, can't map to a virtualization environment. By contrast, the Vordel Gateway does not include hardware dependencies which would hobble it in the virtualization arena.

Oracle VM is a great example of a Xen-based virtualization platform which is well-suited to running the Vordel XML Gateway. Setting up the Vordel XML Gateway on Oracle VM is straightforward. To run the Vordel XML Gateway on Oracle VM, I created a Vordel installation on an Oracle VM template running Oracle Enterprise Linux v5 with 1GB memory and 4GB hard drive.

I used Oracle VM Manager to spin up the template. Oracle VM Server then creates a virtual machine which (in this case) retrieves an IP address via DHCP and shows up on my network as 10.10.1.106. Now, I can access it just like any Vordel Gateway instance:

This means that I can now monitor the Vordel Gateway on Oracle VM:



I can manage its policies using Policy Studio, by connecting to the Oracle VM instance:



And I can test the Vordel Gateway on Oracle VM using SOAPbox:



To test the Vordel Gateway on Oracle VM, grab a copy of the Vordel Gateway and Oracle VM and get testing!

Congratulations to Burton Group

Looking down my blogroll earlier today, I see "A message from Jamie Lewis". Jamie is the CEO of Burton Group, and always worth listening to, especially at his Catalyst talks. So, I click on the link and read that Burton has been acquired by Gartner! Analyst consolidation continues into 2010...

Congratulations to all at Burton, especially Richard Watson who spoke at Vordel's conference last November, Anne Thomas Manes whose views on SOA are quite literally a matter of life and death, and Phil Schacter who has been tracking Vordel since 2001.