Saturday, April 23, 2011

Inaugural Boston Cloud Security Alliance meeting on April 27

My colleague Josh has organized the first Boston CSA meeting at CA's offices in Framingham next Wednesday at 6pm. There are two great speakers lined up: Bhargav Shah from KPMG will talk about risks and controls for cloud models, and Robert Levine from SENA Systems will talk about the impact of Identity and Access Management (IAM) on cloud computing (in the immortal words of Gloria Estefan, IAM "cuts both ways" with cloud computing, since you can host IAM in the cloud, but also use IAM to control access to cloud-based resources).

I suspect that some of the discussion at the CSA meeting will focus on the recent travails at the Amazon Web Services datacenter beside Dulles Airport. How can such outages be mitigated? Lew Moorman of Rackspace said it's the equivalent of a plane crash, which is alarming but doesn't call all of air travel into question. Where the air travel analogy breaks down is that a person can't travel on two planes at once. The large cloud customers like Netflix, who spread their cloud usage across centers, were not brought down. As Dan Lohrmann says on the Govtech website, it's a reason "You need a backup for your cloud provider's backup". The big guys like Netflix were able to organize (and pay for) this spread. This is difficult for the smaller guys, like Quora, which was brought down, but it's a further pointer to a broker model where off-the-shelf brokers open up the "cloud of clouds" to the mass market.

See you next Wednesday!

Friday, April 22, 2011

Cloud Security Alliance blog - Protect the keys to your API Kingdom

I've a new post up on the Cloud Security Alliance blog on how to "Protect the API Keys to your Cloud Kingdom". It talks about the Cloud Service Broker pattern, and how this can be brought to bear on the problem. I've tried to gear the article toward practical advice, because there is so much theoretical information out there on Cloud security. Check it out at:

Tuesday, April 12, 2011

As goes the Cisco ACE XML Gateway, so goes the Flip

Roman Stanek pithily tweets today that "The Flip flopped", and Cisco is discontinuing it (rather than selling the business unit, thus denying the opportunity to use the headline "Cisco flips the Flip"). I guess the irony is that, as Ars Technica reports, far from actually flopping, "the Flip was still holding its ground against competition like Kodak with its own line of small, pocketable video cameras. Pure Digital offered one of the cleanest and easiest to use non-phone video solutions."

So Cisco purchases and discontinues a product. Nothing fundamentally wrong with the product, but Cisco refocuses and does what it does best. It reminds me of the Cisco ACE XML Gateway, discontinued and being replaced by customers with the Vordel Gateway through the Cisco ACE XML Gateway Replacement Program. Cisco refocuses, customers still get the functionality through other means, and overall life goes on.

Friday, April 8, 2011

Getting your hands on Vordel 6.0.3

Since I posted a video demo of the Vordel Gateway v6.0.3 a couple of days ago, I've been getting emails asking how to get a copy. I can confirm that the Vordel Gateway is, as my German-speaking colleagues say, verfügbar (meaning "available" in German, though the word sounds a lot less positive to non-German ears). The first step is to contact Vordel from this page. We'll show you a live demo (the next step from the video demo on this blog) and get you started with the Gateway. Happy Gateway-ing (if that is a word, in any language :~) ).

Thursday, April 7, 2011

Steve Coplan from 451 Group on Vordel

Steve Coplan, Senior Analyst with the 451 Group's Enterprise Security Practice, has produced a report on Vordel. Follow the link from his tweet.

Wednesday, April 6, 2011

Video: Registering and managing a Web Service: Vordel 6.0.3 in Action

[ Update: Axway acquired Vordel in 2012 and the new name for the Vordel Gateway is the Axway API Gateway ]

This demo shows the Vordel Gateway v6.0.3 in action, covering the common case of (a) registering a service, (b) applying policies, (c) showing the Gateway enforcing the policies, (d) reporting on service usage, and (e) showing why messages are blocked. Finally we see Policy Studio in action; this is the tool used to create and edit policies.

If you want to see more specific video demos, check out the demos of the Vordel Gateway working with Oracle Entitlements Server and Oracle Access Manager here.

Note: Increase to full-screen to see the detail (or, if you're using a phone or tablet, simply pinch and zoom the video to see more).


Tuesday, April 5, 2011

Webinar on SOA and Cloud (in German)

Last week Vordel ran a case study webinar with Badenia AG (a German bank) on SOA and Cloud security. The webinar description follows, and here is a link to view the webinar.

Webinar: Security when using web services and XML

The most important security measures for deploying web services (XML) are shown using a real-world example, the "Deutsche Bausparkasse Badenia AG".

Web services (XML) are being used more and more often! A distinction is drawn here between in-house communication and external communication that crosses company boundaries. For external communication, firewalls are used today, but as a rule these do not look inside the XML streams and simply let the communication through. When integrating backend services, security measures are usually dispensed with, with the result that the risks of in-house communication are never identified. For securing web services (XML), the Vordel Gateway is used as an example to show that security does not have to mean a loss of performance. An important component is the central Policy Enforcement Point, which in combination with a certificate store can secure the XML streams. A script engine makes it possible to extend the standard functionality and adapt it to your specific requirements.

Deutsche Bausparkasse Badenia has been using Vordel products to meet its web service security requirements since 2004. The Vordel XML Gateway has since become a central component of its application security, which led to good ratings for the infrastructure in several security reviews. The webinar shows how the XML Gateway is integrated into the existing infrastructure landscape, and which policies were configured to provide web service security. A real-world example shows how flexibly the Gateway can be adapted to specific customer requirements.

Saturday, April 2, 2011

Cloud API Single Sign-On at Cloud Expo in NYC

In June I'm going to be speaking at the Cloud Expo in NYC on Single Sign-On to Cloud APIs. I'll be expanding on the points I made in my Cloud Security Alliance blog post back in February, namely that:

- API Keys must be protected (and an interesting side-note here is that HSM vendors have a lot to gain from this, as they have been in the key management business for years)

- A broker model allows you to use local sign-in (to a PC, or to a portal) and leverage this into sign-in to a Cloud service (such as Gmail).

- Standards such as SAML and OAuth are certainly important, but so are "de facto standards" like Amazon's "Query API" authentication.
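As an added example (not part of the original post, and not Vordel's own code), here is a Python sketch of the Amazon Query API signing scheme the third point refers to (Signature Version 2: HMAC-SHA256 over a canonical string, base64-encoded), together with the verification a gateway or provider performs and a minimal broker that keeps the secret key server-side so that a locally signed-in user never handles it. The key id, secret, host and request parameters are constructed sample values, not real credentials.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def canonical_query(params):
    """Sort parameters by name (byte order) and RFC 3986-encode names and
    values; '-', '_', '.' and '~' stay unencoded, everything else is %XX."""
    return "&".join(
        f"{quote(str(k), safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def string_to_sign(method, host, path, params):
    """The Query API (Signature Version 2) StringToSign: HTTP verb, lowercase
    host header, request path and canonical query, joined by newlines."""
    return "\n".join([method.upper(), host.lower(), path or "/", canonical_query(params)])


def hmac_signature(secret_key, sts):
    """Base64(HMAC-SHA256(secret, StringToSign)). The secret key is the HMAC
    key, so leaking it is equivalent to handing over the account."""
    mac = hmac.new(secret_key.encode(), sts.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_query_request(access_key_id, secret_key, method, host, path, params, timestamp):
    """Client side: add the auth parameters and the Signature to a request."""
    signed = dict(params)
    signed.update({
        "AWSAccessKeyId": access_key_id,
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": timestamp,
    })
    signed["Signature"] = hmac_signature(secret_key, string_to_sign(method, host, path, signed))
    return signed


def verify_query_request(secret_for_key, method, host, path, params):
    """Verifier side (cloud provider, or a gateway in front of it): look up the
    secret for the presented key id, recompute the signature over every
    parameter except 'Signature', and compare in constant time."""
    key_id = params.get("AWSAccessKeyId")
    received = params.get("Signature")
    if not key_id or not received:
        return False
    secret = secret_for_key(key_id)
    if secret is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = hmac_signature(secret, string_to_sign(method, host, path, unsigned))
    return hmac.compare_digest(expected, received)


class CloudBroker:
    """Broker pattern: the API secret stays on the broker. A user who has
    signed in locally (to a PC or portal) asks the broker to sign cloud API
    calls on their behalf and never sees the secret itself."""

    def __init__(self, credentials):
        # access_key_id -> secret_key, held server-side only (constructed sample data)
        self._credentials = dict(credentials)

    def sign_for_user(self, local_session, access_key_id, method, host, path, params, timestamp):
        if not local_session or not local_session.get("authenticated"):
            raise PermissionError("local sign-in required before a cloud API call is signed")
        secret = self._credentials.get(access_key_id)
        if secret is None:
            raise KeyError(f"no credentials held for {access_key_id}")
        return sign_query_request(access_key_id, secret, method, host, path, params, timestamp)


# Constructed sample credentials (not real keys).
SAMPLE_ACCESS_KEY = "AKIAEXAMPLEKEYID"
SAMPLE_SECRET_KEY = "exampleSecretKeyThatMustNeverLeaveTheBroker"

if __name__ == "__main__":
    broker = CloudBroker({SAMPLE_ACCESS_KEY: SAMPLE_SECRET_KEY})
    request = broker.sign_for_user(
        {"user": "alice", "authenticated": True},
        SAMPLE_ACCESS_KEY, "GET", "ec2.amazonaws.com", "/",
        {"Action": "DescribeInstances", "Version": "2011-02-28"},
        "2011-04-02T12:00:00Z",
    )
    ok = verify_query_request(
        lambda k: SAMPLE_SECRET_KEY if k == SAMPLE_ACCESS_KEY else None,
        "GET", "ec2.amazonaws.com", "/", request,
    )
    print("signature verifies:", ok)
```

Two things worth noticing: the `Timestamp` is part of the signed string, so a captured request can only be replayed within whatever clock skew the verifier tolerates, and because verification needs the secret itself (not a public key), every party that must verify, including a gateway in front of the API, is another place the secret has to be protected.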

And, as ever, I believe that the most valuable part of a talk like this is the practical case studies. I'll include a number, including an education provider using Vordel to manage Single Sign-On to Google Apps for its students, and an organization which needed to choose which access management options to use for its API.

See you in New York!