Tuesday, May 31, 2011

BYOA - Turtles all the way down

Joe McKendrick has a post this week on BYOA: Bring Your Own App. He cites the example of Podio. It's effectively a way to create a mobile or Web-based app, without the need to learn programming. A very neat service, nicely executed. As Joe McKendrick notes, this has been a much-promised dream for a while now. But it's getting closer to reality.

He notes optimistically that:
IT managers can do what they do best — worry about scalability, uptime, security and standards compliance on the back end or in the backbone — and leave many of the use cases for users themselves to sort out.
http://www.zdnet.com/blog/service-oriented/byoa-and-productivity-is-build-your-own-app-now-a-reality/7084
I say "optimistically" because of the worry many IT managers would have that BYOA is simply a way for employees to circumvent IT departments, and avoid their pesky concerns about security and standards compliance. But surely IT departments should embrace BYOA. How? By ensuring that the BYOA apps run through an on-premises Cloud Service Broker. The CSB layers on the attributes which may be lacking from a BYOA app. These are rules for monitoring scalability and uptime (see the piece on "It's 4am - do you know where your Cloud provider is"), as well as security and standards compliance. And what about mobile BYOA apps that aren't run from inside the enterprise? Those BYOA apps can be run through a Cloud-based infrastructure, leveraging "reachback" into the enterprise, as described here in this webinar.

One fascinating aspect of Podio is how it is a Cloud app, itself built on a stack of Cloud apps (Amazon CloudFront, on Amazon Web Services, with Zendesk). So you can build your own BYOA Cloud app on top of a Cloud service (Podio), which itself is on top of Cloud services (Amazon's). It's turtles all the way down, and I think we'll see apps like this increasingly in the future. Clouds on top of clouds. Podio is on Amazon, so an Amazon outage affects it. Its customer management is with Zendesk, so ditto. A Cloud Service Broker can monitor and manage this.

By the way, the next trend? BYOI: Bring Your Own Identity. A future post on that...

CTOEdge - It's 4am, do you know where your Cloud provider is?

I wrote an article about how to control for the reliability of third-party Cloud services. There is an old quote about distributed systems which I always think of, in relation to Cloud services:
...it is worth being mindful of the famous quote (by Leslie Lamport) that "a distributed system is one in which the failure of a computer you didn't even know existed can render your own computer unusable.” In the case of an organization using cloud services, the failure of a computer you didn't even know existed and isn’t under your control and may not even be in the same country as you can render your business inoperable...
http://www.ctoedge.com/content/its-4-am-%E2%80%94-do-you-know-where-your-cloud-provider
Check out the article over at CTOEdge.

Friday, May 27, 2011

Alternatives to OpenSSL: How to graphically create an X.509 Certificate with a private key

[ Update: Axway acquired Vordel in 2012 and the new name for the Vordel Gateway is the Axway API Gateway ]

There are many ways to generate an X.509 Certificate, including using OpenSSL on the command line. However, mastering the OpenSSL command-line options can be tough for people who only need to create a certificate now and again. If you'd like a free tool which can create an X.509 certificate graphically, no command-line needed, then take a look at the Vordel SOAPbox. It's a free download.

Once you download it, here is how to generate a certificate:

1) Go to the Security menu item, then "View Certificates"

2) Click on "Create/Import"

3) Click the "Edit" button and input the various attributes for your certificate (e.g. Common Name, stateOrProvinceName, countryName). Once you're done, press "OK".

4) Press "Sign Certificate" and choose whether you want to Self-Sign the certificate. Note that making a CSR (Certificate Signing Request) isn't an option in SOAPbox so you can either self-sign the certificate or sign it with a local CA certificate.

5) Then press "Export Certificate" to export the certificate as a .pem file. Or press "Export Certificate and Key" to export your certificate along with its private key (but note you'll have to enter a password for this, and remember the password).

Once you've done these five steps, you have your certificate. It's as simple as that.
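For comparison, a scripted counterpart to steps 3 to 5 using the OpenSSL command line, with checks on the exported files. This is an added example, not part of the original post or of SOAPbox; the file names, subject values and the `KEY_PASS` passphrase are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: self-signed certificate plus passphrase-protected key,
# followed by sanity checks on the exported PEM files.
set -eu

# Create a self-signed certificate and an encrypted private key.
# The passphrase is read from the KEY_PASS environment variable so that it
# never appears on the command line (and so not in the process list).
make_self_signed() {  # usage: make_self_signed <cert.pem> <key.pem> <subject>
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
    -subj "$3" -passout env:KEY_PASS -out "$1" -keyout "$2" 2>/dev/null
  chmod 600 "$2"      # private key readable by its owner only
}

# Return 0 only if the key file is encrypted at rest, the certificate is
# self-signed (issuer equals subject), and the private key belongs to the
# certificate (both yield the same public key).
check_export() {  # usage: check_export <cert.pem> <key.pem>
  local subj iss cert_pub key_pub
  grep -q 'ENCRYPTED' "$2" || { echo "key is not encrypted" >&2; return 1; }
  subj=$(openssl x509 -in "$1" -noout -subject) || return 1
  iss=$(openssl x509 -in "$1" -noout -issuer) || return 1
  [ "${subj#subject=}" = "${iss#issuer=}" ] || { echo "not self-signed" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
}

# Demo with constructed values (C = countryName, ST = stateOrProvinceName,
# CN = Common Name, matching the attributes entered in step 3).
export KEY_PASS='example-passphrase-not-real'
tmp=$(mktemp -d)
make_self_signed "$tmp/cert.pem" "$tmp/key.pem" "/C=IE/ST=Dublin/CN=test.example.com"
check_export "$tmp/cert.pem" "$tmp/key.pem" && echo "export OK"
```
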

Mobile reach, and reachback: Enabling Mobile Apps

There was a lot of great interest in the webinar last week about enabling mobile apps, including a lot of discussion of the "Reachback" architecture which enables mobile apps to connect back into the enterprise apps, through a Cloud-based "border Gateway" as Scott Matsumoto put it.

I'm happy to say that the recorded webinar is now online, and you can view it here.

Thursday, May 19, 2011

Webinar on 19 May - Enabling Secure Mobile Applications

Tomorrow, 19 May, Scott Matsumoto from Cigital and I are presenting a webinar on the topic of secure mobile applications. In particular, we focus on the question of how to deploy mobile applications which must make use of internal systems behind the firewall. This is a common problem, since organizations understandably do not want to punch inbound holes in their firewalls. Additionally, the worlds of mobile apps (REST, JSON) and the enterprise world (SOAP/WSDL, message queues) must be bridged.

The webinar is at 12pm Eastern, Thursday 19 May. Register at the link below:

https://www2.gotomeeting.com/register/382089859

Monday, May 9, 2011

PCI-DSS for credit card payments with Vordel

There is a new customer case study up on the Vordel website, explaining how the Vordel Gateway manages credit card data, supporting PCI-DSS, and providing monitoring in conjunction with HP. The case study is for Cetrel in Luxembourg.

Here is the background:
  • Cetrel had to create over 600 different Web Services to meet the many and varied needs of its individual customers.
  • Fine-grained and customized security controls (such as crypto settings for confidentiality and integrity) specific to each Web Service and customer needed to be replicated and enforced.
  • The new solution needed to be deployed without disrupting the continued delivery of the service and be able to go live into production within 4 weeks of delivery.
  • Cetrel required a solution offering a broad range of security policy support; ranging from existing legacy standards to the very latest versions of WS-Security policy.
  • The solution also had to be compliant with Mastercard and VISA rules and regulations (especially PCI-DSS) and be capable of integrating all relevant compliance amendments.
  • Reduce as much as possible the configuration changes required to the new backend system, keeping in mind that the rollout of customers will be completed over several months.
  • Finally, Cetrel required a solution offering very stable performance levels. Cetrel needs to be able to respond quickly at all times to any service outage. They sought a solution to monitor the Web Services traffic and that could report into their HP monitoring solution.
And here is the outcome:

With Vordel, Cetrel addresses all its technical concerns and is successfully delivering on its overall stated business objectives. Benefits derived from the Vordel Gateway appliance include:

  • An improvement in the overall performance and efficiency of the SOA infrastructure. The gateway is dedicated to the tasks of accelerating the processing of XML and other data formats and security protocols whilst the application server infrastructure is focused on processing business logic.
  • Easier and faster on-boarding of new customers via the flexibility of the security standards supported by the Vordel Gateway and versatility of applying different dedicated per user policies for the very same Web Service.
  • Improved operational efficiencies via the segregation of team duties; the application support team can focus on the business logic coding whilst the infrastructure support team can focus on security and monitoring.
  • Cetrel reduces the risk of security weaknesses via in-house development; now the developers can focus on business and functionality integration.

Wednesday, May 4, 2011

Speaking next week at the European Identity Conference

I'm speaking next week on a panel at KuppingerCole's European Identity Conference (EIC) in Munich. The session is entitled How to do Authentication for the Private, Hybrid, and Public Cloud - Secure, Unified, Flexible. Also on the panel are Judith Littel from CloudID, Travis Spencer from Ping Identity and Thomas C Stewart from SecureAuth. Sebastian Rohr from KuppingerCole is moderating. It looks to be an interesting session and I'm very much looking forward to it.