Tuesday, August 30, 2011

Enabling Single Sign-On across Hybrid Clouds Managed by VMware vCloud Director 1.5

We're very excited here at Vordel to announce, around VMworld 2011, that Vordel provides the capability to seamlessly log users into Cloud-based systems managed by VMware vCloud Director 1.5.

Single Sign-on is one of those things where the user's point of view is very different from the implementer. From the user's point of view, it "just works". A user logs in, clicks on a link, and does not have to log in a second time. From an implementer's point out view, there is a whole raft of underlying technologies in play. This Single Sign-on functionality which Vordel provides for VMware vCloud Director makes use of the long of identity management integrations provided by Vordel, including: CA SiteMinder, Oracle Identity Management, RSA, Entrust, Microsoft ADFS, and many others. But all of that underlying technology is in order to enable simplicity for the user.

Read more about it here:

Cloud Computing webinar presentation... using the Cloud

I'm listening to Wolfgang Kandek (CTO at Qualys) give an excellent overview of Cloud Computing on today's webinar series . I am speaking in an hour's time on this same series. Take a look at how Wolfgang is showing his presentation, in the screenshot below. Notice something? It's itself using the Cloud itself: Using Google Apps. Not Powerpoint. The cloud even permeates my desktop below, since I am running a VMware Micro Cloud Foundary VM in VMware Player. Many times when we talk about a trend, there can be a certain amount of hype. But in this case, it's very real since we're all using the Cloud, even for a presentation about the Cloud :-)

Monday, August 29, 2011

Upcoming webinar with Qualys and CSA: "Cloud Computing: Security, compliance and Implementation Aspects"

I'm speaking on a webinar tomorrow (August 30) alongside Wolfgang Kandek from Qualys and Steve Markey from the Cloud Security Alliance. The topic is "Cloud Computing: Security, compliance and Implementation Aspects". The full session starts at 12pm Eastern and my section is at 1.30pm Eastern. The topics we're covering are:

■Who owns the Security problem?
■What Cloud Computing security aspects should you consider?
■What is the purpose of these cloud computing security aspects and which solutions are available?
■Will I still be in control of the cloud computing security aspects?
■How about Cloud data assurance and compliance?

Table of Speakers:

Wolfgang Kandek: Chief Technical Officer at Qualys


Steve Markey: Chapter Officer at Cloud Security Alliance (US)


Mark O’Neill: CTO at Vordel and author of book "Web Services Security"

Sign up here: http://web2present.com/upcoming-webinars-details.php?id=10

Wednesday, August 24, 2011

Request throttling and concurrent connection throttling

My colleague Ian Marsh has a really useful new post on request throttling and concurrent connection throttling (not the same thing, as Ian explains). Check it out, it includes info on how the Vordel Gateway works with an Oracle product for providing a non-blocking lock on the count of concurrently executing requests: http://enterprisegateway.wordpress.com/2011/08/23/throttling-a-variation/

Friday, August 12, 2011

Lightning strikes the cloud (or does it?)

Silicon Republic covers the recent outage at Amazon's Dublin (EU-West) data center for Amazon Web Services. Initially it was blamed on lightning, but it looks like that was not the full story:
In the hours following the incident, Amazon originally blamed a lightning strike and an explosion which knocked out a generator leading to loss of power, which disrupted service for Amazon customers for up to 48 hours in some cases.

Electricity provider ESB Networks has provided a different version of events. A spokesperson told Siliconrepublic.com that the problem was due to a fault in one of its substations at Citywest and that power would have been available from an alternate source within a millisecond.


Thursday, August 11, 2011

A second chance to catch the "Bridging Security from the Enterprise to the Cloud" webinar

Missed the "Bridging Security from the Enterprise to the Cloud" webinar earlier today? Watch it below:

A BrightTALK Channel

Tuesday, August 9, 2011

Upcoming Webcast - Bridging security from the enterprise to the cloud

This Thursday there is not one but two Vordel webinars, one on BNSF's migration of their Cisco Ace XML Gateway (AXG) appliances to Vordel, and one on how to bridge security from the enterprise to the cloud.

I've already blogged about the first webinar, which will cover the process by which BNSF (Burlington Northern Santa Fe) Railway chose Vordel to replace its Cisco AXG gateways. So here's the scoop on the second one:

In the "How to bridge security from the enterprise to the cloud" webinar, I'll be talking about the pattern of "bring your own identity" for Cloud access. We are all familiar with leveraging existing identities (login with Facebook, login with Google ID) for cloud-based apps. In the enterprise world, the challenge is to allow employees to leverage their existing on-premise identities, such as their logins into Active Directory or other IdM (identity management) infrastructure. It is "bring your own enterprise identity". This is an important aspect of what it means, in practice, to bridge security from the enterprise to the cloud.

Follow this link to register, and look forward to seeing you on the webinar this Thursday: http://www.brighttalk.com/webcast/679/32827

Wednesday, August 3, 2011

How to filter SOAP MTOM/SWA attachments in the Vordel Gateway

Filtering SOAP attachments is something which is a very common feature implemented on a Gateway such as the Vordel Gateway. Here is a step-by-step guide to how to set this up:

If you've already registered a WSDL, skip forward to step 4.

Step 1: Open the Vordel Policy Studio. Connect to the Gateway you wish to configure your policy on. Either connect directly or login through Policy Director (which allows you to push configuration to multiple Gateways at once).

Once you connect, choose "Edit Active Configuration".

You will see the screen below. New Web Services are registered in the "Web Service Repository" which is accessed under the "Policies" group on the left-hand-side.

Step 2: Right-click on the "Web Service Repository" and choose "Register Web Service". Note that the Web Services are arranged in groups, and you can rename these groups.

Step 3: Select your WSDL (either via URL, file, or UDDI) and then walk through the wizard. Choose the location to deploy your virtualized service. Out of the box, there is a set of services called "Default Services" on port 8080 in the Vordel Gateway, but you can rename this or change the port. You can also add a new service group (e.g. called "SSL Services") with a different listening interface, such as SSL (create the new services, then right-click and choose "Add interface"). You can even add a JMS listener, or a file folder scanner.

Don't check the box right now to "Secure this Web Service". You'll then see a "Summary" screen in the wizard, which says what path the Virtual Service has been deployed on. Take note of this path. Press OK and then press the "Deploy" button on Policy Studio to deploy. Now open the WSDL in the browser. Note that the Vordel Gateway will automatically virtualize the service hostname in the WSDL.

Step 4: Right-click on "Policies" in the Vordel Studio and select "Add Policy". If you already have created a contained to contain your policies, you can right-click on your container and make your policy there. Note that containers are a way to group policies together, e.g. for importing and exporting them together, but don't affect the running of the policies.

Call your new policy "Filter Attachments"

Step 5. Drag in a "Content Type" filter, which you can find in the "Content Filtering" group. We are filtering the message based on its content type. Configure it as shown in the screenshot below, where only XML and PDFs are allowed (i.e. a SOAP/XML message with a PDF attachment).

Note that you must have "multipart/*" selected also, because that is used by the SOAP-with-Attachments standard to deliniate attachments. If you have not got this selected, all SOAP attachments will be blocked (note: this may be intended in some use cases).

When you drag in the filter on to the policy canvas, it is initially gray because it is not being used yet. Right-click on this filter and choose "Set as start". Now it is no longer grayed out. However, it is outlined in red because it requires an input (the message itself) which it is not getting at the moment. For it to get this input, it must be "wired up" to policy that is receiving a message through a listening interface.

Step 6: In Policy Studio, look under "Policies" and then "Generated Circuits" to find the service you've registered in Step 3. Double-click on the filter called "Service Handler for ''. Then open the "Message Interception Points" tab. Under "Before Operation-specific Policy" press on the "..." button to choose the policy you made in step 5 to filter attachments. Once it is mapped, you should see the mapping set as in the screenshot below.

Make sure you press the "Deploy" button on the Studio toolbar to deploy this policy.

Step 7: Open SOAPbox (grab your free copy from Vordel). We will be using SOAPbox to test our attachments policy. Open the Virtual Service WSDL which you obtained from Step 3. [Tip: The Service Manager interface, under :8090/ , also allows you to see the Virtual Service WSDL, if you connect with a role which allows you to use Service Manager]. In SOAPbox, press on the import WSDL and import the Virtualized WSDL (note: not the actual WSDL from the back-end service you've registered, otherwise you'll simply send your messages to the back-end services and not through the Vordel Gateway).

Step 8: You'll see a sample message created for you in SOAPbox. Click on the "Attachments" tab on the botton of
SOAPbox . Choose to add an attachment which is not allowed (i.e. something other than a PDF, since in Step 5 you chose that a PDF was the only allowable attachment. Send the message through to the Vordel Gateway in SOAPbox, by pressing the green triangular "play" button. These steps are shown in below.

The message will be blocked. Note that you can customize the response message, since in a production system it is not usual to return a SOAP Fault to clients.

Step 9: View the blocked message in the Vordel Gateway's Real-Time Monitoring by pointing a browser to :8090/ and then clicking on "Real-Time Monitoring". Note that you'll have to login as a user with a role which allows viewing of Real-Time Monitoring (e.g. an "operator" or "auditor" role):

Step 10: Import the WSDL into SOAPbox and send it through the Gateway without the SOAP Attachment. Note that SOAPbox allows you to have multiple messages saved, which you can see if you click on the small down-arrow button beside the green "play" button, and choose "Request Settings".

Other steps: Note that the Vordel Gateway includes a filter called "Remove Attachment" which you can use to remove attachments. You may use it similar to the process outlined above. In addition, the Message Size filter will block large messages based on (optionally) attachments as well as the message itself.

Tuesday, August 2, 2011

Enter the Entitlements Server

[ Update: Axway acquired Vordel in 2012 and the new name for the Vordel Gateway is the Axway API Gateway ]

It is always striking that so much work is done on authentication technologies, but so little on authorization. Usually authorization (the decision on "who can do what") is baked into code in applications. This makes it difficult to change these rules later, or to audit the rules. Entitlements Servers fill this gap, by externalizing authorization from applications. Marc Chanliau has written a really useful article on entitlements servers, which provide this service exactly.

He gives a good example of when an entitlements server is vital:
Suppose a homegrown portal application must present a sensitive piece of customer information such as a Social Security Number (SSN) when a service representative views a customer's profile. It is determined that in order to ensure compliance with various privacy regulations, only directors and senior managers may be able to view a customer's SSN. A decision has to be dynamically made whenever the application must show an SSN as to whether the current user may view the actual data or some default value (e.g., "XXX-XX-XXXX"). The decision must take into account the user's job title. A dozen parts of the application that can display a customer's SSN mean a dozen places for this business logic to be applied.

Now assume that the policy needs to be changed after the application has been in production for some time. The business has determined that senior managers in California may not view an SSN. This is an exceptional situation that requires another piece of information to be considered as part of the entitlement decision. But what if we take the example even further? Suppose that only directors above a certain salary grade can view SSNs. Now the entitlement logic has been split into multiple decisions based on runtime attributes. So the business logic must be adapted.

You can see that authorization or entitlement policies evolve very differently from application requirements. Having the entitlement logic "hard wired" into the business logic means changing code each time there is a policy change.

He then goes on to explain how an Entitlements Server works in the framework of RBAC (Role-Based Access Control) and the PEP/PDP/PIP model. Gateways like the Vordel Gateway are often deployed as the PEP part of this model, and I've written recently about the benefits of integration between the PEP and the Entitlements Server.

Monday, August 1, 2011

Rock 'n' Roll

Here is a section from Prince's rider for a recent concert (scroll down to the bottom of the article). I guess Prince is a fan of Windows (and Google):

  • Please provide a laptop computer (Windows Operating System) with large screen in the suite.
  • Please have the computer powered on with the web browser displaying the Google home page.
  • High-quality flower arrangements in suite

Job posting: Vordel, Oracle, and CA SiteMinder skills in San Diego

Qualcomm in San Diego is looking for someone with Vordel, CA SiteMinder, and Oracle skills.