Welcome!

Microservices Expo Authors: Liz McMillan, Zakia Bouachraoui, Elizabeth White, Pat Romanski, Yeshim Deniz

Blog Feed Post

Betwixt and Between – Service Gateway for Enterprise Mobile Applications

Over the next several posts, I will explore some of the core patterns for Service Gateways that provide access to Enterprise Mobile Applications that need to leverage enterprise apps and data. Before I go there – a word about risk. Mobile security is a hot topic. Is Android less secure than iOS? What about rooted devices? How should enterprise deal with BYOD? How do mobile dev teams write secure code for mobile platforms? And the list goes on and on, there are plenty of important questions to ask.

Amidst all these gnarly big and small questions on technical security for enterprise mobile applications. its vital to remain focused on risk. And where is the risk for enterprise mobile applications? On the apps, identity, and data housed on the numerous mobile devices? Sure. There’s risk on individual mobile apps and devices, but the lion’s share of data, functionality and identity is on the server side, and that’s where the lion’s share of the risk is too.

Boundary crossings are a key focus area for security architects. The Enterprise Service Gateway defines the boundary between “external” systems and “internal” systems (note – I am not sold that this is a valid distinction in many instances but its commonly used and holds up for the purposes of this pattern). The transition between external and internal confronts the security architect with a number of design choices. We can divide the message exchanges into two sets

1. Mobile device -> Gateway: asynchronous Web service calls via REST

2. Service Gateway -> Enterprise backend app servers: synchronous and asynchronous calls via REST, JMS, SOAP, and more

The inbound calls to the Service Gateway usually follow a simple message exchange pattern (albeit its asynchronous which is something new to many enterprises but we’ll save that for another day), whereas the Gateway -> Enterprise message exchange patterns can run the gamut. In effect, the external services simplify the experience for the user and the internal services- well they just go where the data is.

The implications here shed light on the core utility of the gateway. The gateway is the location to implement three sets of security policies.

1. External security policy: for the Mobile device -> Service Gateway message exchanges

2. Internal security policy: for the Service Gateway -> Enterprise backend message exchanges

3. External <-> Internal mapper security policy: to facilitate the right security and identity services for each boundary transition

Security is about reducing vulnerabilities (access control services) and coping with threats (hardening, defensive services).  Service Gateways play a key role in each.

In the case of access control and identity services, the identity protocols and tokens that are used by the mobile device are usually validated and terminated at the gateway. The gateway then maps the relevant user identity, such as username and attributes, and instantiates a second protocol to communicate with the enterprise backend.

In the case of defensive services, enterprise applications are not hardened for external access, after all that’s why there is a DMZ. Inbound calls, messages, and data must be inspected for malicious code targeting the enterprise.  In effect the Service Gateway is what enables the internal services to be consumed externally.

To make sure mobile security is effective, from a big picture, strategic perspective its important to keep in mind the vital role of the gateway in managing risk on both the mobile device and the enterprise backend. To execute tactically its important to divide the Gateway’s role in to how it works for each separate policy zone, and how it maps between the zones.  So many projects, start out assuming that mobile is just another front end to hook up to existing middle tiers – it isn’t. To get an idea on some key differences, I highly recommend this Mobile Middleware White Paper as a solid read for more on the subject.  In the next post we’ll look at some policy options for each zone.

 

The post Betwixt and Between – Service Gateway for Enterprise Mobile Applications appeared first on Application Security.

Read the original blog entry...

More Stories By Application Security

This blog references our expert posts on application and web services security.

Microservices Articles
The now mainstream platform changes stemming from the first Internet boom brought many changes but didn’t really change the basic relationship between servers and the applications running on them. In fact, that was sort of the point. In his session at 18th Cloud Expo, Gordon Haff, senior cloud strategy marketing and evangelism manager at Red Hat, will discuss how today’s workloads require a new model and a new platform for development and execution. The platform must handle a wide range of rec...
When building large, cloud-based applications that operate at a high scale, it’s important to maintain a high availability and resilience to failures. In order to do that, you must be tolerant of failures, even in light of failures in other areas of your application. “Fly two mistakes high” is an old adage in the radio control airplane hobby. It means, fly high enough so that if you make a mistake, you can continue flying with room to still make mistakes. In his session at 18th Cloud Expo, Lee A...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Lori MacVittie is a subject matter expert on emerging technology responsible for outbound evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and systems administration expertise. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine where she evaluated and tested application-focused technologies including app secu...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session we'll describe best practices for "configuration as code" in a Kubernetes environment. We will demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure ...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, described how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability. He addresse...
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...