Welcome!

Microservices Expo Authors: Liz McMillan, Yeshim Deniz, Pat Romanski, Elizabeth White, Zakia Bouachraoui

Related Topics: Microservices Expo, Cloud Security

Microservices Expo: Article

Unifying Security Policy Across the Web, Web Services, and Web 2.0

Eliminate security policy silos before they are created for eased administration and improved control

How can security policies be centralized across an enterprise's set of Web applications? In particular, we examine the case of security policies for web services and for traditional websites and describe how the two can be administered and enforced together to improve both the cost of administration as well as the strength and flexibility of the security system.

Web Services and Websites: Different or the Same?
Organizations have significant investments in web-delivered applications. To date, these web systems have typically taken the form of websites serving up HTML pages accessible via web browsers. These systems include employee intranets, partner extranets, and consumer websites of infinite variety. The architecture of these sites is generally three-tier web applications backed by application servers. Access to these web applications is now often managed using an enterprise-scale web access management (WAM) system, such as CA SiteMinder WAM, for reasons of security, cost, user convenience, and ease of compliance. The WAM system controls who can access the web resources by first authenticating the user using one of many possible technologies, and then executing security policies in real-time to determine if they are entitled or authorized to use the requested web resource. Session cookies are generally used to maintain the user's login session during their visit to the organization's web property.

In contrast Web Services, a more recent innovation, involves the use of XML technology to link systems together. Many standards such as SOAP and WSDL enable web services to work across highly heterogeneous and distributed systems. Web services operate on an application-to-application basis rather than human-to-computer as in the case of a traditional website. The communications from the client to the service uses XML as the common language. This allows one application to call the services of another application over the network by sending an XML message to it.

Just as is the case with websites, web services require security policies that govern their usage and behavior. Security product categories such as the XML Gateway and broader identity-centric web services security systems have emerged in order to apply security policy to web services in a centralized way. To date, generally these web service security policies have been enforced independent of WAM-based policies used for website control, even when both types of web applications are deployed in the same organization.

Given the relative immaturity of web services deployments, it has been reasonable to operate with web services security policies and website security policies in isolation from one another. Web services security systems can deal with protecting application-to-application traffic, while separate website security products can deal with actual human beings accessing websites using browsers. However, changes in the maturity of the technology and the organizations that are using it are driving a more holistic approach to enterprise web security. This allows organizations to eliminate security silos even before they have been created.

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.

More Stories By Matthew Gardiner

Matthew Gardiner is a senior principal of Product Marketing at CA and is a recognized industry leader in the security management & IAM markets worldwide. He is published and interviewed regularly in leading industry media on a wide range of IAM and security-related topics and is a member of the Liberty Alliance’s board of directors. Matthew has a BSEE from the University of Pennsylvania and an SM in Management from MIT's Sloan School of Management.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Microservices Articles
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term.
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
Consumer-driven contracts are an essential part of a mature microservice testing portfolio enabling independent service deployments. In this presentation we'll provide an overview of the tools, patterns and pain points we've seen when implementing contract testing in large development organizations.
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session we'll describe best practices for "configuration as code" in a Kubernetes environment. We will demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure ...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
In his session at 20th Cloud Expo, Scott Davis, CTO of Embotics, discussed how automation can provide the dynamic management required to cost-effectively deliver microservices and container solutions at scale. He also discussed how flexible automation is the key to effectively bridging and seamlessly coordinating both IT and developer needs for component orchestration across disparate clouds – an increasingly important requirement at today’s multi-cloud enterprise.
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point where organizations begin to see maximum value is when they implement tight integration deploying their code to their infrastructure. Success at this level is the last barrier to at-will deployment. Storage, for instance, is more capable than where we read and write data. In his session at @DevOpsSummit at 20th Cloud Expo, Josh Atwell, a Developer Advocate for NetApp, will discuss the role and value...
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
"We do one of the best file systems in the world. We learned how to deal with Big Data many years ago and we implemented this knowledge into our software," explained Jakub Ratajczak, Business Development Manager at MooseFS, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.