
Microservices Expo: Article

Unifying Security Policy Across the Web, Web Services, and Web 2.0

Eliminate security policy silos before they are created for eased administration and improved control

Let's look at a specific example of a Web 2.0 site that is also driving website security and web services security together. In Figure 4, access to the website is controlled by a cookie-based WAM product. Once users have been authenticated by the WAM product, they use a Web 2.0 application in their browser. The Web 2.0 application makes use of web services to fetch dynamic content (for example, to fetch an insurance quote in real time). An XML Gateway, together with an identity-based web services security system, is deployed to manage access to those web services. By connecting the XML Gateway to the policy server of the web services security system, a single security system can govern access to both the website and the back-end web services. In addition, the XML Gateway protects the enterprise from harmful XML. Acting as the PEP, the XML Gateway enforces access to the web services and ensures that only authenticated users are allowed through.

Security administrators who are skilled at using a WAM product to control access to websites can now use it, in its extended capacity, to define policy for accessing the web services that power Web 2.0 features. In this way, no retraining is required, and existing infrastructure and security processes are leveraged further. When the centralized policy-based system is used for both Web Access Management and web services security, it effectively becomes a Centralized Web Security System covering both flavors of web application deployment.

Putting It All Together
We have seen that it is possible to have a unified security policy framework that secures:

  • Traditional website browser access.
  • Application-to-application web services traffic using XML/SOAP.
  • New Web 2.0 sites in which code at the browser connects back to web services to fetch content dynamically.

This can be achieved by using an XML Gateway and container-based agents in conjunction with a centralized identity-centric web security system. The full solution architecture is shown in Figure 5.

In Figure 5, we see all three scenarios that we have examined in this article. Working from the top to the bottom, we see:

  1. Application-to-application XML traffic is secured by the XML Gateway and a container-based agent, acting in conjunction with the centralized web security policy server.
  2. "Traditional" website access is enforced by an agent at the web server, also working in conjunction with the same policy server. If the web application uses a web service at the back end, the user's context can be checked through the same policy server.
  3. New "Web 2.0" clients, in which code at the browser dynamically connects to web services, are also managed by this same PEP/PDP-based system.

The best solution for managing the security for all web resources (both websites and web services) involves the use of a centralized, identity-centric web security system along with an XML Gateway and a container-based policy enforcement point, thus continuing to expand upon and leverage the proven PEP/PDP architecture that has served us so well in WAM products over the past 10 years.

In this model the centralized web security system makes access decisions that apply to all web resources, whether browser-based or web service-based. The XML Gateway acts as an enforcement point and applies XML threat mitigation and XML traffic management (caching, routing, XML enrichment), paired with the agent-based enforcement points that extend security coverage over the last mile, to the service itself. In this way security administrators only have to manage one set of security policies and one set of infrastructure across both websites and web services for the entire enterprise. This sets the security administrators up for eased security management and better control, in effect eliminating security silos before they have even been built.
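As an added illustration (not code from the article, nor from any WAM or XML Gateway product), here is a simplified Python model of the PEP/PDP flow described above: the gateway verifies the WAM session cookie forwarded by the Web 2.0 client, screens the SOAP body for harmful XML, and asks a centralized policy table for the access decision before letting the operation through. The cookie format, signing key, policy entries, size and depth limits are all assumptions made for the demo.

```python
import hashlib, hmac
import xml.etree.ElementTree as ET

# Assumption (demo only): the WAM session cookie is "user|role|hmac", signed with a key the gateway holds
WAM_KEY, MAX_BODY_BYTES, MAX_DEPTH = b"constructed-demo-key", 64 * 1024, 16
# Centralized policy table (constructed): (role, web service resource, SOAP operation) -> permitted
POLICY = {("customer", "/ws/quote", "GetQuote"): True,
          ("agent", "/ws/quote", "GetQuote"): True,
          ("agent", "/ws/quote", "BindPolicy"): True}

def _sign(payload):
    return hmac.new(WAM_KEY, payload.encode(), hashlib.sha256).hexdigest()
def make_session_cookie(user, role):  # what the WAM product issues after login
    return f"{user}|{role}|" + _sign(f"{user}|{role}")
def verify_session_cookie(cookie):  # (user, role) if the signature verifies, else None
    parts = (cookie or "").split("|")
    if len(parts) != 3 or not hmac.compare_digest(parts[2], _sign(f"{parts[0]}|{parts[1]}")):
        return None
    return parts[0], parts[1]

def pdp_decide(role, resource, action):  # PDP: default deny unless explicitly granted
    return POLICY.get((role, resource, action), False)

def xml_threat_check(body):
    # Reject oversize bodies, DOCTYPE (entity expansion) and deep nesting; return the parsed root
    if len(body) > MAX_BODY_BYTES or b"<!DOCTYPE" in body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    depth = lambda e: 1 + max((depth(c) for c in e), default=0)
    return root if depth(root) <= MAX_DEPTH else None

def pep_enforce(cookie, body, resource):
    # XML Gateway as PEP: authenticate the caller, screen the XML, ask the PDP, enforce
    ident = verify_session_cookie(cookie)
    if ident is None:
        return 401, "no valid WAM session"
    root = xml_threat_check(body)
    if root is None:
        return 400, "rejected by XML threat check"
    ops = root.findall("{http://schemas.xmlsoap.org/soap/envelope/}Body/*")
    if not ops:
        return 400, "no SOAP operation in body"
    action = ops[0].tag.split("}")[-1]  # local name of the operation element
    user, role = ident
    if not pdp_decide(role, resource, action):
        return 403, f"{user} ({role}) denied {action} on {resource}"
    return 200, f"{user} permitted {action} on {resource}"
```

A real deployment would replace the policy dictionary with a call to the WAM policy server and the HMAC check with the product's own session validation; the ordering (authenticate, screen XML, then authorize per operation) is the point.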

More Stories By Mark O'Neill

Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.

More Stories By Matthew Gardiner

Matthew Gardiner is a senior principal of Product Marketing at CA and is a recognized industry leader in the security management & IAM markets worldwide. He is published and interviewed regularly in leading industry media on a wide range of IAM and security-related topics and is a member of the Liberty Alliance’s board of directors. Matthew has a BSEE from the University of Pennsylvania and an SM in Management from MIT's Sloan School of Management.
