September 30th, 2011

FROM THE VAULT: White Paper – The Role of XML Gateways in SOA

Category From the Vault, SOA

A week ago, we began a weekly series of blog posts on key content from the Layer 7 Resource Library. We started things off by highlighting our Expanding Role of XML Gateways in SOA, Mobile & Cloud webinar. This week we’re going to stick with the same general area of interest but focus in a bit on the specific uses of Gateways in SOA.

Our white paper The Role of XML Gateways in SOA is consistently one of the most popular items in the Resource Library, which goes to show that the topic of SOA is still on a lot of people’s minds. This white paper explains how XML Gateways deliver “application networking” functionality, making it possible to complete critical SOA tasks without programming.

In contrast to conventional networking devices, XML gateways specialize in the application-level protocols rendered within XML or Web services messages. An XML gateway can rapidly inspect and process XML messages to efficiently perform a range of processes vital to SOA, including content routing, protocol switching, data transformation and identity authentication.

By doing so, XML gateways make it easy for SOA architects to:

  • Implement security
  • Optimize performance
  • Enable advanced policy operations

To get more detailed insight into the value of XML gateways to SOA deployments, download the white paper.

September 28th, 2011

Mobilizing the Workplace


Over the previous two days, GigaOM hosted its fourth annual Mobilize event. While smart phones have been with us for several years and most of us have experienced firsthand the impact of the iPhone, Android and yes even the Blackberry on our everyday lives, this year was especially interesting because of the impact of the tablet in the workplace.

The iPad is not really all that new and Microsoft has arguably been beavering away at workplace tablet technology for years. What’s different this year is that the tablet is becoming an acceptable mainstream device for a wide range of work-related tasks, both inside and outside the actual workplace. This is changing the way IT goes about enabling its employees.

For a long time, enabling the mobile workforce meant equipping each remote worker with a laptop, VPN software and a virus scanner. However, none of these necessarily make sense for or are practical on a tablet. For enterprises in the iPad age, enabling mobile staff means figuring out how to share information with workers and partners in a selective, managed way.

Various types of organization are helping enterprises figure out how to do this:

  • Large ISVs like SAP, which recently launched the NetWeaver Gateway, making the company’s various systems available on mobile devices
  • API Management vendors like Mashery, Apigee and Layer 7, which help enterprises better manage what gets exposed outside organizational boundaries
  • Identity vendors like Ping and – again – Layer 7, which help organizations implement SAML and OAuth technologies for simplifying who gets access to what

Over the coming weeks, Layer 7 will have a great deal to say on this topic as we will be:

With a new Amazon tablet announced today, a new iPhone announcement expected next week and an update to the iPad anticipated for early in the New Year, it seems more than likely that mobile enablement of the workforce will continue to be a hot topic for enterprises over the coming months and beyond.

September 23rd, 2011

Clouds Down Under

When I was young I was fascinated with the idea that the Coriolis effect—the concept in physics which explains why hurricanes rotate in opposing directions in the southern and northern hemispheres—could similarly be applied to common phenomena like water disappearing down a bathtub drain. On my first trip to Cape Town many years ago I couldn’t wait to try this out, only to realize in my hotel bathroom that I had never actually got around to checking what direction water drains in the northern hemisphere before I left. So much for the considered rigor of science.

It turns out of course that the Coriolis effect, when applied on such a small scale, becomes negligible in the presence of more important factors such as the shape of your toilet bowl. And so, yet another one of popular culture’s most cherished myths is busted, and civilization advances ever so slightly.

Something that definitely does not run opposite south of the equator turns out to be cloud computing, though to my surprise conferences down under take a turn in the positive direction. I’ve just returned from a trip to Australia where I attended the 2nd Annual Future of Cloud Computing in the Financial Services, held last week in both Melbourne and Sydney. What impressed me is that most of the speakers were far beyond the blah-blah-blah-cloud rhetoric we still seem to hear so much, and focused instead on their real, day-to-day experiences with using cloud in the enterprise. It was as refreshing as a spring day in Sydney.

Greg Booker, CIO of ANZ Wealth, opened the conference with a provocative question. He simply asked who in the audience was in the finance or legal departments. Not a hand came up in the room. Now bear in mind this wasn’t Microsoft BUILD—most of the audience consisted of senior management types drawn from the banking and insurance community. But obviously cloud is still not front of mind for some very critical stakeholders that we need to engage.

Booker went on to illustrate why cross-department engagement is so vital to making the cloud a success in the enterprise. ANZ uses a commercial cloud provider to serve up most of its virtual desktops. Periodically, users would complain that their displays would appear rendered in foreign languages. Upon investigation they discovered that although the provider had deployed storage in-country, some desktop processing took place on a node in Japan, making this kind of a grey area in terms of compliance with export restrictions on customer data. To complicate matters further, the provider would not be able to make any changes until the next maintenance window—an event which happened to be weeks away. IT cannot meet this kind of challenge alone. As Randy Fennel, General Manager, Engineering and Sustainability at Westpac put it succinctly, “(cloud) is a team sport.”

I was also struck by a number of insightful comments made by the participants concerning security. Rather than being shut down by the challenges, they adopted a very pragmatic approach and got things done. Fennel remarked that Westpac’s two most popular APIs happen to be balance inquiry, followed by their ATM locator service. You would be hard pressed to think of a pair of services with more radically different security demands; this underscores the need for highly configurable API security and governance before these services go into production. He added that security must be a built-in attribute, one that must evolve with a constantly changing threat landscape or be left behind. This thought was echoed by Scott Watters, CIO of Zurich Financial Services, who added that we need to put more thought into moving security into applications. On all of these points I would agree, with the addition that security should be close to apps and loosely coupled in a configurable policy layer so that over time, you can easily address evolving risks and ever-changing business requirements.

The entire day was probably best summed up by Fennel, who observed that “you can’t outsource responsibility and accountability.” Truer words have not been said in any conference, north or south.

September 22nd, 2011

Defining, Enforcing & Validating Web Services Policy on AWS


Layer 7 is now accepting registrations for an upcoming event near Washington, DC, which will provide practical instructions on how to secure a Cloud-based IT infrastructure built upon Amazon Web Services (AWS). Here are the full details:

Defining, Enforcing & Validating Web Services Policy on AWS
Thursday October 6, 6pm-8pm
Tysons Corner Marriott (Salons E and F, Grand Ballroom, Main Level), Tysons Corner, VA

Click here to register for the event


This hands-on workshop will demonstrate how a Layer 7 SecureSpan EC2 Appliance can be configured to secure integrations to and from the AWS Cloud. The event will include an overview of AWS security as well as practical instructions on how to:

  • Ensure security and federate identities in Cloud/enterprise integrations
  • Implement fine-grained access and data security policies without coding
  • Secure and manage REST APIs for Cloud applications

To sweeten the deal even more, we’ll be providing a light dinner and giving all attendees a 90-day evaluation of the SecureSpan EC2 Appliance. If you’re interested in attending, don’t wait around too long before you register – our last event in this part of the world was a sell-out!

Register now for Defining, Enforcing & Validating Web Services Policy on AWS

September 20th, 2011

Upcoming Webinar: A Practical Guide to API Security & OAuth for the Enterprise

Recently, anything to do with Web APIs has been a hot topic. Right now, no API-related topic is hotter than OAuth. Enterprises moving into API publishing want to know what OAuth can do for them and how to implement it. Layer 7 will be providing some answers to these questions in the upcoming webinar A Practical Guide to API Security & OAuth for the Enterprise.

This one-hour webinar, featuring research from Forrester Research, Inc., will take place on Wednesday, October 12 at 9am Pacific (which is noon Eastern and 5pm if you’re in the UK). We’re accepting registrations now – so, if you want to learn all about how to securely publish APIs and how to implement OAuth, click here to register.

Eve Maler, Principal Analyst, Forrester Research, Inc.

The webinar will be led by Layer 7 CTO/Chief Architect Scott Morrison and will feature input from Forrester Principal Analyst Eve Maler. Topics covered will include:

  • Different approaches to exposing information through APIs
  • Security considerations for protecting APIs
  • API management best practices
  • When to use OAuth and how best to implement it

If your organization is launching an API publishing program or if you’d simply like to find out what OAuth is all about, you won’t want to miss this webinar.

Register now for A Practical Guide to API Security & OAuth for the Enterprise