October 18th, 2011

Presentation: API Security & OAuth Patterns

Last week, Layer 7’s Director of Solutions Engineering, Francois Lascelles, gave a presentation at the RSA Europe Conference in London. The presentation, called Enterprise Access Control Patterns for REST and Web API, provided an overview of the various authentication and identity federation mechanisms applicable to Web APIs and RESTful Web services.

With more and more organizations looking to expose application data via APIs, the issue of API security is on a lot of people’s minds. Francois’ aim was to help some of these people make sense of protocols like OAuth, SAML and OpenID. He also aimed to explain how these protocols fit together and how they can be leveraged to enable trust management and access control.

Francois got a very positive response to this presentation, so we decided to make his slide deck more widely available. You can view the whole thing right now in the player below, courtesy of the Layer 7 Slide Share page:

October 17th, 2011

New White Paper: A Simple & Secure Approach to Integration across SOA, API & Cloud

We’re very pleased to announce the publication of a new Layer 7 white paper, called SOA Appliances: A Simple & Secure Approach to Integration across SOA, API & Cloud. Written by Jamie Ryan, Layer 7’s Partner Solutions Architect, this white paper explores how a SOA Gateway can be deployed as a lightweight alternative to the conventional Enterprise Service Bus (ESB).

The ESB has emerged in recent years in response to the increased need for IT integration, which enterprises have experienced as a result of rapidly proliferating Cloud and mobile technologies. ESBs tend to be extremely feature-rich. Consequently, they can also be very complex, to the point that they are often difficult and costly to install, administer and secure.

Our new white paper explains that a SOA Gateway represents a simpler, more cost-effective alternative to the ESB – crucially, an alternative that does not require the enterprise to compromise on security. Using a SOA Gateway as an ESB enables a modern integration architecture but with a much lighter footprint and user experience.

Click here to download SOA Appliances: A Simple & Secure Approach to Integration across SOA, Cloud & API

October 14th, 2011

FROM THE VAULT: Resources on How to Choose a SOA Gateway

Our weekly From the Vault series highlights classic resources from the Layer 7 Library. This week, we’ve got not one but two items, both of which will prove highly valuable to anyone who is researching options for purchasing or replacing a SOA Gateway – a white paper called Not All SOA Gateways are Created Equal and a webinar called How to Choose a SOA Gateway.

Not All SOA Gateways are Created Equal notes that most Gateways on the market are able to address a good deal of the most common functional requirements. However, the white paper explains, the total cost of ownership (TCO) varies widely between Gateways – and TCO extends well beyond the initial licensing fees to encompass a range of significant factors.

The white paper goes on to examine those factors that will have the greatest impact on TCO, namely:

  • Ease of deployment and customization
  • Manageability, scalability and reliability
  • Cost of upgrade or repurchasing

Click here to find out more about the white paper and to download the PDF

How to Choose a SOA Gateway expands upon the content of this white paper to provide business managers with practical instructions on which key operational and functional needs, as well as potential pitfalls, to consider when selecting a SOA Gateway, including:

  • Portability considerations
  • Scalability risks
  • Extensibility and upgradeability needs
  • Global management implications
  • Hidden operational costs

You can either click here to find out more about the webinar and to download a copy or you can stream it in the player below, courtesy of the Layer 7 YouTube channel:

October 13th, 2011

Recorded Webinar: A Practical Guide to API Security & OAuth for the Enterprise featuring Forrester Research, Inc.

Yesterday, Layer 7 held what turned out to be the company’s number one most popular webinar ever: A Practical Guide to API Security & OAuth for the Enterprise. The remarkably large number of sign-ups we had for this event stands as evidence of the hunger for expert insight into issues around Web API generally and OAuth in particular. In this case, the expert insight was provided by Eve Maler, Principal Analyst at Forrester Research, Inc., as well as by Layer 7’s own Scott Morrison. Judging from the feedback we received during and after the session, quite a few people found this webinar to be particularly insightful and thought-provoking.

Input from Forrester Research, Inc. is always valuable and Eve Maler’s presentation – OAuth as a Serious API Security Tool for Enterprises: A Practical Overview – certainly didn’t disappoint. She began by positioning OAuth as “a powerhouse of API security and SSO solutions” and went on to advise that enterprises should “Leverage OAuth’s ascendance while minding its weaknesses”. The key point here was that OAuth may be simple, but that doesn’t mean it has to be a low-security option. If an enterprise uses and insists on OAuth best practices, OAuth can indeed be a serious API security tool and can work in environments that require “zero trust”. Eve went on to give some great, practical advice for security and risk professionals and developers looking to leverage OAuth.

Next, Scott provided a practical demonstration of how Layer 7’s OAuth Toolkit can be used to ensure the consistent application of these best practices. The OAuth Toolkit provides enterprises with a centralized way to create and implement OAuth for all their protected services and APIs. Layer 7’s OAuth capabilities support a variety of standards, including OAuth 1.0a, OAuth 2.0, SAML 1.1, SAML 2.0, WS-Trust, REST and JSON, among others.

For those of you who missed the event, we now have the full one-hour recording online. Click here to find out more about the webinar and download a copy. Alternatively, you can simply stream the complete recording in the player below, courtesy of the Layer 7 YouTube channel.

October 12th, 2011

Event Follow-Up: Defining, Enforcing & Validating Web Services Policy on AWS

Last week, I was involved with a Layer 7 workshop in Tysons Corner, VA, just outside of Washington, DC. This workshop, called Defining, Enforcing & Validating Web Services Policy on AWS, was presented in association with our friends at Amazon Web Services. The goal of the session was to teach attendees how to build a secure bridge between the enterprise and the public Cloud.

You see, for organizations with variable application loads or the need to scale rapidly, Cloud services like AWS offer a truly elastic way to accommodate changing compute needs. But it’s rare for an enterprise to be able to run a workload in the public Cloud isolated from data or applications residing inside the enterprise. These organizations need ways to bridge the enterprise and the Cloud without compromising security or limiting scale-out.

The Layer 7/AWS workshop demonstrated a solution based on Layer 7’s industry-leading SecureSpan EC2 Appliance, which makes it simple for organizations in this situation to address the challenges of federation, integration and governance they are facing. Specifically, the event began with an overview of AWS before providing practical instructions on how the SecureSpan EC2 Appliance can be used to:

  • Ensure security and federate identities in Cloud/enterprise integrations
  • Implement fine-grained access and data security policies without coding
  • Secure and manage REST APIs for Cloud applications

We certainly got a great response from attendees. Also, during registration, we got quite a few requests for similar events in different cities. If you’d like us to hold a Layer 7/AWS workshop in your city, please don’t hesitate to contact us by calling 1-800-681-9377 or emailing sales@layer7.com. In the meantime, if you want to know more, the slides presented at the workshop are available here. Additionally, here’s a demo of Layer 7 federation features specific to AWS: