Matt McLarty

Matt McLarty is Vice President of Client Solutions at Layer 7 Technologies. Matt is focused on customer success, providing implementation best practices and architectural guidance to ensure clients receive the maximum benefit from Layer 7’s products. Matt brings over 15 years of technology leadership to Layer 7, with a particular focus on enterprise architecture, strategy and integration. Prior to joining Layer 7, Matt led the global IBM technical sales organization responsible for application integration software and solutions, notably helping to grow the SOA Gateway business substantially over a five-year period. Before joining IBM, Matt worked as a Senior Director and Enterprise Architect focused on SOA, electronic payments and identity management.

December 3rd, 2012

A Break in the Clouds

A recent study by researchers at North Carolina State University and the University of Oregon describes a threat scenario that allows attackers to exploit cloud-based resources for malicious purposes like cracking passwords or launching denial-of-service attacks. The study has gotten a lot of attention, including articles in reputable sources like Dark Reading, Ars Technica and Network World.

In order to optimize the performance of mobile apps or browsers, some computation-heavy functions have been offloaded to cloud-based resources, which in turn access backend resources and Web pages. This creates a middle ground in the cloud that is exploited in the attack, which the authors call “Browser Map Reduce (BMR)”. In reading the paper, it’s clear that this is a legitimate threat. The authors actually carried it out using free resources, although they limited the scope in order not to be abusive.

Aside from questions of curiosity around the mechanics of the vulnerability, the obvious question is this: How can we mitigate this threat? Here are a few perspectives, along with a method for each.

Apps – This “cloud offload” architecture has arisen because of the processing limitations of mobile devices. When a backend resource is requested by a mobile user, it makes sense to have the data returned in the most consumable format, in order to optimize user experience. Whenever possible, instead of doing this through “browser offload”, data should be returned as JSON objects. This API approach is a proven method that works for mobile devices and is not subject to the BMR threat.

Cloud Services – This threat should not be viewed as a dismissal of the “cloud offload” approach. Cloud-based resources are necessary for handling caching, data indexing and other key functions in the mobile paradigm. However, it serves as a warning that these dedicated cloud-based resources cannot be considered part of a walled garden that includes the associated mobile app. The resource’s entry point must be protected against attackers. Layer 7’s SecureSpan Mobile Access Gateway is an ideal choice for this access control, as it uses identity-based measures to ensure that only requests from legitimate sources are serviced.

Web-Based Resources – Although the backend Web resource was not exploited in this scenario, the study is a reminder that the topology of the mobile Web is changing and increasing in complexity. P2P app-to-API connections cannot be assumed and therefore inbound API calls cannot be implicitly trusted. API access must be controlled and the SecureSpan API Proxy is a leading solution for this purpose.

To sum up, this is a legitimate threat but not a reason to abandon the use of cloud-based resources for mobile app optimization. Be aware of the threats, employ the mitigations and then you can continue to enjoy the exciting growth of the mobile Web.

October 2nd, 2012

Non-Function Junction: API Automation for Enterprise Operations

Recently, I’ve been working closely with a number of large enterprise clients who have already gone or will soon go live with Layer 7 solutions at the core of mission-critical infrastructure. I’ve observed that, in the API Management space, proof of concept and initial projects often focus on functional needs but the emphasis shifts to non-functional requirements as environments mature and sharing increases. There’s a clear, three-phase progression for large enterprises, which moves along these lines:

  1. Solve the basic functional use cases – The 80% in the 80-20 rule
  2. Solve the remaining, more complex use cases – The 20%
  3. Deploy the basic functions on an enterprise scale – Back to the 80%

In Phase 3, it’s all about performance, scalability, operability, security, availability and consumability. The problems are very complex but the goal is to make the resulting solution as usable and simple as possible, given the wide range of users, developers, testers and operators that will be involved in its execution. As technology vendors, we are often guilty of focusing inwardly on bells and whistles, rather than outwardly on interoperability. This works well for phases 1 and 2 but brings a reckoning in the third phase. Fortunately, at Layer 7, we’ve spent the past decade working with enterprise clients and have evolved our products to meet their adaptability, reliability and automation needs.

The Layer 7 Management API is at the core of this capability. The Management API ships with all Layer 7 Gateways, to enable automated administration of policies, resources and access control that can plug into enterprise configuration management, deployment and monitoring systems. It can be accessed programmatically through a Java API, on the network through a Web service API or built into command line scripts. For the clients I have worked with, this capability and the assurance it provides on moving through the systems development lifecycle is quite simply a must-have.

July 13th, 2012

Layer 7 at Your Service

Layer 7 has been providing solutions for more than a decade. In this time, we have gained valuable experience of how to make our industry-leading products deliver maximum benefit in critical customer environments. In particular, we’ve gained a great deal of knowledge about how to translate clients’ business needs into robust solutions that meet the functional requirements and address key non-functional areas like performance, security and operations.

Recently, we’ve added a number of industry experts to our full-time team, in order to deepen this expertise and expand our delivery. Services have become an increasingly important part of our business and we have just launched a new Services section on our Web site in order to provide details of our service offerings.

Training Services are always the right starting point for new clients and we have a number of courses we can tailor to meet any customer’s needs. Following training, we can customize IT Services to provide consulting, configuration and any implementation activity. Our Business Services help companies explore new opportunities through technology. The current focus is on the many possibilities offered by APIs and we’re very excited to have noted industry experts Mike Amundsen and Ronnie Mitra leading this practice.

Please have a look at all the services we offer and let us know if any of these would help your company out. No matter what phase of a project you’re in, we will be happy to be at your service!

June 6th, 2012

Start Spreading the News… Cloud Expo, New York

Cloud Expo 2012 is almost here. This promises to be an incredible event, with thousands of attendees and over 100 speakers. As previously mentioned, I’m privileged to be presenting on Making Hybrid Cloud Safe & Reliable. I’m particularly excited that I’ll be introducing attendees to the new concept of API-Aware Traffic Management. It will also be great to be back in New York City!

I recently read Daniel Kahneman’s book Thinking Fast & Slow, a fascinating study of how the human mind works. With the new capabilities offered by big data and Cloud computing — the dual themes for next week’s event — and the increasing personalization of technology through Mobile devices, I think we have an opportunity to make our digital systems more human in their processing. What does that mean? Well, more intuitive in user experience, more lateral through caching of unstructured data and more adaptive to changing conditions. API-Aware Traffic Management certainly reflects this potential.

If you are going to be (or hope to be) at the event, add a response in the comments box or tweet to @MattMcLartyBC. Hope to see you there!

May 15th, 2012

API-Aware Traffic Management

As I mentioned in my last blog post, the promise of cost reduction is compelling many enterprises to move their workloads into the Cloud but many IT leaders are reluctant to do so, for fear of compromising the security and availability of their services. These concerns are well-founded but the benefits of Cloud are too great to ignore. To obtain these benefits, companies must adopt techniques that protect against the attendant risks, without compromise.

Many people are familiar with Layer 7’s industry-leading security functionality, so it’s no surprise that I’d recommend using our Gateway technology to protect connections from on-premise infrastructure to off-premise Cloud services. The flexibility of deployment options we offer makes it possible to create a network of secure on- and off-premise endpoints to meet the most stringent requirements. This covers security but what about availability?

People seem to be less familiar with Layer 7’s routing capabilities. Our Gateway technology is optimized to perform flexible, content-based routing with negligible impact on overall transaction times. In the context of the Cloud, this means that traffic proxied by a Layer 7 Gateway can be re-directed using intelligent algorithms and even dynamic, state-based awareness. This routing capability, which I call “API-aware traffic management”, brings huge benefits in ensuring availability when connecting to multiple API instances – on-premise, off-premise, in multiple Clouds… anywhere on the hybrid network.

I’ll be discussing this topic in detail at the upcoming Cloud Expo 2012, June 11-14 in New York City. This promises to be a great event, so I hope you can make it and attend my discussion!