August 7th, 2012

Using WebSockets – Part 1: Minding the Gates

HTML 5 and WebSocketOne of the most exciting features introduced with HTML5 was support for WebSockets. The WebSocket protocol has been through a lot of churn over the last two years, with browser vendors desperately trying to keep pace with changes in the specification. Thankfully, the standard has now become stable enough to be utilized in enterprise projects.

The beauty the WebSocket protocol is that it lets an application seamlessly move from an HTTP/Web-based flow into a socket-based conversation and then back to a Web-based flow. In this way, it allows Web- and mobile-based applications to easily move from the traditional request-reply HTTP world into new forms of full-duplex, bi-directional communication.

We’ve seen a similar evolution in the past within the message-oriented middleware world. With the emergence of SOA and API, enterprises realized they needed new ways of moving data around and middleware technologies emerged that facilitated the movement of data in ways that were not possible with existing request-reply synchronous messaging infrastructures.

Traditionally, Web and mobile applications had to work hard in order to send or receive real-time data. Now, developers can use WebSocket to move data up and down the communication channel quickly and efficiently. This is like moving from an email client that requires you to constantly check for new mail to one that instantly alerts you when a new email arrives.

This style of communication will provide enormous benefits for applications that require messages to be passed quickly between the client and server.  Architects will have an easier time building applications with real-time messaging requirements, opening the door to some very intriguing solution designs.  Targeted notification systems, more-responsive UIs and even complex architectures such as massive grid networks built on top of the Web will be much easier to implement properly.

But, what’s missing from the WebSocket story is an effective way of minding the gates. The “black hat” guys already see WebSockets as representing a new attack surface, so organizations that are serious about providing reliable, scalable solutions will require some form of Gateway on the server side, to guard against security breaches.

To address WebSocket security, a Gateway must be able to enforce SSL handshakes, limit the number of connection requests, protect against payload injection attacks and enforce strong authentication methods – the same set of attack vectors that exist for SOAP/XML Web services and REST/JSON APIs.

That’s why I’m particularly excited about Layer 7′s recently-announced SecureSpan Mobile Access Gateway product. The Mobile Access Gateway extends Layer 7’s industry-leading technology for SOA and API in order to address mobile-specific concerns – and it includes a very secure WebSocket implementation.

In addition to the security benefits, the Gateway can be used to enrich or filter data in real-time. This opens the door to a new set of compelling use cases that includes data auditing, image watermarking and blacklist filtering – possibilities intriguing enough to stand on their own as justifications for implementing a WebSocket Gateway.

So, we’ve discussed what the WebSocket protocol is and why it’s so important to keep WebSockets secure. But how does all this fit into the exciting world of APIs that we’ve been focusing on in many of our recent blog posts? Our Principal API Architect Mike Admundsen will tackle this question next week, in our continuing series on this very important protocol.

June 8th, 2012

Layer 7 at Gartner Security & Risk Management Summit

Gartner Security and Risk ManagementNext week (June 11-14), Layer 7 will be exhibiting at the Gartner Security & Risk Management Summit near Washington, DC (in National Harbor, MD). Speakers will run the gamut from Michael Dell to the Cybersecurity Coordinator for the White House, because enterprises and governmental organizations share a serious interest in securing data and applications.

The combination of security and risk management is particularly interesting these days, as rapid migration to Cloud and Mobile has introduced a new set of risks. These new platforms raise issues around compliance, information security and identity management, which can only be addressed with a comprehensive approach to security, using proven technology.

If you’re at the show, stop by and visit Layer 7 at Booth 92. We’d love to demonstrate how our SOA Governance and API Management solutions can counteract the risks involved with adopting these new technologies. Our solutions – flexibly deployed on-premise or in the Cloud – provide control over data and applications being exposed to partners, Cloud and Mobile.

And our industry-leading technology has been certified at the highest levels for use in both corporate and governmental organizations – PCI-DSS compliance for retail, STIG vulnerability testing for the DoD, FIPS 140-2 for cryptographic functionality and Common Criteria certification for overall security.

Don’t let the risk outweigh the reward – come talk to us!

March 23rd, 2012

Layer 7 at the 2012 DoDIIS Worldwide Conference

2012 DoDIIS Worldwide ConferenceLayer 7 is proud to be exhibiting at the 2012 Department of Defense Intelligence Information Systems (DoDIIS) Worldwide Conference, which will be taking place in Denver this April 1-4. The show will be focusing on the Defense Intelligence Agency’s goal of unifying defense intelligence infrastructure and information sharing initiatives.

Never before has so much intelligence data been collected and never has the challenge of securely sharing these valuable assets been greater. As new intelligence systems come online, issues inevitably arise around the need to make data and security credentials interoperable between these new systems and existing capabilities.

As the leading provider of secure messaging and security Gateway solutions to the US Federal Intelligence Community, Layer 7 will be at the show, demonstrating its solutions for data and security interoperability within the enterprise and the Cloud. If you’re attending the DoDIIS conference, stop by Booth 917 to see first-hand how you can resolve interoperability and fine-grained access challenges with a Common Criteria EAL 4+ certified solution from Layer 7.

March 19th, 2012

Layer 7 Helps Keep America Safe

Layer 7 Helps Keep America SafeAt Layer 7, we often talk about how we can help enterprises open up net-centric information-sharing APIs. Often overlooked is the vital national security role APIs and net-centric computing perform – they are crucial to connecting applications residing across national agencies and even on mobile devices, vehicles and machines.

For several years, Layer 7 has proudly served national security communities in the US, Canada and Europe, with high-resiliency API security and management technologies for various SOA, mobile and Cloud initiatives. We are proud to include among our clients some of the most demanding organizations on Earth, including the US DoD, US Department of Homeland Security, US Department of Justice, US Department of Transportation and NATO.

Layer 7 is continuing its efforts to help organizations like these address the challenges and opportunities associated with SOA-based information sharing and interoperability in the context of reduced budgets, increasing cyber threats, Cloud infrastructure and the need to leverage existing systems in a networked environment.

Due to the sensitive nature of the projects, much of our work to make these efforts successful goes unheralded. However, we are thrilled that one of our recent efforts in supporting Northrup Grumman modernize the US Air Force Air & Space Operations Center Weapons System has been publicly announced.

Layer 7 is working with a consortium of vendors under Northrup Grumman to make the Air & Space Operations Center more agile and net-centric via Service-Oriented, API-based approaches to information sharing. Clearly, SOA and net-centric computing are becoming cornerstones of how applications are discovered, connected and protected and how information is shared.

February 7th, 2012

API Management – Infrastructure Versus SaaS

API Management - Infrastructure Versus SaaS

The Enterprise is buzzing with API initiatives these days. APIs not only serve mobile applications, they are increasingly redefining how the enterprise does B2B and integration in general. API management as a category follows different models. On one hand, certain technology vendors offer specialized infrastructure to handle the many aspects of API management. On the other, an increasing number of SaaS vendors offer a service which you subscribe to, providing a pre-installed, hosted, basic API management system. Hybrid models are emerging but that’s a topic for a future post.

Before opting for a pure SaaS-based API management solution, think about these key considerations:

The Cloud Advantage
One can realize the benefits of Cloud computing from an API management solution without losing the ability to control its underlying infrastructure. For example, IaaS solutions let you host your own API management infrastructure. Private Clouds are also ideal for hosting API management infrastructure and provide the added benefit of running "closer" to key enterprise IT assets. Through any of these SaaS alternatives, an API management infrastructure optimizes computing resource utilization. IaaS and private Cloud-based API management infrastructure also provide elasticity and can scale on demand. Look for an API management solution that offers a virtual appliance form factor to maximize the benefits of Cloud.

Return on Investment
The advantage of a lower initial investment from SaaS-delivered API management solutions quickly becomes irrelevant when the ongoing cost of a per-hit billing structure increases exponentially. With your own API management infrastructure in place, you can leverage an initial investment over as many APIs as you want to deliver, no matter how popular the APIs become. Many early adopters, which originally opted for the SaaS model, are currently making the switch to the infrastructure model in order to remedy a monthly cost that has grown to unmanageable levels. Unfortunately, such transitions are sometimes costing more than any initial costs savings.

Agility, Integration
SaaS solutions provide easy-to-use systems isolated in their own silos. This isolation from the rest of your enterprise IT assets creates a challenge when you attempt to integrate the API management solution with other key systems. Do you have an existing Web portal? How about existing identity, business intelligence or billing systems? If your API management solution is infrastructure-based, you have access to all the low-level controls and tooling that are required to integrate these systems together. Integrating your API management with existing identity infrastructure can be important to achieving runtime access control. Integrating with billing systems is crucial to monetizing your APIs. Feeding metrics from an API management infrastructure into an existing BI infrastructure provides better visibility.

Security
Depending on the audience for your APIs, various regulations and security standards may apply. Sensitive information traveling through a SaaS-based system is outside your control. Are any of your APIs potentially dealing with cardholder information? Does PCI-DSS certification matter? If so, a SaaS-based API management solution is likely to be problematic. In addition to the off-premise security issue, SaaS-based API management solutions offer limited security and access control options. For example, the ability to decide which versions of OAuth you choose to implement matters if you need to cater to a specific breed of developers.

Performance
Detours increase latency. By routing API traffic through a hosted system before it gets to the source of the data, you introduce detours. By contrast, if you architect an API management infrastructure in such a way that runtime controls happen in the direct path of transaction, you minimize latencies. For example, using the infrastructure approach, you can deploy everything in a DMZ. Also, by owning the infrastructure, you have complete control over the computing resources allocated to it.

I'll be touching upon some of these issues when I give a presentation called Enterprise Access Control Patterns for REST & Web APIs on March 2, at the RSA Conference in San Francisco.