October 13th, 2011

Recorded Webinar: A Practical Guide to API Security & OAuth for the Enterprise featuring Forrester Research, Inc.

Yesterday, Layer 7 held what turned out to be the company’s number one most popular webinar ever: A Practical Guide to API Security & OAuth for the Enterprise. The remarkably large number of sign-ups we had for this event stands as evidence of the hunger for expert insight into issues around Web APIs generally and OAuth in particular. In this case, the expert insight was provided by Eve Maler, Principal Analyst at Forrester Research, Inc., as well as by Layer 7’s own Scott Morrison. Judging from the feedback we received during and after the session, quite a few people found this webinar to be particularly insightful and thought-provoking.

Input from Forrester Research, Inc. is always valuable and Eve Maler’s presentation – OAuth as a Serious API Security Tool for Enterprises: A Practical Overview – certainly didn’t disappoint. She began by positioning OAuth as “a powerhouse of API security and SSO solutions” and went on to advise that enterprises should “Leverage OAuth’s ascendance while minding its weaknesses”. The key point here was that OAuth may be simple, but that doesn’t mean it has to be a low-security option. If an enterprise uses and insists on OAuth best practices, OAuth can indeed be a serious API security tool and can work in environments that require “zero trust”. Eve went on to give some great, practical advice for security and risk professionals and developers looking to leverage OAuth.

Next, Scott provided a practical demonstration of how Layer 7’s OAuth Toolkit can be used to ensure the consistent application of these best practices. The OAuth Toolkit provides enterprises with a centralized way to create and implement OAuth for all their protected services and APIs. Layer 7’s OAuth capabilities support a variety of standards, including OAuth 1.0a, OAuth 2.0, SAML 1.1, SAML 2.0, WS-Trust, REST and JSON, among others.

For those of you who missed the event, we now have the full one-hour recording online. Click here to find out more about the webinar and download a copy. Alternatively, you can simply stream the complete recording in the player below, courtesy of the Layer 7 YouTube channel.

October 12th, 2011

Event Follow-Up: Defining, Enforcing & Validating Web Services Policy on AWS

Last week, I was involved with a Layer 7 workshop in Tysons Corner, VA, just outside of Washington, DC. This workshop, called Defining, Enforcing & Validating Web Services Policy on AWS, was presented in association with our friends at Amazon Web Services. The goal of the session was to teach attendees how to build a secure bridge between the enterprise and the public Cloud.

You see, for organizations with variable application loads or the need to scale rapidly, Cloud services like AWS offer a truly elastic way to accommodate changing compute needs. But it’s rare for an enterprise to be able to run a workload in the public Cloud isolated from data or applications residing inside the enterprise. These organizations need ways to bridge the enterprise and the Cloud without compromising security or limiting scale-out.


The Layer 7/AWS workshop demonstrated a solution based on Layer 7’s industry-leading SecureSpan EC2 Appliance, which makes it simple for organizations in this situation to address the challenges of federation, integration and governance they are facing. Specifically, the event began with an overview of AWS before providing practical instructions on how the SecureSpan EC2 Appliance can be used to:

  • Ensure security and federate identities in Cloud/enterprise integrations
  • Implement fine-grained access and data security policies without coding
  • Secure and manage REST APIs for Cloud applications

We certainly got a great response from attendees. Also, during registration, we got quite a few requests for similar events in different cities. If you’d like us to hold a Layer 7/AWS workshop in your city, please don’t hesitate to contact us by calling 1-800-681-9377 or emailing sales@layer7.com. In the meantime, if you want to know more, the slides presented at the workshop are available here. Additionally, here’s a demo of Layer 7 federation features specific to AWS:

September 23rd, 2011

Clouds Down Under

When I was young I was fascinated with the idea that the Coriolis effect—the concept in physics which explains why hurricanes rotate in opposing directions in the southern and northern hemispheres—could similarly be applied to common phenomena like water disappearing down a bathtub drain. On my first trip to Cape Town many years ago I couldn’t wait to try this out, only to realize in my hotel bathroom that I had never actually got around to checking what direction water drains in the northern hemisphere before I left. So much for the considered rigor of science.

It turns out of course that the Coriolis effect, when applied on such a small scale, becomes negligible in the presence of more important factors such as the shape of your toilet bowl. And so, yet another one of popular culture’s most cherished myths is busted, and civilization advances ever so slightly.

Something that definitely does not run opposite south of the equator turns out to be cloud computing, though to my surprise conferences down under take a turn in the positive direction. I’ve just returned from a trip to Australia where I attended the 2nd Annual Future of Cloud Computing in the Financial Services, held last week in both Melbourne and Sydney. What impressed me is that most of the speakers were far beyond the blah-blah-blah-cloud rhetoric we still seem to hear so much, and focused instead on their real, day-to-day experiences with using cloud in the enterprise. It was as refreshing as a spring day in Sydney.

Greg Booker, CIO of ANZ Wealth, opened the conference with a provocative question. He simply asked who in the audience was in the finance or legal departments. Not a hand came up in the room. Now bear in mind this wasn’t Microsoft BUILD—most of the audience consisted of senior management types drawn from the banking and insurance community. But obviously cloud is still not front of mind for some very critical stakeholders that we need to engage.

Booker went on to illustrate why cross-department engagement is so vital to making the cloud a success in the enterprise. ANZ uses a commercial cloud provider to serve up most of its virtual desktops. Periodically, users would complain that their displays would appear rendered in foreign languages. Upon investigation they discovered that although the provider had deployed storage in-country, some desktop processing took place on a node in Japan, making this a grey area in terms of compliance with export restrictions on customer data. To complicate matters further, the provider would not be able to make any changes until the next maintenance window—an event which happened to be weeks away. IT cannot meet this kind of challenge alone. As Randy Fennel, General Manager, Engineering and Sustainability at Westpac put it succinctly, “(cloud) is a team sport.”

I was also struck by a number of insightful comments made by the participants concerning security. Rather than being shut down by the challenges, they adopted a very pragmatic approach and got things done. Fennel remarked that Westpac’s two most popular APIs happen to be balance inquiry, followed by their ATM locator service. You would be hard pressed to think of a pair of services with more radically different security demands; this underscores the need for highly configurable API security and governance before these services go into production. He added that security must be a built-in attribute, one that must evolve with a constantly changing threat landscape or be left behind. This thought was echoed by Scott Watters, CIO of Zurich Financial Services, who added that we need to put more thought into moving security into applications. On all of these points I would agree, with the addition that security should be close to apps and loosely coupled in a configurable policy layer so that over time, you can easily address evolving risks and ever-changing business requirements.

The entire day was probably best summed up by Fennel, who observed that “you can’t outsource responsibility and accountability.” Truer words have not been said in any conference, north or south.


September 22nd, 2011

Defining, Enforcing & Validating Web Services Policy on AWS


Layer 7 is now accepting registrations for an upcoming event near Washington, DC, which will provide practical instructions on how to secure a Cloud-based IT infrastructure built upon Amazon Web Services (AWS). Here are the full details:

Defining, Enforcing & Validating Web Services Policy on AWS
Thursday October 6, 6pm-8pm
Tysons Corner Marriott (Salons E and F, Grand Ballroom, Main Level), Tysons Corner, VA

Click here to register for the event


This hands-on workshop will demonstrate how a Layer 7 SecureSpan EC2 Appliance can be configured to secure integrations to and from the AWS Cloud. The event will include an overview of AWS security as well as practical instructions on how to:

  • Ensure security and federate identities in Cloud/enterprise integrations
  • Implement fine-grained access and data security policies without coding
  • Secure and manage REST APIs for Cloud applications

To sweeten the deal even more, we’ll be providing a light dinner and giving all attendees a 90-day evaluation of the SecureSpan EC2 Appliance. If you’re interested in attending, don’t wait around too long before you register – our last event in this part of the world was a sell-out!

Register now for Defining, Enforcing & Validating Web Services Policy on AWS

September 13th, 2011

ArcSight CEF Certification for Layer 7 Gateways

Category Security

I’m excited to announce that HP has just awarded ArcSight Common Event Format (CEF) certification to Layer 7’s SecureSpan and CloudSpan product suites. We’ll be proudly demoing our newly-certified CEF integration at the ArcSight Protect 2011 show in Washington DC, September 11-14.

To whet your appetite, I’d like to provide a quick preview of precisely what we’ll be demoing. Essentially, what we’re talking about here is a hybrid risk-management solution for the extended enterprise, based on integration between the Layer 7 gateway and HP’s ArcSight Enterprise Threat and Risk Management (ETRM) platform.

ETRM helps enterprises collect and analyze data on security risks. Layer 7’s support for ArcSight’s native CEF specification creates an awareness of and visibility into security threats in situations where applications and services are extended beyond normal enterprise boundaries – for example, when they are deployed in the cloud or made available on mobile devices.

The core value of the Layer 7/ETRM integration comes from its ability to correlate cross-domain security data. Layer 7’s CEF integration achieves this by allowing ETRM users to map events and identities associated with external entities to known internal identities. This creates an end-to-end view of access control decisions based on user credentials, organizations and roles.

Our product suite is particularly well placed to map this information as it delivers an extremely rich set of identity features. SecureSpan and CloudSpan support a wide variety of credential types, authentication servers and authorization mechanisms. They also deliver standards-based Security Token Service functionality for additional credential mapping.

Layer 7’s CEF support also creates a comprehensive view of application usage and vulnerabilities. For example, when an application interface is exposed to external consumers as an API, Layer 7 can enforce security policies on external application requests and extract usage data essential to event correlation across all executions of the application.
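To make the correlation step concrete, here is an added example (not Layer 7 or ArcSight code) that parses a few constructed CEF lines of the kind a gateway might emit and maps the external principal in the suser extension field to a known internal identity. The vendor, product, signature IDs, field names and identity table in the sample are assumed for illustration only.

```python
import re
from dataclasses import dataclass, field

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# A literal '|' inside a header field is escaped as '\|'; inside the extension '=' is escaped as '\='.
_EXT_RE = re.compile(r'(\w+)=((?:\\.|[^=\\])*?)(?=\s+\w+=|\s*$)')
_UNESCAPE = {'=': '=', '\\': '\\', 'n': '\n', 'r': '\r', '|': '|'}

@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    ext: dict = field(default_factory=dict)

def _unescape(value: str) -> str:
    # Undo CEF extension escapes; unknown escape sequences are left untouched.
    return re.sub(r'\\(.)', lambda m: _UNESCAPE.get(m.group(1), m.group(0)), value)

def parse_cef(line: str) -> CefEvent:
    """Parse one CEF record into its seven header fields plus an extension dict."""
    if not line.startswith('CEF:'):
        raise ValueError('not a CEF record')
    fields, cur, i = [], [], 4                  # start after the 'CEF:' prefix
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == '\\' and i + 1 < len(line):     # escaped character inside a header field
            cur.append(line[i + 1]); i += 2; continue
        if c == '|':
            fields.append(''.join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    if len(fields) != 7:
        raise ValueError('CEF header needs 7 pipe-delimited fields')
    ext = {k: _unescape(v) for k, v in _EXT_RE.findall(line[i:])}
    return CefEvent(*fields, ext=ext)

def correlate(lines, identity_map):
    """Attach the internal identity for each event's external principal (suser); 'unmapped' if unknown."""
    events = []
    for line in lines:
        ev = parse_cef(line)
        ev.ext['internal_user'] = identity_map.get(ev.ext.get('suser', ''), 'unmapped')
        events.append(ev)
    return events

# Constructed sample records and identity table (hypothetical values, not real gateway output).
IDENTITY_MAP = {'alice@partner.example': 'emp-10042'}
SAMPLE = [
    'CEF:0|Layer 7|SecureSpan|8.0|API-ACCESS|API request|3|suser=alice@partner.example act=allow request=/v1/balance msg=quota\\=ok',
    'CEF:0|Layer 7|SecureSpan|8.0|API-DENY|Policy violation (quota\\|rate)|7|suser=mallory@partner.example act=deny request=/v1/admin',
]
```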

If you’re going to be at ArcSight Protect and you’d like to see what all this looks like in practice, stop by booth 37. I’ll see you there!