December 3rd, 2012

A Break in the Clouds

A recent study by researchers at North Carolina State University and the University of Oregon describes a threat scenario that allows attackers to exploit cloud-based resources for malicious purposes like cracking passwords or launching denial-of-service attacks. The study has gotten a lot of attention, including articles in reputable sources like Dark Reading, Ars Technica and Network World.

In order to optimize the performance of mobile apps or browsers, some computation-heavy functions have been offloaded to cloud-based resources, which in turn access backend resources and Web pages. This creates a middle ground in the cloud that is exploited in the attack, which the authors call “Browser Map Reduce (BMR)”. In reading the paper, it’s clear that this is a legitimate threat. The authors actually carried it out using free resources, although they limited the scope in order not to be abusive.

Beyond curiosity about the mechanics of the vulnerability, the obvious question is this: how can we mitigate this threat? Here are a few perspectives, each with a corresponding mitigation.

Apps – This “cloud offload” architecture has arisen because of the processing limitations of mobile devices. When a backend resource is requested by a mobile user, it makes sense to have the data returned in the most consumable format, in order to optimize user experience. Whenever possible, instead of doing this through “browser offload”, data should be returned as JSON objects. This API approach is a proven method that works for mobile devices and is not subject to the BMR threat.

Cloud Services – This threat should not be viewed as a dismissal of the “cloud offload” approach. Cloud-based resources are necessary for handling caching, data indexing and other key functions in the mobile paradigm. However, it serves as a warning that these dedicated cloud-based resources cannot be considered part of a walled garden that includes the associated mobile app. The resource’s entry point must be protected against attackers. Layer 7’s SecureSpan Mobile Access Gateway is an ideal choice for this access control, as it uses identity-based measures to ensure that only requests from legitimate sources are serviced.

Web-Based Resources – Although the backend Web resource was not exploited in this scenario, the study is a reminder that the topology of the mobile Web is changing and increasing in complexity. P2P app-to-API connections cannot be assumed and therefore inbound API calls cannot be implicitly trusted. API access must be controlled and the SecureSpan API Proxy is a leading solution for this purpose.

To sum up, this is a legitimate threat but not a reason to abandon the use of cloud-based resources for mobile app optimization. Be aware of the threats, employ the mitigations and then you can continue to enjoy the exciting growth of the mobile Web.

September 25th, 2012

Do You Need MBaaS to be a Mobile Bad Ass Developer?

Simple answer: no. But if you’re a developer building the next great consumer app in a hurry, it probably won’t hurt. MBaaS (“mobile backend as a service”) solves some pretty prickly problems for the start-up developer. MBaaS offerings like Appcelerator, CloudMine, FeedHenry and StackMob deliver the basic components for storage, messaging, notification, user management and so forth that mobile developers need, making it easy for developers to set up and operate the backend for their applications.

But let’s say you’re not a bad-ass consumer app developer. Imagine you’re a mild-mannered enterprise dev looking to make a solid app for your field sales organization. What does MBaaS do for you? Maybe the right question is what does MBaaS not do for you? Answer: it doesn’t get you access to the one thing you need as an enterprise developer – enterprise data.

Enterprise apps need data like plants need sunlight. It could be customer records, documentation, pricing information, inventory levels or a myriad other things. But that data is stuck in the enterprise, inside of SAP this and SharePoint that and database the other. No amount of simplifying interactions with AWS will get that information into your hands to build the super-compelling apps employees need access to.

Enter mobile middleware like Layer 7’s SecureSpan Mobile Access Gateway. Getting the stuff that’s locked inside the enterprise into the hands of devs is a middleware problem. It’s about information sharing. It’s about opening up but in a very targeted manner. MBaaS has some great ideas for making a mobile developer’s life easier. Enterprise devs want the same benefits but with the added benefit of access to enterprise data. I joined Layer 7 from a prior gig at RIM to help that happen. Stay tuned for details.

September 21st, 2012

Layer 7 at the International SOA, Cloud + Service Technology Symposium

The International SOA, Cloud + Service Technology Symposium takes place next week in London and the track titles remind me how much SOA has changed in the last 10 years. Mobile and cloud use cases have revolutionized the way we architect, deploy and manage SOA infrastructures, resulting in forward-looking tracks such as “New Service-Orientation Practices & Models” and “Emerging Service Technology Innovation.”

For the Layer 7 perspective on these service technology trends, come see our presentations throughout the week. On Monday, I’ll be speaking about how traditional SOA technologies such as the enterprise service bus (ESB) need to adapt to an evolving IT landscape. On Tuesday, our CTO Scott Morrison will be giving a closing keynote about “The New Governance”. Wednesday brings an API Management Workshop at the Canadian High Commission, hosted by Layer 7 along with our customer MoneySupermarket.com and analyst firm RedMonk.

Layer 7 is a Founding Partner at the Symposium and we’re excited to welcome a who’s who of analysts, vendors and enterprises to join in the conversation. These illustrious attendees have helped to define the industry and revolutionize enterprise IT – and I’m looking forward to insightful speakers and great networking opportunities. For a more intimate conversation, stop by our booth (#110) to see a demo or discuss your SOA, cloud, API or mobile use cases.

London has shown an incredible amount of enthusiasm for sporting events this summer, from the Olympics and Paralympics to the Tour de France, which was won by a Brit for the first time in its history. Let’s keep that excitement going – see you at the Symposium!

August 30th, 2012

Tech Talk, September 4: Publishing Cloud APIs

More and more businesses are moving applications and data to cloud-based infrastructure. The integration models and vendor offerings that facilitate this are pretty diverse (SaaS, IaaS, PaaS, vCloud, AWS, OpenStack… ) but there is a common thread – the need for APIs with which these services can be managed and maintained.

The importance of APIs continues once the infrastructure is in place. Applications in the cloud can expose their own APIs, opening data access to partners, mobile devices or other cloud technologies. This raises questions around how enterprises can effectively leverage cloud APIs while addressing the security and management concerns that will inevitably arise.

I’ll be discussing some of these concerns when I take part in Layer 7’s latest Tech Talk on Tuesday September 4 at 9am PDT/12pm EDT/5pm BST. The subject matter will be Publishing Cloud APIs and – like all our Tech Talks – this interactive Q&A will be broadcast live on the Layer 7 Facebook page and via Livestream.

Here’s how you can join the conversation:

Feel free to ask questions around:

  • Securely exposing APIs from a cloud-based solution
  • Orchestrating APIs for value-added interfaces
  • Enforcing access control and threat protection across hybrid cloud environments

I’m looking forward to chatting with you. Don’t forget to add the Tech Talk to your calendar. See you on Tuesday!


August 24th, 2012

Layer 7 at VMworld 2012

VMworld 2012 kicks off at the Moscone Center in San Francisco this week. At the event, VMware will be making some exciting announcements around the delivery and management of public and private clouds using automation technologies.

Rapid deployment and onboarding has always been a key requirement for Layer 7 solutions, which is what initiated our strong partnership with VMware years ago. These announcements will showcase the next step in that evolution.

Layer 7 will be presenting at the VMworld Solutions Exchange and we’d love for you to stop by to talk about how we take advantage of the latest VMware technology. Come discuss your use case and find out how we can:

  • Protect and manage vCloud APIs
  • Securely expose APIs from a vCloud-based solution
  • Govern infrastructures based on the vCloud Architecture Toolkit (vCAT)
  • Orchestrate APIs for value-added interfaces
  • Dynamically provision vApps from policy based on SLAs
  • Enforce access control and threat protection across hybrid cloud environments

We’ll also be giving demonstrations of our VMware Ready certified products, including the SecureSpan Mobile Access Gateway and Layer 7 API Portal. In case you can’t catch us on the west coast, we’ll also be at the VMware Forum in Toronto on September 20.