October 12th, 2011

Event Follow-Up: Defining, Enforcing & Validating Web Services Policy on AWS

Last week, I was involved with a Layer 7 workshop in Tysons Corner, VA, just outside of Washington, DC. This workshop, called Defining, Enforcing & Validating Web Services Policy on AWS, was presented in association with our friends at Amazon Web Services. The goal of the session was to teach attendees how to build a secure bridge between the enterprise and the public Cloud.

You see, for organizations with variable application loads or the need to scale rapidly, Cloud services like AWS offer a truly elastic way to accommodate changing compute needs. But it’s rare for an enterprise to be able to run a workload in the public Cloud isolated from data or applications residing inside the enterprise. These organizations need ways to bridge the enterprise and the Cloud without compromising security or limiting scale-out.

Layer 7/AWS Event

The Layer 7/AWS workshop demonstrated a solution based on Layer 7’s industry-leading SecureSpan EC2 Appliance, which makes it simple for organizations in this situation to address the challenges of federation, integration and governance they are facing. Specifically, the event began with an overview of AWS before providing practical instructions on how the SecureSpan EC2 Appliance can be used to:

  • Ensure security and federate identities in Cloud/enterprise integrations
  • Implement fine-grained access and data security policies without coding
  • Secure and manage REST APIs for Cloud applications

We certainly got a great response from attendees. Also, during registration, we got quite a few requests for similar events in different cities. If you’d like us to hold a Layer 7/AWS workshop in your city, please don’t hesitate to contact us by calling 1-800-681-9377 or emailing sales@layer7.com. In the meantime, if you want to know more, the slides presented at the workshop are available here. Additionally, here’s a demo of Layer 7 federation features specific to AWS:

September 22nd, 2011

Defining, Enforcing & Validating Web Services Policy on AWS


Layer 7 is now accepting registrations for an upcoming event near Washington, DC, which will provide practical instructions on how to secure a Cloud-based IT infrastructure built upon Amazon Web Services (AWS). Here are the full details:

Defining, Enforcing & Validating Web Services Policy on AWS
Thursday October 6, 6pm-8pm
Tysons Corner Marriott (Salons E and F, Grand Ballroom, Main Level), Tysons Corner, VA

Click here to register for the event


This hands-on workshop will demonstrate how a Layer 7 SecureSpan EC2 Appliance can be configured to secure integrations to and from the AWS Cloud. The event will include an overview of AWS security as well as practical instructions on how to:

  • Ensure security and federate identities in Cloud/enterprise integrations
  • Implement fine-grained access and data security policies without coding
  • Secure and manage REST APIs for Cloud applications

To sweeten the deal even more, we’ll be providing a light dinner and giving all attendees a 90-day evaluation of the SecureSpan EC2 Appliance. If you’re interested in attending, don’t wait around too long before you register – our last event in this part of the world was a sell-out!

Register now for Defining, Enforcing & Validating Web Services Policy on AWS

September 13th, 2011

ArcSight CEF Certification for Layer 7 Gateways

Category Security

I’m excited to announce that HP has just awarded ArcSight Common Event Format (CEF) certification to Layer 7’s SecureSpan and CloudSpan product suites. We’ll be proudly demoing our newly-certified CEF integration at the ArcSight Protect 2011 show in Washington DC, September 11-14.

To whet your appetite, I’d like to provide a quick preview of precisely what we’ll be demoing. Essentially, what we’re talking about here is a hybrid risk-management solution for the extended enterprise, based on integration between the Layer 7 gateway and HP’s ArcSight Enterprise Threat and Risk Management (ETRM) platform.

ETRM helps enterprises collect and analyze data on security risks. Layer 7’s support for ArcSight’s native CEF specification creates an awareness of and visibility into security threats in situations where applications and services are extended beyond normal enterprise boundaries – for example, when they are deployed in the cloud or made available on mobile devices.

The core value of the Layer 7/ETRM integration comes from its ability to correlate cross-domain security data. Layer 7’s CEF integration achieves this by allowing ETRM users to map events and identities associated with external entities to known internal identities. This creates an end-to-end view of access control decisions based on user credentials, organizations and roles.

Our product suite is particularly well placed to map this information as it delivers an extremely rich set of identity features. SecureSpan and CloudSpan support a wide variety of credential types, authentication servers and authorization mechanisms. They also deliver standards-based Security Token Service functionality for additional credential mapping.

Layer 7’s CEF support also creates a comprehensive view of application usage and vulnerabilities. For example, when an application interface is exposed to external consumers as an API, Layer 7 can enforce security policies on external application requests and extract usage data essential to event correlation across all executions of the application.

If you’re going to be at ArcSight Protect and you’d like to see what all this looks like in practice, stop by booth 37. I’ll see you there!

September 9th, 2011

Accelerating Security & Governance with SOA

Category Security, SOA

This week I gave a talk at ITP’s SOA, BPM & Integration Forum in Zurich, a one-day conference with analyst presentations, customer case studies and one-to-one sessions. My talk, called “Accelerating Security & Governance with SOA”, had two main aims:

  • To provide an overview of how and why many organizations are accelerating the design and deployment of SOA security and governance environments
  • To discuss (and hopefully provide answers to) questions arising from this acceleration

To give you an idea of the ground I covered in my presentation, here’s a link to the slide deck I used. I’d also like to take a moment here to explain why I believe the acceleration of SOA security and governance programs is an important issue that demands our attention at this time.

First of all, SOA is continuing to expand throughout organizations, across organizational boundaries and into the Cloud. Organisations are reacting as dynamically as they can to the integration challenges this creates. At the same time, security and governance need to keep up, so the smart players are also accelerating these aspects of their SOA environments.

Second, the acceleration of SOA security and governance programs creates issues of its own. While the rapid infrastructural changes created by growth in SOA and Cloud adoption certainly need to be managed and security must be enforced consistently, acceleration of security and governance raises a number of tricky questions, which I endeavoured to tackle in my talk:

  • How do you manage the implementation of SOA security and governance without slowing down your organisation?
  • How will your SOA remain operational as it evolves?
  • How can you deliver APIs quickly while enforcing perimeter security and integration?

I got some very interesting feedback on my answers at the forum and I’m certainly looking forward to hearing more from the online community!

Accelerating SOA Security and Governance

April 11th, 2011

Blowing Holes in the Web of Trust

Category API, Security

The Register today published an excellent summary of the latest issues with SSL. In the typically blunt and mordant style for which the publication is so famous, Dan Goodin illustrates how the gossamer-thin SSL web of trust is built on a superstructure of astonishingly dubious merit. It’s a wonder the whole thing works at all. Have a careful read of How is SSL hopelessly broken? Let us count the ways and then re-examine the cartel certs that anchor your own web browsing experience. As you roll out your API strategy, make sure you deploy your SSL endpoints with certificates that were subject to organizational or (much better) extended validation. Encourage—or if you can, demand—that your API clients limit their trust stores to a small subset containing only the most legitimate CAs. The opportunity is largely over in the browser world; effecting massive change there will only happen when individuals personally lose money on a grand scale. But APIs still have a chance to regain some level of trust through rigorous application of SSL best practices, and API providers and developers can take the initiative here.
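The trust-store advice above, as an added Go example that is not code from the original post or from Layer 7: an API client whose entire trust store is one (or a short list of) CA certificates accepts the endpoint vouched for by that CA and rejects an endpoint vouched for by any other CA, no matter how legitimate that CA looks. The CAs, the loopback endpoint and the names are all constructed for the example; a real client would load its short CA list from a file it controls.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newCA mints a throwaway self-signed certificate that plays both a CA and the
// API endpoint it vouches for (constructed for this example; not a real CA).
func newCA(cn string) tls.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // Accepted listens on loopback
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Accepted runs one TLS handshake on loopback: the endpoint presents serverCert and the
// client trusts only trustedCAs (its entire trust store, not the OS bundle). False = rejected.
func Accepted(serverCert tls.Certificate, trustedCAs ...tls.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range trustedCAs {
		pool.AddCert(must(x509.ParseCertificate(ca.Certificate[0])))
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}}))
	defer ln.Close()
	go func() { // endpoint half: accept one connection and complete its side of the handshake
		if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() }
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool})
	if err == nil { // a rejection here reads "x509: certificate signed by unknown authority"
		conn.Close()
	}
	return err == nil
}

func main() {
	ca := newCA("Provider API CA")
	println(Accepted(ca, ca), Accepted(newCA("Some Other CA"), ca)) // true false
}
```

Leaving RootCAs unset would fall back to the OS bundle, which is exactly the wide-open trust store the post argues against.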