
Secure Federated Application Monitoring

The Problem: Visibility of Shared Dependencies

Extensible Markup Language (XML), Service Oriented Architectures (SOAs) and other Web Services standards make secure, application-to-application information sharing practical. By exposing applications as reusable and dynamically composable services, new processes can be defined on demand, allowing for greater IT agility. Over the past decade, the US Federal Government has increased its use of these concepts and standards in order to create a system that can quickly align federal IT assets with evolving government requirements.

As SOA adoption has matured, new services have come online and been offered throughout the government enterprise, crossing organizational, network, and even classification boundaries. These newly formed IT Communities of Interest (IT COIs) require a shared knowledge of their individual and collective purpose, mission objectives, service level agreements, security posture, and so on. Critically, they also require a common understanding of the dependencies among their services, so that every member knows what is affected should one or more of those services go down.


The Solution: "Reach-ability" Monitoring

Today, services within a single government organization are generally well constructed, secured and monitored to ensure availability. However, current monitoring solutions provide little or no service availability information to external members of an IT COI. As a result, should a firewall fail at the boundary of a service provider's domain, external entities may no longer be able to reach a service even though the service provider's own monitoring still reports it as available.

A new type of federated monitoring solution is required to solve this availability vs. "reach-ability" problem: one that monitors service characteristics not only from within its own domain, but also from the service provider's network perimeter, the vantage point from which external consumers actually connect. Such a solution would allow external users to accurately measure a service's availability, reach-ability and performance. A number of standards already exist for this purpose, including WS-Management and Web Services Distributed Management (WSDM) for metric collection, as well as WS-Notification or WS-Eventing for metric publishing and subscription. In fact, the Department of Defense (DoD) and Intelligence Community (IC) have developed the Joint DoD/IC Enterprise Service Monitoring (JESM) specification, which is based on a subset of WSDM and WS-Eventing functionality.


The Layer 7 Advantage: Built-in JESM Support

Layer 7 Technologies' SecureSpan and CloudSpan product lines fully support the JESM specification, providing monitoring metrics for every proxied service. The SecureSpan/CloudSpan JESM Service provides both request/response and publish/subscribe capabilities. For each JESM-enabled service, Layer 7 policy can be used to enforce access control, confidentiality, integrity and auditing of JESM data. Using policy, you can stipulate who has what level of access to the JESM data inside your IT COI versus outside it; who can request or subscribe to the metrics of which COI application; and who can use an application but is restricted from accessing its JESM information.

For example, you can stipulate that all of an application's metrics be made available to your central JESM Service, but that other authenticated users (based on their attributes retrieved from an Attribute Service) can only see a subset of the JESM data. In this case, SecureSpan/CloudSpan effectively redacts the sensitive elements from the response before it leaves the gateway, based on a predetermined set of policy requirements.
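The attribute-based redaction described above, as an added example that is not Layer 7's own policy language or code. It assumes an illustrative `urn:example:jesm` namespace, an assumed set of metric element names, and a hypothetical attribute set (`coi`, `role`) of the kind an Attribute Service might return; the metrics response is constructed for the example. The policy is evaluated first-match, defaults to deny, and strips any element the matched tier does not permit, so an external COI partner sees only status, perimeter reach-ability and service time, while backend endpoints and client addresses never leave the gateway.

```python
"""Attribute-based redaction of a JESM-style metrics response.

Added example (not Layer 7 code). Namespace, metric names, attribute
names and the policy table are assumptions for illustration only.
"""
import xml.etree.ElementTree as ET

JESM_NS = "urn:example:jesm"  # assumed namespace, not the real JESM one
ET.register_namespace("jesm", JESM_NS)

# Constructed sample: the per-service metrics a gateway might publish
# for one proxied service. Element names are assumed, not from the spec.
SAMPLE_RESPONSE = f"""<jesm:MetricsResponse xmlns:jesm="{JESM_NS}" service="PayrollLookup">
  <jesm:OperationalStatus>Available</jesm:OperationalStatus>
  <jesm:Reachability vantage="perimeter">Reachable</jesm:Reachability>
  <jesm:ServiceTime unit="ms">118</jesm:ServiceTime>
  <jesm:NumberOfRequests>20412</jesm:NumberOfRequests>
  <jesm:NumberOfFailedRequests>37</jesm:NumberOfFailedRequests>
  <jesm:LastRequestSourceIP>10.4.2.17</jesm:LastRequestSourceIP>
  <jesm:BackendEndpoint>https://payroll-int.internal.example:8443/svc</jesm:BackendEndpoint>
</jesm:MetricsResponse>"""

FULL = frozenset({
    "OperationalStatus", "Reachability", "ServiceTime", "NumberOfRequests",
    "NumberOfFailedRequests", "LastRequestSourceIP", "BackendEndpoint",
})
# What an external COI member may see: enough to judge availability,
# reach-ability and performance, nothing that describes the backend.
EXTERNAL_SUBSET = frozenset({"OperationalStatus", "Reachability", "ServiceTime"})

# Policy tiers: (predicate over subject attributes, permitted metric names).
# First match wins; no match means the subject gets no JESM data at all,
# which is how "may use the application but not see its metrics" is expressed.
POLICY = [
    (lambda a: a.get("coi") == "internal" and a.get("role") == "jesm-central", FULL),
    (lambda a: a.get("coi") == "internal", FULL - {"LastRequestSourceIP"}),
    (lambda a: a.get("coi") == "partner", EXTERNAL_SUBSET),
]


def allowed_metrics(attributes):
    """Return the set of metric names the subject may see, or None to deny."""
    for predicate, allowed in POLICY:
        if predicate(attributes):
            return allowed
    return None  # default deny


def local_name(tag):
    """Strip the Clark-notation namespace from an ElementTree tag."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def redact(response_xml, attributes):
    """Remove every metric element the subject's policy tier does not permit.

    Raises PermissionError when the subject is not entitled to any JESM data,
    so the caller can return an access-denied fault instead of an empty body.
    """
    allowed = allowed_metrics(attributes)
    if allowed is None:
        raise PermissionError("subject is not authorized for JESM data")
    root = ET.fromstring(response_xml)
    for child in list(root):  # copy: removing while iterating is unsafe
        if local_name(child.tag) not in allowed:
            root.remove(child)
    return ET.tostring(root, encoding="unicode")


def visible_metrics(response_xml):
    """List the metric element names present in a (possibly redacted) response."""
    return [local_name(c.tag) for c in ET.fromstring(response_xml)]


if __name__ == "__main__":
    for subject in ({"coi": "internal", "role": "jesm-central"},
                    {"coi": "internal"}, {"coi": "partner"}, {"role": "app-user"}):
        try:
            print(subject, "->", visible_metrics(redact(SAMPLE_RESPONSE, subject)))
        except PermissionError as exc:
            print(subject, "->", exc)
```

In a gateway this runs on the response path after authentication and attribute lookup, and the decision (subject, tier, elements removed) is what the audit policy should record; redacting rather than denying keeps the external reach-ability signal flowing without disclosing internal topology.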