
SecureSpan Gateway AMI

Securely Integrate Your Enterprise and Amazon EC2-based Applications


Mission critical applications typically require periodic investments in capacity planning and new hardware, resulting in significant, ongoing capital expenditures. Amazon Elastic Cloud Compute (EC2) may offer a better alternative, providing a virtual pool of computing resources and the ability to ramp up/ramp down those resources on demand. By paying only for the computing resources they use, organizations can effectively convert capital expenditures to operating expenditures, realizing significant savings.

But any application deployed on EC2 whose functionality is required as part of a larger business process (e.g., the sales process or the order-to-bill process) will need to be integrated with the other applications in that process (e.g., the CRM system, ERP system, accounting, etc.). While Amazon offers some ability to secure applications (primarily at the network, machine image and data levels), it does not currently provide security at the application/Web services layer. Organizations that want to integrate their Amazon EC2-based applications with their enterprise-based applications using Web services will require the ability to:

  • Secure integration channels at the Web services application layer
    • Traditional VPNs and Amazon's Virtual Private Cloud (VPC) only secure communications at Layer 3/Layer 4 of the network stack
  • Leverage local authentication/authorization/single sign-on capabilities
    • Re-use existing, secure, enterprise-based IAM infrastructure rather than creating identity silos in the cloud
  • Monitor network, service provider and service availability over time
    • Amazon provides “snapshot” monitoring that indicates general AWS system availability – there is no tracking over time, and no way to tell whether your specific services are available
  • Log, track and audit all Web services-based interactions between enterprise and Amazon EC2 applications
    • EC2 is focused on providing a simple, manageable SSH session, which provides logging at the VM layer only
  • Ensure data-level validation for information exchanged between enterprise and Amazon EC2 applications
    • EC2 currently provides no equivalent offering

The SecureSpan family of XML Gateways has a proven track record of providing government agencies and Fortune 500 companies with enterprise-based, state-of-the-art, Web services security and governance. The Layer 7 SecureSpan Gateway AMI (Layer 7 AMI) makes this same technology available for Amazon Web Services, ensuring EC2-based applications can securely integrate with enterprise applications.

The Layer 7 AMI acts as a virtual Policy Enforcement Point (vPEP) for controlling how applications delivered as programmatic Web services get accessed and consumed. Using the Layer 7 AMI, application-level policies are enforced on a service and operation level, allowing organizations to implement fine-grained access control, data security and availability policies without code. As a result, organizations can make their Amazon EC2 applications look, feel and operate like extended parts of their secure enterprise.

For more information, please refer to the Amazon Web Services listing for the SecureSpan AMI.

Layer 7 AMI deployment

Features/Functionality

Supported EC2 Features
CloudFront
  • Leverages the Amazon Web Services Firewall for IP-level firewalling
  • Leverages the Amazon load balancer for availability and greater reliability
Elastic
  • On-demand instances can be spun up to handle demand spikes and scaled down during periods of low traffic to minimize costs
Virtual Private Cloud
  • Compatible with Amazon VPC, allowing secure administration of the SecureSpan AMI
CloudWatch
  • Leverages Amazon CloudWatch for monitoring system metrics such as CPU utilization, disk reads and writes, and network traffic
Instances
  • Supports EC2’s “on-demand” and “reserved” instances
Identity and Message Level Security
Identity-based access
  • Authenticate users and applications based on identities stored on-site/on-premises
  • Integrate with leading identity, access, SSO and federation systems from Oracle, Sun, Microsoft, CA, IBM Tivoli, Novell
  • Enforce fine-grained entitlement decisions authored in an XACML PDP, ensuring only those users and applications that have the correct entitlements can access specific services, operations or APIs
Manage security for cross-domain and B2B relationships
  • Selectively control how your Amazon-based applications get programmatically exposed to partners and other third parties
  • Support for credential chaining, credential remapping and federated identity
  • Integrated SAML STS issuer featuring comprehensive support for SAML 1.1/2.0 authentication, authorization and attribute based policies
  • Integrated PKI CA for automated deployment and management of client-side certificates, and integrated RA for external CAs
  • STS supports WS-Trust, WS-Federation and SAML-P protocols
Enforce WS* and WS-I standards
  • Support for all major WS* and WS-I security protocols, including SOAP 1.0/1.1/1.2, WS-Security 1.1 / 1.2, WS-SecureConversation, WS-SecurityPolicy, WS-Addressing, WS-Trust, WS-Federation, WS-Secure Exchange, WS-Policy and WS-I Basic Security Profile
Secure WSDL, REST and POX interfaces
  • Selectively control access to interfaces down to an operation level
  • Create on-the-fly composite WSDL views tailored to specific requestors
  • Service look-up and publications using WSIL and UDDI
Audit transactions
  • Log message-level transaction information
Cryptography
  • Optional onboard HSM, as well as support for external HSMs (e.g., SafeNet Luna)
  • Support for elliptic curve cryptography (conforms to NSA’s Suite B algorithms)
  • FIPS 140-2 support in both hardware (Level 3) and software (Level 1)
API Management
API Publication
  • Secure, manage, monitor and control access to APIs exposed to third parties
  • API usage can be throttled to ensure backend services are not overwhelmed; limited by user, time of day, location, etc.; and quota managed (e.g., number of uses per user per day)
API Metrics and Reporting
  • Configurable, out-of-the-box reports provide insight into API performance: measure throughput, routing failures, utilization and availability rates, etc
  • Failed authentications and/or policy violations can be tracked to identify patterns and potential threats
API Security
  • Support for all major WS* and WS-I security protocols
  • Support for all major authentication and authorization standards, including SAML, Kerberos, digital signatures, X.509 certificates, LDAP, XACML, etc 
Enterprise-scale Management
Operations Console
  • A single, real time view of all Gateways across the enterprise and cloud showing audits, events and key metrics
Policy Migration
  • Centrally move policies between environments (development, testing, staging, production, etc.), settings (enterprise, cloud, etc.) or geographies, automatically resolving discrepancies such as SSG licenses, IP addresses and IT resources (e.g., LDAP directories may be named differently)
Services Reporting
  • Configurable, out-of-the-box reports provide insight into SSG operations, service-level performance, and service user experience
Remote Patching
  • Selectively update any software installed on Gateways, including system files and operating system
Disaster Recovery
  • Centrally back up SSG config files and policies from one or more Gateways/clusters, and remotely restore, enabling full disaster recovery
Management API
  • Remote management APIs allow customers to hook their existing, third-party management tools into the SSG, simplifying asset management
XML Threat Protection
Filter XML content for SOA, Web 2.0 and Cloud
  • Configurable validation & filtering of HTTP headers, parameters and form data
  • Detection of classified or “dirty” words or arbitrary signatures with subsequent scrubbing, rejection or redaction of messages
  • Support for XML, SOAP, POX, AJAX, REST and other XML-based services
Transactional Integrity Protection
  • Protect against identity spoofing and session hijacking cluster-wide
  • Preserve privacy, confidentiality and integrity of messages/data flowing between the enterprise and Amazon EC2
Prevent XML attack and intrusion
  • Protect against XML parser attacks, XDoS and OS attacks, SQL and malicious scripting-language injection attacks, and external entity attacks
  • Protection against XML content tampering and viruses in SOAP attachments
  • US Department of Defense STIG vulnerability tested and assured
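The bullets above describe message-level checks applied before a request reaches the backend service. As an added example (not Layer 7's code and not part of the SecureSpan product), the following Python gate shows the shape of such a check: it refuses any DOCTYPE or entity declaration outright, so external-entity (XXE) and entity-expansion (XDoS) payloads never reach entity resolution, and it bounds message size, nesting depth and attribute count so the parser's work is capped. The limits and the sample messages are constructed for illustration; only the Python standard library is used.

```python
import xml.parsers.expat


class XmlPolicyViolation(Exception):
    """Raised when an inbound message breaks the XML policy."""


def inspect_xml(data, max_bytes=65536, max_depth=32, max_attrs=64):
    """Run the inbound XML policy over one message.

    Any DOCTYPE, entity declaration or external entity reference is rejected
    before expat resolves anything, which closes off XXE and entity-expansion
    denial of service. Size, nesting and attribute limits bound parser work.
    Returns structural statistics on acceptance; raises XmlPolicyViolation
    otherwise. (Illustrative policy; the limits are constructed values.)
    """
    if len(data) > max_bytes:
        raise XmlPolicyViolation(f"message of {len(data)} bytes exceeds {max_bytes}")

    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "max_depth": 0}
    depth = 0

    # Raising inside an expat handler stops the parse and propagates the
    # exception out of parser.Parse().
    def reject_doctype(*_):
        raise XmlPolicyViolation("DOCTYPE declarations are not accepted")

    def reject_entity(*_):
        raise XmlPolicyViolation("entity declarations are not accepted")

    def reject_external(*_):
        raise XmlPolicyViolation("external entity references are not accepted")

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > max_depth:
            raise XmlPolicyViolation(f"nesting deeper than {max_depth} at <{name}>")
        if len(attrs) > max_attrs:
            raise XmlPolicyViolation(f"more than {max_attrs} attributes on <{name}>")

    def end_element(_name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Truncated or ill-formed XML is rejected rather than passed on.
        raise XmlPolicyViolation(f"malformed XML: {exc}") from exc
    return stats


def gate(data, **limits):
    """Turn inspect_xml into an accept/reject decision suitable for an audit log."""
    try:
        stats = inspect_xml(data, **limits)
    except XmlPolicyViolation as exc:
        return ("reject", str(exc))
    return ("accept", stats)


# Constructed sample messages (not captured traffic).
CLEAN_SOAP = (
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<s:Body><GetOrder xmlns="urn:example:orders"><id>42</id></GetOrder></s:Body>'
    b'</s:Envelope>'
)
# Classic external-entity probe shape; the SYSTEM target is a placeholder.
XXE_PROBE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b'<order><id>&ext;</id></order>'
)
DEEP_NESTING = b"<a>" * 40 + b"</a>" * 40   # exceeds the default depth limit of 32
TRUNCATED = b"<order><id>42</id>"           # ill-formed: envelope never closed

if __name__ == "__main__":
    for label, message in [("clean", CLEAN_SOAP), ("xxe", XXE_PROBE),
                           ("deep", DEEP_NESTING), ("truncated", TRUNCATED)]:
        print(label, gate(message))
```

The decision and reason returned by `gate()` are what a policy enforcement point would write to its audit trail, which is what makes the "track failed policy violations to identify patterns" bullet in the API Metrics section possible: the rejection reason, not the raw payload, is the useful signal.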
Supported Standards
XML 1.0, SOAP 1.2, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, FIPS 140-2, Kerberos, W3C XML Signature 1.0, W3C XML Encryption 1.0, SSL/TLS 3.0/1.1, SNMP, SMTP, POP3, IMAP4, HTTP/HTTPS, JMS 1.0, MQ Series, Tibco EMS, FTP, WS-Security 1.1, WS-Trust 1.0, WS-Federation, WS-Addressing, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WS-SecureExchange, WSIL, WS-I, WS-I BSP, UDDI 3.0, XACML 2.0, MTOM


Resources

  • Datasheet: Layer 7 SecureSpan Gateway AMI (PDF, 1MB)
  • White Paper: Steer Safely Into The Clouds (PDF, 1MB)
  • White Paper: Value of Governance in the Cloud (PDF, 1MB)
  • Webinar: Making the Business Case and ROI for Cloud (PDF and recorded webinar)
  • Webinar: Cloud Control: Reducing the Risk for Cloud deployments (PDF and recorded webinar)

Call 1.800.681.9377 or 1.604.681.9377