Applying a Service Gateway architecture to integrating your e-Invoicing

Read about Pete Logan’s visit to the European E-Invoicing and E-Billing conference in Munich, which addressed a variety of ways to integrate the transfer of e-invoicing and e-billing into existing applications and security solutions. Pete draws a parallel between various e-invoicing integration issues and those in banking and healthcare, and explains how those issues are already addressed by work done within Intel’s SOA Products Group. In the blog, Pete writes about the challenges faced and the requirements for mediation and governance that make Service Gateways an obvious solution for addressing those domains.

Check out this blog:



A Myriad of Ways to Follow Us

You’ve discovered our team blog, but have you seen the SOA Expressway Social Site Map, for info on following us on Facebook, Twitter, and through a variety of technical and developer blogs?

Check it out. While you are at it, follow the link, register, and post to one of our blogs and you’ll automatically be entered into a contest for a Free Apple iPad! We’ll select a winner on September 15th, so be a part of the blogging buzz today!

One man’s serendipitous discovery of a Service Gateway

One morning, Rahul Pathri, Director for Practices at Alliance Global Services, was asked by his manager to look at SOA Expressway and understand the benefits it has to offer, since there was a customer-specific need. Read Rahul’s blog about his fact-finding mission on the XML gateway and the various scenarios he identified where he thought it would be helpful.

SAML 2.0 Token Bridging with Intel® SOA Expressway

One of the cool features of Intel® SOA Expressway is its ability to easily handle token bridging with just a few clicks. What is token bridging, you ask? With the increased need for Enterprises to talk outside their perimeter to other Enterprises or cloud services, we need an easy way to morph message-level credentials into the proper form as they move from the Security Gateway across the dynamic perimeter of the Enterprise.

In this post, Blake Dournaee shows how to easily implement a cross-domain token broker and ease the pain of mapping a format used internally to something that might be accepted by a business partner, such as a SAML token.

Interop: WCF and Intel SOA Expressway

Want to get down to the code level? Read Boris Kaplounovsky’s blog, Securing SOA.

Separation of Concerns: Why Service Gateways are even better than they appear

Blake Dournaee has been traveling and meeting with security architects, developers and systems administrators. Read his insights about our heterogeneous computing world on his blog.

Webinar: High Assurance Federal Data Sharing

Building a Portable Security Architecture Intel to Establish Cross-domain Control — A Blueprint to Achieve High Assurance Federal Data Sharing

The focus of this webcast is to present information-sharing models and actionable security patterns that can be put in place to increase control and reduce risk. The Intel federal team will outline how federal collaboration initiatives are approaching the problem. Intel security expert Blake Dournaee will present how to build a portable security architecture that can be created and managed locally and projected to other security domains.

During the webcast, the discussion will include:

  • Basics of Web service security policy enforcement;
  • Federal collaboration programs and standards;
  • Private cloud sharing: securing data at rest and in-flight; and
  • What makes a security model “high assurance.”

Webinar: JBoss SOA Security

Creating a Strong Security Infrastructure for Exposing JBoss Services

Date: Tuesday, May 25
Time: 2:00 pm EDT (GMT-4) / 14:00 GMT
Speakers: Pierre Fricke, Director Product Line Management, Red Hat
Blake Dournaee, Intel SOA Products Group, Author, SOA Demystified


2010 DoDIIS Worldwide Conference

If you don’t have top clearance, just skip to the next post now!

Otherwise, join us in Phoenix – it’s our mission.

World of SOA

Intel SOA Expressway is Intel’s cloud security gateway that helps Enterprises regain control, increase the security of their dynamic perimeter and reduce risk in the four previously mentioned areas:

  • API protection and strong authentication
  • data protection and leakage prevention
  • audit and monitoring
  • access control and authorization

Intel® SOA Expressway is available as a software solution or hardware appliance and provides secure cloud access, runtime security policy enforcement, threat prevention, integration with existing identity management and security monitoring products, as well as massive scalability based on machine language processing of XML. It runs on standard Intel® Multi-Core server hardware and can be scaled through virtualization.

In this section, we outline three practical usage models for deploying SOA Expressway, each corresponding to the current levels of Enterprise cloud adoption: private, hybrid and public.

Private Cloud
Enterprises at the early stages of cloud adoption are deploying private clouds and internal cloudlets, which can be thought of as local access points and logical divisions of their own larger cloud infrastructure. Private clouds are characterized by scalability through virtualization, but the actual physical infrastructure is kept local to the Enterprise. As mentioned earlier, this provides scalability and capital cost reduction without incurring a lack of control. In this architecture, Intel SOA Expressway can be used to create an internal virtual application perimeter from the existing Enterprise information systems to the Enterprise’s own internal cloud.

This type of architecture also works as a precursor and testing ground for a hybrid cloud deployment when the actual physical resources live off-site to the Enterprise. In this environment, SOA Expressway can be used to enforce attribute based access control, authentication and data protection policies required for PCI DSS and other compliance standards.

The above Figure shows Intel® SOA Expressway deployed in a private cloud environment. In the previous Post, SOA Expressway is shown deployed primarily as an internal application perimeter on virtualized server hardware. Here, the service gateway is enabling data protection, strong authentication, auditing and monitoring and runtime policy enforcement from existing Enterprise information systems to their own private cloud. Intel® SOA Expressway is also shown deployed at the edge of the private cloudlet for edge security. It can be expected that Enterprises will want to eventually enable access to data stored in their private cloudlets to business partners or consumers, which can be done through a secure control point such as Intel® SOA Expressway. One strategy Enterprises can use is to always start with a control point for pilot projects involving cloud services. Then, if the pilot is successful, moving from testing to production becomes easier as the control point has been designed in from the start.

Hybrid Cloud
Enterprises using a hybrid cloud model have begun to offload parts of their applications and infrastructure to the cloud. Without a control point between the cloud and their remaining on-premise applications, these organizations will likely have gaps between security policies, identity islands, and their audit and monitoring systems. This problem becomes more acute if different parts of the Enterprise engage in ad hoc external cloud projects without the use of a service gateway as a control point.

The above Figure shows Intel® SOA Expressway deployed in a hybrid cloud environment, mediating between two different cloud service providers. In the previous figure, Intel® SOA Expressway is shown mediating interactions between internal Enterprise systems and three types of cloud service providers. In this scenario the functionality provided by Intel® SOA Expressway will depend on the nature of the cloud provider.

For SaaS providers, SOA Expressway is acting as an identity on-ramp and identity mediator by leveraging local identity management systems, authentication data, user databases and authorization systems and then federating these identities to the SaaS provider for seamless access to SaaS applications. Simultaneously, it is also providing audit and log information to the Enterprise SIEM system to aid in the correlation of security events and compliance.

For PaaS providers, such as Amazon Web Services or similar platform-level services where data is sent and received directly into Enterprise middleware or information systems, SOA Expressway is providing API protection and strong authentication. It is also performing threat defense with an outward defense posture, including denial of service protection and content filtering from these external services, ensuring that malicious content does not slip through into critical systems. Similar to the SaaS example, SOA Expressway is also providing security logs and alerts to the internal SIEM system and performing runtime governance controls for message rate and concurrent transactions, which allows the Enterprise to track and audit the usage of platform services.

Finally, for the case of infrastructure services, we can imagine an Enterprise that is running presentation tier infrastructure on an off-premise web hosting environment that then requires secure access into the heart of the Enterprise data, such as customer analytics or data warehouse systems. In this case, external users will access the web through an off-premise web service that then generates cloud-based service requests for data within the Enterprise. Here, Intel® SOA Expressway is acting as a control point and mediation engine for the gathering of internal data and sending this information to the IaaS platform in a format suitable for presentation. Similar to the other cases, Expressway is logging and auditing critical messages for compliance and security analysis and mediating credentials from the external user base to internal identities through the existing identity management system deployed in the Enterprise.

Public Cloud
Pure public cloud architectures represent the theoretical end-game for the Enterprise. In theory, the entire infrastructure becomes outsourced and the Enterprise focuses purely on their own product or service without the additional overhead of IT capital costs, system administration and maintenance. In the initial blog we called this the strong assumption for the public cloud. Unless an Enterprise is starting from scratch, it seems unlikely that the strong assumption will ever be completely achieved. In these cases where the Enterprise is betting big on the public cloud, SOA Expressway can be used to secure and audit the application infrastructure using a public cloud model. The following Figure shows Intel® SOA Expressway deployed in a public cloud environment.

In the previous diagram, the Enterprise is hosting its identity management system, data store, and security information monitoring system in the cloud. It is also relying on a platform provider (PaaS provider) to host any custom-built applications it needs to make its business run. For packaged applications such as customer relationship management, accounting, office applications and email, we might imagine that the organization has decided to use standard, ubiquitous SaaS offerings from top vendors. In this scenario the traditional Enterprise perimeter has mostly disappeared and has been replaced with either end users, who log in to the various SaaS applications to do their jobs, or administrators, who monitor the information state of this new hosted Enterprise. The role of the control point in this architecture is to secure and audit transactional data and ensure compliance, especially for data sent to and received by the custom hosted applications. It also acts as a user-level control point for the various SaaS applications.

It is important to remember that the service gateway is a full proxy for the entirety of the application content. This means that in principle it can provide extended data protection and audit capabilities for each interaction through the gateway. Without a control point, the Enterprise users would be making distinct sessions with each of the SaaS providers without any form of coordinated central control or knowledge, and data from the custom hosted application at the PaaS provider would flow directly into the hosted database and identity system. This type of uncontrolled spaghetti flow of data is very difficult to audit and secure, and any security compromise at the PaaS vendor, such as malicious code injection, could pose a serious risk to an Enterprise looking to adopt a pure public cloud environment. Intel SOA Expressway is Intel’s cloud security gateway that helps Enterprises regain control, increase the security of their dynamic perimeter and reduce risk in the four previously mentioned areas: API protection and strong authentication, data protection and leakage prevention, audit and monitoring, access control and authorization.

