McAfee Adds Two New Solutions to Cloud Security Platform

We are excited to announce the latest additions to the McAfee Cloud Security Platform – McAfee Services Gateway and McAfee Cloud Identity Manager. Developed with Intel, these new products add breadth and depth to the McAfee Cloud Security Platform, extending McAfee security to Web Services and to SaaS access management.

McAfee Services Gateway provides a layer of security, control, and management for application-to-application traffic (e.g., SOA or REST). More than just middleware, an XML Gateway, or an XML firewall, Services Gateway delivers a unique set of features tailor-made to integrate, mediate, secure, and scale services in a dynamic application perimeter.

McAfee Cloud Identity Manager enables total control for the entire lifecycle of cloud-based applications. In addition to providing convenient Single Sign-on for users, it provides automated provisioning for SaaS applications, strong authentication based on policy, one-time password and two-factor authentication capabilities, as well as consolidated logging and audit trails for user SaaS access.

For more information on these products, check out www.mcafee.com/cloudsecurity.

Essential Elements of API Management

Here’s a question – do we really care about SOAP or REST any longer? With the advent of cloud and the increased focus on the rapidly changing software consumption model, it seems like Enterprises should come full circle back to API. What do I mean by API in this context? Yes, it’s a programming interface, but as I’ll argue in this post, it’s a generalized programming interface accessible over HTTP. I’m not talking about a .NET DLL or Java RMI interface here.

General interfaces can be implemented in a few ways and the specific implementation (while important) is no longer the salient aspect. Instead, the goal for an Enterprise is how to manage such an API, how to secure it, how to scale it and make it work for the business.

API management, then, is about securing, managing and auditing an increasingly important Enterprise I/O point, one that has enormous potential to connect and expand the Enterprise to new customers through all manner of technology including smart-phone applications, browsers, middleware, legacy applications and just about anything that can talk HTTP.

I also think that this focus on API management is historically connected to SOA and services. Here is how I think we got there:

• First, behind the firewall “SOA” brought low-cost, HTTP-based standard SOAP APIs into the Enterprise mindshare. Rather than thinking in terms of RMI, we can think in a platform independent way and expose interfaces outside the Enterprise.
• Then, Web 2.0 trends and the REST hype coupled with the use of the “WS-* complexity backlash” (new term!) brought REST APIs into the Enterprise mindshare, but Enterprises continued to use SOAP because REST lacked a coherent security model
• Next, the cloud consumption model begins to emerge and software service providers such as Salesforce.com and Amazon want thriving developer communities. Unmarred by any previous history, they offer both SOAP and REST APIs (aka ‘query’ APIs).

If we compose these previous events they lead to a conclusion that moves the discussion from SOA to Services to APIs. I will argue that what Enterprises care about is how to manage API connectivity outside their organization and leave it up to the technology providers to not only make the piping work, but also make it secure, reliable, cheap, scalable, standards-based and compliant. At Intel, we have the concept of a service gateway or enforcement point specifically for this.

From what we’ve seen, there are three conceptual usage models centered on three actors: Enterprise, Service Provider, and Consumer.

The Enterprise is a traditional enterprise normally thought of as one that exposes services to other enterprises for some B2B transaction. Service providers are the term I use to describe a software service provider such as Salesforce.com or Amazon, which expose different types of services (IaaS, PaaS, or SaaS), and Consumers can be end-consumers with a smart-phone, a developer, or thick client.

 

API Management Use Cases

The three use cases are:

1. Enterprise Edge Security – Here the enterprise wants to securely expose services to business partners, with a focus on authentication, auditing, and perimeter security for B2B transactions. A variation on this case is a set of enterprise services exposed to customers, consumed through a tablet or smart-phone. Here is a conceptual picture of the use case with a gateway shown as a control point for the API

1. API Security – Here the service provider wants to securely expose services to customers and developers, with a focus on quality of service enforcement, authentication and API mediation

1. Hybrid Cloud Gateway – This category has three important sub-usage models:
1. Data Gateway – Here the enterprise wants to securely utilize a service provider like Amazon, Microsoft or Google as for additional platform-level services such as queuing and storage. Here the focus is on quality of service enforcement, data protection (encryption/tokenization), authentication and attack prevention
2. Control Gateway – Here the enterprise wants to securely utilize a service provider like Amazon EC2 or Rackspace to as a way to spin-up and spin-down additional server capacity and enforce authentication, authorization and quality of service enforcement on access to external, hosted virtual machine instances.
3. Hosted Edge Security – Here the enterprise deploys a service at a cloud service provider and needs Enterprise class security on the exposed API. Focus is on authentication, attack protection, secure migration and policy consistency between the service provider and Enterprise.

 

The hybrid cloud use cases are shown in the following diagram.

Use case (a) is the conceptual deployment for a control or gateway gateway and use case (b) is the case where an Enterprise is beginning to externally host their infrastructure on a cloud service provider. Here, the gateway is augmenting the API management capabilities provided by the cloud service provider and allowing policies to migrate from the Enterprise to the cloud.

It should be emphasized that there are many, many variations to case (b). Sometimes, the applications themselves are created using the cloud service provider’s own infrastructure, such as Microsoft Azure or Google Apps engine (PaaS). In other cases (depicted in the diagram), it’s Enterprise middleware or other systems migrated to the cloud and hosted (IaaS) with a requirement for Enterprise security policies.

It’s also clear that some of these variations are more speculative than others – it’s an open question whether Enterprises will be willing to risk migrating their core information systems and business processing to the cloud. This is really the big question on everyone’s mind – how much can Enterprises risk today and what can they do to minimize this risk? We think that a service gateway can help minimize this risk, but the Enterprise must place a high degree of trust in the cloud service provider.

These are the three cases that we’ve come across. Notice that the issue of API type is really not at the forefront – any of these could be done with a SOAP/XML, REST/XML or REST/JSON implementation style. What is needed is a way to control and secure these exposed APIs – which is the topic of API management.

I’d love to get comments on this idea and especially new usage models. In some upcoming blogs I’ll be expanding on these and then trying to get into specific details.

-Blake

Securing the Extended Enterprise with Bi-Directional Protocol Handling

Large Enterprises face a constant challenge in balancing technology costs with new business goals. Many enterprises have existing business processes bound up in applications that communicate using ‘legacy’ protocols such as FTP and MQ, which were really designed for behind the firewall operation in a trusted network. Given these constraints what’s the best way for a large Enterprise to extend these applications to external customers and partners without relying on an expensive re-engineering effort or concentrating risk in a single vendor?

One option is to use a security gateway such as the Intel® Expressway Service Gateway to centralize security policy deployment, increase performance, reduce development costs, and simplify the architecture. In this post, Blake Dournaee describes a recent customer use case for a Service Gateway that highlights the value of this class of products.

http://software.intel.com/en-us/blogs/2011/01/28/beyond-the-simple-proxy-using-a-service-gateway-to-secure-the-extended-enterprise-with-bi-directional-protocol-handling/

 

 

 

Visit us at HIMSS Healthcare IT Conference and Exhibition in Orlando February 20th-24th

Join us at HIMSS11 – Healthcare IT Conference and Exhibition and learn about the first purpose-built SOA integration appliance for healthcare.

The event is taking place Februay 20th – 24th at the Orange County Convention Center in Orlando, Florida.

We’ll be in booth #2963.

Intel^® SOA Expressway for Healthcare delivers best-in-class performance, open standards, and simplified security. It provides real-time, accelerated message processing, legacy connectors, and service enablement capabilities to power best-of-breed Health Information Exchange solution architectures for systems integrators, governments, health plans, and large providers.

 

 

Infosys on Service Oriented Architecture

Check out this interesting blog written by an Infosys Architect comparing hardware SOA appliances to software SOA appliances.  The author takes a stab at summarizing the differences, and makes some comments about Intel’s SOA Expressway. Just thought I’d chime in here and help flesh out the picture and add a few words from my own perspective being that I’m on the Intel team. SOA Expressway is a Service Gateway that complements and augments middleware products from any vendor.

And While middleware, BPM, and ESBs are good solutions for service mediation within a specific domain…it’s been our experience that customers have trouble scaling ESB products across domains to the edge of the network where they tend to have security and performance security gaps. It should be noted that ESBs can perform security policy enforcement but generally require additional plug-ins as well as code development.

Service gateways enable services to be composed for sets of ESBs, BPM systems and middleware deployed across different domains in the Enterprise. Service Gateways are deployed for cross-domain service mediation, threat prevention, security policy enforcement, AAA functions and are generally used for shorter-running transactions.

As for deployment models, the preferred way to deploy two gateways, one in the DMZ for threat prevention, external user authentication and application security, generally in a hardware appliance form factor and then a second gateway (software or hardware) closer to the middleware for trust functions, acceleration, and non-XML format handling.

If you have any questions and want to learn more, please don’t hesitate to email me at  jeffreyx.m.goldberg AT intel.com . Definitely take the time to visit www.dynamicperimeter.com for more info.

http://www.infosysblogs.com/soa/2010/11/soa_appliance_-_opportunities.html

 

 

 

Just thought I’d chime in here and add a few words from my own unique perspective being that I’m on the Intel team. SOA Expressway is a Service Gateway that complements and augments middleware products from any vendor.

 

While middleware, BPM, and ESBs are good solutions for service mediation within a specific domain…it’s been our experience that customers have trouble scaling ESB products across domains to the edge of the network where they tend to have security and performance security gaps.

 

It should be noted that ESBs can perform security policy enforcement but generally require additional plug-ins as well as code development.

 

Service gateways enable services to be composed for sets of ESBs, BPM systems and middleware deployed across different domains in the Enterprise. Service Gateways are deployed for cross-domain service mediation, threat prevention, security policy enforcement, AAA functions and are generally used for shorter-running transactions

As for deployment models, the preferred way to deploy two gateways, one in the DMZ for threat prevention, external user authentication and application security, generally in a hardware appliance form factor and then a second gateway (software or hardware) closer to the middleware for trust functions, acceleration, and non-XML format handling.

 

 

 

 

 

Intel SOA Expressway allows configurable policies for Content Attack Prevention (CAP)

Intel’s SOA Expressway is a software package that allows for the many different options in controlling the flow and security of web services throughout an organization or even those published to external consumers through a DMZ. In many instances, especially for public interfacing web services, it is essential to have some type of filtering (also called reverse-proxy) of requests from a consumer of a web service and this is the specialty of SOA Expressway and how it is used to protect web services. In addition to the built-in security features provided by a proxy workflow, proxy workflows within SOA Expressway can contain Content Attack Prevention (CAP) policies.

In this post by Andy Good, read a good summary of what CAP policies are, what risks they can mitigate and how you can use them.

http://communities.intel.com/community/openportit/blog/2010/09/15/intel-soa-expressway-allows-configurable-policies-for-content-attack-prevention-cap;jsessionid=1677AE286272EE13851F4514F1279AFE.node7COM

 

Securing Oracle* Fusion Middleware with Microsoft* Active Directory

Read Allen Shortnacy’s interesting post about how to leverage an existing Identity Management asset such as Microsoft* Active Directory along with Intel® SOA Expressway in order to bring authentication and authorization to your Oracle* Fusion Middleware SOA implementation.

Service Gateway Usage Scenarios 101 – Securing SOAP & REST Services

Don’t miss this really engaging webinar with Gunnar Peterson, recognized Security Expert & MVP, that promises to provide an excellent introduction to the Service Gateway security model.  It’s live, tomorrow, September 15th at 1pm EST (GMT – 0400). SOAP and REST based security practices will be outlined, and typical attack vectors will be covered. Learn how architects & developers can collaborate using a gateway.

Register here.

Reading this after September 15th? Register for the replay!

World of SOA

Security in the Cloud

Security risks are a concrete expression of the lack of control a business faces when considering moving critical business systems to the cloud. From the perspective of the enterprise, there are seven major risks to be considered. Of these seven, four can be easily controlled or mitigated by the Enterprise. The remaining three remain the responsibility of the cloud provider of which the Enterprise has little real control, other than voting with their wallet. It may be argued that the Enterprise should make “demands” of the cloud provider through the use of contracts or third party audits, but in reality the market will determine the amount of security provided to Enterprises by cloud service providers and the level of acceptable risk. It may turn out that the cheaper price of cloud computing comes with necessarily increased risk, which may be a self-limiting factor in itself to the pervasive use of cloud computing by Enterprises.

We outline the top security risks as follows:

1. Insecure, Porous APIs: Most cloud services offer two categories of web-accessible APIs: Those based on web services (called SOAP) and those based on pure HTTP (called REST). Increasingly, some cloud providers are offering only REST style APIs which lack robust “Enterprise class” message level security and authentication mechanisms. Some APIs, such as the Twitter API are purposely designed for rapid development and allow and even encourage the use of unprotected user credentials which are more susceptible to man in the middle or replay attacks. While some providers, such as Amazon.com offer strong authentication mechanisms, it’s not clear yet how well these APIs stand up to content-based threats such as code injection, denial of service attacks, script injection, or malicious XML content. Moreover, it’s also not clear how much trust should be placed in data received by the Enterprise from a cloud API for potential threats. A compromised cloud service API session may be a direct avenue for an attack. Internal information systems exposed to the cloud at the API layer offer a universal tunnel for a savvy attacker. Without explicit protection, cloud APIs essentially expose previously guarded Enterprise data across the Internet into the hands of a third party. Moreover, for IaaS systems that expose XML based APIs for image management, these management APIs also require strong authentication and access control as an attacker may conveniently replace a trusted machine image with a rouge one.

2. Logical Multi-Tenancy: With shared cloud computing infrastructure, the division of Enterprise data is now logical rather than physical. This logical separation is typically achieved through the use of virtualized infrastructure which is a cheap and easy way to support a multi-tenant architecture at the cloud service provider. The perceived risk in this scenario is for an attacker to subvert the logical division provided by the guest virtual machine and gain access to the data of another tenant. A number of attacks on virtual machines, from detecting the presence of a hypervisor to running arbitrary code on the host have been documented3. These attacks highlight the uncertain security of multitenant, shared environments for critical Enterprise data. An Enterprise horror story would be an attacker signing up for a “free” account at the cloud service provider, detect the presence of a virtual machine and “escape out” of the VM instance to access the physical server operating system and potentially gain access to the Enterprise data. Technology such as Intel® Trusted Execution Technology (TXT) are available that can mitigate this type of attack, but responsibility for implementation ultimately still lies with the cloud service provider.

3. Data Protection and Confidentiality: Data stored, processed or indexed in a remote cloud service defines the extent of the new perimeter for the Enterprise. This new “fuzzy” boundary changes and moves with the data itself, not the traditional firewall. A necessary complication here is that for data to be used effectively by cloud services it must remain unencrypted or else SaaS providers will have a hard time indexing it for any function that relies on search. Common examples include spell-checking in a Google document or looking up sales leads in a CRM application. The Enterprise may have to give up encryption and data privacy requirements for some of its data but should also recognize the option of applying selective field or message level protection mechanisms for data before it reaches the cloud. A practical example of this is protecting employee or critical customer information on messages before the data is released to the cloud. This is one aspect of data protection that an Enterprise can control on data before it reaches the cloud service provider.

4. Data Loss and Reliability: When critical business data is moved to a cloud service, there is some inherent risk of data loss. Even if cloud service vendors offer multiple back-ups and data redundancy, there is no perfect way to protect against the failure of physical media and disasters are apt to strike at just the wrong time. To take an example, services such as Amazon’s storage service offer “credits” in the face of data unavailability4 within a given month. This SLA may be too weak a proposition for business critical data and Enterprises may need more protection to manage this risk. Data loss and unavailability at precisely the wrong time may completely cripple an Enterprise. It may be argued that this is a false risk because the Enterprise has a similar risk of catastrophic data loss inside its own datacenter and simply moving the data to the cloud doesn’t change the equation. This claim ignores the fact that the cloud service provider is offering the same product at a much cheaper price and the reliability that the Enterprise has built around its data may simply not be present with the cloud service provider. It should be noted that this risk may turn out to be a red herring. The convenience and cost savings of the cloud service and record of actual failures may reduce this potential risk to near-zero, but it is too early to tell.

5. Audit and Monitoring: The first step in managing the security of any system to know when specific risky events occur. If an Enterprise decides that cloud services provide value to the Enterprise but wants to audit when these services are accessed to evaluate risk, it needs a way to know when data flows to and from the cloud. Enterprises need to know who is making the service request, when the request is happening, how much data is sent or received and how the data is used. Given the convenience and ease with which cloud service providers can be accessed the biggest risk to an Enterprise concerns the use of unmanaged “rogue” cloud services or projects that go unnoticed or unmanaged by the Enterprise CSO.

6. Cloud Provider Insider Threats: A potential problem or weak spot with cloud services is the mismatch between the security requirements inside the Enterprise as compared to those employed by the cloud service provider. To take an example, many large Enterprises make special efforts to secure “endpoint” data on IT-issues laptops with two-factor authentication technology, forced password rotation and fully encrypted hard-disk drives. Moreover, data is often segmented with access controls that distinguish between full employees and contractors, especially in large companies with diverse geographies. In most cases these controls increase the security of the Enterprise data. It should be noted that has taken Enterprises many years to reach this level of increased protection. Once the data is moved from protected assets to the cloud, however, an instant “weak spot” is created. Security breaches are often breaches of the weakest link, and a determined attacker motivated either by financial gain or industrial espionage will likely find it easier to execute an insider threat from the cloud service provider to gain access to the Enterprise data rather than try to execute a brute force attack on an encrypted hard disk. It should be noted that this is not the same as “hacking into Amazon’s API” or “hacking Google documents.” Sophisticated attackers use social engineering techniques and insider connections to find the weakest link. A motivated attacker may even take a low level job at the cloud provider itself if it provides an easier path to the Enterprise data.

7. Account Hacking, Tiered Access Control and Authorization: While hacking an account through a stolen password or compromised credential is nothing new, Enterprises to date have done a decent job of segmenting credentials and access control throughout their infrastructure. This is actually a property or benefit of the somewhat localized security inherent in individual operating systems and the uses of role based (RBAC) and attribute based access control (ABAC) within the Enterprise. In other words, if an attacker gains root access to a networked system or database they may have access to other assets, but the breach of a single system is more often than not directly localized to the breached system. Further, breaches of a single account are self-limiting by the role or attributes associated with that account in the Enterprise LDAP system. It is true that sophisticated attackers can use information from any compromised system as a stepping stone for more sophisticated attacks, but more work is required by the attacker unless they are extremely lucky in breaching the exact system they need. If we contrast this to cloud service providers, a few such as Salesforce.com have rudimentary segmented access control and privileges5, but for the majority of these a breach of one account may grant the keys to the entire castle. In fact, the pay-off for an attacker who knows that he must hack just one account to gain access to all of the Enterprises resources may seek to employ cheap, readily available cloud computing resources for brute force attacks on passwords and cryptographic keys. Moreover, fine-grained authorization of Enterprise resources is a problem just now being solved inside the Enterprise and it will be some time before cloud providers reach the same sophistication of locking down the use of individual data elements, fields, URIs, resources or API calls to individuals with a specific role or specific attributes. Account hacking from an Enterprise insider also needs to be considered. Once the Enterprise moves to cloud computing traditional insider attacks can be more costly because the Enterprise must rely on the cloud provider to help prevent the insider breach. In short, not only are the keys to the castle held in the cloud, but the Enterprise has to protect its traditional assets and now cloud assets from insider attacks. 

The previous seven risks are summarized in Table 1. Here we list the risks, a description of the threat and which party (Enterprise or Cloud Provider) is on the hook for reducing the threat. Ultimately, shoring up security risks is the job of both the Enterprise and the cloud providers. Short of a boycott, however, Enterprises have little real control over how security is implemented on the provider side. Cloud providers have yet to segment their offerings to provide increased levels of security targeted for Enterprise requirements such as higher levels of risk protection, integration with Enterprise identity systems, guarantees around multi-tenancy platform sharing (or isolation) and integration with monitoring, alerting and security event management systems. Instead, providers appear to be implementing minimum levels of security for their perceived target market. Whether this minimum security will rise as the industry matures is an open question, but for Enterprises that need to reduce risk while cautiously adopting cloud services we advocate the use of a high performance edge-oriented service gateway for those categories of risk that the Enterprise can control. This provides the necessary balance between the cost savings promised by cloud computing and the management of tangible risks that are under the Enterprise control. The next section outlines the concept of a service gateway and how it can reduce risk in four areas: (a) API protection and strong authentication, (b) Data protection and leakage, (c) Auditing and Monitoring, (d) Access Control and Authorization.