Intel SOA Expressway is Intel’s cloud security gateway that helps Enterprises regain control, increase the security of their dynamic perimeter and reduce risk in the four previously mentioned areas:
- API protection and strong authentication
- data protection and leakage prevention
- audit and monitoring
- access control and authorization
Intel® SOA Expressway is available as a software solution or hardware appliance and provides secure cloud access, runtime security policy enforcement, threat prevention, integration with existing identity management and security monitoring products, as well as massive scalability based on machine-language processing of XML. It runs on standard Intel® Multi-Core server hardware and can be scaled through virtualization.
In this section, we outline three practical usage models for deploying SOA Expressway, each corresponding to the current levels of Enterprise cloud adoption: private, hybrid and public.
Enterprises at the early stages of cloud adoption are deploying private clouds and internal cloudlets, which can be thought of as local access points and logical divisions of their own larger cloud infrastructure. Private clouds are characterized by scalability through virtualization, but the actual physical infrastructure is kept local to the Enterprise. As mentioned earlier, this provides scalability and capital cost reduction without incurring a loss of control. In this architecture, Intel SOA Expressway can be used to create an internal virtual application perimeter between the existing Enterprise information systems and the Enterprise’s own internal cloud.
This type of architecture also works as a precursor and testing ground for a hybrid cloud deployment, where the actual physical resources live off-site from the Enterprise. In this environment, SOA Expressway can be used to enforce the attribute-based access control, authentication and data protection policies required for PCI DSS and other compliance standards.
The above Figure shows Intel® SOA Expressway deployed in a private cloud environment. In this figure, SOA Expressway is shown deployed primarily as an internal application perimeter on virtualized server hardware. Here, the service gateway is enabling data protection, strong authentication, auditing and monitoring, and runtime policy enforcement between existing Enterprise information systems and their own private cloud. Intel® SOA Expressway is also shown deployed at the edge of the private cloudlet for edge security. It can be expected that Enterprises will eventually want to enable access to data stored in their private cloudlets for business partners or consumers, which can be done through a secure control point such as Intel® SOA Expressway. One strategy Enterprises can use is to always start with a control point for pilot projects involving cloud services. Then, if the pilot is successful, moving from testing to production becomes easier because the control point has been designed in from the start.
Enterprises using a hybrid cloud model have begun to offload parts of their applications and infrastructure to the cloud. Without a control point between the cloud and their remaining on-premise applications, these organizations will likely have gaps between security policies, identity islands, and their audit and monitoring systems. This problem becomes more acute if different parts of the Enterprise engage in ad hoc external cloud projects without the use of a service gateway as a control point.
The above Figure shows Intel® SOA Expressway deployed in a hybrid cloud environment, mediating between two different cloud service providers. In the previous figure, Intel® SOA Expressway is shown mediating interactions between internal Enterprise systems and three types of cloud service providers. In this scenario the functionality provided by Intel® SOA Expressway will depend on the nature of the cloud provider.
For SaaS providers, SOA Expressway is acting as an identity on-ramp and identity mediator by leveraging local identity management systems, authentication data, user databases and authorization systems and then federating these identities to the SaaS provider for seamless access to SaaS applications. Simultaneously, it is also providing audit and log information to the Enterprise SIEM system to aid in the correlation of security events and compliance.
For PaaS providers, such as Amazon Web Services or similar platform-level services where data is sent and received directly into Enterprise middleware or information systems, SOA Expressway is providing API protection and strong authentication and performing threat defense with an outward defense posture, including denial-of-service protection and content filtering of traffic from these external services, ensuring that malicious content does not slip through into critical systems. Similar to the SaaS example, SOA Expressway is also providing security logs and alerts to the internal SIEM system and performing runtime governance controls for message rate and concurrent transactions, which allows the Enterprise to track and audit the usage of platform services.
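The runtime governance controls described for the PaaS case (a per-client message-rate limit and a cap on concurrent transactions) together with the audit feed to the SIEM mentioned for both the SaaS and PaaS cases can be illustrated with a small gateway policy enforcer. The following is an added example written for this post; it is not Intel SOA Expressway's own code, and the policy values, client names and JSON audit format are constructed assumptions.

```python
"""Added example: gateway-style runtime governance with an audit trail.

Models the control point between enterprise systems and a platform
provider: each inbound transaction is admitted only if the client is
under its sliding-window message-rate limit and its concurrency cap, and
every decision (allow or deny) is recorded as a JSON event suitable for
forwarding to a SIEM. Policy values and client names are constructed.
"""
import json
import threading
import time
from collections import deque
from dataclasses import dataclass


@dataclass
class GovernancePolicy:
    max_messages_per_window: int = 5   # messages a client may send per window
    window_seconds: float = 1.0        # sliding window length
    max_concurrent: int = 2            # in-flight transactions per client


class GovernanceGateway:
    """Enforces message-rate and concurrency limits per client and
    records an audit event for every admission decision."""

    def __init__(self, policy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock                 # injectable for deterministic runs
        self.lock = threading.Lock()
        self.windows = {}                  # client -> deque of accepted timestamps
        self.in_flight = {}                # client -> open transaction count
        self.audit_log = []                # JSON lines (constructed SIEM feed)

    def _audit(self, client, decision, reason):
        event = {"ts": round(self.clock(), 3), "client": client,
                 "decision": decision, "reason": reason}
        self.audit_log.append(json.dumps(event, sort_keys=True))

    def admit(self, client):
        """Return True if the transaction may proceed. The caller must call
        release() when the transaction finishes."""
        now = self.clock()
        with self.lock:
            window = self.windows.setdefault(client, deque())
            # Expire timestamps that have fallen out of the sliding window.
            while window and now - window[0] >= self.policy.window_seconds:
                window.popleft()
            if self.in_flight.get(client, 0) >= self.policy.max_concurrent:
                self._audit(client, "deny", "concurrency_limit")
                return False
            if len(window) >= self.policy.max_messages_per_window:
                self._audit(client, "deny", "rate_limit")
                return False
            window.append(now)
            self.in_flight[client] = self.in_flight.get(client, 0) + 1
            self._audit(client, "allow", "ok")
            return True

    def release(self, client):
        """Mark one in-flight transaction for the client as complete."""
        with self.lock:
            self.in_flight[client] = max(0, self.in_flight.get(client, 0) - 1)


class FakeClock:
    """Manual clock so the sliding window can be advanced deterministically."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Drive the gateway with a constructed traffic pattern; return the
    admission decisions and the audit log."""
    clock = FakeClock()
    policy = GovernancePolicy(max_messages_per_window=3,
                              window_seconds=1.0, max_concurrent=2)
    gw = GovernanceGateway(policy, clock=clock)
    decisions = []
    decisions.append(gw.admit("partner-a"))   # allowed (1 in flight)
    decisions.append(gw.admit("partner-a"))   # allowed (2 in flight)
    decisions.append(gw.admit("partner-a"))   # denied: concurrency cap hit
    gw.release("partner-a")
    gw.release("partner-a")
    decisions.append(gw.admit("partner-a"))   # allowed: 3rd message in window
    gw.release("partner-a")
    decisions.append(gw.admit("partner-a"))   # denied: rate limit hit
    clock.advance(1.0)                        # window expires
    decisions.append(gw.admit("partner-a"))   # allowed again
    gw.release("partner-a")
    decisions.append(gw.admit("partner-b"))   # separate client, own budget
    gw.release("partner-b")
    return decisions, gw.audit_log


if __name__ == "__main__":
    decisions, log = simulate()
    print(decisions)
    print("\n".join(log))
```

The concurrency check runs before the rate check, so a request refused for too many in-flight transactions does not also consume the client's rate budget; both denial reasons are distinguishable in the audit events, which is what lets a SIEM separate a noisy-but-legitimate partner from one hammering the gateway.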
Finally, for the case of infrastructure services, we can imagine an Enterprise that is running presentation-tier infrastructure in an off-premise web hosting environment that then requires secure access into the heart of the Enterprise data, such as customer analytics or data warehouse systems. In this case, external users will be accessing the web through an off-premise web service that then generates cloud-based service requests for data within the Enterprise. Here, Intel® SOA Expressway is acting as a control point and mediation engine for gathering internal data and sending this information to the IaaS platform in a format suitable for presentation. As in the other cases, Expressway is logging and auditing critical messages for compliance and security analysis and mediating credentials from the external user base to internal identities through the identity management system already deployed in the Enterprise.
Pure public cloud architectures represent the theoretical end-game for the Enterprise. In theory, the entire infrastructure becomes outsourced and the Enterprise focuses purely on its own product or service without the additional overhead of IT capital costs, system administration and maintenance. In the initial blog we called this the strong assumption for the public cloud. Unless an Enterprise is starting from scratch, it seems unlikely that the strong assumption will ever be completely achieved. In the cases where the Enterprise is betting big on the public cloud, SOA Expressway can be used to secure and audit the application infrastructure using a public cloud model. The following Figure shows Intel® SOA Expressway deployed in a public cloud environment.
In the previous diagram, the Enterprise is hosting its identity management system, data store, and security information monitoring system in the cloud. It is also relying on a platform provider (PaaS provider) to host any custom-built applications it needs to make its business run. For packaged applications such as customer relationship management, accounting, office applications and email, we might imagine that the organization has decided to use standard, ubiquitous SaaS offerings from top vendors. In this scenario the traditional Enterprise perimeter has mostly disappeared and has been replaced with either end users, who log in to the various SaaS applications to do their jobs, or administrators, who monitor the information state of this new hosted Enterprise. The role of the control point in this architecture is to secure and audit transactional data and ensure compliance, especially for data sent to and received by the custom hosted applications. It also acts as a user-level control point for the various SaaS applications.
It is important to remember that the service gateway is a full proxy for the entirety of the application content. This means that in principle it can provide extended data protection and audit capabilities for each interaction through the gateway. Without a control point, Enterprise users would be establishing distinct sessions with each of the SaaS providers without any form of coordinated central control or knowledge, and data from the custom hosted application at the PaaS provider would flow directly into the hosted database and identity system. This type of uncontrolled spaghetti flow of data is very difficult to audit and secure, and any security compromise at the PaaS vendor, such as malicious code injection, could pose a serious risk to an Enterprise looking to adopt a pure public cloud environment.