Centralize Security Enforcement of Cloud-Based Applications
Security is an even greater concern in public infrastructure clouds than in an internal environment. You have no control over what other code runs on the same machine as yours, and you have intentionally opened your APIs to public access. Security remains an ongoing concern in cloud deployments:
- Do your APIs apply security policies consistently?
- Can changes to security policies be easily implemented across all APIs?
- Do your developers lose productivity implementing security functions for individual APIs?
- Is federated SSO an obstacle to moving into the cloud?
CloudGate allows you to run your APIs securely in public infrastructure clouds by providing application isolation and consistent, policy-based security for all traffic into and out of the application, including callbacks to your own datacenter or to external APIs. CloudGate's security features compare closely to those of most commercial XML firewalls.
CloudGate centralizes security management for Web services and APIs to save time and ensure consistent security implementation. CloudGate removes the development overhead and reduces risk of error inherent in implementing and managing security functions on individual API interfaces.
Single Point of Security Enforcement
Save implementation time and ease security management by using CloudGate as an API proxy that checks and enforces policies on XML message content. With CloudGate, you can:
- Authenticate and validate users and API requests
- Enforce security policies for API access and usage
- Automatically enforce security policy changes
- Provide federated SSO across multiple tiers
- Federate with SAML, OpenID, and OAuth 1.0 and 2.0 providers
CloudGate Features for Security Enforcement and XML Firewall
CloudGate can be used as a policy enforcement point for centralized runtime governance of service-oriented environments. This deployment includes the following capabilities:
Security Proxy and XML Firewall Functions
Use CloudGate as an API gateway or firewall to centralize security for APIs and web services, save implementation time and ease security management. This mode allows you to use CloudGate to:
- Authenticate users against LDAP and identity management services
- Map (exchange) tokens using the Secure Token Service (STS)
- Authenticate and authorize consumers using the Secure Token Service (STS)
- Handle incoming and outgoing SSL/TLS handshakes
- Allow or block access to individual service operations based on the consumer's IP address
- Support connections authenticated with X.509 certificates or Kerberos
- Encrypt or decrypt XML message content in both the request and the response
- Insert XML digital signatures into the request or response payload
- Validate XML digital signatures and WS-Security headers
- Block non-compliant API requests based on message content
- Validate and insert SAML assertions
- Accept OpenID and OAuth 1.0 and 2.0 tokens for single sign-on
- Integrate with Google or Salesforce user stores for single sign-on authentication
- Support Windows Integrated Authentication with Kerberos or NTLM
- Act as the client or the server side of Kerberos authentication
- Integrate with identity providers such as CA SiteMinder, RSA ClearTrust, Oracle Access Manager, OpenSSO, PicketLink STS and Tivoli Access Manager, using SAML assertions or Kerberos, for single sign-on
Consumer Authentication and Authorization
One of CloudGate's main XML/JSON firewall features is that it provides authentication and authorization for access to your APIs. Authentication and authorization can be done in several ways by setting policies for the API:
- OAuth - CloudGate can provide a single sign-on authentication mechanism through OAuth 1.0 or 2.0 for API access. CloudGate can act as the server side of the OAuth exchange, with an authorization server for token issuance and a resource server for token validation.
- Internal directory - CloudGate can authenticate the API consumer, and authorize it to call a specific API operation, against an internal directory held in the CloudGate configuration.
- LDAP or Active Directory - CloudGate can authenticate consumers of the API using LDAP v2 or v3 against an LDAP server or Active Directory. This can include complex LDAP searches (for example, a group-membership lookup) to confirm that the consumer is authorized to use the API.
- Kerberos authentication - CloudGate can act as the client in the Kerberos negotiation, obtaining tickets from the Kerberos ticketing server (KDC), or as the service on the server side of the negotiation. It supports keytab files.
- X.509 authentication - CloudGate can authenticate the consumer by checking the validity of the client's certificate (certificate-based authentication).
CloudGate can protect against a variety of HTTP and XML threats by preventing, blocking and screening for them in message content. A subset of the threats CloudGate can protect against includes:
- Replay attacks
- XML bomb attacks
- SQL injection
- Parameter tampering
- Oversized payloads
- Schema poisoning
- XPath injection
- XML morphing
- Denial of service attacks
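As an added example (this is not CloudGate code), the following Python sketches how a gateway screens an inbound request for several of the threat classes listed above: oversized payloads, XML bombs and other entity-based attacks, excessive nesting, and replay. The header names, the numeric limits and the in-memory replay cache are assumptions made for the example.

```python
import re
import time
import xml.etree.ElementTree as ET
from collections import OrderedDict

# Policy limits. These values are assumptions for the example, not CloudGate defaults.
MAX_BODY_BYTES = 64 * 1024      # oversized-payload limit
MAX_DEPTH = 32                  # element nesting limit
MAX_ELEMENTS = 10_000           # total element limit
REPLAY_WINDOW_SECONDS = 300     # accept timestamps within +/- 5 minutes of gateway time
MAX_TRACKED_IDS = 100_000       # bound the replay cache so it cannot become a DoS target itself
FEED_CHUNK = 4096               # parse in chunks so limits trigger before the whole body is built

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class ScreeningError(Exception):
    """A request violated a screening policy; the gateway rejects it."""


class ReplayCache:
    """Remembers message IDs seen inside the replay window (in-memory, single node)."""

    def __init__(self, window=REPLAY_WINDOW_SECONDS, capacity=MAX_TRACKED_IDS):
        self.window = window
        self.capacity = capacity
        self._seen = OrderedDict()  # message id -> time first seen, in insertion order

    def check(self, msg_id, msg_ts, now):
        # Forget IDs older than the window. Anything that old fails the timestamp
        # check anyway, so forgetting it cannot reopen a replay.
        while self._seen and next(iter(self._seen.values())) < now - self.window:
            self._seen.popitem(last=False)
        if abs(now - msg_ts) > self.window:
            raise ScreeningError("message timestamp outside replay window")
        if msg_id in self._seen:
            raise ScreeningError("replayed message id")
        if len(self._seen) >= self.capacity:
            self._seen.popitem(last=False)
        self._seen[msg_id] = now


def check_xml_structure(body):
    """Stream-parse the body, stopping as soon as a nesting or element-count limit is hit."""
    if _DOCTYPE_RE.search(body):
        # No DTD means no entity declarations: this blocks the XML bomb (billion
        # laughs) and external-entity vectors with one cheap check.
        raise ScreeningError("DOCTYPE not allowed")
    parser = ET.XMLPullParser(events=("start", "end"))
    depth = max_depth = count = 0
    try:
        for offset in range(0, len(body), FEED_CHUNK):
            parser.feed(body[offset:offset + FEED_CHUNK])
            for event, _elem in parser.read_events():
                if event == "start":
                    depth += 1
                    count += 1
                    max_depth = max(max_depth, depth)
                    if depth > MAX_DEPTH:
                        raise ScreeningError("XML nesting too deep")
                    if count > MAX_ELEMENTS:
                        raise ScreeningError("too many XML elements")
                else:
                    depth -= 1
        parser.close()
    except ET.ParseError as exc:
        raise ScreeningError(f"malformed XML: {exc}") from None
    return {"elements": count, "depth": max_depth}


def screen_request(headers, body, replay_cache, now=None):
    """Apply size, replay and structure checks in that order; return parse statistics."""
    now = time.time() if now is None else now
    if len(body) > MAX_BODY_BYTES:
        raise ScreeningError("payload exceeds size limit")
    # Assumed header names carrying the caller's message id and Unix timestamp.
    try:
        msg_id = headers["X-Message-Id"]
        msg_ts = float(headers["X-Timestamp"])
    except (KeyError, ValueError):
        raise ScreeningError("missing or invalid message id / timestamp") from None
    replay_cache.check(msg_id, msg_ts, now)
    return check_xml_structure(body)


def verdict(headers, body, replay_cache, now=None):
    """Convenience wrapper: (True, stats) when accepted, (False, reason) when rejected."""
    try:
        return True, screen_request(headers, body, replay_cache, now)
    except ScreeningError as exc:
        return False, str(exc)
```

Rejecting any DOCTYPE is the cheapest defence against entity expansion, since without a DTD there is nothing to expand. The replay cache here is per node; a clustered gateway needs a shared store keyed on message ID, and the timestamp window bounds how long that store has to remember each ID. Injection classes such as SQL or XPath injection are not addressed by structural checks alone and need content rules or schema validation on top.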
Single Sign On
Use the CloudGate API proxy deployment option to integrate with a variety of identity providers and service providers, generating tokens such as SAML, OpenID or OAuth tokens for session caching and single sign-on. CloudGate can embed the token in the payload, validate a token present in the message, return the token to the client application, and manage session caching with expiration. CloudGate integrates with STS and identity management providers such as CA SiteMinder, RSA ClearTrust, Oracle Access Manager, OpenSSO, PicketLink STS and Tivoli Access Manager.
Embedded Secure Token Service (STS)
CloudGate includes a Secure Token Service for creating and validating tokens for single sign-on. A single CloudGate instance can work both as an STS and as a gateway, or the two roles can be deployed separately. A 10 minute demonstration of the CloudGate Secure Token Service is available.
SAML and OpenID service providers
Instead of costly modification of your apps to support federation, the CloudGate proxy can accept tokenized SSO sessions on behalf of your apps. CloudGate handles the complexity of validating and decoding the token types above and passes the authenticated federated user to your Amazon EC2 or other public or private cloud APIs through HTTP headers. Because the backend trusts those headers, it must accept them only from the gateway (for example over a mutually authenticated connection or a private network), and the gateway must strip any identity headers the client supplied itself. CloudGate can also authenticate the consumer for single sign-on (SSO) against an LDAP directory or against Salesforce or Google user stores.
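As an added example, not CloudGate's own code, the following Python shows both halves of passing a federated identity to a backend through HTTP headers. The gateway side strips any identity headers the client sent and attaches the authenticated principal with an expiry and an HMAC; the backend side honours the headers only when the signature verifies and the assertion has not expired. The header names, the TTL and the shared HMAC key are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Header names, the TTL and the shared key are assumptions for this example.
IDENTITY_HEADERS = ("X-Authenticated-User", "X-Authenticated-Groups",
                    "X-Identity-Expires", "X-Identity-Signature")
IDENTITY_TTL_SECONDS = 300


class IdentityError(Exception):
    """The backend could not establish a trustworthy identity from the headers."""


def _signing_input(user, groups, expires):
    # Length-prefix each field so a crafted value cannot shift bytes between fields.
    parts = (user, ",".join(groups), str(expires))
    return "".join(f"{len(p)}:{p}" for p in parts).encode()


def _check_value(value):
    # CR/LF would let a value inject extra headers; commas would corrupt the group list.
    if any(c in value for c in "\r\n,"):
        raise IdentityError(f"unsafe character in identity value {value!r}")


def gateway_forward_headers(inbound, user, groups, key, now=None):
    """Gateway side: drop any identity headers the client sent, then attach the
    authenticated principal with an expiry and an HMAC the backend can verify."""
    now = int(time.time()) if now is None else int(now)
    groups = tuple(g for g in groups if g)
    for value in (user, *groups):
        _check_value(value)
    blocked = {h.lower() for h in IDENTITY_HEADERS}
    outbound = {k: v for k, v in inbound.items() if k.lower() not in blocked}
    expires = now + IDENTITY_TTL_SECONDS
    signature = hmac.new(key, _signing_input(user, groups, expires), hashlib.sha256).hexdigest()
    outbound["X-Authenticated-User"] = user
    outbound["X-Authenticated-Groups"] = ",".join(groups)
    outbound["X-Identity-Expires"] = str(expires)
    outbound["X-Identity-Signature"] = signature
    return outbound


def backend_identity(headers, key, now=None):
    """Backend side: accept the identity only if the signature verifies and it has not expired."""
    now = int(time.time()) if now is None else int(now)
    h = {k.lower(): v for k, v in headers.items()}
    try:
        user = h["x-authenticated-user"]
        groups = tuple(g for g in h["x-authenticated-groups"].split(",") if g)
        expires = int(h["x-identity-expires"])
        signature = h["x-identity-signature"]
    except (KeyError, ValueError):
        raise IdentityError("identity headers missing or malformed") from None
    expected = hmac.new(key, _signing_input(user, groups, expires), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        raise IdentityError("identity signature invalid")
    if now > expires:
        raise IdentityError("identity assertion expired")
    return {"user": user, "groups": groups}


def backend_identity_or_none(headers, key, now=None):
    """Convenience wrapper returning None instead of raising."""
    try:
        return backend_identity(headers, key, now)
    except IdentityError:
        return None
```

The signature is a second line of defence; the primary control is that the backend is reachable only from the gateway. Without either, any client that can reach the backend directly can set X-Authenticated-User itself.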
OAuth 1.0 and OAuth 2.0 support
CloudGate can provide OAuth security for APIs, acting as the OAuth authorization server, token endpoint and token validation (resource server) in the OAuth exchange.
CloudGate can also act as the OAuth client when calling out to other APIs.
Runtime Policy Enforcement Functions
Use the CloudGate API proxy deployment option to combine enforcement of automated policies on API access and usage with visibility into policy compliance. CloudGate enables you to:
- Block access to individual API and service operations based on time of day or date
- Create and manage WS-Policy assertions using CloudGate's internal repository and WS-Policy tools
- Automatically update API and policy information from a UDDI-compliant registry
- Monitor for policy compliance and compliance failures
- Set daily or hourly usage limits on the number of API requests
- Block API messages that exceed a certain size
- Throttle messages
- Apply protocol conversion (for example JMS to HTTP or vice versa), with an open API for protocol customization
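As an added example that is not CloudGate code, the following Python implements the enforcement decision for the policy items above that a gateway evaluates per request: a source-address allow list, a time-of-day access window, a message size cap, a throttle, and hourly and daily usage limits. The policy fields, counter storage and limit values are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time as dtime


@dataclass
class ApiPolicy:
    """Runtime policy for one API operation. Field values are example assumptions."""
    allowed_networks: tuple = ()            # CIDR strings; empty tuple means any source
    open_from: dtime = dtime(0, 0)          # start of the daily access window (inclusive)
    open_until: dtime = dtime(23, 59, 59)   # end of the daily access window (inclusive)
    hourly_limit: int = 0                   # 0 means unlimited
    daily_limit: int = 0                    # 0 means unlimited
    max_body_bytes: int = 0                 # 0 means no size limit


class UsageCounters:
    """Fixed-window counters keyed by (consumer, operation, window). In-memory for the
    example; a clustered gateway would keep these in a shared store."""

    def __init__(self):
        self._counts = {}

    def get(self, key):
        return self._counts.get(key, 0)

    def increment(self, key):
        self._counts[key] = self.get(key) + 1


class TokenBucket:
    """Throttle: sustain `rate` requests per second with bursts of up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.updated = None

    def allow(self, now):
        if self.updated is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def in_access_window(policy, now):
    """True when the wall-clock time of `now` falls inside the policy's daily window."""
    t = now.time()
    if policy.open_from <= policy.open_until:
        return policy.open_from <= t <= policy.open_until
    return t >= policy.open_from or t <= policy.open_until  # window wraps past midnight


def enforce(policy, consumer, operation, client_ip, body_len, now, counters, bucket=None):
    """Return (True, "allowed") or (False, reason). Static checks run first and the quota
    counters are only touched for requests that pass them, so rejected requests do not
    consume the consumer's allowance."""
    if policy.allowed_networks:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(net) for net in policy.allowed_networks):
            return False, "source address not permitted"
    if not in_access_window(policy, now):
        return False, "operation closed at this time of day"
    if policy.max_body_bytes and body_len > policy.max_body_bytes:
        return False, "message exceeds size limit"
    if bucket is not None and not bucket.allow(now.timestamp()):
        return False, "throttled"
    hour_key = (consumer, operation, now.strftime("%Y%m%d%H"))
    day_key = (consumer, operation, now.strftime("%Y%m%d"))
    if policy.hourly_limit and counters.get(hour_key) >= policy.hourly_limit:
        return False, "hourly limit exceeded"
    if policy.daily_limit and counters.get(day_key) >= policy.daily_limit:
        return False, "daily limit exceeded"
    counters.increment(hour_key)
    counters.increment(day_key)
    return True, "allowed"
```

Fixed-window counters are simple but allow up to twice the limit across a window boundary; the token bucket smooths bursts at the cost of per-consumer state, which is why both are shown. The client IP must be the address the gateway actually observed, not an X-Forwarded-For value the caller can set, unless it arrives from a trusted upstream proxy.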
Closed-loop API and Policy Management Functions
Increase your efficiency in managing APIs and runtime policies by integrating CloudGate with a UDDI service registry. Use CloudGate's bi-directional registry synchronization capability to:
- Automatically query the service registry and update API information
- Automatically configure new API monitoring configurations in CloudGate by querying a service registry
- Automatically query the service registry and update CloudGate policy implementations
- Create, update and manage policies through the CloudGate interface
- Export CloudGate policy implementations as WS-Policy-compliant assertions to a UDDI registry
- Automatically update the service registry with API information and policy changes made using the CloudGate interface
API Policy Profiles
CloudGate enables you to create a set of policy profiles and assign them to a group of APIs as they are discovered. You can:
- Create policy profiles once and assign them to a group of Web Services
- Assign multiple policy profiles to an API. As an example you can have one set of policies for internal consumers of the API and another set for external consumers of the API.