layer 7: building multi enterprise soa

Building Building MultiMulti--Enterprise SOAEnterprise SOA

Philip Walston

September 2008

Philip WalstonVP Product ManagementLayer 7 Technologies

OverviewOverview

Discussion of multi-enterprise SOA implementations, the challenges involved and how SOA appliances can help buildthese architectures

• What is multi-enterprise?

• The Role of SOA

• Real World Issues

• Implementation challenges

September 2008

Building Multi-Enterprise SOA

• Implementation challenges

• Characteristics of a solution

• The role of SOA appliances

• Summary and Questions

September 2008

What Exactly is MultiWhat Exactly is Multi--Enterprise?Enterprise?

Enterprise-Centric

• Most ERP and business applications use enterprise-centric architecture

• Focus is on meeting the enterprise's objectives

Extended enterprise

• An attempt to support the needs of partners by extending and elongating the enterprise data and process model

• Enables partners to interact with each other more easily, but

September 2008


• Enables partners to interact with each other more easily, but this environment is not ideal

• Each partner still has to learn how to work with each other’s business applications, each integration is point-to-point

Multi-enterprise

• A new architecture is required for more complex and interactive multi-enterprise business processes

September 2008

Adapted from: The Emergence of the Multienterpise Business Process Platform - Gartner, 11/07

MultiMulti--Enterprise ExamplesEnterprise Examples

Examples from many business verticals:

Manufacturing

� Manufacturers and suppliers

Insurance

� Insurers and brokers

Corporate

September 2008


� Corporations and outsourced service providers

Telecom

� Service providers and content providers

Architectural models used in these implementations includes:

� EDI, Web, SOA, B2B, Saas, Cloud …

Where Does SOA Fit In?Where Does SOA Fit In?

Corporate NetworkUntrusted ?

Flexible integration across departments, clients and partners

Reuse of software components across business processes

Interoperability across applications

September 2008


Network

PartnerBusiness Unit

Untrusted Entity

?

Web ServicesNetwork

MQSeriesNetwork

CORBANetwork

Implementation ChallengesImplementation Challenges

Corporate NetworkUntrusted ?

• Big step between point solutions and multi-enterprise services� Requires managed, standards compliant SOA framework

• Not all partners are created equal� Rationalizing differences between development skills, security and legal requirements

• The real world is messy� Making integrations work across all boundaries will be tough

September 2008


Network

PartnerBusiness Unit

Untrusted Entity

?

Web ServicesNetwork

MQSeriesNetwork

CORBANetwork

The Real World …The Real World …

September 2008


The Real World …The Real World …

MultipleIdentitySources

MultipleDomains

September 2008


Domains

Web Applications

MultiplePlatforms

GreenScreenSystems

MultipleTransports

(Some) Real World Issues(Some) Real World Issues

Application Silos• Applications from different vendors with narrowly defined interfaces and tight coupling to other systems

Islands of Identity• Different identity repositories, schemas and provisioning systems

Mixed Transport• SSL, HTTP, JMS, MQ, etc.

September 2008


Heterogeneous Platforms• Linux, UNIX, Windows, client-server, mainframe

Heterogeneous Clients• Browsers, green screen, thick clients, other applications

Web Portals• May already be default on-ramp for external partners

Moving to MultiMoving to Multi--EnterpriseEnterprise

Security

• Much more granular and much stronger

• Authentication / authorization mechanism is required

• May need to segregate data physically with separate databases

Integration

• More complex - participating applications and systems are scattered across companies

• Integration approaches will need to be simplified and rationalized to

September 2008


• Integration approaches will need to be simplified and rationalized to manage the increase in complexity across multistep process integration

Data and Process Model

• Need to be designed around common keys that help link enterprises in their interactions

• Gets more complex with potential range of range of one-to-one and one-to-many (and even many-to-many) business processes over time

September 2008

Adapted from: The Emergence of the Multienterpise Business Process Platform - Gartner, 11/07

A Spectrum of Implementation ChallengesA Spectrum of Implementation Challenges

Delivering on the Promise of SOA • How to implement business process

• How to avoid “broken” integrations

Maintaining Security• Where to enforce security

• Ensuring consistent security

September 2008


Meeting SLAs• Measuring and meeting both project and service SLAs

• Reporting and acting on SLA violations

Ensuring Compliance• Instrumentation of the path and ensuring integrity

• Providing validation and alerting mechanisms

Management• Providing the tools to manage the system

• Fitting into existing internal processes

The SecureSpan Product LineThe SecureSpan Product Line

First suite of security and networking products to address the full spectrum of XML deployments:

• Service Oriented Architectures (SOA)

• Web 2.0 and Web Oriented

September 2008


• Web 2.0 and Web Oriented Architectures (WOA)

• AJAX, REST and non-SOAP applications

• ESB, Portal, B2B and Application Oriented Networking

A SOA Gateway’s View of the WorldA SOA Gateway’s View of the World

What roles does a SecureSpan XML Networking Gateway perform?

• Read policies

• Create / store policies

• Enforce policies

• Identify exceptions

September 2008



• Act on exceptions

• Report exceptions

• Capture audit trail

*Enforcement points enforce policies within a specific context

Run-Time

Design-Time

A SOA Gateway’s View of the WorldA SOA Gateway’s View of the World

What roles does a SecureSpan XML Networking Gateway perform?

• Read policies

• Create / store policies

• Enforce policies


September 2008


Diagnostic

Run-Time• Identify exceptions

• Act on exceptions

• Report exceptions

• Capture audit trail

*Enforcement points enforce policies within a specific context

A Few Policy Examples A Few Policy Examples

Threat Protection

• Screen messages for specific / general threats

Identity Based Access Control

• Grant access to specific users or groups

Content-Based Processing

• Perform different processing based on specific content

September 2008


• Perform different processing based on specific content

Selective Version Control

• Transform to mediate client / service versioning issues

Service-Level Agreement

• Process based on measured quota or class of service

Common MultiCommon Multi--Enterprise SOA RequirementsEnterprise SOA Requirements

• Identity and Trust Control Process

� Authenticating and certifying identities

• Policy Definition Environment

� Tailor security (and other) policies to each service consumer and provider relationship

September 2008


• Automated Policy Provisioning and Coordination

� Establish policies that can be distributed, verified and managed

• Compliance Verification Framework

� Enforce, audit, alert and report compliance to policies and SLAs

SOA Appliances and MultiSOA Appliances and Multi--Enterprise SOAEnterprise SOA

Service Endpoints

(Secure Zone)

Internal Firewall

• Security policy composed in policy editor

• Enforcement point acts on policy

• Client software conforms to policy

• Enforcement point reports on compliance

September 2008


SOA Gateway

Corporate Identity Server

Policy Editor

Business Partners

External Firewall

DMZ

SecureSpan and MultiSecureSpan and Multi--Enterprise SOAEnterprise SOA

Service Consumer with Hard-Coded

Policy

Service Endpoints

(Secure Zone)

• Security policy composed in SecureSpan Manager

• XML Networking Gateway acts on policy

• Client software conforms to policy OR

• XML VPN Client conforms to policy

• Enforcement point reports on compliance

September 2008


Service Consumer with SecureSpan XML

VPN Client

Policy

WS-Policy

WS-Policy

SecureSpan XML Networking Gateway

Corporate Identity Server

SecureSpan Manager

(Some) Real World Issues(Some) Real World Issues

Application Silos• Applications from different vendors with narrowly defined interfaces and tight coupling to other systems

Islands of Identity• Different identity repositories, schemas and provisioning systems

Mixed Transport• SSL, HTTP, JMS, MQ, etc.

September 2008


Heterogeneous Platforms• Linux, UNIX, Windows, client-server, mainframe

Heterogeneous Clients• Browsers, green screen, thick clients, other applications

Web Portals• May already be default on-ramp for external partners

How SecureSpan Addresses Real World IssuesHow SecureSpan Addresses Real World Issues

Application Silos• Almost all major commercial applications are SOA-enabled

Islands of Identity• SecureSpan can leverage LDAP, SSO and federation systems

Mixed Transport• SecureSpan supports a mix of transports including HTTP, FTP, JMS

September 2008


Heterogeneous Platforms• SecureSpan is standards-based and application platform independent

Heterogeneous Clients• SecureSpan has solutions to help fill the gap between clients and apps

Web Portals• SecureSpan works in conjunction with both portals and SSO systems

MultiMulti--Enterprise WideEnterprise Wide--Area Routing FabricArea Routing Fabric

Business Partner With SecureSpan Appliances


September 2008



SecureSpan XML Networking Gateway Cluster

SummarySummary

SOA Can Be Extended Outside of the Enterprise

• Identity, security, provisioning, management …

SOA Appliances Can Help

• Can provide fine-grained personalization of policies

• Robust, high-performance enough for the DMZ

Be Aware of Potential Blockers

September 2008


Be Aware of Potential Blockers

• Establishing meaningful authentication, negotiating portals …

• Coordinating policies with partners

Multi-Enterprise SOA is Not a Product

• No single solution, but lots of products can help

• Good choices can meet immediate and long-term needs

September 2008

layer 7: building multi enterprise soa

Technology