
Bullet-proof your Cloud


Jyothi Swaroop, Product Director, Oracle Fusion Middleware

Top of Mind for Cloud / Inter-Enterprise

Oracle SOA Governance Customer Advisory Board 2011-12 Survey
"Please characterize your interest in Governance for cloud or B2B computing"

- Managing the integrity of transactions across organizational boundaries: 83%
- Meeting service levels for clients: 82%
- Managing security across organizational boundaries: 81%
- Controlling access to and utilization of external resources: 83%

Common Hybrid Infrastructure

Blend of Private and Shared, Public Data Centers

[Diagram: an on-premise private data center running ERP, PLM, SCM, HCM and CRM, linked by data sync to a separate, shared public-cloud data center. The hybrid IT infrastructure spans both, and end-to-end security, control over access and utilization, service level management and transaction integrity must all hold across the boundary.]

SOA & Cloud Security Strategy

Across Security Layers

[Diagram: three zones (extranet, DMZ, intranet) governed by common security policies. First line of defense: the XML Enterprise Gateway in the DMZ, in front of every channel (HTTP GET/POST from browser clients, REST, SOAP and JMS from web service clients). Service virtualization: the Service Bus, carrying an OWSM agent. End point security: an OWSM agent on each web service, with the policies managed centrally by OWSM.]

First Line of Defense

XML Firewalling Against Attacks

XML content attacks
- Checking for XML well-formedness and XML document size
- XPath and XQuery injection; SQL injection
- XML encapsulation; XML viruses
- Scanning outgoing messages for sensitive content based on metadata or regular expression patterns
- Detecting XML bombs and XML clogging
- Scanning WSDL files

XML schema and DTD attacks
- Checking for schema and DTD validation

Cryptographic attacks
- Public keys; replay

SOAP attacks
- SOAP operation filtering
- Checking for rogue SOAP attachments (e.g., viruses)

Communication attacks
- HTTP header and query string analysis
- IP address filtering
- Traffic throttling
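The checks above are what a perimeter XML gateway does before a message reaches any parser behind it. The following is an added example, not Oracle Enterprise Gateway code, of a minimal first-line filter written against the Python standard library: a size limit, well-formedness, refusal of any DOCTYPE or entity declaration (which is where XML bombs and external-entity references live), a nesting-depth limit against clogging, and an outbound regular-expression scan for card numbers narrowed by a Luhn check. The limits, the PAN pattern and the sample messages are assumptions made for the example.

```python
"""Added example (not Oracle Enterprise Gateway code): a minimal XML first-line-of-defense
filter covering the checks the slide lists. Stdlib only. MAX_BYTES, MAX_DEPTH and the
PAN pattern are assumed policy values, not values from the page."""
import re
import xml.parsers.expat

MAX_BYTES = 64 * 1024   # assumed size limit for an inbound message
MAX_DEPTH = 32          # assumed nesting limit (defends against "XML clogging")


class Rejected(Exception):
    """Raised from an expat callback to abort parsing at the first policy violation."""


def inspect_xml(payload: bytes, max_bytes: int = MAX_BYTES, max_depth: int = MAX_DEPTH):
    """Return (ok, reason). Size is checked before parsing; DOCTYPE and entity declarations
    are refused from the callbacks, so a billion-laughs payload is stopped before expat
    expands a single entity; element depth is tracked to stop deeply nested clogging."""
    if len(payload) > max_bytes:
        return False, f"size {len(payload)} exceeds {max_bytes} bytes"

    parser = xml.parsers.expat.ParserCreate()
    depth = 0

    def reject(reason):
        raise Rejected(reason)

    # DTDs are where entity-expansion bombs and external entity references live.
    parser.StartDoctypeDeclHandler = lambda *args: reject("DOCTYPE declaration not allowed")
    parser.EntityDeclHandler = lambda *args: reject("entity declaration not allowed")
    parser.ExternalEntityRefHandler = lambda *args: reject("external entity reference not allowed")

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            reject(f"element nesting deeper than {max_depth}")

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element

    try:
        parser.Parse(payload, True)
    except Rejected as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed: {exc}"
    return True, "passed"


# Outbound scan: a primary account number (PAN) pattern narrowed with a Luhn check,
# so that arbitrary 16-digit identifiers are not flagged as card numbers.
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def _luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_outgoing(text: str) -> list:
    """Return the card-like numbers (digits only) found in an outgoing message."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if _luhn_ok(digits):
            found.append(digits)
    return found


# Constructed sample messages for a quick self-check.
BILLION_LAUGHS = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE lolz [\n <!ENTITY lol "lol">\n'
    b' <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n]>\n'
    b'<lolz>&lol2;</lolz>'
)
TOO_DEEP = b"<a>" * 40 + b"</a>" * 40
MALFORMED = b"<order><item>widget</order>"
CLEAN = b'<order id="42"><item>widget</item></order>'
OUTBOUND = "Refund to card 4111 1111 1111 1111 for order 42; ref 1234 5678 9012 3456"

if __name__ == "__main__":
    for label, msg in [("bomb", BILLION_LAUGHS), ("deep", TOO_DEEP), ("bad", MALFORMED), ("clean", CLEAN)]:
        print(label, inspect_xml(msg))
    print("outbound", scan_outgoing(OUTBOUND))
```

Refusing DOCTYPE outright is the important design choice: expat expands internal entities itself, so a filter that only counted expanded output would already have paid the cost. Schema validation, XPath-injection checks and SOAP operation filtering sit behind this stage and are not shown.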

Solution: Web Service Security in the DMZ

Oracle Enterprise Gateway

Description
- Intrusion detection for cryptographic, XML and SOAP attacks, including rogue SOAP attachments
- Real-time monitoring
- Policy management

Benefits
- Ensures reliability of the hybrid infrastructure
- Improves performance through policy conformance

XML Acceleration and Web Service Security in the DMZ

XML Acceleration
- Fast processing of XML queries
- Fast XML validation
- Patented acceleration engine

DMZ Security
- Fine-grained authorization
- Authentication
- Identity propagation

[Chart: XML load speed; passed XML messages vs. blocked XML messages]

End-to-End Security
Authentication Across Enterprise Boundaries

[Diagram: on premise, an Enterprise Gateway in front of the employee's application; in the public cloud, the SaaS provider behind its own Enterprise Gateway; an integrator between the two]

Consuming cloud services (customer side)
1. The provider issues an API key to the customer.
2. The customer loads the API key into the Gateway.
3. Customers use the Cloud services; the Gateway applies the outbound security the service requires. If the request must be signed, the Gateway does the signing.
4. The Gateway submits the authentication credentials, including the API key.

Offering cloud services (provider side)
- Providers offer Cloud services; the Gateway provides inbound security for the provider's services.

Access to Cloud Services

Enterprise Gateway Connectors: configure Enterprise Gateway to connect to Cloud services
- Salesforce.com, using a combination of a password and a pre-shared key for authentication
- Amazon Web Services, via an HMAC signature over the request
- Providers like Terremark using the vCloud API (through HTTP authentication)
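The Amazon connector above is the case where the Gateway does the signing: the application never sees the secret, the Gateway computes an HMAC over the outbound request and appends it. The block below is an added example, not Oracle Enterprise Gateway code, of that exchange using the AWS Query API "Signature Version 2" scheme (HMAC-SHA256 over the method, host, path and canonical query string), with the provider-side verification alongside it. The access key, secret, timestamp and request parameters are constructed sample values.

```python
"""Added example (not Oracle Enterprise Gateway code): outbound request signing of the
kind the slide describes for Amazon Web Services, where the gateway holds the secret and
signs on the application's behalf. Implements the AWS Query API Signature Version 2 scheme
(HMAC-SHA256 over method, host, path and canonical query string). Key pair, timestamp and
parameters are constructed sample values."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def _encode(s: str) -> str:
    # RFC 3986 encoding: only A-Z a-z 0-9 - _ . ~ stay unescaped (so '/' becomes %2F).
    return quote(s, safe="-_.~")


def canonical_query(params: dict) -> str:
    """Parameters sorted by byte order of name, encoded, joined with '&'."""
    return "&".join(f"{_encode(k)}={_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method: str, host: str, path: str, params: dict) -> str:
    return "\n".join([method.upper(), host.lower(), path or "/", canonical_query(params)])


def sign_request(method: str, host: str, path: str, params: dict, secret_key: str) -> dict:
    """Gateway side: return a copy of params with the Signature added. The secret is
    used only here, which is the property the gateway model relies on."""
    if "Signature" in params:
        raise ValueError("request is already signed")
    sts = string_to_sign(method, host, path, params)
    mac = hmac.new(secret_key.encode(), sts.encode(), hashlib.sha256).digest()
    return dict(params, Signature=base64.b64encode(mac).decode())


def verify_signature(method: str, host: str, path: str, signed_params: dict, secret_key: str) -> bool:
    """Provider side: recompute over the received parameters and compare in constant time."""
    params = dict(signed_params)
    presented = params.pop("Signature", None)
    if presented is None:
        return False
    expected = sign_request(method, host, path, params, secret_key)["Signature"]
    return hmac.compare_digest(expected, presented)


# Constructed sample request; the key pair is fake.
ACCESS_KEY = "AKIAEXAMPLE"
SECRET_KEY = "example-secret-key-held-only-by-the-gateway"
HOST = "ec2.amazonaws.com"
REQUEST = {
    "AWSAccessKeyId": ACCESS_KEY,
    "Action": "DescribeInstances",
    "SignatureMethod": "HmacSHA256",
    "SignatureVersion": "2",
    "Timestamp": "2012-01-01T00:00:00Z",
    "Version": "2011-12-15",
}

# What the HMAC actually covers for REQUEST: method, lower-cased host, path, sorted query.
EXPECTED_STRING_TO_SIGN = (
    "GET\nec2.amazonaws.com\n/\n"
    "AWSAccessKeyId=AKIAEXAMPLE&Action=DescribeInstances&SignatureMethod=HmacSHA256"
    "&SignatureVersion=2&Timestamp=2012-01-01T00%3A00%3A00Z&Version=2011-12-15"
)

if __name__ == "__main__":
    signed = sign_request("GET", HOST, "/", REQUEST, SECRET_KEY)
    print(canonical_query(signed))
    print("verifies:", verify_signature("GET", HOST, "/", signed, SECRET_KEY))
```

Because the method, host and every parameter are inside the signed string, changing the Action, replaying against another host, or switching GET to POST all fail verification; the Timestamp parameter is what the provider uses to bound replay, which the signature alone does not prevent.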

End-to-End Security
Identity Management and Propagation

[Diagram: web clients (browser, HTTP GET/POST) reach web applications through a Web Application Firewall and web access control; web service clients (REST, XML, SOAP, JMS) reach web services in the DMZ through the Enterprise Gateway, which performs authentication (AuthN) and authorization (AuthZ). Identity Management supplies RBAC and fine-grained authorization, identity and role management, user provisioning and role governance, and the user identities shared by both paths.]

Control Access and Utilization

Apply Policy for Security & Service Levels

[Diagram: clients (browser HTTP GET/POST, REST, SOAP, XML, JMS) are fronted by the Enterprise Gateway** and the Service Bus*; Policy Agents enforce policies at endpoints such as WebCenter apps, Java EE web services, ADF BC web services, SOA composites, .NET, PL/SQL and Tibco web services, and JMS. The Policy Manager keeps the policies in the Metadata Store (MDS) alongside SOA Management, with Identity Management supplying identities.]

* Service Bus can be used with or without Policy Manager integration
** Enterprise Gateway may optionally use the same policies as Service Bus and Policy Agents

Unified policy model from the request to the endpoint

Meet Service Levels

Client-Based SLA Alarms

Service Level Agreement
- Service Level Objective (SLO) for Platinum customers: average response time per hour < 6 sec
- Warning threshold: 4 sec; action: alerts

Performance against objectives
- Usage tracked and segmented, e.g. by Platinum, Gold, Silver
- Stabilized response times for Platinum customers
- Automatically triggers alerts before compliance failure for Platinum customers
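As an added example, not Oracle Enterprise Manager code, the SLO rule above evaluated over constructed response-time samples: the average is computed per customer tier per hour, an average at or above the 4-second warning threshold raises a warning, and an average at or above the 6-second objective is a breach. Only the two thresholds come from the slide; the tier names beyond Platinum and the samples are constructed.

```python
"""Added example (not Oracle Enterprise Manager code): the client-segmented SLO rule from
the slide evaluated over constructed response-time samples. Thresholds are the slide's;
the samples and the extra tier are constructed."""
from collections import defaultdict

SLO_SECONDS = {"Platinum": 6.0}       # hourly average response time must stay below this
WARNING_SECONDS = {"Platinum": 4.0}   # alert early, before the objective is missed


def evaluate_slo(samples, slo=SLO_SECONDS, warning=WARNING_SECONDS):
    """samples: iterable of (iso_timestamp, tier, response_seconds).
    Returns a sorted list of (hour, tier, average, state) for tiers that carry an
    objective, where state is 'ok', 'warning' or 'breach'."""
    buckets = defaultdict(list)
    for ts, tier, seconds in samples:
        if tier in slo:
            buckets[(ts[:13], tier)].append(float(seconds))   # "YYYY-MM-DDTHH" bucket
    results = []
    for (hour, tier), values in sorted(buckets.items()):
        avg = sum(values) / len(values)
        if avg >= slo[tier]:
            state = "breach"
        elif avg >= warning.get(tier, slo[tier]):
            state = "warning"
        else:
            state = "ok"
        results.append((hour, tier, round(avg, 2), state))
    return results


def alerts(results):
    """The alert stream an operator receives: warnings and breaches only."""
    return [r for r in results if r[3] != "ok"]


# Constructed samples: Platinum averages 3 s in hour 10, drifts to 5 s in hour 11 and
# 7 s in hour 12; Gold has no objective configured and is ignored.
SAMPLES = [
    ("2012-03-01T10:05:00Z", "Platinum", 2.5), ("2012-03-01T10:20:00Z", "Platinum", 3.5),
    ("2012-03-01T10:40:00Z", "Gold", 7.0),
    ("2012-03-01T11:05:00Z", "Platinum", 4.0), ("2012-03-01T11:25:00Z", "Platinum", 6.0),
    ("2012-03-01T12:05:00Z", "Platinum", 6.5), ("2012-03-01T12:30:00Z", "Platinum", 7.5),
]

if __name__ == "__main__":
    for row in evaluate_slo(SAMPLES):
        print(row)
```

The warning in hour 11 is the "alert before compliance failure" on the slide: the objective is still met at 5 seconds, but the trend is visible an hour before the breach.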

Transaction Integrity
Across Enterprise and Cloud

[Diagram: a transaction crossing a web appliance, process engine, service bus and DBMS on premise, then a service bus and DBMS at the partner or cloud SaaS provider]

- Transactions no longer vanish because of delays, failures or errors
- Monitoring and alerting before users complain; a single source for the status of each transaction
- Problem diagnosis and managing exceptions is less laborious, with shorter mean-time-to-resolve
  - Averts the 80% of effort spent merely isolating the issue
  - No longer a manual effort based on log mining
  - Fewer developer resources diverted to IT fire-drills
- Business transaction context (not just system-centric monitoring)
  - Includes critical business context (customer name, order size, part numbers)
  - Captures a range of business-oriented errors and faults
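The "single source for the status of each transaction" is a correlation of the hops' own records by transaction ID. The block below is an added example, not Oracle Business Transaction Management code, that does that over constructed log lines from four hops: it reconstructs each transaction's path, reports where a transaction was last seen when it did not complete, and carries the business context (customer, order size, part number) along so the report reads in business terms. The log format, hop names and expected path are assumptions made for the example.

```python
"""Added example (not Oracle Business Transaction Management code): correlating one business
transaction across hops from their logs, so a stalled or failed transaction is found by ID
and reported with business context instead of by manual log mining. Log format, hop names
and the expected path are constructed for this example."""
import re
from collections import defaultdict

# Hops a transaction is expected to traverse, in order (assumed topology).
EXPECTED_PATH = ["appliance", "process_engine", "service_bus", "dbms"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) hop=(?P<hop>\S+) txn=(?P<txn>\S+) status=(?P<status>\S+)(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str):
    """One log line -> dict with ts, hop, txn, status and a context dict of extra key=values."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["context"] = {k: v.strip('"') for k, v in KV_RE.findall(rec.pop("rest"))}
    return rec


def trace_transactions(lines, expected_path=EXPECTED_PATH):
    """Return {txn: {"hops", "complete", "stalled_at", "fault", "context"}} aggregated
    over the log lines of every hop."""
    by_txn = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_txn[rec["txn"]].append(rec)

    report = {}
    for txn, recs in by_txn.items():
        recs.sort(key=lambda r: r["ts"])   # ISO-8601 timestamps sort lexically
        hops = [r["hop"] for r in recs]
        context = {}
        for r in recs:
            context.update(r["context"])   # business context accumulates hop by hop
        faults = [r for r in recs if r["status"] != "ok"]
        reached = [h for h in expected_path if h in hops]
        complete = reached == expected_path and not faults
        # The last expected hop with a record is where the transaction was last seen.
        stalled_at = None if complete else (reached[-1] if reached else None)
        report[txn] = {
            "hops": hops,
            "complete": complete,
            "stalled_at": stalled_at,
            "fault": faults[0]["status"] if faults else None,
            "context": context,
        }
    return report


# Constructed log lines from four hops: ORD-1001 completes, ORD-1002 times out at the
# service bus, ORD-1003 is never seen after the process engine.
SAMPLE_LOG = """
2012-03-01T10:00:01Z hop=appliance txn=ORD-1001 status=ok customer="Acme Corp" order_size=1200
2012-03-01T10:00:02Z hop=process_engine txn=ORD-1001 status=ok part=PN-77
2012-03-01T10:00:03Z hop=service_bus txn=ORD-1001 status=ok
2012-03-01T10:00:04Z hop=dbms txn=ORD-1001 status=ok
2012-03-01T10:00:05Z hop=appliance txn=ORD-1002 status=ok customer="Globex" order_size=300
2012-03-01T10:00:06Z hop=process_engine txn=ORD-1002 status=ok part=PN-12
2012-03-01T10:00:09Z hop=service_bus txn=ORD-1002 status=timeout
2012-03-01T10:00:10Z hop=appliance txn=ORD-1003 status=ok customer="Initech" order_size=50
2012-03-01T10:00:11Z hop=process_engine txn=ORD-1003 status=ok
""".strip().splitlines()

if __name__ == "__main__":
    for txn, info in sorted(trace_transactions(SAMPLE_LOG).items()):
        print(txn, info)
```

ORD-1003 is the case the slide calls a transaction that "vanishes": no hop logged an error, so nothing would alert on status alone; only the missing downstream records show it stalled after the process engine.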

Compliance in the Cloud

[Diagram: on premise at design time, an architect works through an approval workflow against a design policy and architecture standards held in the Enterprise Repository, producing compliance reports; a service is approved for use in the organization before a developer/integrator binds it to cloud services and contracts. On premise in operations, employees get secure access to the public-cloud SaaS application under service level agreements, security and access policy, XML validation and interoperability checks, with audit, logging and reporting.]

Corporate & Regulatory
- Payment Card Industry Data Security Standard (PCI DSS) compliance
- Statement on Auditing Standards 70: Service Organizations (SAS 70), per the Auditing Standards Board of the AICPA
- Health Insurance Portability and Accountability Act (HIPAA)

API Management
Security, Monitoring and Governance

- Secure REST APIs
- Threat Protection
- API Governance
- API Monitoring and Management

[Diagram: APIs consumed by tablets, mobile devices, gaming consoles, and devices and sensors]

Governing SOA in the Cloud

Farmers Insurance Group: Challenges Similar to Shared Services

Key Capabilities & Requirements              Shared Services   Cloud Computing
Platform Considerations
  Infrastructure                             Yes               Yes
  Multi-tenant Middleware architecture       Yes               Yes
  Services                                   Yes               Yes
  Processes                                  No                Yes
  Abstracted / virtualized shared platform   Yes               Yes
  Self-Service control panel                 No                Yes
  On-demand scaling                          No                Yes
Visibility and Control Considerations
  Security                                   Yes               Yes
  On-demand provisioning                     No                Yes
  IT service catalog                         Yes               Yes
  IT service management                      Yes               Yes
  Lifecycle Management                       Yes               Yes
  Standardization                            Yes               Yes
  Governance and Compliance                  Yes               Yes
Financial Management / Business Considerations
  Metering                                   Yes               Yes
  Billing                                    Yes               Yes

Oracle Fusion Middleware for Policing the Cloud

Oracle SOA Governance

- Oracle Enterprise Gateway: XML gateway for perimeter security; connections to Cloud
- Oracle Web Services Manager: security policy management; policy agents for endpoints
- Oracle Identity Management: user provisioning; authentication; authorization and fine-grained entitlements; role management
- Oracle Enterprise Manager: service level management and diagnostics; business transaction management; monitoring and reporting by client
- Oracle Enterprise Repository and Service Registry: catalog of IT services and contracts; governance workflow; reuse analytics; design/architecture compliance

Oracle SOA & Cloud Security Strategy

Security Inside-Out

- Cloud Security: control and assurance, delivered through Oracle Enterprise Gateway
- Perimeter Security: flexible and agile, delivered through Oracle Enterprise Gateway
- Application Security: broad and deep coverage, delivered through Oracle Web Services Manager and 3rd party agents
- Fusion Middleware Security: consistent and integrated, delivered through Oracle Web Services Manager

Next Steps
1. Explore Oracle's web sites: www.oracle.com/soa, http://bit.ly/soagov, http://bit.ly/OEGateway
2. Run Oracle SOA on the Cloud (Amazon EC2): http://bit.ly/HLgyRS
3. Attend an upcoming SOA event: Oracle Event Site, www.oracle.com/events
4. Oracle SOA Governance Resource Kit (whitepapers, datasheets, demos, etc.): http://bit.ly/soagovkit
5. Join the Oracle SOA communities: twitter.com/OracleSOA, facebook.com/OracleSOA, Oracle SOA Group Blog at blogs.oracle.com/governance
