Cloud Security Case Studies of PaaS, SaaS, and IaaS

Mark O'Neill, CTO of Vordel

on 6 June 2013


Transcript of Cloud Security Case Studies of PaaS, SaaS, and IaaS

How are Enterprises Connecting to the Cloud?

"What sits between you and the cloud will become a critical success factor in cloud computing as cloud services multiply and expand faster than the ability of cloud consumers to manage or govern them in use." (Daryl Plummer, Gartner)

SaaS: Single Sign-On to Google Apps

Tip of the iceberg: the student is logged into Google Apps. Who is the Identity Provider? The college portal.

The colleges use Axway API Servers to sign students into Google Apps. The API Server:
  • Validates the student's authentication status
  • Constructs the SAMLResponse message for Google
  • Signs the SAMLResponse with the key issued to the college by Google
  • URL-encodes the response and sends it to Google

The resulting POST to Google, as captured on the slide (the SAMLResponse value is cut off):

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 6477

RelayState=http%3A%2F%2www.college.com%3A8080%2Fwelcome&SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHNhbWxwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vZWMyLTc1LTEwMS0xOTYtMjQ4LmNvbXB1dGUtMS5hbWF6b25hd3MuY29tOjgwODAvaGVhbHRoY2hlY2siIElEPSJfNTE2NTVhOThhZjA5ZWVkM2M4NTJhMWJjNmQyYTU5OGIiIElzc3VlSW5zdGFudD0iMjAxMS0wOS0wOVQwNDoxOToxNC44NTZaIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxzYW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwczovL3

What is this key? It is the partner key registered with Google:
  • Used to sign the SAMLResponse
  • An RSA or DSA private key
  • It is vital that this key is protected

IaaS: Management of Cloud Server Instances

Virtual servers are more convenient than physical servers:
  • Quicker to provision
  • Operational expenditure, not capital expenditure
  • Very simple to configure new virtual servers

With the vCloud API keys, developers simply spin up new virtual machines, reboot them, and terminate them. But wait, what about:
  • An audit trail of what machines have been provisioned
  • Control over who can spin up machines, who can reboot them, and who can terminate them
  • A central point to apply governance
  • Monitoring performance of the IaaS provider

Remember: IaaS servers cost money.

Requirement:
  • Do not allow developers access to the vCloud keys
  • Keep an audit trail of all cloud server creation, reboot, and termination
  • Monitor response time of the vCloud services

Solution:
  • Axway API Server protects the vCloud API keys
  • Developers connect to the cloud services through the API Server
  • Axway API Server applies security
  • All services are monitored
  • Usage data is logged: no billing surprises

PaaS: API Management

Case study: apps.facebook.com/giftcardmall. Virtual Gift Cards are provisioned using an API s

Requirement:
  • Authenticate API usage from Facebook
  • High performance
  • Use industry standards

The API request, as captured on the slide:

GET /ProcessAPIRequest HTTP/1.1
Connection: keep-alive
Transfer-Encoding: chunked
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0
timestamp: 110708054739159GMT
Nonce: Id-0000013108497d0e-0000000001bed3d1-57
encryption_type: HmacSHA1
client_ref_id: client
Authorization: MGJ4aVdxeTIwWXltNTNSSUIvQW9vT2xOOE1BPQ==
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Via: 1.1 Dell-PC (Gateway)
Content-Type: application/x-www-form-urlencoded

firstname=fname&lastname=lname&id=xyz

The API request is validated by the Axway API Server. API key management is again vital.
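The PaaS request above carries a timestamp, a nonce, an encryption_type of HmacSHA1, a client_ref_id and a base64 Authorization value. The following is an added example of how the receiving side validates such a request; it is not code from the presentation or from Axway/Vordel. Which fields the signature covers, and the newline-joined string-to-sign, are assumptions the slide does not state. The slide's Authorization value base64-decodes to a 28-character string that is itself base64 of 20 bytes, the HMAC-SHA1 output length, so the double base64 encoding below follows the observed format. The shared secret, the client identity and the sample request are constructed.

```python
"""Server-side validation of an HMAC-SHA1 signed API request (added example).

Checks: known client_ref_id, timestamp within a skew window, nonce not
replayed, and a constant-time comparison of the recomputed signature.
"""
import base64
import datetime as dt
import hashlib
import hmac

# Constructed shared secret per client_ref_id. In the case study this lives in
# the API Server; application developers never see it.
CLIENT_SECRETS = {"client": b"constructed-shared-secret-for-demo"}

# Constructed sample request mirroring the headers on the slide.
SAMPLE_HEADERS = {
    "timestamp": "110708054739159GMT",
    "Nonce": "Id-0000013108497d0e-0000000001bed3d1-57",
    "encryption_type": "HmacSHA1",
    "client_ref_id": "client",
}
SAMPLE_BODY = "firstname=fname&lastname=lname&id=xyz"
SAMPLE_NOW = dt.datetime(2011, 7, 8, 5, 47, 45, tzinfo=dt.timezone.utc)
ONE_HOUR_LATER = SAMPLE_NOW + dt.timedelta(hours=1)


def parse_timestamp(value):
    """Parse the slide's layout YYMMDDHHMMSSmmm followed by 'GMT'."""
    if len(value) != 18 or not value.endswith("GMT") or not value[:-3].isdigit():
        raise ValueError("bad timestamp format")
    # %f accepts 1-6 digits and right-pads, so the 3-digit millisecond field parses as-is.
    parsed = dt.datetime.strptime(value[:-3], "%y%m%d%H%M%S%f")
    return parsed.replace(tzinfo=dt.timezone.utc)


def string_to_sign(method, path, headers, body):
    """ASSUMPTION: the signature covers method, path, timestamp, nonce, client id and body."""
    return "\n".join([method, path, headers["timestamp"], headers["Nonce"],
                      headers["client_ref_id"], body]).encode("utf-8")


def sign(secret, method, path, headers, body):
    """Client side: HMAC-SHA1, base64, then base64 again (the layout seen on the slide)."""
    mac = hmac.new(secret, string_to_sign(method, path, headers, body), hashlib.sha1).digest()
    inner = base64.b64encode(mac)  # 28 ASCII characters
    return base64.b64encode(inner).decode("ascii")


def authorization_layout(value):
    """Return (length of the inner base64 text, length of the raw MAC) for inspection."""
    inner = base64.b64decode(value)
    return len(inner), len(base64.b64decode(inner))


def signed_sample_headers():
    headers = dict(SAMPLE_HEADERS)
    headers["Authorization"] = sign(CLIENT_SECRETS["client"], "GET", "/ProcessAPIRequest",
                                    headers, SAMPLE_BODY)
    return headers


class RequestValidator:
    def __init__(self, secrets=CLIENT_SECRETS, max_skew_s=300):
        self.secrets = secrets
        self.max_skew_s = max_skew_s
        self.seen_nonces = {}  # nonce -> expiry; entries only need to outlive the skew window

    def validate(self, method, path, headers, body, now):
        """Return (ok, reason). Cheap checks run before the HMAC is computed."""
        if headers.get("encryption_type") != "HmacSHA1":
            return False, "unsupported encryption_type"
        secret = self.secrets.get(headers.get("client_ref_id", ""))
        if secret is None:
            return False, "unknown client_ref_id"
        try:
            ts = parse_timestamp(headers.get("timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs((now - ts).total_seconds()) > self.max_skew_s:
            return False, "timestamp outside skew window"
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now}
        nonce = headers.get("Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "nonce missing or replayed"
        expected = sign(secret, method, path, headers, body)
        presented = headers.get("Authorization", "")
        if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
            return False, "signature mismatch"
        self.seen_nonces[nonce] = now + dt.timedelta(seconds=self.max_skew_s)
        return True, "ok"


if __name__ == "__main__":
    v = RequestValidator()
    h = signed_sample_headers()
    print(v.validate("GET", "/ProcessAPIRequest", h, SAMPLE_BODY, SAMPLE_NOW))
    print(v.validate("GET", "/ProcessAPIRequest", h, SAMPLE_BODY, SAMPLE_NOW))  # replay
```

The nonce cache only has to remember nonces for as long as the timestamp window allows a request to be accepted, which keeps it bounded; a gateway with several instances would need to share that cache.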
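For the SaaS case study above (the API Server constructs the SAMLResponse, signs it, base64- and URL-encodes it, and POSTs it to Google), the following is an added example that is not code from the presentation or from Axway/Vordel. It builds the samlp:Response and the form body on the identity-provider side, and goes beyond the slides by adding the checks the receiving service provider applies before trusting the message (Destination, Issuer, IssueInstant freshness). The XML-DSig signing step itself is not implemented: it needs an enveloped-signature library (for example python-xmlsec or signxml) and the college's private partner key, which stays inside the API Server. The college, the ACS URL, the student and the RelayState are constructed values.

```python
"""SAML 2.0 Response construction and service-provider checks (added example)."""
import base64
import datetime as dt
import secrets
import urllib.parse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed identities (hypothetical college and assertion consumer URL).
ISSUER = "https://sso.example-college.edu"
GOOGLE_ACS = "https://www.google.com/a/example-college.edu/acs"
SAMPLE_NOW = dt.datetime(2013, 6, 6, 12, 0, 0, tzinfo=dt.timezone.utc)


def at(seconds):
    """Constructed clock helper: SAMPLE_NOW shifted by the given seconds."""
    return SAMPLE_NOW + dt.timedelta(seconds=seconds)


def build_response(student_email, issued_at, destination=GOOGLE_ACS, issuer=ISSUER):
    """Step 2 of the flow: the (not yet signed) samlp:Response for one student."""
    instant = issued_at.strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0",
        "IssueInstant": instant, "Destination": destination})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": instant})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = student_email
    # Step 3 (signing with the partner private key via XML-DSig) would happen here,
    # inside the API Server; it is deliberately not implemented in this example.
    return ET.tostring(resp, encoding="utf-8", xml_declaration=True)


def encode_post_body(response_xml, relay_state):
    """Step 4: base64 the XML and URL-encode the form fields Google expects."""
    return urllib.parse.urlencode({
        "RelayState": relay_state,
        "SAMLResponse": base64.b64encode(response_xml).decode("ascii")})


def check_response(post_body, now, expected_destination=GOOGLE_ACS,
                   trusted_issuer=ISSUER, max_age_s=300, clock_skew_s=60):
    """Service-provider checks applied before (never instead of) signature verification."""
    form = urllib.parse.parse_qs(post_body)
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"][0]))
    problems = []
    if root.tag != f"{{{SAMLP}}}Response":
        problems.append("not a samlp:Response")
    if root.get("Destination") != expected_destination:
        problems.append("Destination mismatch")
    if root.findtext(f"{{{SAML}}}Issuer") != trusted_issuer:
        problems.append("untrusted Issuer")
    issued = dt.datetime.strptime(root.get("IssueInstant", ""), "%Y-%m-%dT%H:%M:%SZ")
    age = (now - issued.replace(tzinfo=dt.timezone.utc)).total_seconds()
    if not (-clock_skew_s <= age <= max_age_s):
        problems.append("IssueInstant outside freshness window")
    name_id = root.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
    return {"problems": problems, "subject": name_id}


if __name__ == "__main__":
    xml = build_response("student@example-college.edu", SAMPLE_NOW)
    body = encode_post_body(xml, "http://www.college.com:8080/welcome")  # constructed RelayState
    print(body[:80] + "...")
    print(check_response(body, at(30)))
```

Because the partner key signs every assertion Google accepts for the college's domain, whoever holds it can log in as any student; that is why the slides insist the key stays in the API Server rather than on developer machines or the portal itself.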
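For the IaaS case study above (developers never touch the vCloud keys, every create/reboot/terminate is audited, provider response time is monitored, usage is logged), the following is an added example of the mediation pattern; it is not code from the presentation or from Axway/Vordel. The vCloud API is replaced by a stub client so the example runs offline, and the roles, developer names and credential value are constructed.

```python
"""Gateway in front of an IaaS API: holds the credential, enforces who may do
what, records an audit entry per attempt, measures provider latency and
counts usage per developer (added example)."""
import datetime as dt
import json
import time

# Constructed policy and identities.
ROLE_PERMISSIONS = {
    "developer": {"create", "reboot"},
    "ops": {"create", "reboot", "terminate"},
}
DEVELOPER_ROLES = {"alice": "developer", "bob": "ops"}


class FakeVCloud:
    """Stand-in for the provider's API; it records the credential each call used."""

    def __init__(self):
        self.calls = []
        self._next = 1

    def call(self, credential, operation, vm_id=None):
        self.calls.append((credential, operation, vm_id))
        if operation == "create":
            vm_id, self._next = f"vm-{self._next}", self._next + 1
        return {"vm_id": vm_id, "status": "ok"}


class CloudGateway:
    """The only component that holds the provider credential."""

    def __init__(self, vcloud, credential):
        self._vcloud = vcloud
        self._credential = credential  # never returned to callers
        self.audit = []   # one JSON line per attempt, allowed or denied
        self.usage = {}   # developer -> {operation: count}, for the bill

    def request(self, developer, operation, vm_id=None, now=None):
        now = now or dt.datetime.now(dt.timezone.utc)
        role = DEVELOPER_ROLES.get(developer)
        allowed = operation in ROLE_PERMISSIONS.get(role, set())
        entry = {"time": now.isoformat(), "developer": developer, "role": role,
                 "operation": operation, "vm_id": vm_id,
                 "decision": "allow" if allowed else "deny"}
        if allowed:
            started = time.perf_counter()
            result = self._vcloud.call(self._credential, operation, vm_id)
            entry["latency_ms"] = round((time.perf_counter() - started) * 1000, 3)
            entry["vm_id"] = result["vm_id"]
            counts = self.usage.setdefault(developer, {})
            counts[operation] = counts.get(operation, 0) + 1
        self.audit.append(json.dumps(entry, sort_keys=True))
        return entry


if __name__ == "__main__":
    gw = CloudGateway(FakeVCloud(), "constructed-vcloud-key")
    gw.request("alice", "create")
    gw.request("alice", "terminate", "vm-1")
    gw.request("bob", "terminate", "vm-1")
    print("\n".join(gw.audit))
    print(gw.usage)
```

Denied attempts are written to the audit trail as well as allowed ones, since a developer repeatedly trying to terminate machines is exactly the kind of event the central governance point exists to surface.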