Between Cloud, Mobility and the Enterprise is the API Middle Ground

Scott Morrison

Subscribe to Scott Morrison: eMailAlertsEmail Alerts
Get Scott Morrison: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Top Stories by Scott Morrison

It's a problem as old as networked computing. Consider two applications. They negotiate a level of trust. How can that trust - or security context - be transferred to a third application, one that may exist in an entirely different security domain from the first? This problem has been solved before, but is limited by proprietary solutions that resist integration. The challenge now, which is a significant one, is to solve it again, but this time for Web services - a task complicated by the need to accommodate a broad range of established security procedures and legacy technologies. Context in Context Security context is an ambiguous term. Take, for example, the SSL protocol. Here, security context is largely cryptographic metadata - the master key, derived session keys, ciphers and hashes, etc. - which are associated by a public SSL session ID. The session ID exists ... (more)

How to Secure REST and JSON

Here at Layer 7 we get asked a lot about our support for REST. We actually have a lot to offer to secure, monitor and manage REST-style transactions. The truth is, although we really like SOAP and XML here at Layer 7, we also really like REST and alternative data encapsulations like JSON. We use both REST and JSON all the time in our own development. Suppose you have a REST-based service that you would like to publish to the world, but you are concerned about access control, confidentiality, integrity, and the risk from incoming threats. We have an answer for this: SecureSpan Gate... (more)

Visualizing the Boundaries of Control in the Cloud

Cloud Security Journal on Ulitzer Two weeks ago, I delivered a webinar about new security models in the cloud with Anne Thomas Manes from Burton Group. Anne had one slide in particular, borrowed from her colleague Dan Blum, which I liked so much I actually re-structured my own material around it. Let me share it with you: This graphic does the finest job I have seen of clearly articulating where the boundaries of control lie under the different models of cloud computing. Cloud, after all, is really about surrendering control: we delegate management of infrastructure, application... (more)

The Challenge of Web Services Security Inside the Firewall - A true story from the consulting trenches

True story from the consulting trenches: the operations staff had left hours ago, shaking their heads and reluctantly leaving the consultants to resolve a problem with their code. It was well past midnight, in the middle of winter, in a town many time zones from home. The project was late. Altogether, this was an awkward situation that you probably know well. The consultants - falling into that murky classification of not quite outsider, nor regular employee - worked from hobbled accounts; the security staff were pros and took their charge seriously. By 2:00 a.m., the group was ... (more)

Policy-It's More Than Just Security - From just-in-time integration to Web services

Business has long pursued the goal of making IT more of a strategic tool and less of a necessary evil. Organizations are constantly looking for easier, cheaper, and more logical ways to build applications and unite the silos of functionality they still depend on. One approach that has met with some success is the concept of just-in-time integration - a technique to combine new functionalities as quickly and cheaply as required, whether they reside inside an organization or outside of it (i.e., with a business partner). From the architectural perspective, just-in-time integration ... (more)