IBM Software Solution Brief
Tivoli

Secure access in SOA and Web services deployments

Many organizations are implementing SOA to transform their IT and application environments and deploy large numbers of Web services to support business needs. For example, utility companies that install smart meters on customers' premises are introducing more Web services into their technology environments. One of the advantages of installing smart meters is more efficient, lower-cost operations, because the smart meters can send customer usage data directly to the utility company's SOA-based IT environment, rather than requiring employees to physically go out and read the meters. Because the meters use Web service interfaces to transmit this data, those Web services must be secured within the SOA environment.

Web services can be secured by offering security as an operational service that can be consumed directly by the applications and services within the architecture. The key is to take a policy-based approach that incorporates security management capabilities and runtime security services that can be integrated easily within existing SOA components such as the XML firewall, enterprise service bus (ESB), and service registries and repositories. Effective security policy management must include message protection and fine-grained entitlement management capabilities for strengthening data security by centrally administering and enforcing permissions and data-level controls within applications and services.

Secure hybrid cloud and SaaS deployments

Throughout the consumer and public sectors, cloud computing is proving a flexible and cost-effective means of delivering IT services over the Internet. Cloud resources can be rapidly deployed and easily scaled, with applications and services provisioned on demand, regardless of user location. This brings benefits such as the ability to increase service delivery efficiencies, streamline IT management, and align IT services with business requirements. But for many organizations, these benefits are perceived to have an associated cost and risk: the challenge of security. In addition to the usual challenges of developing secure IT systems, cloud computing can add risk because essential services are often externalized in the cloud model. In a hybrid cloud model, an organization could engage a cloud provider to host its services while maintaining ownership of the data. This requires a high level of trust in the providers and in how they bring security to the organization's critical data.

There are several types of clouds, and not all of them have the same security requirements. Clouds can be private, in which the cloud is owned by a single organization, or public, in which the cloud is available to anyone with Internet access. The categories of service delivered in cloud models include Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Many organizations elect to combine the private and public models to form a hybrid cloud to meet specific business and technology requirements.
[Figure: cloud service layers. Software as a Service: collaboration (federation), CRM/ERP/HR, security-enabled business processes, industry applications. Platform as a Service. Infrastructure as a Service: networking, storage.]

With the SaaS deployment, most of the responsibility for security management lies with the cloud provider, who can take advantage of a number of ways to control access, including user identity management. The PaaS deployment allows the organization that is employing the cloud to assume more responsibility for managing the security of middleware, database software and application runtime environments. The IaaS deployment transfers even more control to the organization. In a hybrid environment, organizations can leverage the benefits of these models without the security risk inherent in a public deployment.

The key to securing these cloud-based services is leveraging an end-to-end security strategy that brings together the identity and access management foundation (including data entitlement management capabilities) that exists within the organization and the federated access control and runtime security services that are deployed in the cloud. Doing this successfully requires having data center network and virtualization security in place so that migration of applications and services to the cloud is inherently secure.
Security plays two key roles in cloud deployments: to enable organizations to establish secure cloud-based service deployments, and to offer security as a service in the cloud to support new applications that are being built for cloud deployment. The practical security solution for hybrid cloud computing is a defense in depth approach that addresses both the ability to use powerful internal security capabilities as a basis for extending into cloud computing and the ability to use security as a service to easily run access federation, entitlements management and other security runtime enforcement capabilities directly in the cloud.

Enhance security with IBM Tivoli Access Management for cloud and SOA

IBM security solutions provide key capabilities required in the identity and access management infrastructure to secure access for cloud and SOA environments, including the following offerings.

IBM Tivoli Federated Identity Manager provides federated single sign-on (SSO) techniques to secure user access to on- and off-premise applications and services and simplify application, SaaS and cloud-based services integration using multiple forms of user credentials. It facilitates secure information sharing between trusted partners, and it incorporates an identity mediation service to manage, map and propagate user identities without having to manage them in the cloud. It supports broad consumer and user-centric federation functionality and provides identity awareness and auditable access across SOA and Web services deployments.

IBM Tivoli Security Policy Manager is a powerful data and application entitlement management solution that equips organizations with centralized security policy management and distributed policy enforcement across cloud-based services. Data entitlement management makes it possible to manage and enforce data security policies associated with different services and applications, rather than having to deal with multiple policies that all have product-specific definitions. With the rapid deployment of Web services, this capability helps reduce the time and cost to manage security policies and also reduces the risk of deploying inconsistent access control policies and providing unintended access to sensitive data.

IBM WebSphere® DataPower® SOA Appliances are connectivity and XML firewall devices that can help secure and accelerate your SOA and Web services transformation. By providing on-demand integration as part of the SOA infrastructure, WebSphere DataPower SOA Appliances represent one of the few non-disruptive technologies for application optimization and integration. Tivoli Access Management solutions for SOA environments are designed specifically to integrate out of the box with WebSphere DataPower SOA Appliances and support centralized SSO, user session management, and consistent security policy management to help demonstrate compliance.

IBM Security Virtual Server Protection for VMware is an essential component of the underlying infrastructure on which to build secure cloud deployments for services delivery. By delivering integrated and optimized security for virtualized data centers, Virtual Server Protection for VMware helps ensure that the virtualized environment itself is secure when applications and services are moved out into the cloud.
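The two capabilities described above for the Tivoli offerings, federated SSO with an identity mediation service that maps and propagates identities without managing them in the cloud, and centralized policy management with distributed, data-level enforcement, fit together as shown below. The code is an added illustration written for this page; it is not IBM product code and uses no Tivoli API. It assumes a simplified signed assertion (an HMAC over a JSON body with a shared secret, standing in for a SAML assertion signed with the identity provider's private key), a constructed directory entry and customer record, and an invented rule format for the entitlement policy; every name, URL and secret in it is a placeholder.

```python
# Added example, not IBM code. Assumptions: HMAC-signed JSON assertion in
# place of SAML, constructed directory/record data, invented policy format.
import base64
import hashlib
import hmac
import json
import time

FEDERATION_SECRET = b"example-federation-secret"   # placeholder IdP/SP secret
IDP_ISSUER = "https://idp.example.org"             # placeholder
SP_AUDIENCE = "https://crm.cloud.example.com"      # placeholder

# Constructed internal directory; never exported to the cloud as-is.
INTERNAL_DIRECTORY = {
    "uid=jdoe,ou=staff": {"dept": "billing", "role": "analyst", "region": "EU"},
}

def mediate_identity(internal_dn):
    """Identity mediation (IdP side): pseudonymous federated id plus only the
    attributes the cloud application needs; 'dept' stays on premise."""
    attrs = INTERNAL_DIRECTORY[internal_dn]
    fed_id = hashlib.sha256(internal_dn.encode()).hexdigest()[:16]
    return {"sub": fed_id, "role": attrs["role"], "region": attrs["region"]}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def issue_assertion(internal_dn, now=None, ttl=300):
    """IdP: build a time-bounded assertion for one audience and sign it."""
    now = int(time.time()) if now is None else now
    claims = {"iss": IDP_ISSUER, "aud": SP_AUDIENCE, "iat": now, "exp": now + ttl}
    claims.update(mediate_identity(internal_dn))
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(FEDERATION_SECRET, body, hashlib.sha256).digest())
    return body + b"." + sig

def verify_assertion(token, now=None):
    """SP: signature, issuer, audience and validity window are all checked
    before any claim is trusted. Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.partition(b".")
    expected = _b64(hmac.new(FEDERATION_SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != SP_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        raise ValueError("assertion expired or not yet valid")
    return claims

# Centrally administered entitlement policy (invented format): each rule names
# a resource and action, the attributes the caller must hold, and the fields
# to mask for that caller. Every service consults this one list.
POLICY = [
    {"resource": "customer_record", "action": "read",
     "require": {"role": "analyst"}, "mask": ["card_number"]},
    {"resource": "customer_record", "action": "read",
     "require": {"role": "billing_admin"}, "mask": []},
]

def decide(claims, resource, action):
    """Policy decision point: first matching rule wins; no match means deny."""
    for rule in POLICY:
        if rule["resource"] == resource and rule["action"] == action and all(
                claims.get(k) == v for k, v in rule["require"].items()):
            return {"permit": True, "mask": rule["mask"]}
    return {"permit": False, "mask": []}

def enforce(claims, resource, action, record):
    """Policy enforcement point shared by all services: applies the central
    decision, including data-level masking, instead of product-specific rules."""
    d = decide(claims, resource, action)
    if not d["permit"]:
        raise PermissionError(f"{claims['sub']} may not {action} {resource}")
    return {k: ("***" if k in d["mask"] else v) for k, v in record.items()}

RECORD = {"name": "A. Customer", "card_number": "4111111111111111"}  # constructed

def crm_service(token, now=None):
    return enforce(verify_assertion(token, now), "customer_record", "read", RECORD)

def reporting_service(token, now=None):
    return enforce(verify_assertion(token, now), "customer_record", "export", RECORD)

if __name__ == "__main__":
    tok = issue_assertion("uid=jdoe,ou=staff")
    print(crm_service(tok))          # analyst sees the record, card number masked
    try:
        reporting_service(tok)       # no central rule permits export: denied
    except PermissionError as e:
        print("denied:", e)
```

Run as a script, the CRM service returns the record with the card number masked for an analyst, while the reporting service is denied because no central rule permits export; the same service-provider check also rejects an expired or tampered assertion before any policy is consulted, and the internal department attribute never leaves the organization.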
cations and business processes, as well as physical security points such as biometric, smart-card and badge readers.

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energy-efficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing

For more information

To learn more about IBM security solutions for cloud and SOA environments, please contact your IBM sales representative or IBM Business Partner, or visit ibm.com/tivoli/security

© Copyright IBM Corporation 2010

IBM, the IBM logo, ibm.com, and Tivoli are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

Other company, product and service names may be trademarks or service marks of others.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

TIS14053-USEN-00