Business is changing: gone are the days when organisations could operate tightly corralled infrastructures for the benefit of their employees and a small number of large, similarly disposed partners.
Consumers demand instant access to relevant data and mobile updates in real time – updates relying on information hitherto locked tightly away at the heart of your business. They expect always-on access that does not peak or trough with the traditional rhythms of the day. Downtime is not tolerated, and security breaches can lead to a fatal loss of trust.
Simultaneously, organisations are expected to work seamlessly with an ever-increasing range of partners and loosely coupled, often startup, organisations that rely on technologies such as OAuth, JSON and Web Services to interact and provide services.
The impact of this is greater risk, more exposure to the internet and significant headaches for security architects and practitioners. Increasingly, Fortune 500 companies and even governments have been deploying IBM WebSphere DataPower equipment to meet these demands. Now, Big Blue's naming of products is something of a maze; I'm not sure how they intend to move the branding forward for clarity, but as the old joke goes, I wouldn't start from here. The upshot is that it's frequently difficult to work out exactly what a piece of WebSphere equipment does, and in particular what a subset of the range – such as the DataPower devices – does. This post aims to clear that up and describe some of the features, at least as they pertain to DataPower.
DataPower devices serve two main high-level uses:
1. Edge Zone Proxy / Gatekeeper aimed at REST and Web Services
2. Integration between disparate services within or between organisations
DataPower devices are not intended for complex aggregation tasks or for hosting Web Services themselves.
DataPower began its journey about 8 years ago, when XML and Web Services were becoming increasingly voguish. The core of the concept is an XSLT capability that is compiled to machine language, enabling extremely fast XML and data manipulation. This capability has a clear use when dealing with high-demand Web Services, but it also enables incoming requests and streams to be checked for data integrity and validation issues.
It's now possible to see where the two main high-level uses come from. The ability to transform and validate incoming requests enables the DataPower to operate not only as a proxy but as a gatekeeper – effectively becoming an application firewall. The ability to rapidly transform data from one format to another makes the DataPower a potent integration device when systems are required to start talking to each other.
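As an added illustration of the gatekeeper role described above (this is example code written for this post, not DataPower's own compiled-XSLT engine), the snippet below validates an inbound XML request before anything is forwarded and then transforms it into JSON for a back-end service. The order-request format, the `urn:example:orders` namespace and the size limit are constructed assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample inbound request; the format is an assumption for this example.
SAMPLE_REQUEST = b"""<?xml version="1.0"?>
<order xmlns="urn:example:orders">
  <customerId>C-1001</customerId>
  <item sku="ABC-1" qty="2"/>
  <item sku="XYZ-9" qty="1"/>
</order>"""

NS = "urn:example:orders"
MAX_BYTES = 64 * 1024  # assumed per-request size ceiling enforced at the edge


class GatewayReject(Exception):
    """Raised when a request fails a gatekeeper check and must not be forwarded."""


def validate(raw):
    """Gatekeeper checks: size, no DTD/entity declarations, well-formed, expected shape."""
    if len(raw) > MAX_BYTES:
        raise GatewayReject("payload too large")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise GatewayReject("DTD/entity declarations not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise GatewayReject(f"malformed XML: {exc}")
    if root.tag != f"{{{NS}}}order":
        raise GatewayReject("unexpected root element")
    cust = root.find(f"{{{NS}}}customerId")
    if cust is None or not (cust.text or "").strip():
        raise GatewayReject("missing customerId")
    items = root.findall(f"{{{NS}}}item")
    if not items:
        raise GatewayReject("order has no items")
    for item in items:
        qty = item.get("qty", "")
        if not item.get("sku") or not qty.isdigit() or int(qty) < 1:
            raise GatewayReject("invalid item")
    return root


def transform(root):
    """Integration step: convert the validated XML into compact JSON for the back end."""
    return json.dumps({
        "customer": root.find(f"{{{NS}}}customerId").text.strip(),
        "items": [{"sku": i.get("sku"), "qty": int(i.get("qty"))}
                  for i in root.findall(f"{{{NS}}}item")],
    }, separators=(",", ":"))


def gateway(raw):
    """Returns (status, body): 200 with the transformed payload, or 400 with the rejection reason."""
    try:
        return 200, transform(validate(raw))
    except GatewayReject as exc:
        return 400, json.dumps({"error": str(exc)})
```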
So what other features recommend these systems?
DataPower's locked-down firmware places security first. Out of the box the system has no open ports. The OS is encrypted on flash memory with a key stored securely in an onboard TPM, and on boot, decryption is only permitted once the boot sequence has been scanned for interference.
The system has built-in load balancing, allowing multiple devices to work as one and therefore maintain service in the face of failure.
It's possible to specify the devices with an HSM, which is very handy if the device is terminating TLS/SSL or performing any other kind of crypto.
The systems have built-in crypto libraries and authentication support for OAuth and SAML.
In summary, if an organisation is designing a SOA implementation and wishes to ensure low latency whilst maintaining a robust security posture, these devices are certainly worth a look.