I recently spoke with Scott Morrison, VP Engineering at Layer 7 Technologies, an SOA and governance company that has been building appliance-based gateways for years: devices that inspect traffic, handle cryptography, authentication and authorization, and apply rules and policy. Layer 7 is now moving what it does into the clouds. From their release:
With Layer 7’s AMI, Amazon applications are safe from attack. Layer 7’s gateway is the public face and everything goes through it. Layer 7 looks at the application-layer information and decides whether it will get to its destination. DDoS attacks that move up the stack are what the new appliance targets. Routers and conventional equipment take care of low-level attacks. It’s amazingly easy to take down a server with a huge XML document. Layer 7 can detect that and make sure it can’t get into an enterprise’s internal infrastructure.
Their rationale for this move is their perception that, with the rise to fame of virtualization, the management and monitoring of virtual machine (VM) instances has received a lot of attention, while security has been relegated to a second-order problem and remains largely unaddressed.
Layer 7 is cognizant that governance is not just about technology; it is about policy and process. Infrastructure is simply a tool, and the capabilities of those tools should never define what governance means to you.
Layer 7 is trying to provide a deep and fine-grained view of security in the clouds, and does this by creating a virtualized Policy Enforcement Point (PEP). They are not about low-level network protection; rather, their products are designed to help people who are moving up the stack with XML-based protocols make access control decisions for their applications. The PEP is an SOA gateway that combines enforcement, monitoring, decision-making, lifecycle management and a localized registry/repository in a single virtual appliance: a cloud embodiment of the physical governance appliance, in the same way that a virtual server is the cloud embodiment of physical hardware.
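As an added example (not Layer 7's code, and not taken from the release quoted above), here is a minimal application-layer PEP in Python that shows the two points made above in working form: refusing the oversized or maliciously nested XML that the release says can take down a server, and making an access-control decision on the SOAP operation before the request reaches the backend. The size and depth limits, the POLICY table, the principal names and the sample requests are all constructed for illustration; a real gateway would take the limits and policy from its policy store and the principal from the authenticated caller.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Hypothetical gateway limits, chosen for illustration only.
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000

# Hypothetical access-control policy: which SOAP operations each
# authenticated principal may invoke. A real PEP would load this
# from a policy store rather than a dict.
POLICY = {
    "orders-client": {"GetOrder", "ListOrders"},
    "orders-admin": {"GetOrder", "ListOrders", "CancelOrder"},
}

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def inspect_xml(body):
    """Parse body while enforcing size, DTD, depth and element-count limits.

    Returns the root element, or raises ValueError saying why the document
    was rejected. The DOCTYPE/ENTITY check runs on the raw bytes before the
    parser sees them, so entity-expansion bombs ("billion laughs") and
    external-entity references are refused without ever being expanded.
    """
    if len(body) > MAX_BODY_BYTES:
        raise ValueError(f"body exceeds {MAX_BODY_BYTES} bytes")
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTD / entity declarations are not accepted")
    depth = elements = 0
    root = None
    try:
        # Streaming parse: we can stop at the first limit violation instead
        # of letting the parser build an arbitrarily deep tree first.
        for event, elem in ET.iterparse(BytesIO(body), events=("start", "end")):
            if event == "start":
                if root is None:
                    root = elem
                depth += 1
                elements += 1
                if depth > MAX_DEPTH:
                    raise ValueError(f"nesting deeper than {MAX_DEPTH}")
                if elements > MAX_ELEMENTS:
                    raise ValueError(f"more than {MAX_ELEMENTS} elements")
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return root


def soap_operation(root):
    """Return the operation name: the first child element of the SOAP Body."""
    if local_name(root.tag) != "Envelope":
        raise ValueError("not a SOAP envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing or empty SOAP Body")
    return local_name(body[0].tag)


def enforce(principal, body):
    """Policy decision for one request: ('allow', op) or ('deny', reason)."""
    try:
        op = soap_operation(inspect_xml(body))
    except ValueError as exc:
        return ("deny", str(exc))
    if op not in POLICY.get(principal, set()):
        return ("deny", f"{principal} may not call {op}")
    return ("allow", op)


# --- constructed sample requests (not real traffic) ---------------------
def soap(op_xml):
    return f'<s:Envelope xmlns:s="{SOAP_ENV}"><s:Body>{op_xml}</s:Body></s:Envelope>'.encode()

GOOD = soap('<GetOrder xmlns="urn:example:orders"><id>42</id></GetOrder>')
ADMIN_ONLY = soap('<CancelOrder xmlns="urn:example:orders"><id>42</id></CancelOrder>')
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                  b'<lolz>&lol2;</lolz>')
DEEP = soap("<a>" * 100 + "x" + "</a>" * 100)

if __name__ == "__main__":
    for who, req in [("orders-client", GOOD), ("orders-client", ADMIN_ONLY),
                     ("orders-admin", ADMIN_ONLY), ("orders-client", BILLION_LAUGHS),
                     ("orders-client", DEEP)]:
        print(who, enforce(who, req))
```

The order of the checks is the point: byte-length and DTD rejection happen before any parsing, and the depth and element counters run during a streaming parse, so a hostile document is discarded before it can cost the gateway (let alone the backend) the memory or CPU the release describes. Only a document that passes those guards gets an authorization decision.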
It’s a way to make applications running within EC2 appear as extended parts of an organization’s own enterprise: a natural fit with the recent move towards virtual private clouds, and one that seems to be attracting some high-profile proponents. Government customers include the U.S. Department of Defense, the Federal Aviation Administration, the Department of Transportation, the US armed forces (Army, Navy, Air Force, Coast Guard) and the Dutch Ministry of Health; enterprise customers include Raytheon, the University of Chicago Medical Center and Kenexa.