Tuesday, November 2, 2010

Cisco ACE gateway EOL: How to Pick a Replacement XML Gateway

It's official: Cisco has published End-of-Life announcements for its Cisco ACE XML Gateway. Here are the top factors that customers must consider when making replacement decisions:
  1. Select a Patented Product:  Going with a non-patented XML Gateway means that customers will have to replace their XML Gateways yet again in the future.  Customers tend to select innovative and leading technology providers with defensible Intellectual Property (IP).  They prefer to minimize their risk by avoiding trailing "me-too" technologies that continue to copy the leading patented XML Gateways.
  2. Understand XML Gateway vs. ESB:  Would you add custom code to your network packet firewall?  Then why would you ever consider adding custom code to your XML Gateway?  A clear separation of roles should be enforced between an XML Gateway and an ESB/Application Server.  When replacing the Cisco ACE XML Gateway, focus on security.  Let the ESBs and Application Servers run your custom code.  If you choose an XML Gateway that allows you to drop jar files, shared objects or any other arbitrary code into its runtime environment, then you have selected an XML Gateway with a flawed security model: whatever that code can do, an attacker who reaches it can do too.  Such XML Gateway architectures can make you feel safe while exposing your corporate infrastructure, especially your sensitive data.
    • Conclusion: Review a vendor's XML Gateway architecture before replacing the Cisco ACE Gateway.  Don't make the same mistake twice.  Cisco's architecture permitted dropping code onto the Gateway, which resulted in a poor security model.  Other XML Gateway vendors have followed Cisco's XML Gateway architecture and permit adding custom code.  IBM DataPower and Forum Sentry are the only products that do not permit arbitrary code to be dropped into their XML Gateways and stay true to the XML Gateway role.
  3. Demand an Independent Security Assessment:  XML Gateways are typically deployed close to the corporate boundary and serve as a centralized conduit for information exchange between corporations and their trading partners.  The nature, volume, and value of the transactions flowing through the XML Gateway require a high degree of security and reliability.
    • Conclusion: Review each vendor's independent security assessment.  FIPS 140-2 is the gold standard for independent security validation of security products.  Demand certification details from vendors.  Sticking an HSM crypto card into a hardware appliance and claiming FIPS certification is not sufficient: that validates only the card.  The ENTIRE XML Gateway, not just the HSM crypto card, should be FIPS 140-2 certified.  FIPS 140-2 validates a cryptographic module within a declared boundary, and that boundary and the validated hardware/firmware versions are stated on the NIST CMVP certificate and its Security Policy document, so check that the boundary on the certificate is the appliance you are buying.  For any other certification, likewise ask for the "boundary" of certification.  Most vendors have never subjected their entire XML Gateway appliance to an independent security evaluation.  Forum Sentry is the only product in the industry to have achieved FIPS 140-2 security certification across the entire hardware boundary.
  4. Validate Comparable Features:  Migration of your policies from the Cisco ACE Gateway to the replacement XML Gateway should be seamless.  The selected XML Gateway should be architected with a modular policy design so that fundamental constructs such as keys, encryption/signature policies and firewall rules can be readily moved from the ACE Gateway to the replacement platform.  The selected gateway should have the same or better functionality than the Cisco ACE Gateway; inventory every ACE policy in use before the evaluation so that gaps show up in the lab rather than in production.
    • Conclusion: Selecting a patented, industry-leading XML Gateway is paramount.  This ensures that there are no functional gaps between the existing and replacement products.  XML Gateway companies that continue to innovate and patent their IP are more sustainable and provide broader features than vendors that follow the leaders.
  5. Replacement Costs:  For corporations that have made a bet on technology that has been EOLed, there are a number of costs, including: i) product cost, ii) configuration cost, iii) transition costs and iv) ongoing support and maintenance costs.  Replacement vendors should have flexible pricing models to accommodate your corporate EOL plan.
    • Conclusion: Select vendors that can work within your budget and timelines.  Vendors should be flexible in reducing your CapEx expense while working with your planned multi-year support and maintenance budgets.  Depending on the complexity of your policies, vendors should be open to helping you with your migration costs.  For a period, you may be required to run both the Cisco ACE and your new XML Gateway together while you migrate away from the ACE Gateway.  Your selected XML Gateway vendor should provide pricing options to accommodate this transition process.
XML Gateways are essential components of corporate infrastructure.  Choosing the right vendor, initially or for replacement, should be a rigorous and methodical process based on the key factors listed above.  Without this rigor, corporations may choose inferior technology that, in the future, will have to be replaced yet again.

Wednesday, October 6, 2010

Next Generation of patented XML Gateway - Forum Sentry v8.0 - announced in Berlin, Germany

New Capabilities for Company's Flagship XML Gateway Ease Enterprise-to-Cloud Migration; Enable Seamless Extension of SOA to the Cloud

BOSTON and BERLIN, Oct. 5 /PRNewswire/ -- Crosscheck Networks, Inc. today introduced the next generation of its flagship product, Forum Sentry v8.0, helping organizations seamlessly migrate their enterprise SOA deployments to the cloud while capitalizing on the cloud computing model for business and competitive advantage. The company unveiled the latest version of Forum Sentry at the International SOA & Cloud Symposium, the world's largest international SOA and cloud computing conference.

Notably, at the show today, Crosscheck Networks (Booth # 13) CEO Mamoon Yunus will explore enterprise-to-cloud migration in the session, "Requirements for Extending Enterprise SOA to Public Clouds." Additionally, company CTO Jason Macy will share best practices in SOA threat defense in "SOA Threat Modelling: Attacking and Defending REST, XML and SOAP based Services."

With patented XML security acceleration technology and an architecture certified by NIST and the U.S. Department of Defense, the Forum Sentry XML Gateway is the industry standard for XML and SOAP security, access control and integration. Deployment highlights include processing:

  • More than one billion transactions per day globally;
  • 95% of the world's credit card information; and
  • 80% of the traffic at one of the world's largest and most respected telecommunications services companies.

Underscoring its increasing adoption worldwide, Forum Sentry serves as the transactional foundation at more than 300 global organizations including:

  • One of the world's premier treasuries, which leverages Forum Sentry to accommodate the increased volume, and processing, of large data files -- up to 10 GB each in size;
  • Europe's top counter-terrorism organization, which utilizes Forum Sentry to coordinate rapid information sharing among its neighbor countries; and
  • One of the U.S.'s longest-standing and largest health benefits companies, which uses Forum Sentry to promote secure exchange of its Electronic Health Records (EHR).

According to Lydia Leong, Research VP, Gartner, "Although many organizations first look at cloud IaaS [Infrastructure as a Service] because they're interested in cost savings, agility and flexibility, rather than cost, tend to be the eventual primary drivers; the cost of the cloud IaaS, especially in comparison to efficient large-enterprise IT, can be higher than IT managers expect."(1)

"As organizations scale their infrastructures to accommodate rapid business growth and increased customer demand, they are frequently looking to the public cloud to help them offset capital expense and operational costs. But without the appropriate tools, businesses are unable to determine the true costs of cloud migration," said Crosscheck Networks CEO Mamoon Yunus. "With our simulation tool, CloudPort, we enable enterprises and government entities to perform the requisite cost analysis, and evaluate and select a provider for migrating all or parts of their infrastructure to the cloud."

Yunus continued: "Once organizations determine that moving to the public cloud makes business and fiscal sense, Forum Sentry's next-generation platform empowers them to take the next step -- migrating to the cloud cost effectively while securely extending their SOA deployments for the most seamless enterprise-to-cloud integration."

Helping organizations to successfully leverage the cloud computing model, key new capabilities in Forum Sentry v8.0 include:

  • Integrated Cloud Adaptors for dynamic provisioning, auto scaling and load balancing across multiple cloud providers including Amazon EC2, OpSource Cloud, GoGrid and Rackspace.
  • A Centralized WSDL Library and Extended Virtualization Support via Virtual WSDL and WSDL Versioning for increased collaboration and control of business services across diverse application development, security and testing roles.
  • A Robust Management API for enhanced policy life cycle management, and secure, versatile cloud configuration, deployment and administration.
  • Oracle WebLogic and JBoss Enterprise Middleware Adaptors to bolster federated SOA deployments. This support builds on the announcement earlier this year by Crosscheck Networks, a Red Hat Ready Partner, that the company has joined the Red Hat Independent Software Vendors (ISV) Partner Program.
  • REST Identity Adaptor for flexible integration with custom enterprise identity systems.

About Crosscheck Networks

Crosscheck Networks and its wholly owned subsidiary Forum Systems deliver solutions for deploying robust, resilient, secure and reliable Service Oriented Architecture (SOA). More than 50,000 users in 42 countries across organizations such as the U.S. Treasury, British Telecommunications, Fidelity, Premera Blue Cross and the Dutch Health Care System rely on Crosscheck Networks and Forum Systems as the backbone of their secure transaction processing. Recognized as a technology innovator and security leader, Crosscheck Networks is the only company granted a patent for its Forum Sentry XML Gateway and has been certified by NIST and the U.S. Department of Defense. Forum Sentry is the de facto standard for XML and SOAP security, and Forum Systems has key OEM relationships with Barracuda Networks and Radware, among others. For more information, please visit www.crosschecknet.com.
(1) Gartner, "Cloud Infrastructure as a Service: An Essential Overview" by Lydia Leong, September 8, 2010

Monday, February 8, 2010

XML Gateway Myths

There are some common XML Gateway myths that this post would like to dispel. These myths are a manifestation of vendors overwhelming customers with the latest bells and whistles of their products without explaining the fundamental capabilities of the product.

Myth #1: FTP protocol is only used to transfer unstructured bulk data to our back end systems.

FTP (File Transfer Protocol) is the workhorse protocol still used today for the majority of bulk file transfers between enterprises. FTP may be a legacy protocol, but it remains one of the most reliable and interoperable file transfer protocols available to businesses. It can carry not only unstructured data but also SOAP or XML documents between different systems. An XML Gateway supports XML data transfers over FTP for inbound and outbound traffic, and it can also bridge between FTP and HTTP: for example, an incoming HTTP request carrying XML can be delivered to the back end as a file over FTP, or vice versa. One caveat when FTP crosses a trust boundary: plain FTP sends credentials and data in the clear, so the external leg should run over FTPS (FTP over TLS) or SFTP, with the gateway terminating that session and applying the same content inspection it applies to HTTP traffic.

Myth #2: We don't need to virus scan SOAP with attachments since we have a virus scanner deployed at the edge.

The notion that a virus scanner at the edge of the network can inspect any incoming raw file before it reaches the back end, and that this is sufficient for SOAP with attachments, provides a false sense of security. First, most inbound SOAP/XML traffic from the Internet is carried over SSL/TLS. An edge virus scanner cannot peer into encrypted data in transit to the back end application servers. Second, even if the SSL/TLS traffic is decrypted at the edge, the attachments may be base64 encoded (as in SOAP with Attachments) or encrypted at the content level (XML Encryption), so a byte-level signature scan of the wire format will not match what is actually delivered to the application. An XML Gateway provides the capabilities to terminate SSL/TLS connections, perform content-level decryption, and decode attachments for on-board virus scanning.
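
As an added example (not code from the original post or from any gateway vendor), the following Python builds a constructed SOAP 1.1 with Attachments request that carries the standard EICAR anti-malware test string twice, once as a base64 transfer-encoded MIME part and once as an inline xs:base64Binary element, and shows that a signature scan of the raw body finds nothing while a scan after the gateway has undone the MIME and base64 encoding flags both. It assumes TLS has already been terminated (so the body is cleartext) and that the service's XSD identifies `inlineDoc` as base64Binary; the boundary and content IDs are made up, the signature match stands in for the on-board AV engine, and content-level XML Encryption is not shown.

```python
"""Added example (not Forum Sentry code): what an edge scanner sees versus what
a gateway sees after decoding SOAP with Attachments. The message, MIME
boundary, content IDs and element names are constructed for this example."""
import base64
import email
from email import policy
import xml.etree.ElementTree as ET

# Standard EICAR test string: harmless, but every AV engine flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

BOUNDARY = "MIME_boundary"              # constructed
INLINE_BINARY_ELEMENTS = {"inlineDoc"}   # assumed: elements the XSD declares as xs:base64Binary


def scan_bytes(data: bytes) -> bool:
    """Stand-in for the AV engine: a plain byte-signature match."""
    return EICAR in data


def build_swa_message(attachment: bytes, inline_doc: bytes) -> bytes:
    """Construct a SOAP 1.1 with Attachments (multipart/related) request whose
    MIME part is base64 transfer-encoded and whose body also carries an
    xs:base64Binary element."""
    envelope = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><SubmitClaim xmlns="urn:example:claims">'
        '<scanImage href="cid:attachment-1@example.invalid"/>'
        f'<inlineDoc>{base64.b64encode(inline_doc).decode("ascii")}</inlineDoc>'
        '</SubmitClaim></soap:Body></soap:Envelope>'
    )
    return (
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/related; type="text/xml"; boundary="{BOUNDARY}"; '
        'start="<rootpart@example.invalid>"\r\n\r\n'
        f"--{BOUNDARY}\r\n"
        "Content-Type: text/xml; charset=UTF-8\r\n"
        "Content-Transfer-Encoding: 8bit\r\n"
        "Content-ID: <rootpart@example.invalid>\r\n\r\n"
        f"{envelope}\r\n"
        f"--{BOUNDARY}\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-ID: <attachment-1@example.invalid>\r\n\r\n"
        f"{base64.b64encode(attachment).decode('ascii')}\r\n"
        f"--{BOUNDARY}--\r\n"
    ).encode("utf-8")


def local_name(tag: str) -> str:
    """Strip the XML namespace from an ElementTree tag ('{ns}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def extract_payloads(raw: bytes) -> dict:
    """Undo MIME transfer encoding on every part and decode the declared
    xs:base64Binary elements in the SOAP root part. Returns {label: bytes}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    payloads = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True)   # reverses base64 / quoted-printable
        cid = (part.get("Content-ID") or "").strip("<>")
        if part.get_content_type() in ("text/xml", "application/soap+xml"):
            # Production code should use a hardened parser (e.g. defusedxml);
            # stdlib ElementTree is used only to keep this example stand-alone.
            root = ET.fromstring(body)
            for el in root.iter():
                if local_name(el.tag) in INLINE_BINARY_ELEMENTS and el.text:
                    payloads[f"inline:{local_name(el.tag)}"] = base64.b64decode(el.text.strip())
        else:
            payloads[f"cid:{cid}"] = body
    return payloads


def scan_results(raw: bytes) -> dict:
    """Compare a scan of the raw (already TLS-decrypted) body, which is all an
    edge scanner could see, with a per-payload scan after decoding."""
    return {
        "edge_raw_scan": scan_bytes(raw),
        "decoded_scan": {label: scan_bytes(blob) for label, blob in extract_payloads(raw).items()},
    }


if __name__ == "__main__":
    print(scan_results(build_swa_message(attachment=EICAR, inline_doc=EICAR)))
```

Running the block prints `edge_raw_scan` as False and both decoded payloads as True: the edge scanner never sees the EICAR bytes because the wire format only contains their base64 form, while the gateway, having undone the transfer encoding and the declared base64Binary element, hands the real bytes to the scanner. A content-encrypted attachment would additionally need XML Decryption with the gateway's private key before this step.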

Myth #3: XML Gateways cannot handle non-XML requests for authentication and authorization.

XML gateways have always had strong integration with traditional identity management systems; authentication and authorization of inbound SOAP or XML traffic is one of the strongest pillars of an XML Gateway. Given that tie-in with identity management systems, XML Gateways are no longer relegated to authenticating and authorizing XML traffic only. An XML Gateway today has the same capabilities to authenticate and authorize non-XML requests that one would find in a software web agent installed on a Microsoft IIS or Apache server. In fact, XML gateways make it easier for enterprise users to manage the authentication and authorization of XML and non-XML (HTML) requests on a single gateway.
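
As an added example (not code from the original post or from any gateway product), the following Python shows one policy engine that extracts credentials from a SOAP request (a WS-Security UsernameToken in the header) and from a plain HTML/form request (an HTTP Basic Authorization header), verifies both against the same identity store, and applies the same resource ACL to both. The users, passwords, paths and permission names are constructed; a real gateway would consult LDAP or a web access manager instead of the in-memory dictionary, and would use a hardened XML parser.

```python
"""Added example (not Forum Sentry code): a single authentication and
authorization path for SOAP (WS-Security UsernameToken) and HTML (HTTP Basic)
requests. Identity store, ACL, paths and credentials are constructed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed identity store: username -> (salt, derived key, permissions)
_SALT = b"constructed-static-salt"
USERS = {
    "partner-a": (_SALT, _derive("correct horse", _SALT), {"claims:submit"}),
    "auditor":   (_SALT, _derive("battery staple", _SALT), {"claims:read"}),
}

# One ACL keyed by (method, path); the SOAP endpoint and the HTML form that
# post the same data require the same permission.
ACL = {
    ("POST", "/ws/claims"):    "claims:submit",
    ("POST", "/portal/claim"): "claims:submit",
    ("GET",  "/portal/claims"): "claims:read",
}

# Constructed SOAP request carrying a UsernameToken.
SOAP_REQUEST = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>partner-a</wsse:Username>
    <wsse:Password>correct horse</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><SubmitClaim xmlns="urn:example:claims"/></soap:Body>
</soap:Envelope>"""


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (for the HTML path)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def extract_credentials(headers: dict, body: bytes):
    """Return (username, password) from wherever this request type carries it,
    or None. Assumes header names are already canonicalised by the front end."""
    ctype = headers.get("Content-Type", "")
    if ctype.startswith("text/xml") or ctype.startswith("application/soap+xml"):
        root = ET.fromstring(body)                  # use defusedxml in production
        token = root.find(f".//{WSSE}UsernameToken")
        if token is None:
            return None
        user = token.findtext(f"{WSSE}Username")
        pwd = token.findtext(f"{WSSE}Password")
        return (user, pwd) if user and pwd else None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, pwd = decoded.partition(":")
        return (user, pwd) if sep else None
    return None


def authenticate(creds):
    """Verify credentials against the shared store; returns the permission set or None."""
    if creds is None or creds[0] not in USERS:
        return None
    salt, expected, perms = USERS[creds[0]]
    # Constant-time comparison of the derived keys.
    return perms if hmac.compare_digest(_derive(creds[1], salt), expected) else None


def authorize(method: str, path: str, headers: dict, body: bytes = b"") -> str:
    """Gateway decision for one request: 'allow', '401' (not authenticated) or
    '403' (authenticated but not permitted). Same logic for XML and HTML."""
    perms = authenticate(extract_credentials(headers, body))
    if perms is None:
        return "401"
    needed = ACL.get((method, path))
    return "allow" if needed is not None and needed in perms else "403"


if __name__ == "__main__":
    print(authorize("POST", "/ws/claims", {"Content-Type": "text/xml"}, SOAP_REQUEST))
    print(authorize("GET", "/portal/claims", {"Authorization": basic_header("auditor", "battery staple")}))
    print(authorize("POST", "/portal/claim", {"Authorization": basic_header("auditor", "battery staple")}))
```

The SOAP call and the two portal requests go through the same `authenticate` and the same ACL; only `extract_credentials` knows whether the credential arrived in a WS-Security header or an HTTP header. That is the single point a web agent on IIS or Apache would otherwise have to duplicate for HTML traffic.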

Enterprise customers that are deploying Service-Oriented Architecture (SOA) using XML web services should be cognizant of these myths. An XML Gateway provides rich functionality that extends its capabilities beyond traditional web services XML integration use cases.