Securing IBM WebSphere Cast Iron Appliance while integrating with Salesforce-Part I

Introduction

IBM WebSphere Cast Iron is a cloud integration platform that enables enterprises to integrate applications without traditional coding. While IBM WebSphere Cast Iron can be used for almost any type of integration, it is most widely used to integrate cloud applications (SaaS, PaaS) with on-premise applications. Integrating cloud applications with traditional on-premise applications introduces new challenges, particularly in terms of security. An organization needs to design its network security carefully to avoid pitfalls; otherwise it faces a cascade of problems, from compliance failures to customer dissatisfaction to data theft to lawsuits. We will look at some of the key security questions that need to be answered when designing network and application security.

This article series will cover several solutions to secure your Cast Iron server. This is by no means a complete list, but covers most widely used scenarios.

Background

Enterprises typically have a separate network zone called the DMZ, through which all communication between internal systems and applications and the public network passes. It is a common best practice to deploy the Cast Iron server in this DMZ, where it acts as a middle tier integrating the cloud applications with the on-premise applications. The following snapshot gives a rough idea of how this looks in a typical enterprise.

[Figure CI-01: Cast Iron server deployed in the DMZ, between the cloud applications and the on-premise applications]

This architecture offers several advantages such as

  • a central place to manage all your incoming / outgoing requests
  • need to open only the required ports, specifically, HTTP/S ports

Since this server is going to be a gateway to your enterprise applications, securing it is very important, as explained in the ‘Introduction’ section. Several key questions arise when designing the security for integrating the Salesforce cloud with on-premise solutions using IBM WebSphere Cast Iron server.

  • What systems can access our Cast Iron server?
  • Who can be allowed to access our Cast Iron server?
  • Will the data be encrypted? If so, do we need the clients to prove their identity?
  • How do we make sure cross org/environment calls are blocked?
  • What type of authentication do we need to use?

As you can guess, no single solution satisfies all of these security requirements; we need to implement multiple solutions to secure the organization’s integration assets. This article series addresses these questions and proposes multiple solutions for each of them. Some of the questions may not be an issue at all for some organizations, and in those cases it is fine not to implement the corresponding solution. For example, two-way SSL authentication may not be necessary, provided that firewall access restrictions, one-way SSL authentication and organization-based authentication are in place.
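The following is an added illustration (not code from the article or from IBM) of how those layered controls compose into one fail-closed admission decision for an inbound request at the DMZ: source-address restriction, TLS required, optional client certificate (two-way SSL) and an allow-list of our own Salesforce org IDs. The networks, org IDs and certificate names are constructed placeholders.

```python
"""Layered admission check for inbound Salesforce -> Cast Iron calls.

Models the controls named in the article: firewall source restriction,
one-way TLS, optional two-way TLS (client certificate) and
organization-based authentication. All policy values are constructed
placeholders (assumptions), not real addresses, org IDs or certificates.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy values; replace with your own environment's values.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test net
ALLOWED_ORG_IDS = {"00DPLACEHOLDER0001"}                         # placeholder org ID
TRUSTED_CLIENT_CERT_CNS = {"sfdc-integration-user"}              # placeholder CN


@dataclass
class InboundRequest:
    source_ip: str
    tls: bool                      # True when the request arrived over TLS
    client_cert_cn: Optional[str]  # None when no client certificate was presented
    org_id: Optional[str]          # Salesforce org ID carried in the message


def check_request(req: InboundRequest,
                  require_client_cert: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks run cheapest first and fail closed."""
    ip = ipaddress.ip_address(req.source_ip)
    if not any(ip in net for net in ALLOWED_SOURCE_NETS):
        return False, "source address not in firewall allow-list"
    if not req.tls:
        return False, "plaintext transport rejected; TLS required"
    if require_client_cert:
        if req.client_cert_cn is None:
            return False, "two-way TLS required but no client certificate presented"
        if req.client_cert_cn not in TRUSTED_CLIENT_CERT_CNS:
            return False, "client certificate not trusted"
    # Organization-based authentication: block cross-org / cross-environment calls.
    if req.org_id not in ALLOWED_ORG_IDS:
        return False, "request did not originate from one of our Salesforce orgs"
    return True, "allowed"
```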

This article series will provide in-depth insight along with practical solutions to address the security concerns. The article series will be divided as follows:

Let’s dive into the details. Part 2 of this article series will discuss Firewall Access Restriction.


2 thoughts on “Securing IBM WebSphere Cast Iron Appliance while integrating with Salesforce-Part I”


  2. […] two-way SSL/Certification based authentication also solves another problem that we discussed in part-I, which is how to make sure if the request originated from our own orgs instead of some other […]
