Middleware Technical Enlightenment BLOG: Securing Enterprise Services with Oracle API Gateway
Companies worldwide are actively using web services, both in intranet and extranet environments. While web services offer many advantages over traditional alternatives (e.g., distributed objects or custom software), deploying networks of interconnected web services still presents key challenges, especially in terms of security and management.
Web services can be implemented using different approaches and technologies, and each must be secured at the different stages of the request/response cycle between clients (relying parties such as users or applications) and service providers (companies, or divisions within a company, that expose web services).
Several security layers are defined between clients and web services providers. The first security layer, also known as “perimeter security” or “first line of defense,” is referred to as the demilitarized zone or DMZ. The second security layer, or “green zone” to continue with the military analogy, is located behind the inner firewall of the DMZ. In some cases, the green zone may include several security sub-layers designed to further filter access to web services. Finally, the last security layer, or “last-mile security,” is provided by agents co-located with the web services or applications to be protected.
Oracle API Gateway operates with and complements other web services security systems, in particular Oracle Web Services Manager, which focuses on the security of the web services deployed in the green zone.
In summary, with AST implementing the Oracle API Gateway, customers have access to a toolbox of components that can be deployed to orchestrate the process for accomplishing any task. For example, the Oracle API Gateway can receive a web service request from a client that uses SAML security, then pass that request to a backend SOA server that uses a different security mechanism. It can also initiate a file transfer from a remote server on the internet, download a file, scan it for viruses, and then push it into the backend server for processing.
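The SAML-in, different-credential-out flow described above, as an added illustration (not Oracle API Gateway's own policy configuration and not AST's code): the gateway checks the issuer, validity window and audience of an inbound SAML-style assertion at the perimeter, and only then mints an HMAC-signed internal token for the backend. The issuer, audience, shared key and the sample assertion are constructed for this example; signature verification of the assertion is omitted and would come first in a real deployment.

```python
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "https://idp.example.test"        # assumed identity provider the gateway trusts
GATEWAY_AUDIENCE = "https://gateway.example.test"  # assumed audience value naming this gateway
BACKEND_KEY = b"constructed-shared-secret"         # constructed secret shared with the backend only

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now):
    # Perimeter check: issuer, validity window and audience must all be acceptable.
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("missing conditions or outside validity window")
    if GATEWAY_AUDIENCE not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("audience mismatch")
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)

def issue_backend_token(subject, now):
    # Mint the backend-side credential: base64 JSON claims plus an HMAC-SHA256 tag.
    claims = json.dumps({"sub": subject, "iat": int(now.timestamp()), "via": "gateway"}).encode()
    tag = hmac.new(BACKEND_KEY, claims, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(claims).decode() + "." + tag

def verify_backend_token(token):
    # What the backend does: recompute the tag and compare in constant time.
    body, tag = token.rsplit(".", 1)
    claims = base64.urlsafe_b64decode(body)
    expected = hmac.new(BACKEND_KEY, claims, hashlib.sha256).hexdigest()
    return json.loads(claims) if hmac.compare_digest(expected, tag) else None

def mediate(xml_text, now_iso):
    # Gateway entry point: reject bad assertions at the perimeter, otherwise re-credential for the backend.
    try:
        now = parse_time(now_iso)
        return issue_backend_token(validate_assertion(xml_text, now), now)
    except (ValueError, TypeError, ET.ParseError):
        return None  # nothing reaches the green zone

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://gateway.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

Because the backend only ever sees the gateway-minted token, a client presenting an expired assertion or one addressed to another audience is stopped in the DMZ and the backend's trust is anchored to the shared key rather than to the original identity provider.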