Академический Документы
Профессиональный Документы
Культура Документы
Why you must have Cloud Governance before you move your apps
Layer 7 Technologies
White Paper
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
Contents
Introduction .................................................................................................................................................. 3
Cloud is Inevitable ......................................................................................................................................... 3
The Cloud Enablers ................................................................................................................................... 4
Quick In/Quick Out................................................................................................................................ 4
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 2
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
Introduction
Cloud computing is a dilemma for today’s CIO. The potential to cut capital expenditure and reign in operating costs
is so compelling that the business will push aggressively for cloud adoption. Each of the components of cloud
computing—Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS)—
offer a bulletproof economic argument that is irresistible to any CFO, CTO, or your CEO. Brought together, they
offer a promise of tangible savings and flexibility that is unprecedented in the history of computing.
But you know that money isn’t the only issue. Cloud introduces new security risks and compromises the traditional
control of IT. When data begins to move out of established corporate silos, it is vulnerable to disclosure, loss or
modification. The very act of moving sensitive data outside enterprise walls may violate national regulations for
privacy and audit that govern the corporation. As data flows through different jurisdictions in a cloud spanning the
globe, it may become subject to international controls that impede business.
When applications leave the data center, IT looses visibility and surrenders control. The once local, centralized,
manageable IT infrastructure goes global, subject to dubious SLAs and reliant on a continually shifting alliance of
partners. The shift in focus from managing infrastructure to managing applications is disruptive to any IT
organization. It challenges roles, ownership, and procedure.
These concerns haunt IT management. They introduce a justifiable unease that counters the high profile success of
cloud services such as Salesforce.com and Amazon Web Services. This stalls cloud initiatives, and once again, IT
finds itself at odds with business goals.
Fortunately, there is a solution. Cloud governance, which is a logical evolution of your current SOA governance
strategy, offers a means to assert control over both internal and external applications and data. It provides a
unified, application-centric view of your IT throughout the corporate data center and into the cloud. Cloud
governance tears down those barriers of concern erected between traditional IT and the cloud, clearing the way
for secure, managed, and incremental cloud adoption. It relies on proven technology solutions developed over the
last decade inside enterprise networks. It is a logical and justifiable step forward from what you do today.
This paper will prove to IT Management that the widely reported challenges of cloud computing can be met. It
describes a path that will guide the enterprise into the cloud in a controlled and secure manner. Finally, it will
show how even cloud governance can be deployed as a service, lowering the barrier to entry and leveraging
exactly those qualities of cloud architecture that make it so attractive.
Before you deploy a single service into the cloud, you must have a cloud governance program in place.
Cloud is Inevitable
Early cloud adoption was about agility. Startups flocked to the cloud because they could completely bypass
infrastructure acquisition and setup by deploying their applications directly to cloud providers like Joyent, GoGrid,
Google AppEngine, or Amazon Web services. This decreased their time-to-market, gave them the flexibility to
update applications in real time, and bought them the insurance of scalability to meet unanticipated traffic
volumes if their idea captured public imagination. Cost saving was simply a nice side effect.
Agility, however, is difficult to monetize. Everyone wants agility, but few are willing to pay for it; in the end, cost
effectiveness is a much easier sell. As cloud computing matures, there is a gradual shift in priorities taking place
among adopters. The business is starting to recognize that cloud computing represents a transformation in the
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 3
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
operating model for IT. Budgets dominated by capital expenditures and depreciation are giving way to those built
on predictable—and indeed, lowered—operating expenses. What is revolutionary about cloud is not the
technology; it’s the change cloud is making to the economics of IT.
Within this simple financial equation lies a truth that will make the move to cloud inevitable. The argument is so
convincing that it will resonate powerfully in the executive suite, and the decision to utilize the cloud will come not
from IT, but from the business itself. Clearly, to be perceived as in control and delivering real business value, IT
must be well prepared for this directive when it comes.
Instead, they turned to Amazon EC2 cloud services. Using Amazon, the team was able to complete the job in only
24 hours. In the end, they satisfied the requirement for a fraction of the conventional cost, and left no depreciating
IT assets behind.
These short-term, low-risk projects, which demand high volumes of processing power on a temporary basis, are
excellent candidates for cloud technologies and help the business to build confidence in this new approach.
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 4
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
This may seem manageable and ultimately beneficial to the company, but other grassroots initiatives may not be
so benign. The very accessibility of cloud services makes these both a great opportunity and a great threat. It is
hard not to be impressed when any staff member, using a web browser and a credit card, can access cloud services
in minutes. This is agile and entrepreneurial. However, the implementation may not be consistent with the
standards you have in place for your business.
Unmanaged cloud adoption will lead to the erosion of data authority and the introduction of unmanaged
dependencies. External services, whether SaaS-based or in-house applications deployed with a cloud provider,
rarely have access to centralized data sources in the enterprise. This leads to data replication on the external
system, creating coherency problems and the destruction of the central, authoritative record.
Reliability is at risk as cloud services become more finely grained and distributed. Applications sprawl across
networks, making use of services that may change or vanish at any time. This lack of formality, control and rigor
undermines the very promise of the cloud.
Cloud Control
The message for IT management is that it must put itself in control of cloud initiatives. The inevitable push to move
to the cloud will come from the business—IT can’t stop this. But IT can ensure that the internal test cases for cloud
are carefully managed and successful, and that these are used not only to justify the widespread adoption of this
technology, but to showcase how it can be done safely, securely, and under centralized control.
SOA in Clouds
It is a common misconception that cloud will replace SOA. Nothing could be further from the truth. Cloud did
knock SOA off its commanding position on the hype scale, but the truth is that we should build cloud applications
consistent with the model that SOA articulates. SOA is an architectural approach; it is a philosophy guiding the
development and management of applications. Cloud is simply a deployment and operational model that happens
to be very well suited to host the services you create under a SOA initiative.
The major cloud players are demonstrating this for us. Salesforce.com began as a monolithic SaaS application.
However, its fundamental components—services that are useful and reusable across a wide range of custom
apps—have been teased out and made available in the company’s Force.com offering. Arguably, even Amazon, the
pioneer of cloud computing, began as a monolithic web application selling books. It then followed up with granular
services that plug into its core, and finally provided the basic building blocks of their application—queuing,
database, storage, elastic computing—as services for hire. This is service-orientation evolving into cloud
computing.
When moving to the cloud, IT needs to recognize that SOA is a crucial part of its effort. Moreover, the secrets of
success in SOA are also the secrets to success in the cloud.
What is important to recognize, however, is that with on-premises SOA, governance could be ignored at first, and
retrofitted later. Existing process can hide a multitude of sins. If an organization owned its infrastructure, used
internal staff to manage this, and had a program of basic physical and IT security in place, it could get away with
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 5
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
delaying its SOA governance program. This does not imply it could ignore governance forever—SOA ultimately
cannot be successful without it—but it does allow reprioritization.
In contrast, the cloud is much less forgiving. In the cloud, your data resides on systems that you don’t control, that
may be in other countries or legal jurisdictions. These systems are unlikely to have the same security standards
that you are accustomed to with your on-premises servers. You need to develop your applications to withstand
internet-scale attacks, just like your front-line web servers. Before you deploy a single cloud service, you must have
a cloud governance program in place.
This is an important inversion point. In cloud, you give up control of networks and systems, leaving you only with
control over applications and services. Your governance program, therefore, must provide the means to control,
monitor, and adapt these services, regardless of whether they reside in an on-premises SOA, or out in a cloud-
based extension to your SOA. This consistency in approach, from existing SOA to cloud SOA, is a basic but
demanding characteristic of cloud governance.
You must recognize cloud governance as a first class citizen in cloud deployments—a gating factor that needs to be
in place before you can move to the cloud. Clearly, the process and technology behind it cannot be an impediment.
It must emphasize agility and multi-purpose application without compromising security and manageability of
services.
Cloud governance recognizes the special challenges organizations face within cloud computing. It extends SOA
governance in several important ways. Process and policy clearly need to adapt to address the exceptional
challenges with each vendor. If anything, cloud governance is uniquely demanding with respect to process and
policy because of complexity of vendor contracts, SLA expectations, and the increasingly complex regulatory
environment—factors that demand a fine balance against agility, cost reduction, and the threat of vendor-lock in.
Technology, too, must change; however, it builds on the basic solutions that already enable SOA governance.
Technology implements process, enforces rules, and monitors environments. In the SOA governance space, these
functions map cleanly into products that provide continuous enforcement of policy, broadly deployed monitoring,
and lifecycle management of SOA assets.
The challenge in moving these into the cloud is that the products must become highly distributed and cloud-
centric. Deployment must be simple, dependable and rapid across the wide variety of cloud infrastructures. They
must operate independently under all conditions, including disconnected from any centralized asset stores and
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 6
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
monitoring consoles. And they must operate seamlessly across on-premises and off-premises environments,
including “legacy” enterprise SOA deployments. Cloud governance, therefore, is as relevant in an existing SOA
installation as it is for a completely new application deployed in Amazon’s cloud center.
Cloud governance inverts the order of implementation that customers had with SOA governance. In most SOA
governance engagements, customers believed that management of assets was the first order problem, with
enforcement and monitoring the second. This often led to early purchases of registry/repository technology that
saw little practical use because it never integrated well with enforcement and monitoring infrastructure. In
contrast, cloud governance demands that you address enforcement and monitoring first, and that these solutions
bring the ability to manage assets natively. Control and visibility are fundamental problems you must overcome
before following up with tools that automate human process.
The virtual Policy Enforcement Point (vPEP): The Foundation of Cloud Governance.
Policy enforcement and monitoring is fundamental to SOA and cloud governance. IT can deploy a single entity, the
virtual Policy Enforcement Point (vPEP), to accomplish both tasks.
The idea of a standalone Policy Enforcement Point is not new; indeed, its use is widespread in most SOA environments.
In traditional SOA, the PEP acts as a gatekeeper and monitor for all service traffic. Common functionality includes:
Integrity: Ensuring communications are not Monitoring: Collecting rich data sets
altered in transit. describing both individual transaction data and
aggregate counters, and generation of graphs
and reports to summarize these.
Policy
Decision Service
Point (PEP) Host
Policy
Policy
Enforcement
Enforcement
Message
Point
Point(PEP)
(PEP)
These devices were traditionally hardware-based, and deployed in an enterprise network DMZ to manage all XML-
based streams in or out of the organization. New technological developments now allow virtualization of all PEP
functionality so that it can easily be deployed either on-premise in the traditional data center, or externally in the
cloud. The new virtual PEP offers a lightweight deployment model that allows a closer binding to services, following
them through cloud deployment and making localized services governance practical.
Consider the following use case. A third-party SaaS application requires access to data locked on a mainframe—
clearly a system that isn’t moving into the cloud soon. How can IT publish an interface to the mainframe that
ensures only authorized cloud services can access it, that protects the mainframe from Internet-originating attacks,
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 8
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
1. Start with enforcement. In cloud environments, distributed enforcement is a much more difficult and
more pressing problem than asset management. Look first for a policy enforcement point that
simultaneously answers both of these needs. This offers immediate standalone value, but with the ability
to integrate with heavyweight registry/repositories when this need develops.
2. Form factors that take you from the DMZ to the clouds. Enforcement and monitoring must scale with no
functional differences, from the wiring closet to the virtual cloud. Hardware appliances will always have
their place, but now so do virtual vPEP appliances that can rapidly deploy in the cloud.
3. Distributed, virtualized management. Management systems for policy enforcement, whether on site in
traditional SOA or in the clouds, need to be distributable so that there is no single point of failure. These
consoles manage mission-critical applications. If a local network becomes segmented or a cloud provider
is inaccessible, the management components should be locally available on every enforcement point.
4. The ability to maintain a central system of record for critical assets. There must be a central,
authoritative system of record for assets like policies. Think of this as the library storing the laws of the
land: the police reference it, but certainly not on every call.
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 9
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
5. Loose coupling is a must between enforcement points and repository. Following on #4, enforcement
points must not be tightly bound to central repositories because of the latency and reliability issues in the
cloud.
6. The ability to author centrally, but deploy globally. Policy will move with your applications in the cloud.
Localized differences (time zones, IP addresses, SLAs, etc) must be mapped automatically during
provisioning. This is a hard problem, because policy itself is often riddled with unanticipated dependency.
7. Offer a global view of the application network. You need an application-centric management and
monitoring system. It must be accommodating to the subtleties of application protocols so it can provide
an actionable view of problems as they occur.
8. Flexibility in policy language. The mechanics of governance always come down to complex details in
security policy. It is through policy that you manage, adapt, and control all communications between
services. A richly expressive policy language will give you the tools you need to manage any situation.
9. Equally relevant to SOA as to the cloud. Think of cloud governance as evolved SOA governance. Any
cloud governance solution should be as applicable to traditional SOA as it is to the cloud.
10. Utilization of the cloud in the solution. If a vendor is serious about the cloud, shouldn’t a cloud
governance solution make use of cloud services?
Conclusions
In traditional, on-premises SOA, a governance program was easy to put off. Existing processes and security
technology are often good enough to manage simple scenarios, at least until a critical mass of services appears.
In the cloud, things are different. A single service is enough to demand that you implement a cloud governance
program. You should look to SOA governance for inspiration, and extend this to the cloud. Start with a strong
program of SOA governance. If you don’t have this already, this is a good time to start. Extend this into the cloud
using new, lightweight technology such as virtual Policy Enforcement Points. These will provide you with the
security and monitoring functions that are the foundation of SOA—or cloud—governance.
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 10
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
The human elements of SOA governance transfer cleanly to the cloud. The challenge is to have the process and
policy in place so it is ready evolve to meet the additional vendor challenges that come with a cloud deployment.
Set Goals – SOA taught us that failing to set clear, measurable goals upfront very often led to project failure down
the road. We need to learn from this. Be honest and realistic about what you want to get from the cloud and you
will be successful. Ask yourself:
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 11
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
Assess Process – Take stock of your existing processes around development, deployment, and operations.
Categorize them as follows:
Assess Data – Take careful inventory of your data assets in the organization (if you don’t have this catalogued
already, now is the time to do it). Categorize these data into the following governance groupings:
• Must only reside inside of existing data center. This may be for security or compliance reasons. Take note
of special challenges, such as the data being locked up in a legacy mainframe application, but don’t let this
dictate it’s category. Physical or logistical reasons should be orthogonal this categorization.
• Could reside in a private cloud. Note that even a private cloud may be multi-tenant (tenants could
include other business units, business partners, or even third parties).
• Could reside in a public cloud.
Clearly, there is a hierarchy of loosening restriction here. The granularity of this is something you will have to
determine yourself. In a perfect world, you would categorize every field like this; however, this is clearly not
practical in most cases. Consider concrete logical dependencies and use these to aggregate fields for grouping.
Assess Applications and Services – Data isn’t the only corporate asset that may need a higher level of security or
trust than cloud can provide; services may also have special restrictions that require they be hosted on-premise.
This may be because of they are bound to sensitive data, or simply because some characteristic of their
operational behavior is a company secret (such as implementation of a proprietary algorithm).
There is a significant issue with current cloud solution offerings. They focus exclusively on management of virtual
instances, and in doing so miss a fundamental tenet of modern SOA: it’s about the services. If you put the emphasis
back onto services, your cloud governance strategy will naturally fall out of this.
Place your services into the same categories developed above for data. If you have an existing SOA, you are well
positioned because your services should be well documented.
Develop Relationship with Providers – Start this early, because it will take longer than you expect. Cloud technology
is about speed and agility; relationships are the opposite. You need time to understand the different value
propositions of each of the vendors. Furthermore, understand that these will change constantly as the industry
evolves, so the right provider one year may be the wrong one in the next. Respect the power derived from
continuity in relationships, but always be re-evaluating and ready to move.
• By SLA – This is often about uptime and response time, but there are other factors to consider. What is
their backup policy, and how fast can they recover from a catastrophic data loss? Can you request
retrieval of old copies of data? How far back, and how often, are snapshots taken? What is the data
retention policy? Does your data stay on their backup media after you’ve terminated your relationship?
What happens to virtual images on disk once these have been spun down: is the disk image wiped clean
to your standards (some governmental agencies have very strict requirements for data erasure on disk,
including multiple passes with pseudo-random data streams)? What is the handling policy for passwords
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 12
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
and keys on their site? Which provider staff can escalate privileges and gain access to your virtualized
applications and data? What is the policy governing this? Who can access audits and can these potentially
leak information from your application? Will the provider even support you when investigating issues or
recovering data?
• By Security Capability – In a multi-tenant environment, how are virtual images kept separate from each
other? Can virtual images sniff packets, or spoof IPs? How does the provider segregate data? What about
infrastructure like queues or databases? What is the authentication and authorization model to access
management APIs or consoles? Does this scale to satisfy your needs on a corporate level (consider the
logistic point of view of key distribution, revocation of credentials, lifetime of keys or passwords, etc)? Do
they provide role-based or attribute-based authorization models? Are there mechanisms available to
avoid embedding security credentials inside virtual machines? Can their infrastructure federate with your
existing identity and access management system? What is the model for communicating with resources in
the enterprise (i.e. legacy applications, private clouds, people, etc)? Does it use open encrypted pipes like
a VPN that let all communications through without discrimination (very risky if anything is compromised),
or is it finely grained on a service-by-service basis (a much more secure approach)? What firewall
capabilities are available for virtualized instances?
• By Trust – Security is always about trust. To complicate matters, this isn’t just about building trust with a
single provider, but investing trust with all of their sub-contractors and other entities they have
relationships with that could affect you. One of the biggest challenges in cloud is the implicit transitive
trust issue you engage in with any vendor. Consider also the jurisdictions and locations they may operate
in. Does this put your data at risk of subpoena or seizure by foreign entities (for political or competitive
reasons)? Are their facilities in an area that meets your needs? Remember, in a cloud covering the planet,
local conditions can become startlingly relevant. Hurricanes are not your only problem; now you need to
worry about typhoons.
• By Lock-in – Most commercial cloud providers are building on the Xen hypervisor (Amazon included).
Unfortunately, that is about as standard as it gets. There are initiatives to create standards around cloud
VM formats and administrative APIs, but these efforts have only recently begun and will take some time
to mature.
Rationalize Relationships – Keep the short list of vendors you work with short—recognize that any good business
relationship takes constant maintenance and considerable effort upfront. Continuously monitor the changing
marketplace, be ready to move, and don’t try and maintain more than two or at most three separate provider
relationships. Institute a quarterly review period and evaluate what has changed. Avoid long term contracts—the
market is changing too rapidly to make this a prudent strategy.
Implement Soft Policy for Clouds – You need to control unmanaged employee access of cloud resources.
Implement a policy as soon as possible that doesn’t forbid it, but encourages partnering with a local center of
excellence for clouds. This provides some control and monitoring without discouraging innovation or
compromising agility. Ensure it can provide some value to staff engaging with it, such as leverage of existing
provider relationships or simply expertise and perspective on cloud opportunities.
Build Management and Monitoring Layer – This is the single most important piece of infrastructure you need to
invest in. Traditional SOA advocated starting with heavyweight registry and repository infrastructure. In contrast,
cloud and modern SOA is about the realization that enforcement and monitoring tools are where the real value
resides. This technology is the cornerstone of cloud governance.
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 13
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
Setup Policy Enforcement Points (PEPs) in DMZ – Start by protecting the resources you already have. Placing PEPs
in the DMZ allows you to manage access to internal resources, whether partners or cloud applications use them.
This also provides the base infrastructure you need to manage outgoing access to cloud resources. Starting in a
familiar environment, such as your own DMZ, gives staff valuable experience in managing this infrastructure
before you begin to deploy it into the cloud.
Deploy Virtual PEPs into the Cloud – Next, begin to deploy virtual PEPs. You can optionally begin by deploying these
throughout your organization, creating a robust defense-in-depth strategy in your application network. As you
move applications and services into the cloud, bind them to virtual PEPs that also reside in the cloud, giving you
policy-driven control over security and monitoring of every service you host.
Integrate Heavy Components Later – Modern PEPs provide all the functionality you need for a governance story,
including local persistence and lifecycle management of all-important assets like policy and service descriptions. As
your usage expands, look to centralized management products that integrate seamlessly with the PEPs. This might
also be a cloud service.
Refine and Repeat – Cloud governance is an ongoing process. Set up a steering committee that meets regularly to
evaluate the state of the project and to institute change when necessary.
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 14
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
Email:
info@layer7tech.com
Web Site:
www.layer7tech.com
Phone:
(+1) 604-681-9377
1-800-681-9377 (toll free within North America)
Fax:
604-681-9387
Address:
Layer 7 Technologies
1200 G Street, NW, Suite 800
Washington, DC 20005
Layer 7 Technologies
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada
Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.
SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or
trademarks are the property of their respective owners.
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 15