Showing posts with label saas. Show all posts

Thursday, March 4, 2021

Key Trends from F5 State of Application Strategy Report

Get your copy: www.f5.com/stateofappstrategy

We all know how much the world has changed in the last year. And the results of the most recent #F5 State of Application Strategy survey make it clear: the pandemic has vastly accelerated a global digital transformation that was already underway. Progress that might normally have taken a decade has leapt forward in a single year, with respondents maturing in their journeys toward digital expansion. So let’s start the clock and take a look at the astonishing progress apparent through several key markers revealed in our seventh annual survey. #SOAS

Friday, December 13, 2019

F5 Cloud Services Early Access Program

F5's Cloud Services Team is excited to share an opportunity for customers to test two new technologies! Essential App Protect is instant, out-of-the-box protection from common web exploits, malicious IPs and coordinated attack types. Bot Protect is a bot management SaaS solution that identifies bots’ intent and prevents attacks, while maintaining access for the good bots that help your business.

Visit: https://www.f5.com/preview to help shape our roadmap and influence feature development!


Tuesday, June 21, 2016

Your Applications Deserve iApps

F5 iApps are user-customizable frameworks for deploying applications that enable you to ‘templatize’ sets of functionality on your F5 gear. You can automate the process of adding virtual servers or build a custom iApp to manage your iRules inventory.

Application ready templates were introduced in BIG-IP v10, and the goal was to provide a wizard for often-deployed applications like Exchange, SharePoint, Citrix, Oracle, VMware and so forth. This abstracted away some of the configuration details and reduced human error when following the pages of the thick deployment guides for those applications. Application templates were great, but there was no way to customize the template during the deployment or adjust it afterward.

Then came iApps®.

Introduced in TMOS v11, iApps is the current BIG-IP system framework for deploying services-based, template-driven configurations on BIG-IP systems. iApps bundles all of the configuration options for a particular application together.

Roughly a third of F5 customers use iApps, and they are especially popular for more complex configurations like Microsoft Exchange, which requires up to 1200 mouse clicks to configure manually and only 50 mouse clicks to configure with the iApp. iApps are also often used to roll out similar configurations to multiple BIG-IPs. Some customers run hundreds of iApps, some run none; the choice is yours.

Here is one example of iApp customization and its evolution. When we released SAML support in v11.3, many customers wanted to use BIG-IP APM as a SAML Identity Provider (IdP) for Office365 but there are a few steps to configure that in BIG-IP. Configure Active Directory, then SAML, then the access policy and so forth. One of our very smart Security Architects, Michael Koyfman, wanted to make that task simple, repeatable and accurate.

He decided to write an O365 iApp and posted it to DevCentral, where there was immediate interest from the community. From that, Product Development engineers rewrote it to follow their libraries and best practices and then moved it to supported status. You can now use this F5-supported iApp template to configure the BIG-IP system as a SAML IdP to Microsoft Office 365 applications, such as Exchange and SharePoint. This template configures the BIG-IP APM system as an IdP for Office 365 to perform single sign-on (SSO) between the local Active Directory user accounts and Office 365-based resources such as Microsoft Outlook Web App and Microsoft SharePoint.

But we didn’t stop there.

Since it is the same framework and easily extensible to add more services to an iApp, they took it a step further. With the O365 iApp as the basis, the team then built a SaaS Federation iApp which allows you to configure BIG-IP APM as a SAML IdP to 11 commonly used SaaS applications including Salesforce, Concur, WebEx, O365 and others. Now, with a single iApp, you can federate your employees to many SaaS applications easily, efficiently and securely. This iApp also went through a beta period on DevCentral and was recently released as an F5-supported iApp.


UI configurations for the SaaS iApp


Summary of configurations for the SaaS iApp

So if you need a quick and easy way to deploy your applications, look no further than F5 iApps. You can use the F5-built iApps, you can customize F5-built iApps, or you can build your own iApps. Your applications, infrastructure and business will thank you.

ps

Tuesday, February 23, 2016

Would You Put Corporate Applications in the Cloud?

There once was a time when organizations wouldn’t consider deploying critical applications in the cloud. It was too much of a business risk from both an access and an attack perspective—and for good reason, since 28 percent of enterprises have experienced more security breaches in the public cloud than with on-premises applications. This is changing, however. Over the last few years, cloud computing has emerged as a serious option for delivering enterprise applications quickly, efficiently, and securely. Today almost 70 percent of organizations are using some cloud technology. And that approach continues to grow. According to the latest Cisco Global Cloud Index report, global data center IP traffic will nearly triple over the next five years. Overall, data center IP traffic will grow at a compound annual growth rate of 25 percent from 2012 to 2017.

This growth is to support our on-demand, always connected lifestyle, where content and information must be accessible/available anytime, anywhere, and on any screen. Mobility is the new normal, and the cloud is the platform to deliver this content. No wonder enterprises are scrambling to add cloud components to their existing infrastructure to provide agility, flexibility, and secure access to support the overall business strategy. Applications that used to take months to launch now take minutes, and organizations can take advantage of innovations quickly. But most IT organizations want the cloud benefits without the risks. They want the economics and speed of the cloud without worrying about the security and integration challenges.

Use of the corporate network itself has become insecure, even with firewalls in place. Gone are the days of “trusted” and “untrusted,” as the internal network is now dangerous. It'll only get worse once all those IoT wearables hit the office. Even connecting to the corporate network via VPN can be risky due to the network challenges. Today, almost anything can pose a potential security risk, and unauthorized access is a top data security concern.

Going against the current trend, some organizations are now placing critical applications in the cloud and facing the challenge of providing secure user access. This authentication is typically handled by the application itself, so user credentials are often stored and managed in the cloud by the provider. Organizations, however, need to keep close control over user credentials, and for global organizations, the number of identity systems can be in the thousands, scattered across geographies, markets, brands, or acquisitions. It becomes a significant challenge for IT to properly authenticate the person (whether located inside or outside the corporate network) to a highly available identity provider (such as Active Directory) and then direct them to the proper resources. The goal is to allow access to corporate data from anywhere with the right device and credentials. Speed and productivity are key.

Authentication, authorization, and encryption help provide the fine-grained access, regardless of the user’s location and network. Employee access is treated the same whether the user is at a corporate office, at home, or connected to an open, unsecured Wi-Fi network at a bookstore. This eliminates the traditional VPN connection to the corporate network and also encrypts all connections to corporate information, even from the internal network.

In this scenario, an organization can deploy the BIG-IP platform, especially virtual editions, in both the primary and cloud data centers. BIG-IP intelligently manages all traffic across the servers. One pair of BIG-IP devices sits in front of the servers in the core network; another pair sits in front of the directory servers in the perimeter network. By managing traffic to and from both the primary and directory servers, the F5 devices ensure the availability and security of cloud resources—for both internal and external (federated) employees. In addition, directory services can stay put as the BIG-IP will simply query those to determine appropriate access.

While there are some skeptics, organizations like GE and Google are already transitioning their corporate applications to cloud deployments and more are following. As Jamie Miller, President & CEO at GE Transportation, says, 'Start Small, Start Now.'

ps

Connect with Peter: Connect with F5:

Wednesday, November 4, 2015

Ask the Expert – Why Identity and Access Management?

Michael Koyfman, Sr. Global Security Solution Architect, shares the access challenges organizations face when deploying SaaS cloud applications. Syncing data stores to the cloud can be risky, so organizations need to utilize their local directories and assert the user identity to the cloud. SAML is a standardized way of asserting trust, and Michael explains how BIG-IP can act either as an identity provider or a service provider so users can securely access their workplace tools. Integration is key to solving common problems for successful and secure deployments.

ps


Wednesday, November 19, 2014

Collaborate in the Cloud

Employee collaboration and access to communication tools are essential for workplace productivity. Organizations are increasing their use of Microsoft Office 365, a subscription-based service that provides hosted versions of familiar Microsoft applications. Most businesses choose Exchange Online as the first app in Office 365 they adopt.
The challenge with any SaaS application such as Office 365 is that user authentication is usually handled by the application itself, so user credentials are typically stored and managed in the cloud by the provider. The challenge for IT is to properly authenticate the employee (whether located inside or outside the corporate network) to a highly available identity provider (such as Active Directory).

Authentication without complexity

Even though Office 365 runs in a Microsoft-hosted cloud environment, user authentication and authorization are often accomplished by federating on-premises Active Directory with Office 365. Organizations subscribing to Office 365 may deploy Active Directory Federation Services (ADFS) on premises, which then authenticates users against Active Directory.
Deploying ADFS typically requires organizations to deploy, manage, and maintain additional servers onsite, which can complicate or further clutter the infrastructure with more hardware. SAML (Security Assertion Markup Language) is often the enabler to identify and authenticate the user. It then directs the user to the appropriate Office 365 service location to access resources. SAML-enabled applications work by accepting user authentication from a trusted third party, an identity provider. In the case of Office 365, the BIG-IP platform acts as the identity provider.
For example, when a user requests his or her OWA email URL via a browser using Office 365, that user is redirected to a BIG-IP logon page to validate the request. The BIG-IP system authenticates the user on behalf of Office 365 and then grants access. The Office 365 environment will recognize the individual and provide their unique Office 365 OWA email environment. The BIG-IP platform provides a seamless experience for Office 365 users and with the federated identity that the BIG-IP platform enables, the IT team is able to extend SSO capabilities to other applications.
The benefit of using the BIG-IP platform to support Office 365 with SAML is that organizations can reduce the complexity and requirements of deploying ADFS. By default, when enabling Office 365, administrators need to authenticate those users in the cloud. If an IT administrator wants to use the corporate authentication mechanism, ADFS must be put into the corporate infrastructure. With the BIG-IP platform, organizations can support authentication to Office 365 and the ADFS requirement disappears, resulting in centralized access control with improved security.

Secure collaboration

Because email is a mission-critical application for most organizations, it is typically deployed on premises. Organizations using BIG-IP-enhanced Microsoft Exchange Server and Outlook can make it easier for people to collaborate regardless of their location. For example, if a company wanted to launch a product in Europe that had been successfully launched in the United States, it would need workers and contractors in both locations to be able to communicate and share information.
In the past, employees may have emailed plain-text files to each other as attachments or posted them online using a web-based file hosting service. This can create security concerns since potentially confidential information is leaving the organization and being stored on the Internet without any protection or encryption. There are also concerns about ease of use for employees and how the lack of an efficient collaboration tool negatively impacts productivity.

Internal and external availability 24/7

To solve these issues, many organizations move from the locally managed Exchange Server deployment to Microsoft Office 365. Office 365 makes it easier for employees to work together no matter where they are in the world. Employees connect to Office 365 using only a browser, and they don’t have to remember multiple usernames and passwords to access email, SharePoint, or other internal-only applications and file shares.
In this scenario, an organization would deploy the BIG-IP platform in both the primary and secondary data centers. BIG-IP LTM intelligently manages all traffic across the servers. One pair of BIG-IP devices sits in front of the servers in the core network; another pair sits in front of the directory servers in the perimeter network. By managing traffic to and from both the primary and directory servers, the F5 devices ensure availability of Office 365—for both internal and external (federated) users.

Ensuring global access

To provide for global application performance and disaster recovery, organizations should also deploy BIG-IP GTM devices in the perimeter network at each data center. BIG-IP GTM scales and secures the DNS infrastructure, provides high-speed DNS query responses, and also reroutes traffic when necessary to the most available application server. Should an organization’s primary data center ever fail, BIG-IP GTM would automatically reroute all traffic to the backup data center. BIG-IP GTM can also load balance the directory servers across data centers to provide cross-site resiliency.
The BIG-IP platform provides the federated identity services and application availability to allow organizations to make a quick migration to Office 365, ensuring users worldwide will always have reliable access to email, corporate applications, and data.
ps

Tuesday, September 30, 2014

Oracle OpenWorld 2014: Identity & Access Management in the Cloud (feat Deang)

Rubyanne Deang, F5 Global Field Systems Engineer, shares some insight on the many identity and access challenges organizations face when deploying applications in the cloud. Multiple directories, orphaned accounts and business risk all make the list. Not to leave you hanging, however, she also explains how organizations can solve this dilemma with BIG-IP.

 

ps


Tuesday, June 3, 2014

A Living Architecture

You often hear people say, 'oh, this is a living document,' to indicate that the information is continually updated or edited to reflect changes that may occur during the life of the document. Your infrastructure is also living and dynamic. You make changes, updates or upgrades to address the ever changing requirements of your employees, web visitors, customers, partners, networks, applications and anything else tied to your systems.

This is also true for F5's Reference Architectures. They too are living architectures.

F5's Reference Architectures are the proof-points or customer scenarios that drive Synthesis to your data center and beyond.

When we initially built out these RAs, we knew that they'd be continuously updated to not only reflect new BIG-IP functionality but also show new solutions to the changing challenges IT faces daily. We've recently updated the Intelligent DNS Scale Reference Architecture to include more security (DNSSEC) and to address the highly hybrid nature of enterprise infrastructures with Distributed DNS.

F5’s end-to-end Intelligent DNS Scale reference architecture enables organizations to build a strong DNS foundation that maximizes the use of resources and increases service management, while remaining agile enough to support both existing and future network architectures, devices, and applications. It also provides a more intelligent way to respond and scale to DNS queries and takes into account a variety of network conditions and situations to distribute user application requests and application services based on business policies, data center conditions, network conditions, and application performance. It ensures that your customers—and your employees—can access your critical web, application, and database services whenever they need them.

In this latest DNS RA rev, DNSSEC can protect your DNS infrastructure, including cloud deployments, from cache poisoning attacks and domain hijacks. With DNSSEC support, you can digitally sign and encrypt your DNS query responses. This enables the resolver to determine the authenticity of the response, preventing DNS hijacking and cache poisoning.


Also included is Distributed DNS, meaning all the DNS solution goodness also applies to cloud deployments or infrastructures where DNS is distributed. Organizations can replicate their high-performance DNS infrastructure in almost any environment. Organizations may have Cloud DNS for disaster recovery/business continuity or even a Cloud DNS service with signed DNSSEC zones. F5 DNS Services enhanced AXFR support offers zone transfers from BIG-IP to any DNS service, allowing organizations to replicate DNS in physical, virtual, and cloud environments. The DNS replication service can be sent to other BIG-IPs or other general DNS servers in data centers or clouds that are closest to the users.

In addition, organizations can send users to a site that will give them the best experience. F5 DNS Services uses a range of load balancing methods and intelligent monitoring for each specific app and user. Traffic is routed according to your business policies and current network and user conditions. F5 DNS Services includes an accurate, granular geolocation database, giving you control of traffic distribution based on user location.

DNS helps make the internet work and we often do not think of it until we cannot connect to some resource. With the Internet of Nouns (or Things if you like) hot on our heels, I think Port 53 will continue to be a critically important piece of the internet puzzle.

ps
