5 Things to Know about IBM Security Access Manager V9.0 Deployment Patterns
By vasfi
IBM Security Access Manager is a modular, integrated access management appliance that helps secure access to web, mobile, and cloud workloads. It is offered both as a physical appliance and as a virtual appliance image that runs on a number of popular hypervisors.
The ITSO Redbooks team has recently published the IBM Redpaper IBM
Security Access Manager V9.0 comes as a platform, with two optional add-on modules
Security Access Manager is structured as a base appliance (called the platform) with optional add-on modules. All required code ships with the platform, and organizations enable add-on module functionality by entering the appropriate activation keys. This gives users the flexibility to support many usage scenarios without installing additional software. The add-on modules are:
Single appliance cluster pattern: More suitable for non-production test environments
A single clustered appliance model can be adopted in non-production test environments in order to enable developers and integration teams to quickly test end-to-end scenarios. This deployment requires the configuration of a minimal set of the Security Access Manager services on a single appliance.
You can also use this pattern in production environments where the availability requirements tolerate the outages associated with scheduled maintenance and unplanned events, and where the emphasis is on a minimal deployment footprint.
This use case assumes that a small number of replicated appliances are deployed in a DMZ. Note that deploying multiple Security Access Manager security components as a single cluster introduces risks from both an availability and a threat perspective (the cluster is a single point of failure, and a compromise of the appliance exposes every component hosted on it); for that reason this topology is more suited to non-production test environments.
Chapter 3 “Single appliance cluster pattern” of the IBM
Multiple appliances in a single location: Non-functional requirements determine the topology
Another deployment pattern is using multiple appliances in a single location. An example of this is the two-site topology, with two sites within a certain distance of each other and operated in either active/standby or active/active mode. In an active/standby configuration, production workload is placed in the primary (active) site and non-production workload, such as disaster recovery or development, is placed in the secondary (standby) site.
When considering the deployment of Security Access Manager appliances in a single location, a number of additional considerations and constraints, such as availability, virtualization, network security zones, monitoring, performance, and scaling, need to be taken into account. The Redpaper covers three different scenarios for this deployment pattern:
Refer to Chapter 4 “Multiple appliances in a single location” of the IBM
Twin Data Center topology: Allows disaster recovery
A third way of deploying Security Access Manager appliances is the Twin Data Center topology.
The Twin Data Center topology provides many benefits, in particular an adequate level of disaster recovery. It can be implemented as an active/active configuration in which each data center carries a share of the production and development workload and can fail over its load to the other site in the event of a disaster. In this approach, the applications are split logically into two groups, with each group considered the primary application in one data center and the standby in the other. From the application point of view, this architecture emulates a traditional production/disaster recovery site setup. It requires the Identity and Access Management framework to be synchronized between the data centers so that end users retain single sign-on to applications regardless of which site serves them.
You can find more details of this architecture in Chapter 5 “Twin Data Center pattern” of the IBM
IBM Security Access Manager and IBM DataPower integration patterns: Addressing security requirements in a “mobile and interconnected world”
Mobile requirements demand that organizations expose data and services through application program interfaces (APIs) to potentially millions of devices. Invoking these APIs over lightweight protocols such as REST has created new requirements for securing those protocols, with the initial entry point into an organization being components that can be deployed in the appropriate network zone.
This demand has driven a new range of technology solutions around IBM API Management, and from a security perspective it calls for overlapping capabilities in IBM DataPower Gateway appliances and Security Access Manager. A convergence strategy has resulted in the release of Security Access Manager capabilities on the IBM DataPower Gateway product. The converged capability is delivered as an add-on to the IBM DataPower Gateway, known as IBM Security Access Manager for DataPower, which allows both web and mobile traffic to be handled through the same point of contact.
Three different use cases are discussed in Chapter 6 “IBM Security Access Manager and IBM DataPower integration patterns”. These are:
You can find a detailed coverage of these and additional topics in the IBM
Vasfi Gucer is an IBM Redbooks Project Leader with the IBM International Technical Support Organization. He has more than 18 years of experience in the areas of systems management, networking hardware, and software. He writes extensively and teaches IBM classes worldwide about IBM products. His focus has been on cloud computing for the last four years.