
DataPower Security Capabilities

By Divya Koppolu posted Mon September 14, 2020 11:50 AM


IBM DataPower Gateway is the industry-leading security and integration gateway that helps provide security, control, integration, and optimized access to a full range of API, mobile, web, SOA, B2B, and cloud workloads.


In this blog, let’s take a deep dive into the security capabilities of DataPower.


DataPower offers deep and sophisticated security capabilities: authentication, authorization, message and transport protection, and threat protection. It uses modern industry-standard protocols such as OAuth, SAML, XACML, JWT, WS-Security (for IBM-style applications), LTPA and Kerberos (for Microsoft) to secure access to applications. DataPower is the convergence point for security enforcement, allowing token translation so that many of these security protocols can be integrated easily. It offers message protection with digital signature and encryption capabilities, and transport protection with SSL/TLS processing.


Data and End Point Protection



With DataPower you are able to protect data and other resources on the appliance and on the servers it protects. It offers protection against unwanted access, denial-of-service attacks, and other intrusion attempts from the network, allowing only “valid” messages through. It can identify and authorize network users, protecting data and other system resources from unauthorized access.


How does DataPower protect data in the network? It offers:

  1. Data End Point Authentication: verifies that the secure end point is who it claims to be
  2. Data Origin Authentication: verifies that data originated from the claimed sender
  3. Message Integrity: verifies that contents were unchanged in transit
  4. Data Confidentiality: conceals clear text using encryption
  5. Threat Protection: incoming/outgoing data validation, data schema validation (XML and binary), XML threat protection, single-message XDoS protection, multiple-message XDoS protection, message tampering protection, protocol threat protection, XML virus protection, dictionary attack protection, and SQL injection protection.


Security - Authentication, Authorization, and Auditing (AAA)


When a payload or transaction comes into DataPower, it extracts the identity from the HTTP headers, basic auth or other protocols, and also extracts the resource being addressed from the URL, an XPath expression, etc. Once extracted, it authenticates the identity against the various industry-standard protocols. If needed, the identity and resource can also be mapped, so that this information can be normalized with DataPower acting as a convergence tool. After the mapping is done, we authorize using the standard protocols. Do note that authentication and authorization are two separate processes, because a gateway is often used for authentication while the backend services do their own authorization. Hence we keep them as discrete steps within this framework, to be used as appropriate for your backend services. The final step is auditing and post-processing, where we have the ability to mix and match the authorization protocols.