Gartner Catalyst Savvis Cloud API Case Study

Moving Business to the Cloud: A Tale of Security andGovernanceRag Ramanathan

When is Cloud a Fit for Enterprises? •  Customer 1: Global financial institution – Variable, periodic demand – Internal resource constraints •  Customer 2: SaaS based enterprise feedback system – Focus on core business – Speed of provisioning is constraining business execution •  Customer 3: International educational publishing and technology company – Focus on core business – Variable, periodic or seasonal demand2Savvis Proprietary & Confidential

What Kind of Cloud is Right For You? •  SaaS Enablement •  Cloud Bursting •  Voice/Video •  Web Hosting •  Test/Development •  Sensitive Data •  Proof of Concept •  Peak Performance •  Production Bursting Applications •  Test/Development •  Traffic Management Hybrid Private Private Public Cloud Cloud Cloud Cloud Internet – Public IP Private – Private IP3Savvis Proprietary & Confidential

Cloud Use Case: Global Financial Institution Building private cloud on dedicated infrastructure in US and UK with public cloud bursting. Tenants are internal groups. •  Uses Virtual Private Data Center in dedicated infrastructure •  Able to create and manage multiple virtual data centers •  Uses a 3rd party, cloud aggregation software •  Integrates using APIs •  VPN integrates internal and external networks •  Manages their own user authentication and authorization •  Manages their own IP addresses (DHCP server) Enterprise connects to hybrid private/ public cloud4 EnterpriseSavvis Proprietary & Confidential Cloud

Challenges of Hybrid Cloud Integration Making external compute, cloud & applications look internal is often an integration challenge Security Whether opening up to public or outsourced private cloud you will encounter some repeat challenges in moving data and workloads Governance How do you define policies for how enterprise consumes & interacts with cloud services?5Savvis Proprietary & Confidential

The Secret to Hybrid Cloud: SOA & APIs APIs are the way SOA is the integration enterprise systems framework for access provisioning, connecting enterprise management & with private application systems & public cloud in cloud SOA Gateways designed for Cloud (e.g. Layer 7, Vordel, Apigee, SOA Software) is the best way to address security & governance challenges6Savvis Proprietary & Confidential

Why SOA / APIs? >> APIs to integrate >> APIs for management, operations & run-time >> APIs for automating provisioning >> APIs to expose/control the cloud services >> Strongest authentication & authorization >> Facility for compliance enforcement7Savvis Proprietary & Confidential

SOA / API Challenges Security Governance • Authorization • Availability • Basic firewall • Performance • DDos • Protection • SSL for each • Meeting SLAs service end points • Maintain QoS • Audit logs • Audit trails • Authentication • Data for investigation & reporting8Savvis Proprietary & Confidential

But SOA / API Security & Governance IsBigger Security Message Traffic Control Penetration Protection Protection •  Code •  XML •  Rate limit injection DOCTYPE •  Tiered •  Malformed insertion service requests •  XML levels •  SQL attacks document •  Automatic structure retries •  Limit message size And More.. >> Credential caching & expiration IP restrictions >> >> OAuth support >> Reporting and analytics >> Common authentication & authorization across all services9Savvis Proprietary & Confidential

…along with >> Common API security >> Common logging, and auditing >> Reporting and analytics >> Support for multiple versions >> Protocol transformation >> Delegated policy authoring >> Best practices based common policy libraries >> Centralized policy release and enforcement >> External system integration (OSS, BSS, CMDB)10Savvis Proprietary & Confidential

How Are We Addressing These Hybrid Cloud Integration Requirements for Biz? Common API and SOA Governance Layer Using a Cloud Gateway11Savvis Proprietary & Confidential

Common API / SOA Security & Governance Layer Using Layer 7 Gateway API / SOA / Cloud Governance Gateway Common API and SOA Policy • Throttling • Monitoring Governance for Cloud • Usage Reporting • Billing VPDC Portal OSS Storage • Authentication Security • Authorization12Savvis Proprietary & Confidential

Deployment of Layer 7 Cloud Gateway13Savvis Proprietary & Confidential

Specific Security Example •  Requirement: Provide multi-factor authentication for all APIs •  Options 1: –  Each service or product can implement their own solution –  Will require weeks to months of implementation and testing •  Option 2: –  Provide a common security service via a proxy –  Apply best practices based single solution across all the services –  Use Layer 7 policy for OAuth (2-legged) –  Integrate key/token management and distribution between Layer 7, Savvis Portal, BSS, and OSS14Savvis Proprietary & Confidential

Lessons Learned & Recommendations >> APIs drive more cloud traffic than web sites >> Take API-first design approach >> Drive toward a common framework > Configuration based and not development based > Supports flexible and distributed deployment models > Extensible >> Be prepared to handle special requests >> Do through testing of APIs for security >> Look at Security & Gov Gateway for Cloud15Savvis Proprietary & Confidential

Gartner Catalyst Savvis Cloud API Case Study

by Layer 7 Technologies

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 928

Statistics

Gartner Catalyst Savvis Cloud API Case Study Presentation Transcript