Securing and Governing Cloud APIs

A look at why APIs matter in the Cloud and their unique security challenges

Published in: Technology, Business

  • Savvis is a global leader in infrastructure outsourcing. We have nearly 2,500 unique clients, more than 32 of the top 100 companies in the Fortune 500 and some of the world’s most recognizable brands. One of the world’s premier IT infrastructure services providers. Portfolio built to support real-time commercial / enterprise requirements; highly available; highly secure; mission critical. Financially strong; over $1B annual revenues; net positive cash flow. 2300 employees worldwide. Serving Financial, Media, Federal, Consumer Brands / E-Commerce, Software.
  • Why do APIs need better availability and error handling? APIs are used for automation through system integration, whereas portals are used by people, who can easily understand availability conditions and errors.
  • Transcript

    • 1. Securing and governing cloud APIs. Rag Ramanathan, Director of Product Management, APIs
    • 2. Nearly 2,500 unique clients, including more than 32 of the top 100 companies in the Fortune 500. Savvis Proprietary & Confidential
    • 3. Savvis is Positioned in the Leaders Quadrant: The Gartner Magic Quadrant for Public Cloud Infrastructure as a Service. Gartner, Inc., Magic Quadrant for Public Cloud Infrastructure as a Service, Lydia Leong, Ted Chamberlin, December 8, 2011. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Savvis.
    • 4. Managed SaaS Business Content Proximity Applications Web Hosting Enablement Continuity Management Hosting Managed Savvis Symphony Intelligent Hosting (Dedicated and Colocation Monitoring (Dedicated) Multi-Tenant Clouds) Managed Storage and Backup Managed Security Managed Network Professional Services Intelligent Secure Facilities Enterprise Equipment Management Tools
    • 5. Virtual Private Data Center (VPDC) Savvis Symphony VPDC Orchestration and Provisioning VPDC Portal – Topology Designer Automated Provisioning Technical & Business End-User Self-Service Savvis Data Center Infrastructure Provisioning
    • 6. Architecture Overview Portal Proxy API Middleware Business Orchestration/Service Fulfillment Cloud Database Cloud Orchestration Cloud Infrastructure Network Systems Management Services – Service Support Security Storage Incident Services Resources Management Data Center Fabric SLA Management Event Management Compute Resources
    • 7. Supporting multiple channels? Web Portal Smartphones API Tablets Savvis Web Portal Savvis Customer Apps ISV Partner Apps Reseller Apps
    • 8. Why APIs? “Road to the Cloud is through APIs” (Forrester Analyst @chenxiwang)
    • 9. So we offer cloud APIs
        • For IaaS, based on the vCloud API specification
        • With additional Savvis feature-specific APIs
        • Initially offered to a handful of customers as a beta offering
        • Learnt and matured our APIs
        • Customers did “pen tests” and requested enhancements
        • More customers and partners are using APIs, and demand continues to grow
    • 10. API Challenges
        • Security: Authorization; Basic firewall; DDoS; SSL for service end points; Audit logs
        • Governance: Availability; Performance; Protection; Meeting SLAs; Maintain QoS; Audit trails; Reporting
    • 11. API Security & Governance Is Bigger
        • Security Penetration Protection: Code injection; Malformed requests; SQL attacks
        • Message Protection: XML DOCTYPE insertion; XML document structure; Limit msg size
        • Traffic Control: Rate limit; Tiered service levels; Automatic retries
        • And more: Credential caching & expiration; IP restrictions; OAuth support; Reporting and analytics; Common authentication & authorization across all services
    • 12. …along with
        • Common API security
        • Common logging and auditing
        • Reporting and analytics
        • Support for multiple versions
        • Protocol transformation
        • Delegated policy authoring
        • Best-practices-based common policy libraries
        • Centralized policy release and enforcement
        • Internal systems integration (OSS, BSS, CMDB)
    • 13. API Security & Governance Layer Using Layer 7 Gateway API / SOA / Cloud Governance Gateway • Throttling Common API and SOA Policy • Monitoring Governance for Cloud Reporting • Usage • Billing • Authentication VPDC Portal OSS Storage Security • Authorization
    • 14. Layer 7 Deployment
    • 15. Lessons Learned & Recommendations
        • APIs drive more cloud traffic than web sites
        • Take an API-first design approach
        • Drive toward a common framework
            • Configuration based and not development based
            • Supports flexible and distributed deployment models
            • Extensible
        • Be prepared to handle special requests
        • Do thorough testing of APIs for security
        • Look at Security & Gov Gateway for Cloud
    • 16. Next steps
        • Add internal API gateway
        • OAuth for external APIs
        • Quota and rate-limit by specific APIs
        • Developer portal
    • 17. Thank you. Want to work on cloud APIs? – We are hiring – http://www.Bit.ly/savvis_pm Contact: Rag.Ramanathan@savvis.com Twitter: @ragram