Gartner Catalyst Savvis Cloud API Case Study

By allowing Savvis to deliver APIs in a secure and stable manner, CloudControl has empowered the company to deliver a streamlined solution for creating hybrid public/private Cloud deployments. This has proved to be a key differentiating factor for Savvis in an increasingly competitive market space.

  1. Moving Business to the Cloud: A Tale of Security and Governance
     Rag Ramanathan

  2. When is Cloud a Fit for Enterprises?
     • Customer 1: Global financial institution
       – Variable, periodic demand
       – Internal resource constraints
     • Customer 2: SaaS based enterprise feedback system
       – Focus on core business
       – Speed of provisioning is constraining business execution
     • Customer 3: International educational publishing and technology company
       – Focus on core business
       – Variable, periodic or seasonal demand
     Savvis Proprietary & Confidential

  3. What Kind of Cloud is Right For You?
     Use cases listed on the slide (the original is a four-column diagram mapping them to Hybrid Cloud, Private Cloud, Private Cloud and Public Cloud; the column assignment did not survive extraction):
     • SaaS Enablement
     • Cloud Bursting
     • Voice/Video
     • Web Hosting
     • Test/Development
     • Sensitive Data
     • Proof of Concept
     • Peak Performance
     • Production Bursting Applications
     • Test/Development
     • Traffic Management
     Network labels: Internet – Public IP; Private – Private IP

  4. Cloud Use Case: Global Financial Institution
     Building a private cloud on dedicated infrastructure in the US and UK with public cloud bursting. Tenants are internal groups.
     • Uses Virtual Private Data Center on dedicated infrastructure
     • Able to create and manage multiple virtual data centers
     • Uses 3rd-party cloud aggregation software
     • Integrates using APIs
     • VPN integrates internal and external networks
     • Manages their own user authentication and authorization
     • Manages their own IP addresses (DHCP server)
     [Diagram: Enterprise connects to hybrid private/public cloud]

  5. Challenges of Hybrid Cloud Integration
     Making external compute, cloud and applications look internal is often an integration challenge.
     • Security: whether opening up to a public or an outsourced private cloud, you will encounter some repeat challenges in moving data and workloads.
     • Governance: how do you define policies for how the enterprise consumes and interacts with cloud services?

  6. The Secret to Hybrid Cloud: SOA & APIs
     • APIs are the way enterprise systems access provisioning, management and application systems in the cloud.
     • SOA is the integration framework for connecting the enterprise with private and public cloud.
     • SOA gateways designed for cloud (e.g. Layer 7, Vordel, Apigee, SOA Software) are the best way to address security and governance challenges.

  7. Why SOA / APIs?
     >> APIs to integrate
     >> APIs for management, operations and run-time
     >> APIs for automating provisioning
     >> APIs to expose/control the cloud services
     >> Strongest authentication and authorization
     >> Facility for compliance enforcement

  8. SOA / API Challenges
     Security:
     • Authorization
     • Basic firewall
     • DDoS protection
     • SSL for each service end point
     • Audit logs
     • Authentication
     Governance:
     • Availability
     • Performance
     • Meeting SLAs
     • Maintain QoS
     • Audit trails
     • Data for investigation and reporting

  9. But SOA / API Security & Governance Is Bigger
     Security penetration protection:
     • Code injection
     • Malformed requests
     • SQL attacks
     Message protection:
     • XML DOCTYPE insertion
     • XML document structure
     • Limit message size
     Traffic control:
     • Rate limit
     • Tiered service levels
     • Automatic retries
     And more:
     >> Credential caching and expiration
     >> IP restrictions
     >> OAuth support
     >> Reporting and analytics
     >> Common authentication and authorization across all services

  10. …along with
     >> Common API security
     >> Common logging and auditing
     >> Reporting and analytics
     >> Support for multiple versions
     >> Protocol transformation
     >> Delegated policy authoring
     >> Best-practices-based common policy libraries
     >> Centralized policy release and enforcement
     >> External system integration (OSS, BSS, CMDB)

  11. How Are We Addressing These Hybrid Cloud Integration Requirements for Biz?
     A common API and SOA governance layer using a cloud gateway.

  12. Common API / SOA Security & Governance Layer Using Layer 7 Gateway
     [Diagram: API / SOA / Cloud Governance Gateway providing common API and SOA policy governance for cloud, with the functions Throttling, Monitoring, Usage Reporting, Billing, Authentication, Authorization and Security, fronting the VPDC Portal, OSS and Storage]

  13. Deployment of Layer 7 Cloud Gateway

  14. Specific Security Example
     • Requirement: provide multi-factor authentication for all APIs
     • Option 1:
       – Each service or product implements its own solution
       – Will require weeks to months of implementation and testing
     • Option 2:
       – Provide a common security service via a proxy
       – Apply a single best-practices-based solution across all the services
       – Use Layer 7 policy for OAuth (2-legged)
       – Integrate key/token management and distribution between Layer 7, the Savvis Portal, BSS and OSS

  15. Lessons Learned & Recommendations
     >> APIs drive more cloud traffic than web sites
     >> Take an API-first design approach
     >> Drive toward a common framework
        > Configuration based and not development based
        > Supports flexible and distributed deployment models
        > Extensible
     >> Be prepared to handle special requests
     >> Do thorough testing of APIs for security
     >> Look at a Security & Governance Gateway for Cloud
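The message-protection and traffic-control checks listed on slide 9 (limit message size, reject XML DOCTYPE insertion, rate limit by tiered service level) can be expressed as a single gateway pre-filter that runs before a request is forwarded to a cloud API. This is an added illustration, not Savvis or Layer 7 code; the tier names, limits and size cap are constructed values.

```python
import re
import time
from dataclasses import dataclass

# Constructed policy values (assumptions, not Savvis or Layer 7 settings).
MAX_BODY_BYTES = 64 * 1024
TIER_LIMITS = {"gold": 100, "silver": 20, "bronze": 5}  # requests per window
WINDOW_SECONDS = 60
# Any DOCTYPE or ENTITY declaration in the body is rejected outright: the
# "XML DOCTYPE insertion" control from slide 9, which also keeps external
# entity expansion away from the backend XML parser.
DOCTYPE_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


@dataclass
class ClientState:
    tier: str
    window_start: float = 0.0
    count: int = 0


class GatewayFilter:
    """Pre-filter applied to every inbound API call at the gateway."""

    def __init__(self, clients, clock=time.monotonic):
        self.clients = clients  # api_key -> ClientState (from key management)
        self.clock = clock      # injectable so the window can be tested

    def check(self, api_key, body: bytes):
        """Return (allowed, reason). Cheapest checks run first so oversized
        or unauthenticated traffic never reaches the XML parser."""
        state = self.clients.get(api_key)
        if state is None:
            return False, "unknown api key"
        if len(body) > MAX_BODY_BYTES:
            return False, "message too large"
        if DOCTYPE_RE.search(body):
            return False, "DOCTYPE/ENTITY declaration not allowed"
        now = self.clock()
        if now - state.window_start >= WINDOW_SECONDS:
            state.window_start, state.count = now, 0  # new fixed window
        if state.count >= TIER_LIMITS[state.tier]:
            return False, f"rate limit exceeded for tier {state.tier}"
        state.count += 1  # only forwarded requests consume quota
        return True, "ok"
```

Rejected requests do not consume the client's quota, so a malformed burst cannot lock a tenant out of its own tier.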