Secure and Govern Integration between the Enterprise & the Cloud

Secure, govern and mediate integrations between enterprise applications and Cloud services

For Best Buy, the public Cloud provides a strategic way to dynamically scale consumer and partner-facing Web and API assets. The Cloud lets Best Buy accommodate peaks in demand without overbuilding, while isolating sensitive data from the public.

Best Buy also needs a consistent way to control what information is shared with applications in the Cloud, while simultaneously insulating development teams from the vagaries of security, management and mediation challenges that arise when implementing a hybrid Cloud solution.

This webinar, presented by Best Buy, Amazon Web Services and Layer 7 Technologies, looks at a specific example, the Best Buy API Developer Portal, and shares best practices for security, governance and mediation of enterprise services with applications in the Cloud.


Secure and Govern Integration between the Enterprise & the Cloud

  1. Secure and Govern Integration between the Enterprise & the Cloud: A Best Buy Case Study
     - Thomas Kelly, Enterprise Architect, Best Buy
     - Tom Stickle, Lead Solution Architect, Amazon Web Services Partner Programs
     - Jaime Ryan, Partner Solutions Architect, Layer 7
     - November 17, 2011
  2. Housekeeping
     - Questions: chat any questions you have and we'll answer them at the end of this call
     - Twitter: today's event hashtag is #L7webinar
     - Follow us on Twitter as well: @BestBuy, @AWScloud, @layer7
     Layer 7 Confidential 2
  3. Thomas Kelly, Enterprise Architect, Best Buy
  4. Best Buy Open API
     BBYOpen is at the heart of a cloud-based infrastructure
     - Composed of a group of APIs dedicated to the externalization of partner data
     - Primary focus: Products, Categories, Reviews, Stores
     Design objectives
     - Highly scalable infrastructure that is responsive to the variation in retail systems
     - Extensible service layer that abstracts service location, both cloud and internal
     - Core repository with faceting selection based on requirements
     - Full end-to-end analytics supporting trending, behavioral, and statistical analysis
     - Extensive caching for low-latency response creation
     - Fully secured, identity-based access to services and resources
     - Support for both single- and multi-tenancy application development
  5. Cloud Scope
     BBYOpen is designed for extremely high utilization
     - All member applications are strictly decoupled
     - Interfacing between systems is strictly enforced
     - All applications are logically stateless
     - Client-side pagination supported
     - Intelligent caching supported
     - All member applications are load balanced and support autoscaling
     - Rolling spike redundancy built into the monitoring system
     - There is no standardized data model
     - Additionally, there is no standardized data source
     - All communication in and out of the cloud is via intermediary gateways
     - Internal data center services are locally virtualized
  6. Architectural Challenges
     Areas of particular concentration
     - Building a private virtual infrastructure in the cloud
     - Applying virtual security to a virtual environment
     - Coordinating interacting autoscaling layers
     - Scoping dependencies on internal services and data
     - Solving the EAV dilemma
     - Document caching vs. fast-changing data: avoiding the 'brute cache rebuild'
     - Implementing a high-speed bypass to the internal networks
     - Parallel service calls and just-in-time composition
     - Automating analytics-based ETL for data distribution and pre-caching
     - Securing a multitude of different varieties of cloud communication
     - Designing services/data for dual cloud/datacenter deployment
  7. Technologies/Platforms Utilized
     - Amazon EC2: cloud infrastructure services
     - Gateway: Layer 7 SecureSpan Gateway
     - Document composition: Tibco ActiveMatrix Service Grid and BusinessWorks
     - Caching: Amazon ElastiCache, Tibco ActiveSpaces
     - Data storage: Amazon Data Services, Tibco ActiveSpaces
     - Data migration/ETL: SnapLogic Server
  8. Concept Solution (diagram, no text transcribed)
  9. AAA Solution (diagram, no text transcribed)
  10. Dynamic Composition (diagram, no text transcribed)
  11. Spike Redundancy: Problem Space (diagram, no text transcribed)
  12. Spike Redundancy: Solution (diagram, no text transcribed)
  13. A Platform for Building Secure, Integrated Applications at Scale, November 17, 2011
  14. AWS is a Computing Platform
  15. AWS Global Reach
     AWS Regions: US East (Virginia), US West (Oregon), US West (N. California), AWS GovCloud (US), EU West (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo)
     AWS CloudFront locations: Ashburn, Palo Alto, Sao Paulo, Amsterdam, Hong Kong, Dallas, Seattle, Dublin, Tokyo, Jacksonville, St. Louis, Frankfurt, Singapore, Los Angeles, London, Miami, Paris, Newark, Stockholm, New York
  16. Designing Services at Scale (diagram labels: Redundant Transit Providers, Independent Power, Low Latency, Auto-Scaling, Elastic Load Balancer, Dynamic Arbitrary Scale)
  17. ISO 27001 Certification (cycle: Implementing, Reviewing, Operating, Maintaining, Monitoring, Improving)
     - Commitment to information security at every level of AWS
     - Validated by a third-party audit
     - Implements ISO 27002 security controls
     - Includes all AWS Regions
  18. SSAE 16 & ISAE 3402 Reports
     - Auditor-to-auditor communication of our controls
     - Based on our ISO 27002 controls
     - Covers EC2, S3, EBS and VPC
     - Audit conducted by an independent accounting firm on a recurring basis
  19. PCI DSS 2.0 Level 1 Compliance
     - The following AWS core infrastructure and services have been validated by an authorized independent QSA and are currently PCI DSS 2.0 compliant:
       - Amazon Elastic Compute Cloud (EC2)
       - Amazon Simple Storage Service (S3)
       - Amazon Elastic Block Storage (EBS)
       - Amazon Virtual Private Cloud (VPC)
     - These are the core services for supporting the processing, storage and transmission of cardholder data
  20. How does this relate to my certification?
     - Customers manage their own PCI certification
       - For the portion of the cardholder environment implemented on AWS, your QSA can rely on our validated service provider status
       - Your QSA can rely on our PCI compliance validation of our technology infrastructure
       - You will be responsible for the compliance and testing efforts that aren't related to the infrastructure
       - If your QSA needs additional supporting information, they can reach out to us directly
     (diagram: Customer -> QSA learns about AWS as a Service Provider -> QSA maps responsibilities of customer & AWS -> QSA contacts AWS for AoC and clarification)
  21. (no text transcribed)
  22. AWS Architecture Center
     White papers:
     - Cloud architectures
     - Building fault-tolerant applications
     - Web hosting best practices
     - Leveraging different storage options
     - AWS security best practices
  23. Shared Responsibility Model
     AWS: Facilities, Physical Security, Logical Separation, Network Threats
     Customer: Operating Systems, Application, Security Groups, OS Firewalls, Anti-Virus, Account Management
  24. Jaime Ryan, Partner Solution Architect, Layer 7
  25. Agenda
     Common security and governance layer for cloud integration
     - Application Security
     - API Management
     - Application Performance Optimization
     - Application Mediation
     Layer 7 architectural differentiators
  26. Application Security
     - Single interface to reduce use of customer-specific VPNs
     - Standard protocols plus network security
     - Application-aware threat protection
     - Traffic inspection, filtering, and validation of requests
     - Secured mediation of external partner callouts
       - Single Sign-on
       - Request/response scanning
     - PCI DSS compliance
  27. API Management
     - Managing API keys and user identities
     - Authentication/authorization of users and keys
     - Throttling peaks in traffic
     - Routing to load-balanced, auto-scaling application instances
     - Monitoring and reporting of API usage
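What the API management items on this slide amount to in code, as an added example (it is not Layer 7's SecureSpan code nor Best Buy's): an API-key check against a hashed key table, a per-identity fixed-window throttle, and a usage log, run over constructed sample requests. The key values, quotas, window length and request shape are assumptions made for the illustration.

```python
"""Added example: a minimal gateway policy chain (authenticate, throttle, log).
Not Layer 7 or Best Buy code; keys, quotas and request format are assumed."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed key table. Only a SHA-256 digest of each issued key is kept for
# lookup, so a leaked table does not leak usable credentials; the plaintext
# keys exist here only to build the sample traffic below.
ISSUED_KEYS = {
    "partner-a": "ka-0123456789abcdef",   # constructed sample value
    "partner-b": "kb-fedcba9876543210",   # constructed sample value
}

def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

KEY_TABLE = {_digest(k): owner for owner, k in ISSUED_KEYS.items()}

# Assumed policy values: allowed requests per identity per window.
QUOTA = {"partner-a": 3, "partner-b": 10}
WINDOW_SECONDS = 60

@dataclass
class Gateway:
    """Tracks request counts per identity inside a fixed time window."""
    window_start: dict = field(default_factory=dict)
    counts: dict = field(default_factory=lambda: defaultdict(int))
    usage_log: list = field(default_factory=list)

    def authenticate(self, api_key: Optional[str]) -> Optional[str]:
        """Return the owner of the key, or None if the key is unknown."""
        if not api_key:
            return None
        digest = _digest(api_key)
        # Compare against every stored digest in constant time so the lookup
        # does not leak which prefix of a key matched.
        for stored, owner in KEY_TABLE.items():
            if hmac.compare_digest(stored, digest):
                return owner
        return None

    def throttle(self, owner: str, now: float) -> bool:
        """Fixed-window counter: True if this request is still within quota."""
        start = self.window_start.get(owner)
        if start is None or now - start >= WINDOW_SECONDS:
            self.window_start[owner] = now
            self.counts[owner] = 0
        self.counts[owner] += 1
        return self.counts[owner] <= QUOTA[owner]

    def handle(self, request: dict) -> dict:
        """Policy chain: authenticate, throttle, record usage, then route."""
        owner = self.authenticate(request.get("headers", {}).get("X-Api-Key"))
        if owner is None:
            status = 401
        elif not self.throttle(owner, request["time"]):
            status = 429
        else:
            status = 200  # would be forwarded to a backend instance here
        self.usage_log.append((request["time"], owner, request["path"], status))
        return {"status": status, "owner": owner}

# Constructed sample traffic: partner-a bursts past its quota, an unknown and a
# missing key are rejected, partner-b stays within quota, and partner-a's
# counter resets once a new window starts.
SAMPLE_REQUESTS = [
    {"time": 0.0, "path": "/v1/products", "headers": {"X-Api-Key": "ka-0123456789abcdef"}},
    {"time": 1.0, "path": "/v1/products", "headers": {"X-Api-Key": "ka-0123456789abcdef"}},
    {"time": 2.0, "path": "/v1/stores", "headers": {"X-Api-Key": "ka-0123456789abcdef"}},
    {"time": 3.0, "path": "/v1/reviews", "headers": {"X-Api-Key": "ka-0123456789abcdef"}},
    {"time": 4.0, "path": "/v1/products", "headers": {"X-Api-Key": "bogus"}},
    {"time": 5.0, "path": "/v1/products", "headers": {}},
    {"time": 6.0, "path": "/v1/products", "headers": {"X-Api-Key": "kb-fedcba9876543210"}},
    {"time": 61.0, "path": "/v1/products", "headers": {"X-Api-Key": "ka-0123456789abcdef"}},
]

def run_policy(requests=SAMPLE_REQUESTS) -> list:
    """Return the HTTP status each sample request receives, in order."""
    gw = Gateway()
    return [gw.handle(r)["status"] for r in requests]

def usage_report(requests=SAMPLE_REQUESTS) -> dict:
    """Count outcomes per identity, the data a usage dashboard would show."""
    gw = Gateway()
    for r in requests:
        gw.handle(r)
    report = defaultdict(lambda: defaultdict(int))
    for _, owner, _, status in gw.usage_log:
        report[owner or "anonymous"][status] += 1
    return {k: dict(v) for k, v in report.items()}

if __name__ == "__main__":
    print(run_policy())
    print(usage_report())
```

The fixed-window counter is the simplest throttle and has a known edge: a client can send one full quota at the end of a window and another at the start of the next. A token bucket or sliding window smooths that, at the cost of more state per identity.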
  28. Application Mediation
     - Message format transformation: REST, SOAP, JSON, POX, others
     - Transport protocol bridging: HTTP, HTTPS, JMS, EMS, FTP
     - Multiple messaging patterns: pub/sub, sync/async, parallel execution
     - Service bus federation
     - Backend glue
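An added example of the message format transformation this slide lists, written here rather than taken from Layer 7 or Best Buy: a mediation step that turns a JSON request from a REST client into plain-old-XML (POX) for a backend, and turns the backend's XML reply back into JSON. The element names, the sample documents and the type-recovery rules are assumptions for the illustration.

```python
"""Added example: JSON <-> POX mediation. Not Layer 7 or Best Buy code;
document shapes and element names are constructed for this illustration."""
import json
import xml.etree.ElementTree as ET

def json_to_pox(value, tag: str) -> ET.Element:
    """Map a JSON value onto an element named `tag`.
    Objects become child elements, arrays repeat the tag, scalars become text."""
    elem = ET.Element(tag)
    if isinstance(value, dict):
        for key, child in value.items():
            items = child if isinstance(child, list) else [child]
            for item in items:
                elem.append(json_to_pox(item, key))
    elif isinstance(value, bool):      # must be tested before int/str handling
        elem.text = "true" if value else "false"
    elif value is None:
        elem.set("nil", "true")
    else:
        elem.text = str(value)
    return elem

def _scalar(text: str):
    """Recover a JSON scalar from element text (bool, int, float, else string)."""
    if text in ("true", "false"):
        return text == "true"
    for conv in (int, float):
        try:
            return conv(text)
        except ValueError:
            pass
    return text

def pox_to_json(elem: ET.Element):
    """Inverse mapping: repeated child tags become arrays, leaves become scalars.
    A single-element array is lossy (it comes back as a scalar) unless the
    backend schema says which elements repeat."""
    if elem.get("nil") == "true":
        return None
    children = list(elem)
    if not children:
        return _scalar(elem.text or "")
    result = {}
    for child in children:
        val = pox_to_json(child)
        if child.tag in result:
            if not isinstance(result[child.tag], list):
                result[child.tag] = [result[child.tag]]
            result[child.tag].append(val)
        else:
            result[child.tag] = val
    return result

def mediate_request(json_body: str) -> bytes:
    """Client JSON -> backend POX document (root element name is assumed)."""
    doc = json_to_pox(json.loads(json_body), "productRequest")
    return ET.tostring(doc, encoding="utf-8")

def mediate_response(xml_body: bytes) -> dict:
    """Backend POX -> dict ready for json.dumps. ElementTree does not expand
    external entities, but a gateway should still cap message size and
    schema-validate before parsing anything from a partner."""
    return pox_to_json(ET.fromstring(xml_body))

def roundtrip(json_body: str):
    """Convert JSON to POX and back, to show what the mapping preserves."""
    return pox_to_json(ET.fromstring(mediate_request(json_body)))

# Constructed sample messages.
SAMPLE_REQUEST = '{"sku": 12345, "fields": ["name", "price"], "inStock": true}'
SAMPLE_RESPONSE = (
    b"<productResponse><sku>12345</sku><name>Example TV</name>"
    b"<price>499.99</price><inStock>true</inStock>"
    b"<store>101</store><store>202</store></productResponse>"
)

if __name__ == "__main__":
    print(mediate_request(SAMPLE_REQUEST).decode())
    print(json.dumps(mediate_response(SAMPLE_RESPONSE), sort_keys=True))
```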
  29. Unique Form Factors
     Deploy the Gateway in any format. Supported form factors include:
     - Hardware
     - Amazon Machine Image
     - VMware / Xen
     - Software
     - Embedded
  30. Policy Flexibility and Workflow Operations
     - Predefined functional operations
     - Policy fragments
     - Global policies
     - Custom Assertion/Transport SDK
     - Split/Join
     - Sync/Async/Parallel/Serial
     - Looping
     - Logical constructs
  31. Manage Gateways Globally Across Networks & Cloud
     - Multi-datacenter, cloud dashboard: enterprise-scale global management provides a single view of the health and performance of all gateways and associated services
     - Network-insulated policy migration: automated dependency validation when migrating policies between environments; full rollback and approvals (diagram labels: dev01, cloud01, prod01, LDAP; Development, Production (Enterprise), (Cloud))
     - API and command line: command line, API and dashboard controls for health and patch
     - DR & backup controls: easily manage backups and restores
  32. Architecture Simplification
     - Remove VPNs
     - Minimize one-off application instances
     - On-box versioning, mediation, orchestration
     - Swiss Army Knife: fits multiple deployments/use cases
       - Front door
       - Partner API integration/SSO
       - Secure tunnel between enterprise and the cloud
       - Internal orchestration/mediation
  33. Questions?
     To learn more about Layer 7 solutions ...
     - Visit
     - Download whitepapers, datasheets, tutorials
     - Contact us