
Securing and Governing Cloud APIs


A look at why APIs matter in the Cloud and their unique security challenges

Published in: Technology, Business

  1. Securing and governing cloud APIs. Rag Ramanathan, Director of Product Management, APIs
  2. Nearly 2,500 unique clients, including more than 32 of the top 100 companies in the Fortune 500. Savvis Proprietary & Confidential
  3. Savvis is positioned in the Leaders Quadrant of the Gartner Magic Quadrant for Public Cloud Infrastructure as a Service. Source: Gartner, Inc., Magic Quadrant for Public Cloud Infrastructure as a Service, Lydia Leong, Ted Chamberlin, December 8, 2011. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Savvis.
  4. Savvis services portfolio (slide diagram): SaaS Enablement; Business Continuity; Content Management; Proximity Hosting; Managed Applications; Web Hosting; Managed Hosting (Dedicated); Savvis Symphony (Dedicated and Multi-Tenant Clouds); Intelligent Monitoring; Colocation; Managed Storage and Backup; Managed Security; Managed Network; Professional Services; Intelligent Secure Facilities; Enterprise Equipment Management Tools.
  5. Virtual Private Data Center (VPDC): Savvis Symphony VPDC orchestration and provisioning. The VPDC Portal provides a topology designer, automated provisioning (technical and business), end-user self-service, and provisioning onto Savvis data center infrastructure.
  6. Architecture overview (slide diagram). Front end: Portal, Proxy, API. Middleware: Business Orchestration/Service Fulfillment, Cloud Database, Cloud Orchestration. Cloud Infrastructure: Network, Security, Storage, Data Center Fabric, Compute Resources. Systems Management Services: Service Support, Incident Management, SLA Management, Event Management, Service Resources.
  7. Supporting multiple channels? Web portal, smartphones, tablets and the API serve the Savvis web portal, Savvis customer apps, ISV partner apps and reseller apps.
  8. Why APIs? “Road to the Cloud is through APIs” (Chenxi Wang, Forrester analyst, @chenxiwang)
  9. So we offer cloud APIs: for IaaS, based on the vCloud API specification, with additional Savvis feature-specific APIs. Initially offered to a handful of customers as a beta; we learned from that and matured the APIs. Customers ran their own “pen tests” and submitted enhancement requests. More customers and partners are using the APIs, and demand continues to grow.
  10. API challenges
      Security: authorization; basic firewall; DDoS; SSL for service end points; audit logs.
      Governance: availability; performance; protection; meeting SLAs; maintaining QoS; audit trails; reporting.
  11. API security & governance is bigger
      Security penetration protection: code injection; malformed requests; SQL attacks.
      Message protection: XML DOCTYPE insertion; XML document structure; limit message size.
      Traffic control: rate limit; tiered service levels; automatic retries.
      And more: credential caching & expiration; IP restrictions; OAuth support; reporting and analytics; common authentication & authorization across all services.
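The message-protection column above (DOCTYPE insertion, document structure, message size) and the malformed-request item beside it describe checks a gateway makes before a request reaches the orchestration tier. The following is an added example written for this page, not code from Savvis or from the Layer 7 gateway: a Python pre-filter that rejects an oversized body, any DOCTYPE or ENTITY declaration (the vehicle for XXE and entity-expansion attacks), XML that is not well-formed, and a root element other than the one the operation expects. The 64 KiB limit, the `Vm`/`Network` element names and the sample requests are illustrative assumptions, not Savvis policy or captured traffic.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Illustrative policy value (assumption); a real gateway loads this per API.
MAX_BODY_BYTES = 64 * 1024
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)


def inspect_xml_request(body: bytes, expected_root: Optional[str] = None) -> Tuple[bool, str]:
    """Gateway-side checks on an inbound XML API body, cheapest first.

    Rejects, in order: an oversized body, any DOCTYPE/ENTITY declaration,
    a body that is not well-formed XML, and a root element other than the
    one the operation expects. Returns (accepted, reason) for the audit log.
    """
    if len(body) > MAX_BODY_BYTES:
        return False, "body of %d bytes exceeds limit of %d" % (len(body), MAX_BODY_BYTES)
    # Raw-byte check before parsing: entity declarations never belong in an API request.
    if DOCTYPE_RE.search(body) or ENTITY_RE.search(body):
        return False, "DOCTYPE/ENTITY declarations are not allowed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if expected_root is not None and root.tag != expected_root:
        return False, "unexpected root element %r" % root.tag
    return True, "ok"


# Constructed sample requests for the demo (not real captured traffic).
SAMPLES: Dict[str, bytes] = {
    "benign": b"<Vm name='web-01'><Description>front end</Description></Vm>",
    "xxe": (b"<?xml version='1.0'?>"
            b"<!DOCTYPE Vm [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]>"
            b"<Vm name='&xxe;'/>"),
    "malformed": b"<Vm name='web-01'><Description>unterminated</Vm>",
    "oversized": b"<Vm>" + b"A" * MAX_BODY_BYTES + b"</Vm>",
    "wrong_root": b"<Network name='prod'/>",
}


def run_samples() -> Dict[str, Tuple[bool, str]]:
    """Apply the policy to each sample as if it were a request to a Vm operation."""
    return {name: inspect_xml_request(body, expected_root="Vm") for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in run_samples().items():
        print("%-10s %s %s" % (name, "ACCEPT" if accepted else "REJECT", reason))
```

The order matters: the size check runs before any parsing so an attacker cannot make the gateway spend CPU on a large body, and the DOCTYPE check runs on the raw bytes so no parser configuration detail decides whether external entities get resolved.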
  12. …along with
      >> Common API security
      >> Common logging and auditing
      >> Reporting and analytics
      >> Support for multiple versions
      >> Protocol transformation
      >> Delegated policy authoring
      >> Best-practices-based common policy libraries
      >> Centralized policy release and enforcement
      >> Internal systems integration (OSS, BSS, CMDB)
  13. API security & governance layer using a Layer 7 Gateway (API / SOA / Cloud Governance Gateway): common API and SOA policy governance for the cloud, providing throttling, monitoring, reporting, usage, billing, authentication and authorization; it sits in front of the VPDC Portal, OSS, storage and security systems.
  14. Layer 7 deployment (diagram only)
  15. Lessons learned & recommendations
      >> APIs drive more cloud traffic than web sites
      >> Take an API-first design approach
      >> Drive toward a common framework
         > Configuration based, not development based
         > Supports flexible and distributed deployment models
         > Extensible
      >> Be prepared to handle special requests
      >> Do thorough security testing of APIs
      >> Look at a security & governance gateway for the cloud
  16. Next steps
      • Add an internal API gateway
      • OAuth for external APIs
      • Quota and rate limit by specific APIs
      • Developer portal
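The traffic-control column of slide 11 (rate limit, tiered service levels) and the "quota and rate limit by specific APIs" item above call for the same piece of machinery, so one added example serves both. It is written for this page and is not Savvis or Layer 7 code: a token-bucket limiter keyed by API key, whose rate and burst come from the client's service tier, combined with a per-operation quota so that an expensive provisioning call can be capped independently of cheap reads. The tier numbers, quota values, operation names and API keys are illustrative assumptions; the clock is injectable so the scenario in `demo()` is deterministic.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Illustrative tiers and quotas (assumptions for this example, not Savvis values).
TIERS = {
    "basic":   {"rate": 2.0,  "burst": 5},   # sustained requests/second, burst size
    "premium": {"rate": 20.0, "burst": 50},
}
API_QUOTAS = {                # per-key quota for the billing period, by operation
    "POST /vApp": 3,          # provisioning is expensive, so it gets a tight quota
    "GET /vApp": 10000,
}


@dataclass
class Bucket:
    rate: float       # tokens added per second
    capacity: float   # maximum burst
    tokens: float     # tokens currently available
    last: float       # clock reading at the last refill


class Throttler:
    """Token-bucket rate limiting per API key plus a per-operation quota."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock                                  # injectable for tests
        self.buckets: Dict[str, Bucket] = {}
        self.quota_used: Dict[Tuple[str, str], int] = {}

    def _bucket(self, api_key: str, tier: str) -> Bucket:
        if api_key not in self.buckets:
            t = TIERS[tier]
            self.buckets[api_key] = Bucket(t["rate"], float(t["burst"]),
                                           float(t["burst"]), self.clock())
        return self.buckets[api_key]

    def allow(self, api_key: str, tier: str, operation: str) -> Tuple[bool, str]:
        """Decide one request; returns (allowed, reason) for the audit log."""
        bucket = self._bucket(api_key, tier)
        now = self.clock()
        # Refill proportionally to elapsed time, never beyond the burst capacity.
        bucket.tokens = min(bucket.capacity, bucket.tokens + (now - bucket.last) * bucket.rate)
        bucket.last = now
        used = self.quota_used.get((api_key, operation), 0)
        quota = API_QUOTAS.get(operation)
        # Quota is checked first so a quota-denied request does not burn rate tokens.
        if quota is not None and used >= quota:
            return False, "quota of %d exhausted for %s" % (quota, operation)
        if bucket.tokens < 1.0:
            return False, "rate limit exceeded for tier %s" % tier
        bucket.tokens -= 1.0
        self.quota_used[(api_key, operation)] = used + 1
        return True, "ok"


def demo() -> Dict[str, List[bool]]:
    """Scripted scenario on a fake clock: basic tier bursts 5, then refills 2/s."""
    now = [0.0]
    th = Throttler(clock=lambda: now[0])
    burst = [th.allow("basic-key", "basic", "GET /vApp")[0] for _ in range(6)]
    now[0] += 1.0                                  # one second later: 2 tokens back
    refill = [th.allow("basic-key", "basic", "GET /vApp")[0] for _ in range(3)]
    quota = [th.allow("premium-key", "premium", "POST /vApp")[0] for _ in range(4)]
    return {"burst": burst, "after_refill": refill, "quota": quota}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Keying the bucket by API key rather than by source IP is what makes tiered service levels enforceable behind a shared proxy, and keeping the quota per (key, operation) is what lets a gateway give "POST /vApp" a different ceiling from "GET /vApp" without touching the rate tier.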
  17. Thank you. Want to work on cloud APIs? We are hiring. Contact: Twitter @ragram