Security & Governance for the Cloud: a Savvis Case Study (Presented at Cloud Expo 2011)

Presentation from Cloud Expo on securing and governing cloud services, featuring Layer 7's Scott Morrison and Savvis' Bill Forsyth.

Published in: Technology

  1. Securing and Governing Cloud Services: A Savvis Case Study. Bill Forsyth, VP Eng.
  2. Savvis
     - Global leader in cloud infrastructure and hosted IT solutions for enterprises
     - Key metrics
       - Nearly 2,500 unique business and government clients, including more than 30 of the top 100 companies in the Fortune 500
       - More than 2,200 employees with deep expertise in technical operations, customer support, engineering and consulting
       - $933 million in revenue in 2010
     - Services
       - Cloud: one of the industry's broadest lines of enterprise-class cloud services
       - Colocation, Managed Hosting and Utility Compute: facilities and operations; compute, storage and network
       - Network: converged applications; community of interest networks; private lines; Internet
       - Security: managed security services and consulting
       - Industry Solutions: financial, government and Software-as-a-Service (SaaS)
       - Professional Services: infrastructure, security, business continuity, compliance and program management
     Savvis Proprietary & Confidential
  3. Savvis Symphony Family
     - Savvis Symphony Dedicated: Hosted Private Cloud solution (dedicated, virtual infrastructure)
     - Savvis Symphony Open: Flexible Multi-Tenant Cloud solution (multi-tenant virtual infrastructure)
     - Savvis Symphony VPDC: Virtual Private Data Center solution (complete virtual private data centers)
  4. Customer Requirements
     - Enterprise customers wanting the flexibility and cost benefits of multi-tenant public clouds, in a private, secure fashion
     - APIs expose/control the VPDC (compute, storage, network, and security policy)
     - APIs may be private or public
     - For public APIs
       - Bad actors
       - Accidental misuse
     - Compliance
       - FISMA
       - PCI
  5. Cloud Definition (diagram: Essential Characteristics, Service Models, Deployment Models)
  6. Layer 7 Detail
  7. VPDC System Boundaries (architecture diagram; components recovered from the slide)
     - Cloud Site Management Network and Multitenant Virtual Data Center (VDC)
     - Management Services POD: DNS, AD/LDAP, NTP, Logging Servers, Bastion, Virtualization Manager, Security Manager, Storage Manager, Firewall Manager, Back-up Manager, Multi-Use Server, Provisioning Systems, CMDB, Ticketing, Event Management, Middleware/Business Services, Compute PODs
     - Services POD: Layer7, WAF, VPDC API Portal, Virtual Orchestration, Storage Services POD, Network Services POD, Middleware/Business Services, Cloud Services Firewall (IN) and Cloud Services Firewall (OUT)
     - Surrounding zones: Corporate Network, Corporate Firewall, Back Office Network, DMZ Network
  8. Securing the Cloud (out of box)
     - Require SSL
     - Audit calls
     - IDS
     - DDoS
     - Provide security penetration protection
       - Code injection
       - Malformed requests
       - SQL attacks
       - Limit request message size
       - Check for XML, and reject DOCTYPE (prevents external XML element definition)
       - Protect against XML document structure (limit depth of XML tree)
       - Automatic retry on target service
  9. Securing the Cloud (configured)
     - Authentication and authorization
     - Credential caching and expiration
     - IP restrictions (white listing)
     - Provide rate limiting
     - Provide API service level monitoring
       - Target service timeout alert to support
       - Monitoring overall health
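The configured controls from the slide above (IP white listing, credential caching with expiration, and per-client rate limiting) as an added example of a small in-memory admission policy. This is illustrative code, not Savvis or Layer 7 code; the allowed network, cache lifetime and rate limit are constructed sample values, and the credential verifier is an injected callable standing in for the real backend.

```python
"""Added example: admission checks in the order the slide lists them.
All constants are assumed sample values."""
import ipaddress
import time

ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed customer range
CRED_TTL_SECONDS = 300   # assumed credential cache lifetime
RATE_LIMIT = 5           # assumed: requests per window per principal
WINDOW_SECONDS = 60


class Gateway:
    def __init__(self, verify_credential, clock=time.monotonic):
        self._verify = verify_credential   # slow backend check, e.g. LDAP bind
        self._clock = clock                # injectable for deterministic tests
        self._cred_cache = {}              # token -> (principal, expires_at)
        self._hits = {}                    # principal -> request timestamps

    def ip_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in ALLOWED_NETS)

    def authenticate(self, token: str):
        """Return the principal for a valid token, using the cache until
        the entry expires; None if the backend rejects the token."""
        now = self._clock()
        cached = self._cred_cache.get(token)
        if cached and cached[1] > now:
            return cached[0]
        principal = self._verify(token)
        if principal is None:
            self._cred_cache.pop(token, None)   # never cache a failure
        else:
            self._cred_cache[token] = (principal, now + CRED_TTL_SECONDS)
        return principal

    def within_rate(self, principal: str) -> bool:
        """Sliding-window limit: keep only hits inside the current window."""
        now = self._clock()
        hits = [t for t in self._hits.get(principal, []) if t > now - WINDOW_SECONDS]
        allowed = len(hits) < RATE_LIMIT
        if allowed:
            hits.append(now)
        self._hits[principal] = hits
        return allowed

    def admit(self, ip: str, token: str):
        """Return (allowed, reason_or_principal); cheapest checks first."""
        if not self.ip_allowed(ip):
            return False, "ip not white listed"
        principal = self.authenticate(token)
        if principal is None:
            return False, "authentication failed"
        if not self.within_rate(principal):
            return False, "rate limit exceeded"
        return True, principal
```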
  10. Governing API Sets (diagram: Layer 7 SOA Governance in front of the VPDC Portal, OSS, Storage and Security)
     - Throttling
     - Policy
     - Monitoring / Reporting
     - Usage
     - Billing
     - Authentication
     - Authorization
  11. Governance
     - Isolation of API types and dependencies
     - Reduce number of interface types
     - Protocol translation
     - Centralization of control
     - Reporting (availability, billing, etc.)
     - Policy (hierarchy, push, promotion, rollback)
     - Delegation of administration and offloading of developers (security, auditing, throttling, etc.)
     - Perform HREF URL manipulation (replace target service URI with proxy/internal URI; e.g. replace … with …)
     - Route based on URL, IP, content, etc.
     - External integration
       - Logging
       - OSS event management (faults, SLA violations, etc.)
       - CMDB (entitlements, logical representations, meta-data, etc.)
     - Flexible deployment (physical device, appliance, multi-site, multi-environment, clustered)
  12. Business Enablers
     - Partners
     - Resellers
     - API billing extensions
     - SLA
     - Tiered usage
  13. VPDC Service Levels
  14. Billing Use Case
  15. PaaS / Composite Operation Example (diagram: Layer 7 composes the VPDC calls /VPDC_CreateVM, /VPDC_ProcessData and /VPDC_DestroyVM behind a single /PaaSFunction1 operation)
  16. Phase 1
       - Site with discussion forums or e-mail alias support
       - Webinar for partners and customers
       - Invited developer accounts with restrictions
       - Examples
       - Usage reporting
      Phase 2
       - Enhance site
       - Sandbox
       - Webinars
       - More examples
       - Voting on requirements/ideas
       - Monetization (tiered usage, partner certification)
       - Developer marketing
      Phase 3
       - Ongoing improvements based on demand and feedback
  17. Thank You