Moving Business to the Cloud: A Tale of Security and
Governance
Rag Ramanathan
When is Cloud a Fit for Enterprises?

       •  Customer 1: Global financial institution
              – Variable, periodic demand
              – Internal resource constraints
       •  Customer 2: SaaS based enterprise feedback
          system
              – Focus on core business
              – Speed of provisioning is constraining business
                execution
       •  Customer 3: International educational
          publishing and technology company
              – Focus on core business
              – Variable, periodic or seasonal demand

Savvis Proprietary & Confidential
What Kind of Cloud is Right For You?

       Public Cloud (Internet – Public IP)
              •  SaaS Enablement
              •  Web Hosting
              •  Proof of Concept
              •  Test/Development

       Hybrid Cloud
              •  Cloud Bursting
              •  Test/Development
              •  Peak Performance Bursting

       Private Cloud (Private – Private IP)
              •  Voice/Video
              •  Sensitive Data
              •  Production Applications
              •  Traffic Management
Cloud Use Case: Global Financial Institution

         Building a private cloud on dedicated infrastructure in the US and UK
         with public cloud bursting. Tenants are internal groups.

         •    Uses Virtual Private Data Center on dedicated infrastructure
         •    Able to create and manage multiple virtual data centers
         •    Uses 3rd-party cloud aggregation software
         •    Integrates using APIs
         •    VPN integrates internal and external networks
         •    Manages their own user authentication and authorization
         •    Manages their own IP addresses (DHCP server)

         Diagram: Enterprise connects to hybrid private/public cloud.
Challenges of Hybrid Cloud

         Integration
         Making external compute, cloud & applications look internal is often
         an integration challenge.

         Security
         Whether opening up to public or outsourced private cloud, you will
         encounter some repeat challenges in moving data and workloads.

         Governance
         How do you define policies for how the enterprise consumes & interacts
         with cloud services?
The Secret to Hybrid Cloud: SOA & APIs

         SOA is the integration framework for connecting the enterprise with
         private & public cloud.

         APIs are the way enterprise systems access provisioning, management &
         application systems in the cloud.

         SOA gateways designed for cloud (e.g. Layer 7, Vordel, Apigee, SOA
         Software) are the best way to address security & governance challenges.
Why SOA / APIs?


          >>         APIs to integrate

          >> APIs for management, operations & run-time

          >> APIs for automating provisioning

          >> APIs to expose/control the cloud services

          >> Strongest authentication & authorization

          >> Facility for compliance enforcement


SOA / API Challenges

         Security
                  • Authorization
                  • Basic firewall
                  • DDoS
                  • SSL for each service end point
                  • Audit logs
                  • Authentication

         Governance
                  • Availability
                  • Performance
                  • Protection
                  • Meeting SLAs
                  • Maintain QoS
                  • Audit trails
                  • Data for investigation & reporting
But SOA / API Security & Governance Is Bigger

         Security Penetration Protection
                  •  Code injection
                  •  Malformed requests
                  •  SQL attacks

         Message Protection
                  •  XML DOCTYPE insertion
                  •  XML document structure
                  •  Limit message size

         Traffic Control
                  •  Rate limit
                  •  Tiered service levels
                  •  Automatic retries

         And more:
                  >> Credential caching & expiration
                  >> IP restrictions
                  >> OAuth support
                  >> Reporting and analytics
                  >> Common authentication & authorization across all services
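The "Message Protection" and "Traffic Control" columns above name gateway checks without showing them. The following is an added example (not Savvis or Layer 7 code) of what a gateway policy does in front of an XML API: it caps message size, rejects any DOCTYPE or entity declaration (where XXE and entity-expansion payloads live), bounds element nesting and count, and applies a per-client token bucket before the message is even parsed. The limits, client key and sample messages are constructed for illustration.

```python
"""Gateway-style message protection and traffic control for an XML API.

Added example (not Savvis or Layer 7 code). Limits, client keys and the sample
messages below are constructed for illustration.
"""
import xml.parsers.expat as expat

# Assumed gateway limits; a real policy would make these configurable per service.
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000


class RejectedMessage(Exception):
    """Raised when a request violates a message-protection rule."""


def inspect_xml(body: bytes) -> dict:
    """Enforce size, DOCTYPE/entity and structure limits while parsing with expat.

    Returns {"max_depth", "elements"} for an acceptable message, otherwise raises
    RejectedMessage. Exceptions raised inside expat handlers propagate out of Parse().
    """
    if len(body) > MAX_BODY_BYTES:
        raise RejectedMessage(f"body too large: {len(body)} bytes")

    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # XXE and "billion laughs" payloads both need a DOCTYPE; refuse it outright.
        raise RejectedMessage("DOCTYPE declaration not allowed")

    def on_entity_decl(*_args):
        raise RejectedMessage("entity declaration not allowed")

    def on_start(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > MAX_DEPTH:
            raise RejectedMessage(f"nesting depth exceeds {MAX_DEPTH}")
        if stats["elements"] > MAX_ELEMENTS:
            raise RejectedMessage(f"element count exceeds {MAX_ELEMENTS}")

    def on_end(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise RejectedMessage(f"malformed XML: {exc}") from None
    return {"max_depth": stats["max_depth"], "elements": stats["elements"]}


class TokenBucket:
    """Per-client token bucket: refill `rate` tokens/second, hold at most `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self._state = {}  # client key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True
        self._state[key] = (tokens, now)
        return False


def gateway_admit(body: bytes, client_key: str, now: float, bucket: TokenBucket) -> dict:
    """Traffic control first (rejected messages still cost quota), then message protection."""
    if not bucket.allow(client_key, now):
        return {"allowed": False, "reason": "rate limit exceeded"}
    try:
        stats = inspect_xml(body)
    except RejectedMessage as exc:
        return {"allowed": False, "reason": str(exc)}
    return {"allowed": True, "reason": "ok", **stats}


# Constructed sample messages: a benign order, an XXE attempt, and a nesting bomb.
GOOD = b"<order><id>1</id><qty>2</qty></order>"
XXE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>'
       b"<order>&e;</order>")
DEEP = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    bucket = TokenBucket(rate=1.0, burst=3)
    for msg in (GOOD, XXE, DEEP, b"<a><b></a>"):
        # The fourth call at the same instant is rate-limited before parsing.
        print(gateway_admit(msg, "tenant-acme", 0.0, bucket))
```

The ordering is deliberate: the rate limiter runs before the parser so that a client sending malformed or oversized messages burns its own quota rather than the gateway's CPU, and the size check runs before expat sees a single byte. In a distributed gateway deployment the bucket state would have to live in shared storage rather than a per-process dict.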
…along with
                  >> Common API security

                  >> Common logging and auditing

                  >> Reporting and analytics

                  >> Support for multiple versions

                  >> Protocol transformation

                  >> Delegated policy authoring

                  >> Best practices based common policy libraries

                  >> Centralized policy release and enforcement

                  >> External system integration (OSS, BSS, CMDB)
How Are We Addressing These Hybrid Cloud Integration Requirements for Biz?

         Common API and SOA Governance Layer Using a Cloud Gateway
Common API / SOA Security & Governance Layer Using Layer 7 Gateway

         Diagram: Common API and SOA governance for cloud. An API / SOA / Cloud
         Governance Gateway fronts the VPDC, Portal, OSS and Storage back ends
         and applies:
                  Policy:    • Throttling  • Monitoring
                  Reporting: • Usage       • Billing
                  Security:  • Authentication  • Authorization
Deployment of Layer 7 Cloud Gateway

         (Diagram-only slide.)
Specific Security Example

       •  Requirement: Provide multi-factor authentication for all APIs
       •  Option 1:
              –  Each service or product implements its own solution
              –  Will require weeks to months of implementation and testing
       •  Option 2:
              –  Provide a common security service via a proxy
              –  Apply a single, best-practices-based solution across all the services
              –  Use Layer 7 policy for OAuth (2-legged)
              –  Integrate key/token management and distribution between Layer
                 7, Savvis Portal, BSS, and OSS
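Option 2 puts signature verification in one proxy so that no back-end service has to implement it. The slide does not name the OAuth version; the added example below (not Savvis or Layer 7 code) assumes OAuth 1.0a (RFC 5849), whose "2-legged" flow signs every request with a consumer key/secret and no user token. It shows both sides: the calling service producing the Authorization header, and the proxy rebuilding the signature base string, checking the HMAC-SHA1 signature in constant time, and rejecting stale timestamps and replayed nonces. The consumer key, secret and URL are constructed. One caveat a practitioner will notice: on its own, 2-legged OAuth authenticates the caller by a single secret; the slide does not say what it counts as the second factor.

```python
"""2-legged OAuth 1.0a (RFC 5849, HMAC-SHA1) enforced at a proxy.

Added example (not Savvis or Layer 7 code). Assumes OAuth 1.0a; consumer keys,
secrets and URLs below are constructed.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Constructed registry of key/secret pairs the portal/BSS would issue and distribute.
CONSUMERS = {"svc-portal": "s3cr3t-portal-key"}


def _pct(value) -> str:
    """RFC 5849 section 3.6 percent encoding: only unreserved characters stay literal."""
    return urllib.parse.quote(str(value), safe="~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD&base_url&normalized_params (section 3.4.1); oauth_signature is excluded."""
    parts = urllib.parse.urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    items = list(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    items += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_pct(k), _pct(v)) for k, v in items))
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # 2-legged: no access token, so the token-secret half of the key is empty.
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def client_authorization_header(method, url, consumer_key, consumer_secret, nonce, timestamp) -> str:
    """What the calling service sends; it must pick a fresh nonce for every request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(signature_base_string(method, url, oauth), consumer_secret)
    return "OAuth " + ", ".join(f'{k}="{_pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization_header(header: str) -> dict:
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    params = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        params[key] = urllib.parse.unquote(value.strip('"'))
    return params


class OAuthProxy:
    """Common security service: verifies every request before it reaches a back end."""

    def __init__(self, consumers: dict, clock_skew: int = 300):
        self.consumers = consumers
        self.clock_skew = clock_skew
        # (consumer_key, timestamp, nonce); entries older than clock_skew can be pruned.
        self.seen = set()

    def verify(self, method: str, url: str, auth_header: str, now: int) -> tuple:
        try:
            p = parse_authorization_header(auth_header)
        except ValueError as exc:
            return False, str(exc)
        secret = self.consumers.get(p.get("oauth_consumer_key", ""))
        if secret is None:
            return False, "unknown consumer"
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(p["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.clock_skew:
            return False, "stale timestamp"
        replay_key = (p["oauth_consumer_key"], ts, p.get("oauth_nonce", ""))
        if replay_key in self.seen:
            return False, "replayed nonce"
        expected = hmac_sha1_signature(signature_base_string(method, url, p), secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return False, "bad signature"
        self.seen.add(replay_key)  # record the nonce only once the signature checks out
        return True, "ok"


if __name__ == "__main__":
    url = "https://api.example.com/v1/vpdc?tenant=acme"
    hdr = client_authorization_header("GET", url, "svc-portal", CONSUMERS["svc-portal"], "n0nce1", 1700000000)
    proxy = OAuthProxy(CONSUMERS)
    print(proxy.verify("GET", url, hdr, 1700000005))  # first use: accepted
    print(proxy.verify("GET", url, hdr, 1700000006))  # same header again: replayed nonce
```

Two details matter for the "flexible and distributed deployment" the deck recommends later: the nonce cache must be shared (or partitioned by consumer) across gateway nodes, or a replay can simply be sent to a different node; and the proxy must sign over the URL as the back end will see it, so any URL rewriting has to happen after verification, not before.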
Lessons Learned & Recommendations
            >> APIs drive more cloud traffic than web sites

            >> Take an API-first design approach

            >> Drive toward a common framework

                     > Configuration based, not development based
                     > Supports flexible and distributed deployment models
                     > Extensible

            >> Be prepared to handle special requests

            >> Do thorough testing of APIs for security

            >> Look at a Security & Governance Gateway for Cloud

Gartner Catalyst Savvis Cloud API Case Study
