Secure and Govern Integration between the Enterprise & the Cloud
 A Best Buy Case Study
Thomas Kelly, Enterprise Architect, Best Buy
Tom Stickle, Lead Solution Architect, Amazon Web Services Partner Programs
Jaime Ryan, Partner Solutions Architect, Layer 7
November 17, 2011
Housekeeping
 Questions
 - Chat any questions you have and we’ll answer them at the end of this call

 Twitter
 - Today’s event hashtag:
   - #L7webinar
 - Follow us on Twitter as well:
   - @BestBuy
   - @AWScloud
   - @layer7

 facebook.com/layer7
 layer7.com/linkedin
 layer7.com/blogs

                                                                    Layer 7 Confidential   2
Thomas Kelly, Enterprise Architect, Best Buy
Best Buy Open API
 BBYOpen is at the heart of a cloud based infrastructure
  - Composed of a group of APIs dedicated to the externalization of partner data
  - Primary focus
    - Products, Categories, Reviews, Stores
 Design Objectives
  - Highly scalable infrastructure that is responsive to the variation in retail systems.
  - Extensible service layer that abstracts service location, both cloud and internal
  - Core repository with faceting selection based on requirements
  - Full end to end analytics supporting trending, behavioral, and statistical analysis.
  - Extensive caching for low latency response creation
  - Fully secured, identity based access to services and resources
  - Support for both single and multi-tenancy application development.


Cloud Scope
 BBYOpen is designed for extremely high utilization
  - All member applications are strictly decoupled
    - Interfacing between systems strictly enforced
    - All applications are logically stateless
      - Client side pagination supported
      - Intelligent caching supported
  - All member applications are load balanced and support autoscaling
    - Rolling spike redundancy built into the monitoring system
  - There is no standardized data model
    - Additionally, there is no standardized data source
  - All communication in and out of the cloud is via intermediary gateways
  - Internal data center services are locally virtualized


Architectural Challenges
 Areas of particular concentration
  - Building a private virtual infrastructure in the cloud
  - Applying virtual security to a virtual environment
  - Coordinating interacting autoscaling layers
  - Scoping dependencies on internal services and data
  - Solving the EAV dilemma
  - Document caching vs. fast changing data – avoiding the ‘brute cache rebuild’
  - Implementing a high speed bypass to the internal networks
  - Parallel service calls and just in time composition
  - Automating analytics based ETL for data distribution and pre-caching
  - Securing a multitude of different varieties of cloud communication
  - Designing services/data for dual cloud/datacenter deployment


Technologies/Platforms Utilized
 Amazon EC2
 - Cloud infrastructure services
 Gateway
 - Layer7 SecureSpan Gateway
 Document Composition
 - Tibco ActiveMatrix Service Grid and Business Works
 Caching
 - Amazon ElastiCache, Tibco ActiveSpaces
 Data Storage
 - Amazon Data Services, Tibco ActiveSpaces
 Data Migration/ETL
 - SnapLogic Server


Concept Solution

AAA Solution

Dynamic Composition

Spike Redundancy – Problem Space

Spike Redundancy – Solution

A Platform for Building Secure, Integrated Applications at Scale
 November 17, 2011
AWS is a Computing Platform
AWS Global Reach

AWS Regions
US East (Virginia)
US West (Oregon)
US West (N. California)
AWS GovCloud (US)
EU West (Ireland)
Asia Pacific (Singapore)
Asia Pacific (Tokyo)



AWS CloudFront Locations
 - Ashburn, Dallas, Jacksonville, Los Angeles, Miami, Newark, New York
 - Palo Alto, Seattle, St. Louis
 - Sao Paulo
 - Amsterdam, Dublin, Frankfurt, London, Paris, Stockholm
 - Hong Kong, Tokyo, Singapore
Designing Services at Scale
 Redundant Transit Providers
 Independent Power
 Low Latency

 (Diagram: API instances behind an Elastic Load Balancer with Auto-Scaling, giving dynamic, arbitrary scale; fronted as www.partner.com)
ISO 27001 Certification

 (Cycle: Implementing, Operating, Monitoring, Reviewing, Maintaining, Improving)


    Commitment to info security at every level of AWS
    Validated by a third-party audit
    Implements ISO 27002 security controls
    Includes all AWS Regions
SSAE 16 & ISAE 3402 Reports


 Auditor to Auditor Communication of our controls
 Based on our ISO 27002 controls
 Covers EC2, S3, EBS and VPC
 Audit conducted by an independent accounting firm on a recurring basis
PCI DSS 2.0 Level 1 Compliance
• The following AWS core infrastructure and services have
  been validated by an authorized independent QSA and
  are currently PCI DSS 2.0 compliant:

      •   Amazon Elastic Compute Cloud (EC2)
      •   Amazon Simple Storage Service (S3)
      •   Amazon Elastic Block Storage (EBS)
      •   Amazon Virtual Private Cloud (VPC)


• These are the core services for supporting the
  processing, storage and transmission
  of cardholder data
How does this relate to my certification?
• Customers manage their own PCI certification
   • For the portion of the cardholder environment implemented
     on AWS, your QSA can rely on our validated service
     provider status.
   • Your QSA can rely on our PCI compliance validation
     of our technology infrastructure
   • You will be responsible for the compliance and
     testing efforts that aren’t related to the infrastructure
   • If your QSA needs additional supporting information,
     they can reach out to us directly

 (Flow: Customer QSA learns about AWS as a Service Provider → QSA contacts AWS for AoC and clarification → QSA maps responsibilities of customer & AWS)
aws.amazon.com/security
AWS Architecture Center

 aws.amazon.com/architecture

 White papers:
     Cloud architectures
     Building fault-tolerant applications
     Web hosting best practices
     Leveraging different storage options
     AWS security best practices
Shared Responsibility Model

 AWS
 - Facilities
 - Physical Security
 - Logical Separation
 - Network Threats

 Customer
 - Operating Systems
 - Application
 - Security Groups
 - OS Firewalls
 - Anti-Virus
 - Account Management
Jaime Ryan, Partner Solution Architect, Layer 7
Agenda
 Common security and governance layer for cloud integration
 - Application Security
 - API Management
 - Application Performance Optimization
 - Application Mediation
 Layer 7 architectural differentiators

Application Security
 Single interface to reduce use of customer-specific VPNs
 Standard protocols plus network security
 Application-aware threat protection
 Traffic inspection, filtering, and validation of requests
 Secured mediation of external partner callouts
 - Single Sign-on
 - Request/response scanning
 PCI DSS Compliance

API Management
 Managing API keys and user identities
 Authentication/authorization of users and keys
 Throttling peaks in traffic
 Routing to load-balanced auto-scaling application instances
 Monitoring and reporting of API usage

Application Mediation
 Message format transformation
 - REST, SOAP, JSON, POX, others
 Transport Protocol Bridging
 - HTTP, HTTPS, JMS, EMS, FTP
 Multiple messaging patterns
 - pub/sub, sync/async, parallel execution
 Service Bus Federation
 Backend glue

Unique Form Factors
 Deploy Gateway In Any Format
 Supported form factors include:
 - Hardware
 - VMware / Xen
 - Amazon Machine Image
 - Software
 - Embedded
Policy Flexibility and Workflow Operations
 Predefined functional operations
 Policy fragments
 Global policies
 Custom Assertion/Transport SDK
 Split/Join
 Sync/Async/Parallel/Serial
 Looping
 Logical constructs

Manage Gateways Globally Across Networks & Cloud
 Multi Datacenter, Cloud Dashboard
 - Enterprise-scale global management provides a single view of the health and performance of all gateways and associated services

 Network Insulated Policy Migration
 - Automated dependency validation when migrating policies between environments. Full rollback and approvals
 - (Diagram: Development (dev01LDAP) → Production (Enterprise) (prod01LDAP) → Production (Cloud) (cloud01LDAP))

 API and Command Line
 - Command line, API and dashboard controls for health and patch

 DR & Backup Controls
 - Easily manage backups and restores
Architecture Simplification
 Remove VPNs
 Minimize one-off application instances
 On-box versioning, mediation, orchestration
 Swiss Army Knife – fits multiple deployments/use cases
 - Front door
 - Partner API integration/SSO
 - Secure tunnel between enterprise and the cloud
 - Internal orchestration/mediation

Questions?
 To learn more about Layer 7 solutions …
 - Visit http://layer7.com
 - Download whitepapers, datasheets, tutorials
 - Contact us – info@layer7.com
