Gartner Catalyst Savvis Cloud API Case Study


Moving Business to the Cloud: A Tale of Security and Governance

Rag Ramanathan

When is Cloud a Fit for Enterprises?

•  Customer 1: Global financial institution
   –  Variable, periodic demand
   –  Internal resource constraints

•  Customer 2: SaaS-based enterprise feedback system
   –  Focus on core business
   –  Speed of provisioning is constraining business execution

•  Customer 3: International educational publishing and technology company
   –  Focus on core business
   –  Variable, periodic or seasonal demand

What Kind of Cloud is Right For You?

(Diagram: workloads placed along an axis from Internet / Public IP to Private / Private IP)

Public Cloud
•  SaaS Enablement
•  Web Hosting
•  Proof of Concept
•  Test/Development

Hybrid Cloud
•  Cloud Bursting
•  Test/Development
•  Peak Performance Bursting

Private Cloud
•  Voice/Video
•  Sensitive Data
•  Production Applications
•  Traffic Management

Cloud Use Case: Global Financial Institution

Enterprise connects to hybrid private/public cloud (diagram label: Enterprise Cloud)

Building a private cloud on dedicated infrastructure in the US and UK with public cloud bursting. Tenants are internal groups.
•  Uses Virtual Private Data Center in dedicated infrastructure
•  Able to create and manage multiple virtual data centers
•  Uses a 3rd-party cloud aggregation software
•  Integrates using APIs
•  VPN integrates internal and external networks
•  Manages their own user authentication and authorization
•  Manages their own IP addresses (DHCP server)

Challenges of Hybrid Cloud

Integration: Making external compute, cloud & applications look internal is often an integration challenge.

Security: Whether opening up to a public or an outsourced private cloud, you will encounter some repeat challenges in moving data and workloads.

Governance: How do you define policies for how the enterprise consumes & interacts with cloud services?

The Secret to Hybrid Cloud: SOA & APIs

SOA is the integration framework for connecting the enterprise with private & public cloud.

APIs are the way enterprise systems access provisioning, management & application systems in the cloud.

SOA Gateways designed for the cloud (e.g. Layer 7, Vordel, Apigee, SOA Software) are the best way to address security & governance challenges.

Why SOA / APIs?

>> APIs to integrate
>> APIs for management, operations & run-time
>> APIs for automating provisioning
>> APIs to expose/control the cloud services
>> Strongest authentication & authorization
>> Facility for compliance enforcement

SOA / API Challenges


•  Authorization
•  Basic firewall
•  DDoS
•  SSL for each service endpoint
•  Audit logs
•  Authentication

•  Availability
•  Performance
•  Protection
•  Meeting SLAs
•  Maintain QoS
•  Audit trails
•  Data for investigation & reporting

But SOA / API Security & Governance Is Bigger

>> Credential caching & expiration
>> OAuth support
>> Common authentication & authorization across all services

Security Penetration Protection

• Code injection

• Malformed requests

• SQL attacks

Message Protection

• XML DOCTYPE insertion

• XML document structure

• Limit message size

Traffic Control

•  Rate limit

•  Tiered service levels

•  Automatic retries

>> IP restrictions
>> Reporting and analytics
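Added example (not Savvis or Layer 7 code): a small Python gateway filter that enforces three policies from the Message Protection and Traffic Control lists above: a message size limit, rejection of DOCTYPE/ENTITY declarations plus a nesting-depth check for document structure, and a per-client sliding-window rate limit with tiered service levels. The tier names, limits and the client-to-tier lookup are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Policy limits (constructed values for the example, not Savvis tiers)
MAX_BODY_BYTES = 64 * 1024                 # "Limit message size"
MAX_XML_DEPTH = 32                         # "XML document structure"
TIER_LIMITS = {"basic": 5, "premium": 50}  # requests per window, "Tiered service levels"
# Reject any DOCTYPE/ENTITY declaration before the parser sees it ("XML DOCTYPE insertion")
_DOCTYPE_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def xml_depth(elem, level=1):
    """Deepest nesting level of an element tree (guards against deeply nested payloads)."""
    return max([xml_depth(child, level + 1) for child in elem] or [level])


class Gateway:
    def __init__(self, tiers, window=60.0):
        self.tiers = tiers                 # client_id -> tier name (hypothetical lookup)
        self.window = window               # sliding window length in seconds
        self.hits = defaultdict(deque)     # client_id -> timestamps of recent requests

    def check_rate(self, client_id, now):
        """Sliding-window rate limit: True if the request is within the client's tier."""
        recent = self.hits[client_id]
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        limit = TIER_LIMITS[self.tiers.get(client_id, "basic")]
        if len(recent) >= limit:
            return False
        recent.append(now)
        return True

    def inspect(self, client_id, body, now):
        """Apply the policies cheapest first; return (allowed, reason).

        The rate check runs before parsing, so rejected messages still consume
        quota and cannot be used to keep the parser busy for free.
        """
        if not self.check_rate(client_id, now):
            return False, "rate_limited"
        if len(body) > MAX_BODY_BYTES:
            return False, "body_too_large"
        if _DOCTYPE_RE.search(body):
            return False, "doctype_or_entity_forbidden"
        try:
            root = ET.fromstring(body)     # fails closed on malformed requests
        except ET.ParseError:
            return False, "malformed_xml"
        if xml_depth(root) > MAX_XML_DEPTH:
            return False, "xml_too_deep"
        return True, "ok"
```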

And more... along with:

>> Common API security
>> Common logging and auditing
>> Reporting and analytics
>> Support for multiple versions
>> Protocol transformation
>> Delegated policy authoring
>> Best-practices-based common policy libraries
>> Centralized policy release and enforcement
>> External system integration (OSS, BSS, CMDB)

How Are We Addressing These Hybrid Cloud Integration Requirements for Biz?

Common API and SOA Governance Layer Using a Cloud Gateway

Common API / SOA Security & Governance Layer Using Layer 7 Gateway

Common API and SOA Governance for Cloud

(Diagram: an API / SOA / Cloud Governance Gateway sits between the consumers (VPDC Portal, OSS, Storage) and the cloud services; its functions are grouped as follows)

•  Policy: Throttling, Monitoring

•  Reporting: Usage, Billing

•  Security: Authentication, Authorization

Deployment of Layer 7 Cloud Gateway

Specific Security Example

•  Requirement: Provide multi-factor authentication for all APIs
•  Option 1:
   –  Each service or product implements its own solution
   –  Will require weeks to months of implementation and testing
•  Option 2:
   –  Provide a common security service via a proxy
   –  Apply a single, best-practices-based solution across all the services
   –  Use Layer 7 policy for OAuth (2-legged)
   –  Integrate key/token management and distribution between Layer 7, Savvis Portal, BSS, and OSS

Lessons Learned & Recommendations

>> APIs drive more cloud traffic than web sites
>> Take an API-first design approach
>> Drive toward a common framework
   > Configuration based, not development based
   > Supports flexible and distributed deployment models
   > Extensible
>> Be prepared to handle special requests
>> Do thorough security testing of APIs
>> Look at a Security & Governance Gateway for Cloud