gartner catalyst savvis cloud api case study
TRANSCRIPT
Savvis Proprietary & Confidential 2
When is Cloud a Fit for Enterprises?
• Customer 1: Global financial institution
  – Variable, periodic demand
  – Internal resource constraints
• Customer 2: SaaS-based enterprise feedback system
  – Focus on core business
  – Speed of provisioning is constraining business execution
• Customer 3: International educational publishing and technology company
  – Focus on core business
  – Variable, periodic or seasonal demand
What Kind of Cloud is Right For You?
Spectrum from Internet (public IP) to Private (private IP):
Public Cloud
• SaaS Enablement
• Web Hosting
• Proof of Concept
• Test/Development
Hybrid Cloud
• Cloud Bursting
• Test/Development
• Peak Performance Bursting
Private Cloud
• Voice/Video
• Sensitive Data
• Production Applications
• Traffic Management
Cloud Use Case: Global Financial Institution
Enterprise connects to hybrid private/public cloud
Building a private cloud on dedicated infrastructure in the US and UK with public cloud bursting. Tenants are internal groups.
• Uses Virtual Private Data Center in dedicated infrastructure
• Able to create and manage multiple virtual data centers
• Uses 3rd-party cloud aggregation software
• Integrates using APIs
• VPN integrates internal and external networks
• Manages their own user authentication and authorization
• Manages their own IP addresses (DHCP server)
Enterprise Cloud
Challenges of Hybrid Cloud
Integration: Making external compute, cloud & applications look internal is often an integration challenge.
Security: Whether opening up to a public or an outsourced private cloud, you will encounter some repeat challenges in moving data and workloads.
Governance: How do you define policies for how the enterprise consumes & interacts with cloud services?
The Secret to Hybrid Cloud: SOA & APIs
SOA is the integration framework for connecting the enterprise with private & public cloud.
APIs are the way enterprise systems access provisioning, management & application systems in the cloud.
SOA Gateways designed for Cloud (e.g. Layer 7, Vordel, Apigee, SOA Software) are the best way to address security & governance challenges.
Why SOA / APIs?
>> APIs to integrate
>> APIs for management, operations & run-time
>> APIs for automating provisioning
>> APIs to expose/control the cloud services
>> Strongest authentication & authorization
>> Facility for compliance enforcement
SOA / API Challenges
Security
• Authorization
• Basic firewall
• DDoS
• SSL for each service endpoint
• Audit logs
• Authentication
Governance
• Availability
• Performance
• Protection
• Meeting SLAs
• Maintain QoS
• Audit trails
• Data for investigation & reporting
But SOA / API Security & Governance Is Bigger
>> Credential caching & expiration
>> OAuth support
>> Common authentication & authorization across all services
Security Penetration Protection
• Code injection
• Malformed requests
• SQL attacks
Message Protection
• XML DOCTYPE insertion
• XML document structure
• Limit message size
Traffic Control
• Rate limit
• Tiered service levels
• Automatic retries
>> IP restrictions
>> Reporting and analytics
And more...
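The "Message Protection" and "Traffic Control" items above are the kind of policy a cloud gateway evaluates on every inbound API call before the request reaches a backend service. The following is an added illustration, not Savvis or Layer 7 code: a small in-process policy that rejects oversized bodies, refuses any XML carrying a DOCTYPE (the vector for entity-expansion and external-entity payloads), caps element nesting depth, and applies a per-client sliding-window rate limit. The limits, client ids and request bodies are constructed sample values.

```python
"""Gateway-style request policy: message protection plus per-client rate limiting.

Added example (not Savvis or Layer 7 code). All limits and sample inputs below
are assumed values chosen for illustration.
"""
import re
import time
import xml.etree.ElementTree as ET
from collections import deque

MAX_BODY_BYTES = 4096     # "Limit message size" (assumed limit)
MAX_DEPTH = 20            # "XML document structure": cap nesting depth (assumed)
RATE_LIMIT = 5            # requests per window per client (assumed)
WINDOW_SECONDS = 60.0

# Reject a DOCTYPE before the parser ever sees it: DTDs are how entity
# expansion and external-entity (XXE) content enter an XML document.
_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class RateLimiter:
    """Sliding-window request counter keyed by client id."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._hits = {}  # client_id -> deque of request timestamps

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def xml_depth(root):
    """Maximum element nesting depth, computed iteratively (no recursion limit issues)."""
    depth, stack = 0, [(root, 1)]
    while stack:
        el, d = stack.pop()
        depth = max(depth, d)
        stack.extend((child, d + 1) for child in el)
    return depth


def check_message(body: bytes):
    """Return (ok, reason); applies size, DOCTYPE and structure checks in order."""
    if len(body) > MAX_BODY_BYTES:
        return False, "message too large"
    if _DOCTYPE.search(body):
        return False, "DOCTYPE not allowed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if xml_depth(root) > MAX_DEPTH:
        return False, "nesting too deep"
    return True, "ok"


def gateway_decision(client_id, body, limiter, now=None):
    """Combined policy: cheap traffic control first, then message protection."""
    if not limiter.allow(client_id, now):
        return False, "rate limit exceeded"
    return check_message(body)
```

The checks run cheapest-first so that a client already over its quota costs no parsing at all; the DOCTYPE test is a byte scan rather than a parser option because it must hold regardless of which XML library sits behind the gateway.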
…along with
>> Common API security
>> Common logging and auditing
>> Reporting and analytics
>> Support for multiple versions
>> Protocol transformation
>> Delegated policy authoring
>> Best-practices-based common policy libraries
>> Centralized policy release and enforcement
>> External system integration (OSS, BSS, CMDB)
How Are We Addressing These Hybrid Cloud Integration Requirements for Biz?
Common API and SOA Governance Layer Using a Cloud Gateway
Common API / SOA Security & Governance Layer Using Layer 7 Gateway
Common API and SOA Governance for Cloud
Components: VPDC Portal, OSS, Storage
Policy: Throttling, Monitoring
Reporting: Usage, Billing
Security: Authentication, Authorization
API / SOA / Cloud Governance Gateway
Specific Security Example
• Requirement: Provide multi-factor authentication for all APIs
• Option 1:
  – Each service or product can implement their own solution
  – Will require weeks to months of implementation and testing
• Option 2:
  – Provide a common security service via a proxy
  – Apply a best-practices-based single solution across all the services
  – Use Layer 7 policy for OAuth (2-legged)
  – Integrate key/token management and distribution between Layer 7, Savvis Portal, BSS, and OSS
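Option 2 centralizes authentication in one place: a token endpoint at the proxy validates client credentials and issues short-lived bearer tokens, and every API behind the proxy validates tokens through the same code path. The following is an added example of that 2-legged (client_credentials) flow, not Savvis or Layer 7 code; it also shows the credential caching and expiration item from the earlier slide. Client ids, secrets, scopes and lifetimes are constructed sample values, and the in-memory dictionaries stand in for the portal/BSS/OSS stores the slide names.

```python
"""Two-legged OAuth (client_credentials) enforced at a proxy.

Added example (not Savvis or Layer 7 code). Registry and token store are
in-memory stand-ins for the portal/BSS/OSS systems; all values are assumed.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 900  # assumed lifetime; short so revocation lag stays bounded


def _hash_secret(client_secret: str, salt: bytes) -> bytes:
    """Client secrets are stored salted and stretched, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", client_secret.encode(), salt, 100_000)


class ClientRegistry:
    """Stand-in for the client database held by the portal/BSS."""

    def __init__(self):
        self._clients = {}  # client_id -> (salt, secret_hash, scopes)

    def register(self, client_id, client_secret, scopes):
        salt = secrets.token_bytes(16)
        self._clients[client_id] = (salt, _hash_secret(client_secret, salt), frozenset(scopes))

    def authenticate(self, client_id, client_secret):
        """Return the client's scopes on success, None on failure."""
        rec = self._clients.get(client_id)
        if rec is None:
            return None
        salt, stored, scopes = rec
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(stored, _hash_secret(client_secret, salt)):
            return None
        return scopes


class TokenService:
    """Issues and validates opaque bearer tokens for the client_credentials grant."""

    def __init__(self, registry):
        self.registry = registry
        self._tokens = {}  # token -> (client_id, scopes, expires_at)

    def issue(self, client_id, client_secret, now=None):
        """Token endpoint: returns (token, expires_in) or None if credentials fail."""
        scopes = self.registry.authenticate(client_id, client_secret)
        if scopes is None:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # opaque, unguessable handle
        self._tokens[token] = (client_id, scopes, now + TOKEN_TTL_SECONDS)
        return token, TOKEN_TTL_SECONDS

    def validate(self, token, required_scope, now=None):
        """Proxy-side check on every API call: known, unexpired, and scoped."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        client_id, scopes, expires_at = rec
        if now >= expires_at:
            del self._tokens[token]  # expire the cached credential
            return False, "token expired"
        if required_scope not in scopes:
            return False, "insufficient scope"
        return True, client_id

    def revoke(self, token):
        """Immediate revocation, e.g. when the portal disables a client."""
        self._tokens.pop(token, None)
```

Because the tokens are opaque handles looked up in the proxy's own store, revocation from the portal or BSS takes effect on the next call; the TTL bounds how long a cached token outlives a secret rotation even if revocation is missed.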
Lessons Learned & Recommendations
>> APIs drive more cloud traffic than web sites
>> Take an API-first design approach
>> Drive toward a common framework
  > Configuration-based, not development-based
  > Supports flexible and distributed deployment models
  > Extensible
>> Be prepared to handle special requests
>> Do thorough testing of APIs for security
>> Look at a Security & Governance Gateway for Cloud