Secure and Govern Integration between the Enterprise & the Cloud: A Best Buy Case Study

Thomas Kelly, Enterprise Architect, Best Buy
Tom Stickle, Lead Solution Architect, Amazon Web Services Partner Programs
Jaime Ryan, Partner Solutions Architect, Layer 7

November 17, 2011


Layer 7 Confidential 2

Housekeeping

Questions - Chat any questions you have and we’ll answer them at the end of this call

Twitter - Today’s event hashtag: #L7webinar

Follow us on Twitter as well:

- @BestBuy

- @AWScloud

- @layer7

facebook.com/layer7

layer7.com/blogs

layer7.com/linkedin

Thomas Kelly, Enterprise Architect, Best Buy


Best Buy Open API

BBYOpen is at the heart of a cloud-based infrastructure

- Composed of a group of APIs dedicated to the externalization of partner data

- Primary focus: Products, Categories, Reviews, Stores

Design Objectives

- Highly scalable infrastructure that is responsive to the variation in retail systems.

- Extensible service layer that abstracts service location, both cloud and internal

- Core repository with faceting selection based on requirements

- Full end to end analytics supporting trending, behavioral, and statistical analysis.

- Extensive caching for low latency response creation

- Fully secured, identity based access to services and resources

- Support for both single and multi-tenancy application development.


Cloud Scope

BBYOpen is designed for extremely high utilization

- All member applications are strictly decoupled

- Interfacing between systems strictly enforced

- All applications are logically stateless

- Client side pagination supported

- Intelligent caching supported

- All member applications are load balanced and support autoscaling

- Rolling spike redundancy built into the monitoring system

- There is no standardized data model

- Additionally, there is no standardized data source

- All communication in and out of the cloud is via intermediary gateways

- Internal data center services are locally virtualized


Architectural Challenges

Areas of particular concentration

- Building a private virtual infrastructure in the cloud

- Applying virtual security to a virtual environment

- Coordinating interacting autoscaling layers

- Scoping dependencies on internal services and data

- Solving the EAV dilemma

- Document caching vs. fast changing data – avoiding the ‘brute cache rebuild’

- Implementing a high speed bypass to the internal networks

- Parallel service calls and just in time composition

- Automating analytics based ETL for data distribution and pre-caching

- Securing a multitude of different varieties of cloud communication

- Designing services/data for dual cloud/datacenter deployment


Technologies/Platforms Utilized

Amazon EC2

- Cloud infrastructure services

Gateway

- Layer 7 SecureSpan Gateway

Document Composition

- TIBCO ActiveMatrix Service Grid and BusinessWorks

Caching

- Amazon ElastiCache, TIBCO ActiveSpaces

Data Storage

- Amazon Data Services, TIBCO ActiveSpaces

Data Migration/ETL

- SnapLogic Server


Concept Solution


AAA Solution


Dynamic Composition


Spike Redundancy – Problem Space


Spike Redundancy – Solution

A Platform for Building Secure, Integrated Applications at Scale

November 17, 2011

AWS is a Computing Platform

- No capital expenditure

- Pay as you go and pay only for what you use

- True elastic capacity; scale up and down

- Improves time to market

- You can focus on what differentiates your business instead of managing the undifferentiated heavy lifting of infrastructure

AWS Global Reach

AWS Regions: US East (Virginia), US West (Oregon), US West (N. California), AWS GovCloud (US), EU West (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo)

AWS CloudFront Locations: Ashburn, Dallas, Jacksonville, Los Angeles, Miami, Newark, New York, Palo Alto, Seattle, St. Louis, Sao Paulo, Amsterdam, Dublin, Frankfurt, London, Paris, Stockholm, Hong Kong, Tokyo, Singapore

Designing Services at Scale

Diagram: requests from www.partner.com reach an Elastic Load Balancer that fronts a pool of API instances. Labels: Redundant Transit Providers, Independent Power, Low Latency, Auto-Scaling, Dynamic Arbitrary Scale.

ISO 27001 Certification

- Commitment to info security at every level of AWS

- Validated by a third-party audit

- Implements ISO 27002 security controls

- Includes all AWS Regions

Diagram labels: Implementing, Operating, Monitoring, Reviewing, Maintaining, Improving

SSAE 16 & ISAE 3402 Reports

- Auditor-to-auditor communication of our controls

- Based on our ISO 27002 controls

- Covers EC2, S3, EBS and VPC

- Audit conducted by an independent accounting firm on a recurring basis

PCI DSS 2.0 Level 1 Compliance

- The following AWS core infrastructure and services have been validated by an authorized independent QSA and are currently PCI DSS 2.0 compliant:

  - Amazon Elastic Compute Cloud (EC2)

  - Amazon Simple Storage Service (S3)

  - Amazon Elastic Block Storage (EBS)

  - Amazon Virtual Private Cloud (VPC)

- These are the core services for supporting the processing, storage and transmission of cardholder data

How does this relate to my certification?

- Customers manage their own PCI certification

- For the portion of the cardholder environment implemented on AWS, your QSA can rely on our validated service provider status

- Your QSA can rely on our PCI compliance validation of our technology infrastructure

- You will be responsible for the compliance and testing efforts that aren’t related to the infrastructure

- If your QSA needs additional supporting information, they can reach out to us directly

Process: the customer’s QSA learns about AWS as a Service Provider; the QSA maps responsibilities of customer and AWS; the QSA contacts AWS for the AoC and clarification

aws.amazon.com/security

AWS Architecture Center

aws.amazon.com/architecture

White papers:

- Cloud architectures

- Building fault-tolerant applications

- Web hosting best practices

- Leveraging different storage options

- AWS security best practices

Shared Responsibility Model

AWS: Facilities, Physical Security, Logical Separation, Network Threats

Customer: Operating Systems, Application Security Groups, OS Firewalls, Anti-Virus, Account Management

Jaime Ryan, Partner Solution Architect, Layer 7


Agenda

Common security and governance layer for cloud integration

- Application Security

- API Management

- Application Performance Optimization

- Application Mediation

Layer 7 architectural differentiators


Application Security

Single interface to reduce use of customer-specific VPNs

Standard protocols plus network security

Application-aware threat protection

Traffic inspection, filtering, and validation of requests

Secured mediation of external partner callouts

- Single Sign-on

- Request/response scanning

PCI DSS Compliance


API Management

Managing API keys and user identities

Authentication/authorization of users and keys

Throttling peaks in traffic

Routing to load-balanced auto-scaling application instances

Monitoring and reporting of API usage
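Added example, not code from the deck or from Layer 7’s product: a minimal gateway policy in Python that covers the points on this slide, hashed API-key authentication with a constant-time compare, per-tenant token-bucket throttling, round-robin routing to a backend pool, and per-tenant usage counters for reporting. The key, tenant name and backend addresses are constructed placeholders.

```python
"""Gateway policy sketch: authenticate an API key, throttle per tenant,
route to an auto-scaled backend pool, and count usage for reporting."""
import hashlib
import hmac
import itertools
import time
from collections import defaultdict

# Constructed sample data: keys are stored only as SHA-256 digests so a
# leaked key table cannot be replayed; backend addresses are placeholders.
API_KEYS = {hashlib.sha256(b"partner-key-123").hexdigest(): "partner-a"}
BACKENDS = ["10.0.1.10:8080", "10.0.1.11:8080"]


class Gateway:
    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_sec, burst, clock
        self.buckets = {}                       # tenant -> (tokens, last_ts)
        self.usage = defaultdict(lambda: defaultdict(int))
        self._pool = itertools.cycle(BACKENDS)  # round-robin over instances

    def authenticate(self, key):
        """Map a presented key to its tenant, or None; constant-time compare."""
        digest = hashlib.sha256(key.encode()).hexdigest()
        for stored, tenant in API_KEYS.items():
            if hmac.compare_digest(stored, digest):
                return tenant
        return None

    def _allow(self, tenant):
        """Token bucket: `burst` requests at once, refilled at `rate` per second."""
        now = self.clock()
        tokens, last = self.buckets.get(tenant, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[tenant] = (tokens, now)
            return False
        self.buckets[tenant] = (tokens - 1, now)
        return True

    def handle(self, key, path):
        """Return (status, backend) for one request and record it for reporting."""
        tenant = self.authenticate(key)
        if tenant is None:
            self.usage["anonymous"]["401 " + path] += 1
            return 401, None
        if not self._allow(tenant):
            self.usage[tenant]["429 " + path] += 1
            return 429, None
        backend = next(self._pool)
        self.usage[tenant]["200 " + path] += 1
        return 200, backend
```

The `usage` table is what a monitoring dashboard would read; passing a fake `clock` makes the throttling deterministic for testing.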


Application Mediation

Message format transformation

- REST, SOAP, JSON, POX, others

Transport Protocol Bridging

- HTTP, HTTPS, JMS, EMS, FTP

Multiple messaging patterns

- pub/sub, sync/async, parallel execution

Service Bus Federation

Backend glue


Unique Form Factors

Deploy Gateway in any format. Supported form factors include:

- Hardware

- Software

- VMware / Xen

- Amazon Machine Image

- Embedded


Policy Flexibility and Workflow Operations

Predefined functional operations

Policy fragments

Global policies

Custom Assertion/Transport SDK

Split/Join

Sync/Async/Parallel/Serial

Looping

Logical constructs


Manage Gateways Globally Across Networks & Cloud

Enterprise-scale global management provides a single view of the health and performance of all gateways and associated services

Diagram: Development (dev01, LDAP), Production – Enterprise (prod01, LDAP), Production – Cloud (cloud01, LDAP)

Automated dependency validation when migrating policies between environments. Full rollback and approvals

Command line, API and dashboard controls for health and patch

Easily Manage Backups and Restores

Multi Datacenter, Cloud Dashboard

API and Command Line

DR & Backup Controls

Network Insulated Policy Migration


Architecture Simplification

Remove VPNs

Minimize one-off application instances

On-box versioning, mediation, orchestration

Swiss Army Knife – fits multiple deployments/use cases

- Front door

- Partner API integration/SSO

- Secure tunnel between enterprise and the cloud

- Internal orchestration/mediation

Questions? To learn more about Layer 7 solutions …

- Visit http://layer7.com

- Download whitepapers, datasheets, tutorials

- Contact us – [email protected]