Secure and Govern Integration between the Enterprise & the Cloud
A Best Buy Case Study
Thomas Kelly, Enterprise Architect, Best Buy
Tom Stickle, Lead Solution Architect, Amazon Web Services Partner Programs
Jaime Ryan, Partner Solutions Architect, Layer 7
November 17, 2011
Layer 7 Confidential 2
Housekeeping
Questions - Chat any questions you have and we’ll answer them at the end of this call
Twitter - Today’s event hashtag:
- #L7webinar
- Follow us on Twitter as well:
- @BestBuy
- @AWScloud
- @layer7
facebook.com/layer7
layer7.com/blogs
layer7.com/linkedin
Best Buy Open API
BBYOpen is at the heart of a cloud-based infrastructure
- Composed of a group of APIs dedicated to the externalization of partner data
- Primary focus
- Products, Categories, Reviews, Stores
Design Objectives
- Highly scalable infrastructure that is responsive to the variation in retail systems.
- Extensible service layer that abstracts service location, both cloud and internal
- Core repository with faceting selection based on requirements
- Full end to end analytics supporting trending, behavioral, and statistical analysis.
- Extensive caching for low latency response creation
- Fully secured, identity based access to services and resources
- Support for both single and multi-tenancy application development.
Cloud Scope
BBYOpen is designed for extremely high utilization
- All member applications are strictly decoupled
- Interfacing between systems strictly enforced
- All applications are logically stateless
- Client side pagination supported
- Intelligent caching supported
- All member applications are load balanced and support autoscaling
- Rolling spike redundancy built into the monitoring system
- There is no standardized data model
- Additionally, there is no standardized data source
- All communication in and out of the cloud is via intermediary gateways
- Internal data center services are locally virtualized
Architectural Challenges
Areas of particular concentration
- Building a private virtual infrastructure in the cloud
- Applying virtual security to a virtual environment
- Coordinating interacting autoscaling layers
- Scoping dependencies on internal services and data
- Solving the EAV dilemma
- Document caching vs. fast-changing data – avoiding the 'brute cache rebuild'
- Implementing a high speed bypass to the internal networks
- Parallel service calls and just in time composition
- Automating analytics based ETL for data distribution and pre-caching
- Securing a multitude of different varieties of cloud communication
- Designing services/data for dual cloud/datacenter deployment
Technologies/Platforms Utilized
Amazon EC2
- Cloud infrastructure services
Gateway
- Layer7 SecureSpan Gateway
Document Composition
- Tibco ActiveMatrix Service Grid and Business Works
Caching
- Amazon ElastiCache, Tibco ActiveSpaces
Data Storage
- Amazon Data Services, Tibco ActiveSpaces
Data Migration/ETL
- SnapLogic Server
AWS is a Computing Platform
AWS Global Reach
AWS Regions
- US East (Virginia)
- US West (Oregon)
- US West (N. California)
- AWS GovCloud (US)
- EU West (Ireland)
- Asia Pacific (Singapore)
- Asia Pacific (Tokyo)
AWS CloudFront Locations
- Ashburn, Dallas, Jacksonville, Los Angeles, Miami, Newark, New York, Palo Alto, Seattle, St. Louis
- Sao Paulo
- Amsterdam, Dublin, Frankfurt, London, Paris, Stockholm
- Hong Kong, Tokyo, Singapore
Designing Services at Scale
[Slide diagram: traffic from www.partner.com reaches the API instances through an Elastic Load Balancer; callouts: Redundant Transit Providers, Independent Power, Low Latency, Auto-Scaling, Dynamic Arbitrary Scale]
ISO 27001 Certification
- Commitment to info security at every level of AWS
- Validated by a third-party audit
- Implements ISO 27002 security controls
- Includes all AWS Regions
[Slide diagram: continuous cycle of Implementing, Operating, Monitoring, Reviewing, Maintaining, Improving]
SSAE 16 & ISAE 3402 Reports
- Auditor to Auditor Communication of our controls
- Based on our ISO 27002 controls
- Covers EC2, S3, EBS and VPC
- Audit conducted by an independent accounting firm on a recurring basis
PCI DSS 2.0 Level 1 Compliance
- The following AWS core infrastructure and services have been validated by an authorized independent QSA and are currently PCI DSS 2.0 compliant:
- Amazon Elastic Compute Cloud (EC2)
- Amazon Simple Storage Service (S3)
- Amazon Elastic Block Storage (EBS)
- Amazon Virtual Private Cloud (VPC)
- These are the core services for supporting the processing, storage and transmission of cardholder data
How does this relate to my certification?
- Customers manage their own PCI certification
- For the portion of the cardholder environment implemented on AWS, your QSA can rely on our validated service provider status.
- Your QSA can rely on our PCI compliance validation of our technology infrastructure
- You will be responsible for the compliance and testing efforts that aren't related to the infrastructure
- If your QSA needs additional supporting information, they can reach out to us directly
[Slide diagram, QSA engagement flow: Customer QSA learns about AWS as a Service Provider; QSA maps responsibilities of customer & AWS; QSA contacts AWS for AoC and clarification]
AWS Architecture Center
aws.amazon.com/architecture
White papers:
- Cloud architectures
- Building fault-tolerant applications
- Web hosting best practices
- Leveraging different storage options
- AWS security best practices
Shared Responsibility Model
AWS
- Facilities
- Physical Security
- Logical Separation
- Network Threats
Customer
- Operating Systems
- Application
- Security Groups
- OS Firewalls
- Anti-Virus
- Account Management
Agenda
Common security and governance layer for cloud integration
- Application Security
- API Management
- Application Performance Optimization
- Application Mediation
Layer 7 architectural differentiators
Application Security
Single interface to reduce use of customer-specific VPNs
Standard protocols plus network security
Application-aware threat protection
Traffic inspection, filtering, and validation of requests
Secured mediation of external partner callouts
- Single Sign-on
- Request/response scanning
PCI DSS Compliance
API Management
Managing API keys and user identities
Authentication/authorization of users and keys
Throttling peaks in traffic
Routing to load-balanced auto-scaling application instances
Monitoring and reporting of API usage
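As an added illustration (not Layer 7 SecureSpan code or Best Buy's own policy), a minimal gateway policy chain covering the functions listed under Application Security and API Management above: API key authentication against a hashed key store, request validation against the published BBYOpen resource families, and per-key throttling before routing. The key value, rate limit and resource paths are constructed for the example.

```python
import hashlib
import re
import time
from collections import deque

# Constructed sample key store: the gateway keeps only SHA-256 hashes of
# partner keys, with a per-key rate limit (requests per second).
KEY_STORE = {
    hashlib.sha256(b"partner-key-123").hexdigest(): {"partner": "acme", "rps": 2},
}
MAX_PATH_LEN = 256
# Validation whitelist: published resource families plus an optional numeric id.
ALLOWED_PATH = re.compile(r"^/v1/(products|categories|reviews|stores)(/\d+)?$")


class Gateway:
    def __init__(self, now=time.monotonic):
        self.now = now          # injectable clock, so throttling is testable
        self.windows = {}       # key hash -> timestamps of recent requests

    def authenticate(self, api_key):
        """Return (key_hash, metadata), or (None, None) for an unknown key."""
        digest = hashlib.sha256(api_key.encode()).hexdigest()
        meta = KEY_STORE.get(digest)
        return (digest, meta) if meta else (None, None)

    def validate(self, method, path):
        """Request validation policy: method, path length and path whitelist."""
        return (method == "GET" and len(path) <= MAX_PATH_LEN
                and ALLOWED_PATH.match(path) is not None)

    def throttle(self, key_hash, rps):
        """Sliding one-second window: admit at most `rps` requests per key."""
        window = self.windows.setdefault(key_hash, deque())
        t = self.now()
        while window and t - window[0] >= 1.0:
            window.popleft()            # drop timestamps outside the window
        if len(window) >= rps:
            return False
        window.append(t)
        return True

    def handle(self, method, path, api_key):
        """Policy chain: authenticate, validate, throttle, then route."""
        key_hash, meta = self.authenticate(api_key or "")
        if meta is None:
            return 401, "invalid API key"
        if not self.validate(method, path):
            return 400, "request rejected by validation policy"
        if not self.throttle(key_hash, meta["rps"]):
            return 429, "rate limit exceeded"
        return 200, f"routed {path} for partner {meta['partner']}"
```

Each check fails closed with a distinct status code, which is what the monitoring and reporting stage would count per key.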
Application Mediation
Message format transformation
- REST, SOAP, JSON, POX, others
Transport Protocol Bridging
- HTTP, HTTPS, JMS, EMS, FTP
Multiple messaging patterns
- pub/sub, sync/async, parallel execution
Service Bus Federation
Backend glue
Unique Form Factors
Deploy Gateway In Any Format. Supported form factors include:
- Hardware
- Software
- VMware / Xen
- Amazon Machine Image
- Embedded
Policy Flexibility and Workflow Operations
Predefined functional operations
Policy fragments
Global policies
Custom Assertion/Transport SDK
Split/Join
Sync/Async/Parallel/Serial
Looping
Logical constructs
Manage Gateways Globally Across Networks & Cloud
Enterprise-scale global management provides a single view of the health and performance of all gateways and associated services
[Slide diagram: Development, Production (Enterprise) and Cloud gateway environments, each with its own directory (dev01LDAP, prod01LDAP, cloud01LDAP)]
- Automated dependency validation when migrating policies between environments. Full rollback and approvals
- Command line, API and dashboard controls for health and patch
- Easily Manage Backups and Restores
- Multi Datacenter, Cloud Dashboard
- API and Command Line
- DR & Backup Controls
- Network Insulated Policy Migration
Architecture Simplification
Remove VPNs
Minimize one-off application instances
On-box versioning, mediation, orchestration
Swiss Army Knife – fits multiple deployments/use cases
- Front door
- Partner API integration/SSO
- Secure tunnel between enterprise and the cloud
- Internal orchestration/mediation
Questions?
To learn more about Layer 7 solutions …
- Visit http://layer7.com
- Download whitepapers, datasheets, tutorials
- Contact us – [email protected]