Securing and Governing Cloud APIs

A look at why APIs matter in the cloud and their unique security challenges.

Page 1: Securing and Governing Cloud APIs

Securing and governing cloud APIs

Rag Ramanathan, Director of Product Management, APIs

Page 2: Securing and Governing Cloud APIs

Savvis Proprietary & Confidential 2

Nearly 2,500 unique clients, including more than 32 of the top 100 companies in the Fortune 500

Page 3: Securing and Governing Cloud APIs

Savvis is Positioned in the Leaders Quadrant

The Gartner Magic Quadrant for Public Cloud Infrastructure as a Service

Gartner, Inc., Magic Quadrant for Public Cloud Infrastructure as a Service, Lydia Leong, Ted Chamberlin, December 8, 2011. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Savvis.

Page 4: Securing and Governing Cloud APIs

Service portfolio (diagram labels):

Secure Facilities, Enterprise Equipment, Intelligent Management Tools

• Managed Storage and Backup
• Managed Security
• Managed Network
• Professional Services
• Proximity Hosting
• Managed Applications
• Web Hosting
• SaaS Enablement
• Business Continuity
• Content Management
• Colocation
• Intelligent Monitoring
• Managed Hosting (Dedicated)
• Savvis Symphony (Dedicated and Multi-Tenant Clouds)

Page 5: Securing and Governing Cloud APIs

Virtual Private Data Center (VPDC)

Diagram labels:

• VPDC Portal – Topology Designer
• Technical & Business End-User Self-Service Provisioning
• Savvis Data Center Infrastructure
• Savvis Symphony VPDC Orchestration and Provisioning
• Automated Provisioning

Page 6: Securing and Governing Cloud APIs

Architecture Overview (diagram labels):

• Compute Resources
• Data Center Fabric
• Network Services
• Security Services
• Storage Resources
• Portal
• Business Orchestration / Service Fulfillment
• Cloud Orchestration
• Cloud Infrastructure
• Cloud Database
• API
• SLA Management
• Event Management
• Incident Management
• Middleware
• Systems Management – Service Support
• Proxy

Page 7: Securing and Governing Cloud APIs

Supporting multiple channels?

Diagram labels:

• Savvis Web Portal
• API
• Web Portal
• Smartphones
• Tablets
• Customer Apps
• ISV Partner Apps
• Reseller Apps
• Savvis

Page 8: Securing and Governing Cloud APIs

Why APIs?

Forrester analyst @chenxiwang: “Road to the Cloud is through APIs”

• Benefits of the cloud are driven by automation
• Automation needs integration
• APIs are the only way to do cloud integration
• Customers and partners are demanding more APIs
• ISVs, CSBs, SaaS marketplaces need APIs
• APIs help in quicker internal and external application delivery

Page 9: Securing and Governing Cloud APIs

So we offer cloud APIs

· For IaaS, based on the vCloud API specification
· With additional Savvis feature-specific APIs
· Initially offered to a handful of customers as a beta offering
· Learnt and matured our APIs
· Customers did “pen tests” and requested enhancements
· More customers and partners are using APIs and demand continues to grow

Page 10: Securing and Governing Cloud APIs

API Challenges

Security

• Authorization
• Basic firewall
• DDoS
• SSL for service end points
• Audit logs

Governance

• Availability
• Performance
• Protection
• Meeting SLAs
• Maintain QoS
• Audit trails
• Reporting

Page 11: Securing and Governing Cloud APIs

API Security & Governance Is Bigger

>> Credential caching & expiration

>> OAuth support

>> Common authentication & authorization across all services

Security Penetration Protection

• Code injection

• Malformed requests

• SQL attacks

Message Protection

• XML DOCTYPE insertion

• XML document structure

• Limit msg size

Traffic Control

• Rate limit

• Tiered service levels

• Automatic retries

>> IP restrictions

>> Reporting and analytics

And more...
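The message-protection and traffic-control items above (limit message size, reject DOCTYPE insertion, check document structure, rate limit by tiered service level) as an added Python example. This is not code from the deck, from Savvis, or from the Layer 7 gateway; the size and depth limits, the tier numbers, and the expected root element names (`vApp`, `vAppTemplate`) are assumptions chosen for illustration.

```python
"""Pre-filter for an API gateway: message protection and tiered rate limiting.
Added example, not Savvis or Layer 7 code; every limit, tier and element name
below is an assumption chosen for illustration."""
import re
import time
import xml.etree.ElementTree as ET

MAX_BODY_BYTES = 64 * 1024                  # assumed "limit msg size" threshold
MAX_DEPTH = 32                              # assumed cap on element nesting
ALLOWED_ROOTS = {"vApp", "vAppTemplate"}    # assumed root elements the service expects
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

# Tiered service levels: (requests, per seconds). Numbers are assumed.
TIER_LIMITS = {"free": (10, 60.0), "standard": (100, 60.0), "premium": (1000, 60.0)}


class TokenBucket:
    """Classic token bucket; the clock is injected so the logic is testable."""

    def __init__(self, capacity, per_seconds, now):
        self.capacity = capacity
        self.per_seconds = per_seconds
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now):
        refill = (now - self.last) * self.capacity / self.per_seconds
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def local_name(tag):
    """Strip an XML namespace prefix of the form '{uri}name'."""
    return tag.rpartition("}")[2]


def nesting_depth(root):
    """Iterative depth walk: a recursive walk would itself be a DoS vector."""
    deepest, stack = 0, [(root, 1)]
    while stack:
        elem, depth = stack.pop()
        deepest = max(deepest, depth)
        stack.extend((child, depth + 1) for child in elem)
    return deepest


def inspect_message(body):
    """Return (accepted, reason) for a raw request body, applying the slide's
    message-protection checks in order of cost: size, DOCTYPE, well-formedness,
    then structure (expected root element and nesting depth)."""
    if len(body) > MAX_BODY_BYTES:
        return False, "message too large"
    # Reject any DOCTYPE on the raw bytes *before* the body reaches a parser,
    # so entity declarations are never processed at all.
    if DOCTYPE_RE.search(body):
        return False, "DOCTYPE declaration rejected"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed XML"
    name = local_name(root.tag)
    if name not in ALLOWED_ROOTS:
        return False, f"unexpected root element '{name}'"
    if nesting_depth(root) > MAX_DEPTH:
        return False, f"document nested deeper than {MAX_DEPTH} levels"
    return True, "ok"


class Gateway:
    """One token bucket per client, sized by the client's service tier."""

    def __init__(self):
        self.buckets = {}

    def check_rate(self, client_id, tier, now=None):
        now = time.monotonic() if now is None else now
        if client_id not in self.buckets:
            capacity, per_seconds = TIER_LIMITS[tier]
            self.buckets[client_id] = TokenBucket(capacity, per_seconds, now)
        return self.buckets[client_id].allow(now)

    def handle(self, client_id, tier, body, now=None):
        """Traffic control first (cheapest check), then message protection."""
        if not self.check_rate(client_id, tier, now):
            return False, "rate limit exceeded"
        return inspect_message(body)


if __name__ == "__main__":
    gw = Gateway()
    # Constructed sample requests: one valid, one with an internal DOCTYPE,
    # one truncated, one with an unexpected root element.
    samples = [
        b"<vApp name='web-01'/>",
        b"<!DOCTYPE vApp [<!ENTITY e 'x'>]><vApp>&e;</vApp>",
        b"<vApp><a>",
        b"<foo/>",
    ]
    for body in samples:
        print(gw.handle("acme", "standard", body), body[:40])
```

The DOCTYPE check runs on the raw bytes rather than on a parsed tree because the parser is the component the check is meant to protect; the depth walk is iterative for the same reason. A real gateway would key buckets by authenticated client rather than a caller-supplied id and would persist them across instances.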

Page 12: Securing and Governing Cloud APIs

…along with

>> Common API security

>> Common logging and auditing

>> Reporting and analytics

>> Support for multiple versions

>> Protocol transformation

>> Delegated policy authoring

>> Best practices based common policy libraries

>> Centralized policy release and enforcement

>> Internal systems integration (OSS, BSS, CMDB)

Page 13: Securing and Governing Cloud APIs

API Security & Governance Layer Using Layer 7 Gateway

Common API and SOA Governance for Cloud (diagram labels)

VPDC Portal, OSS, Storage

API / SOA / Cloud Governance Gateway:

• Policy: throttling, monitoring
• Reporting: usage, billing
• Security: authentication, authorization

Page 14: Securing and Governing Cloud APIs

Layer 7 Deployment

Page 15: Securing and Governing Cloud APIs

Lessons Learned & Recommendations

>> APIs drive more cloud traffic than web sites

>> Take API-first design approach

>> Drive toward a common framework

> Configuration based and not development based
> Supports flexible and distributed deployment models
> Extensible

>> Be prepared to handle special requests

>> Do thorough testing of APIs for security

>> Look at Security & Gov Gateway for Cloud

Page 16: Securing and Governing Cloud APIs

Next steps

• Add internal API gateway
• OAuth for external APIs
• Quota and rate limit by specific APIs
• Developer portal

Page 17: Securing and Governing Cloud APIs

Thank you.

· Want to work on cloud APIs? We are hiring – http://www.Bit.ly/savvis_pm

Contact: [email protected]
@ragram