Secure, govern and mediate integrations between enterprise applications and Cloud services
Overview
For Best Buy, the public Cloud provides a strategic way to dynamically scale consumer and partner-facing Web and API assets. The Cloud lets Best Buy accommodate peaks in demand without overbuilding, while isolating sensitive data from the public.
Best Buy also needs a consistent way to control what information is shared with applications in the Cloud, while simultaneously insulating development teams from the vagaries of security, management and mediation challenges that arise when implementing a hybrid Cloud solution.
This webinar, presented by Best Buy, Amazon Web Services and Layer 7 Technologies, looks at a specific example, the Best Buy API Developer Portal, and shares best practices for security, governance and mediation of enterprise services with applications in the Cloud.
Secure and Govern Integration between the Enterprise & the Cloud
1. Secure and Govern Integration between the Enterprise & the Cloud
A Best Buy Case Study
Thomas Kelly, Enterprise Architect, Best Buy
Tom Stickle, Lead Solution Architect, Amazon Web Services Partner Programs
Jaime Ryan, Partner Solutions Architect, Layer 7
November 17, 2011
2. Housekeeping
Questions
- Chat any questions you have and we’ll answer them at the end of this call
Twitter
- Today’s event hashtag: #L7webinar
- Follow us on Twitter as well: @BestBuy, @AWScloud, @layer7
Social links: facebook.com/layer7, layer7.com/linkedin, layer7.com/blogs
Layer 7 Confidential 2
4. Best Buy Open API
BBYOpen is at the heart of a cloud-based infrastructure
- Composed of a group of APIs dedicated to the externalization of partner data
- Primary focus
- Products, Categories, Reviews, Stores
Design Objectives
- Highly scalable infrastructure that is responsive to the variation in retail systems.
- Extensible service layer that abstracts service location, both cloud and internal
- Core repository with faceting selection based on requirements
- Full end-to-end analytics supporting trending, behavioral, and statistical analysis.
- Extensive caching for low latency response creation
- Fully secured, identity based access to services and resources
- Support for both single and multi-tenancy application development.
5. Cloud Scope
BBYOpen is designed for extremely high utilization
- All member applications are strictly decoupled
- Interfacing between systems strictly enforced
- All applications are logically stateless
- Client side pagination supported
- Intelligent caching supported
- All member applications are load balanced and support autoscaling
- Rolling spike redundancy built into the monitoring system
- There is no standardized data model
- Additionally, there is no standardized data source
- All communication in and out of the cloud is via intermediary gateways
- Internal data center services are locally virtualized
6. Architectural Challenges
Areas of particular concentration
- Building a private virtual infrastructure in the cloud
- Applying virtual security to a virtual environment
- Coordinating interacting autoscaling layers
- Scoping dependencies on internal services and data
- Solving the EAV dilemma
- Document caching vs. fast-changing data: avoiding the ‘brute cache rebuild’
- Implementing a high speed bypass to the internal networks
- Parallel service calls and just in time composition
- Automating analytics based ETL for data distribution and pre-caching
- Securing a multitude of different varieties of cloud communication
- Designing services/data for dual cloud/datacenter deployment
7. Technologies/Platforms Utilized
Amazon EC2
- Cloud infrastructure services
Gateway
- Layer7 SecureSpan Gateway
Document Composition
- TIBCO ActiveMatrix Service Grid and BusinessWorks
Caching
- Amazon ElastiCache, TIBCO ActiveSpaces
Data Storage
- Amazon Data Services, TIBCO ActiveSpaces
Data Migration/ETL
- SnapLogic Server
15. AWS Global Reach
AWS Regions
US East (Virginia)
US West (Oregon)
US West (N. California)
AWS GovCloud (US)
EU West (Ireland)
Asia Pacific (Singapore)
Asia Pacific (Tokyo)
AWS CloudFront Locations
- United States: Ashburn, Dallas, Jacksonville, Los Angeles, Miami, Newark, New York, Palo Alto, Seattle, St. Louis
- South America: Sao Paulo
- Europe: Amsterdam, Dublin, Frankfurt, London, Paris, Stockholm
- Asia: Hong Kong, Singapore, Tokyo
16. Designing Services at Scale
[Diagram: partner traffic (www.partner.com) reaches API instances through an Elastic Load Balancer with Auto-Scaling, giving dynamic, arbitrary scale; infrastructure labels: Redundant Transit Providers, Independent Power, Low Latency]
17. ISO 27001 Certification
[Diagram: continuous cycle of Implementing, Operating, Monitoring, Reviewing, Maintaining, Improving]
Commitment to info security at every level of AWS
Validated by a third-party audit
Implements ISO 27002 security controls
Includes all AWS Regions
18. SSAE 16 & ISAE 3402 Reports
Auditor to Auditor Communication of our controls
Based on our ISO 27002 controls
Covers EC2, S3, EBS and VPC
Audit conducted by an independent accounting firm on a recurring basis
19. PCI DSS 2.0 Level 1 Compliance
• The following AWS core infrastructure and services have been validated by an authorized independent QSA and are currently PCI DSS 2.0 compliant:
• Amazon Elastic Compute Cloud (EC2)
• Amazon Simple Storage Service (S3)
• Amazon Elastic Block Storage (EBS)
• Amazon Virtual Private Cloud (VPC)
• These are the core services for supporting the processing, storage and transmission of cardholder data
20. How does this relate to my certification?
• Customers manage their own PCI certification
• For the portion of the cardholder environment implemented on AWS, your QSA can rely on our validated service provider status.
• Your QSA can rely on our PCI compliance validation of our technology infrastructure
• You will be responsible for the compliance and testing efforts that aren’t related to the infrastructure
• If your QSA needs additional supporting information, they can reach out to us directly
[Diagram: Customer learns about AWS as a Service Provider; QSA contacts AWS for the AoC and clarification; QSA maps responsibilities of customer & AWS]
22. AWS Architecture Center
aws.amazon.com/architecture
White papers:
Cloud architectures
Building fault-tolerant applications
Web hosting best practices
Leveraging different storage options
AWS security best practices
23. Shared Responsibility Model
AWS
- Facilities
- Physical Security
- Logical Separation
- Network Threats
Customer
- Operating Systems
- Application
- Security Groups
- OS Firewalls
- Anti-Virus
- Account Management
25. Agenda
Common security and governance layer for cloud integration
- Application Security
- API Management
- Application Performance Optimization
- Application Mediation
Layer 7 architectural differentiators
26. Application Security
Single interface to reduce use of customer-specific VPNs
Standard protocols plus network security
Application-aware threat protection
Traffic inspection, filtering, and validation of requests
Secured mediation of external partner callouts
- Single Sign-on
- Request/response scanning
PCI DSS Compliance
27. API Management
Managing API keys and user identities
Authentication/authorization of users and keys
Throttling peaks in traffic
Routing to load-balanced auto-scaling application instances
Monitoring and reporting of API usage
31. Manage Gateways Globally Across Networks & Cloud
[Diagram: Development, Production (Enterprise) and Cloud environments, each with its own directory (dev01LDAP, prod01LDAP, cloud01LDAP)]
Multi Datacenter, Cloud Dashboard
- Enterprise-scale global management provides a single view of the health and performance of all gateways and associated services
Network Insulated Policy Migration
- Automated dependency validation when migrating policies between environments. Full rollback and approvals
API and Command Line
- Command line, API and dashboard controls for health and patch
DR & Backup Controls
- Easily manage backups and restores
32. Architecture Simplification
Remove VPNs
Minimize one-off application instances
On-box versioning, mediation, orchestration
Swiss Army Knife – fits multiple deployments/use cases
- Front door
- Partner API integration/SSO
- Secure tunnel between enterprise and the cloud
- Internal orchestration/mediation
33. Questions?
To learn more about Layer 7 solutions …
- Visit http://layer7.com
- Download whitepapers, datasheets, tutorials
- Contact us – info@layer7.com