8/2/2019 Leading Global Publisher - API Orchestration

1/2

This leading global publisher of science and health information provides their

customers and partners with access to scientific publications, medical journals, legal

libraries, newspaper and magazine archives, as well as risk and business information

all presented as independent, subscription-based services.

Core markets include the medical profession, where reference materials, clinical

decision support and professional education are key, but also academia with its huge

appetite for information and need for efficient research. In fact, its growth in scientific

R&D and healthcare that are driving demand for an integrated experience across

whats being researched; whats under development; and whats being practiced. And

with more and more of these third parties wanting to embed the Publishers content

and solutions into their own workflows, there is an opportunity to create new revenue

streams by exposing information services publicly to partners and customers.

API Publication Challenges

But making their application and service APIs available online raised a number of red flags, not only for the

Publishers security officers, but also for their IT group who would bear the brunt of repackaging internal APIs for

third-party consumption. Remapping, recomposing or even reprogramming APIs wholesale in order to create

personalized subsets or filtered views of APIs for each class of customer or partner and then maintaining and

updating them over time can quickly become unmanageable. Additionally, moving APIs between environments

or deploying new versions of APIs can expose hidden dependency issues or break existing integrations, causing

downtime or even SLA violations.

When it came to security, granting direct access to information services that are responsible for a large portion of

their revenues made the Publishers security group nervous. They recognized that with the growing threat of cyberattacks their existing network firewalls were just not good enough. While firewalls can provide protection from

standard, Web-based attacks, they lack the ability to inspect XML-based messages and check for XML-specific

threats. And when APIs get called in combination or sequentially, message integrity and privacy concerns arise.

Conventional network-based VPNs using SSL or IPSec cant provide a message level audit trail or support non-

repudiation across a service transaction.

Enter Layer 7 CloudSpan

While the Publisher examined many different solutions, they settled on Layer 7 CloudSpan CloudControl because it

provided the closest fit to their business requirements in a single product. Previously, customers had to submit

multiple queries to multiple information services and manually aggregate the results. CloudSpans flexible and

extensible policy engine not only allowed the Publisher to create their business logic in policy (rather than code)

simplifying and speeding time to implementation, but also allowed for orchestration and aggregation across

multiple information services, providing customers with rich results from a single query.

Additionally, because CloudSpan features true clustering capabilities, the Publisher was able to implement cluster-

wide rate limiting, allowing them to meter service usage in order to block access to a service if the customers

contractual quota was exceeded. Because the clustered devices maintain and update a shared counter, metering is

always accurate. This capability also allows CloudSpan to provide effective protection against replay attacks.

Leading Global PublisherSecuring, Managing and Orchestrating APIs with CloudSpan

By the Numbers

100,000s of authors

100,000s of reviewers

10,000s of editorial board

members

1,000s of employees

1,000s of journal editors

8/2/2019 Leading Global Publisher - API Orchestration

2/2

Leading Global Publisher Case Study

Copyright 2011 Layer 7 Technologi

trademarks of Layer 7 Technologies I

Finally, CloudSpans ability to translate

back-end information services meant t

Apps/Gadgets) to access information.

The Solution

CloudControl is deployed in the Publis

Publishers services. When a customer

intercepts the incoming query, and call

the user. At this point, CloudControl n

quotas, but is also able to enforce fine-

information services (or individual serv

able to create personalized API views f

Customers can submit sophisticated q

aggregating results. Partners can rema

them to create new service offerings t

integrated into their existing workflow

billing information, validate SLA confor

The Results

Academics are voracious consumers of

them, the Publishers CloudSpan-base

Other customers and partners now hasubscriptions directly within their own

a result, customer satisfaction and ret

For the Publisher, creating and managi

deployment and simplified maintenan

comparable, multi-product solutions.

ies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies de

nc. All other trademarks and copyrights are the property of their respe

between incoming REST-based queries and the Publishe

hat customers and partners could use their preferred cli

ers DMZ, protecting and providing access to virtualized

or partner attempts to gain access to their subscription(

ls out to the Publishers internal access control system in

t only checks to ensure the user has not exceeded their

grained authentication in order to grant the user access

ice operations) they are allowed to access. In this way, t

or each user.

eries that can be orchestrated across multiple services,

p and recompose APIs across the range of information s

at not only better address their requirements, but can a

s. Finally, usage is tracked and metered, allowing the Pu

mance and check usage for capacity planning.

information, limited only by the constraints of their R&

solution was a godsend, providing richer, more comple

e the capabilities they require to better integrate their iorganizations processes, streamlining research and imp

ntion rates are expected to improve.

ng their business logic in policy rather than code resulte

e, all of which has resulted in a lower total cost of owne

sign mark are

ctive owners. 2

rs SOAP-based

nt (Google

instances of the

s), CloudControl

order to authorize

contractual usage

only to those

e Publisher was

automatically

rvices, allowing

lso be more easily

lisher to extract

budgets. For

e results faster.

nformation serviceroving efficiency. As

in faster

rship than