Securing and Governing Cloud Services
A Savvis Case Study
Bill Forsyth
VP Eng.
Savvis Proprietary & Confidential 2
Savvis
Global leader in cloud infrastructure and hosted IT solutions for enterprises
Key Metrics
– Nearly 2,500 unique business and government clients, including more than 30 of the top 100 companies in the Fortune 500
– More than 2,200 employees with deep expertise in technical operations, customer support, engineering and consulting
– $933 million in revenue in 2010
Services
– Cloud – one of the industry’s broadest lines of enterprise-class cloud services
– Colocation, Managed Hosting and Utility Compute – facilities and operations; compute, storage and network
– Network – converged applications; community of interest networks; private lines; Internet
– Security – managed security services and consulting
– Industry Solutions – financial, government and Software-as-a-Service (SaaS)
– Professional Services – infrastructure, security, business continuity, compliance and program management
Savvis Symphony Family
Savvis Symphony Dedicated: Hosted Private Cloud solution (dedicated, virtual infrastructure)
Savvis Symphony Open: Flexible Multi-Tenant Cloud solution (multi-tenant virtual infrastructure)
Savvis Symphony VPDC: Virtual Private Data Center solution (complete virtual private data centers)
Customer Requirements
Enterprise customers want the flexibility and cost benefits of multi-tenant public clouds, delivered in a private, secure fashion
APIs expose/control the VPDC (compute, storage, network, and security policy)
APIs may be private or public
For public APIs
– Bad actors
– Accidental misuse
Compliance
– FISMA
– PCI
Cloud Definition
(Diagram: cloud definition model showing Essential Characteristics, Service Models and Deployment Models)
Layer7 Detail
VPDC System Boundaries
(Diagram: VPDC system boundaries; the components below are recovered from the figure)
Cloud Site
– Cloud Services Firewall (IN) / Cloud Services Firewall (OUT)
– Multitenant Virtual Data Center (VDC): Compute PODs (six shown), Virtual Services POD, Network Services POD, Storage Services POD
– Management Services POD: Virtualization Manager, AD/LDAP, DNS, Security Manager, Storage Manager, Network Manager, Back-up Manager, Multi-Use Server
Management Network
– Provisioning Systems
Back Office Network
– Orchestration, CMDB
DMZ Network
– Middleware/Business Services, Corporate Firewall, Management Bastion Servers
Services POD
– AD/LDAP, DNS, NTP, Logging, Ticketing, Event Management, Portal, WAF, VPDC API, Layer7
Securing the Cloud (out of box)
Require SSL
Audit calls
IDS
DDoS protection
Provide security penetration protection
– Code injection
– Malformed requests
– SQL attacks
– Limit request message size
– Check for XML, and reject DOCTYPE (prevents external XML entity/element definitions)
– Protect against abusive XML document structure (limit depth of XML tree)
– Automatic retry on target service
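The three XML-specific controls above (message size limit, DOCTYPE rejection, tree depth limit) can be checked before a request ever reaches the target service. The following is an added example written for this page, not code from the deck, from Savvis or from the Layer 7 product; the limits MAX_BODY_BYTES and MAX_XML_DEPTH and the sample bodies are constructed assumptions. It runs the checks in cost order, with the size check before any parsing and a streaming parse that stops at the first DOCTYPE or over-deep element:

```python
import xml.parsers.expat

# Hypothetical limits; a real gateway policy would tune these per API.
MAX_BODY_BYTES = 64 * 1024
MAX_XML_DEPTH = 32


class RejectRequest(Exception):
    """Raised from inside the parser callbacks to stop parsing early."""


def check_xml_request(body: bytes, max_bytes: int = MAX_BODY_BYTES,
                      max_depth: int = MAX_XML_DEPTH):
    """Return (accepted, reason) for an inbound XML request body.

    Size is checked first (no parsing needed). The streaming parse then
    rejects any DOCTYPE and any element nested deeper than max_depth.
    Refusing DOCTYPE also closes off entity expansion and external entity
    definitions, since both require a DTD.
    """
    if len(body) > max_bytes:
        return False, "request body exceeds size limit"

    parser = xml.parsers.expat.ParserCreate()
    depth = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise RejectRequest("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise RejectRequest("XML nesting exceeds depth limit")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    try:
        parser.Parse(body, True)   # True: this is the final (only) chunk
    except RejectRequest as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    samples = {
        "plain": b"<vm><name>web01</name></vm>",
        "doctype": b'<!DOCTYPE vm SYSTEM "vm.dtd"><vm/>',
        "deep": b"<a>" * 40 + b"</a>" * 40,
        "malformed": b"<vm><name>web01</vm>",
    }
    for label, body in samples.items():
        print(label, check_xml_request(body))
```

The parse is streaming, so an over-deep or DOCTYPE-bearing document is rejected as soon as the offending construct is seen rather than after the whole body has been loaded into a tree; the returned reason strings are what the gateway would log for the audit trail.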
Securing the Cloud (configured)
Authentication and Authorization
Credential Caching and Expiration
IP restrictions (whitelisting)
Provide rate limiting
Provide API Service Level Monitoring
– Target service timeout alert to support
– Monitoring overall health
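The configured controls above interact: the IP whitelist is the cheapest check and should run first, credential validation is cached with an expiry so the identity provider is not hit on every call, and rate limiting is keyed per authenticated client. The following is an added example written for this page, not code from the deck, from Savvis or from the Layer 7 product; the token-bucket parameters, the 10.0.0.0/8 whitelist, the credential "key-abc" and the identity-provider stand-in are constructed assumptions. The clock is passed in explicitly so the expiry and refill behaviour can be checked deterministically:

```python
import ipaddress
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional, Tuple


class TokenBucket:
    """Per-client token bucket: `rate` tokens/second, at most `burst` stored."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def take(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class GatewayPolicy:
    """Check order: IP whitelist (cheapest), then credential validation
    (cached with a TTL), then per-client rate limiting."""

    def __init__(self, validate: Callable[[str], Optional[str]],
                 allowed_cidrs: Iterable[str], rate: float, burst: int,
                 credential_ttl: float):
        self.validate = validate                      # identity-provider callback
        self.allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.credential_ttl = credential_ttl
        self._cache: Dict[str, Tuple[str, float]] = {}   # credential -> (client, expires_at)
        self._buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def authenticate(self, credential: str, now: float) -> Optional[str]:
        hit = self._cache.get(credential)
        if hit is not None and hit[1] > now:
            return hit[0]                             # cached and not yet expired
        client = self.validate(credential)            # cache miss or expired: ask the IdP
        if client is not None:
            self._cache[credential] = (client, now + self.credential_ttl)
        else:
            self._cache.pop(credential, None)         # never cache a failure
        return client

    def check(self, src_ip: str, credential: str, now: float) -> Tuple[bool, str]:
        if not any(ipaddress.ip_address(src_ip) in net for net in self.allowed):
            return False, "source IP not whitelisted"
        client = self.authenticate(credential, now)
        if client is None:
            return False, "authentication failed"
        if not self._buckets[client].take(now):
            return False, "rate limit exceeded"
        return True, client


def make_validator():
    """Constructed stand-in for the identity provider; counts how often it is asked."""
    keys = {"key-abc": "tenant-a"}          # constructed credential -> client mapping
    calls = {"n": 0}

    def validate(credential: str) -> Optional[str]:
        calls["n"] += 1
        return keys.get(credential)

    return validate, calls


if __name__ == "__main__":
    validate, calls = make_validator()
    policy = GatewayPolicy(validate, ["10.0.0.0/8"], rate=1.0, burst=3, credential_ttl=60.0)
    for t, ip, cred in [(0.0, "192.168.1.5", "key-abc"), (0.0, "10.1.2.3", "bad-key"),
                        (1.0, "10.1.2.3", "key-abc"), (1.1, "10.1.2.3", "key-abc"),
                        (1.2, "10.1.2.3", "key-abc"), (1.3, "10.1.2.3", "key-abc"),
                        (2.5, "10.1.2.3", "key-abc"), (100.0, "10.1.2.3", "key-abc")]:
        print(t, policy.check(ip, cred, t), "idp calls:", calls["n"])
```

Two design points worth noting: a failed validation is never cached, so a revoked credential cannot be served from a stale negative entry, and a successful one is cached only for the configured TTL, after which the identity provider is consulted again; the rate limit is keyed on the authenticated client rather than the source IP, so a tenant calling from several addresses still shares one quota.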
Governing API Sets
(Diagram: Layer 7 SOA Governance gateway at api.savvis.net fronting the VPDC, Portal, OSS and Storage services; policy groups recovered from the figure)
Policy: Throttling, Monitoring
Reporting: Usage, Billing
Security: Authentication, Authorization
Governance
Isolation of API types and dependencies
Reduce number of interface types
Protocol translation
Centralization of control
Reporting (availability, billing, etc.)
Policy (hierarchy, push, promotion, rollback)
Delegation of administration and offloading of developers (security, auditing, throttling, etc.)
Perform HREF URL manipulation (replace target service URI with proxy/internal URI, e.g. replace api.symphonyvpdc.savvis.net with api.savvis.net)
Route based on URL, IP, content, etc.
External Integration
– Logging
– OSS Event Management (faults, SLA violations, etc.)
– CMDB (entitlements, logical representations, meta-data, etc.)
Flexible deployment (physical device, appliance, multi-site, multi-environment, clustered)
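Two of the governance functions above, HREF rewriting and routing on URL/IP/content, are shown together in the following added example, which is written for this page and is not code from the deck, from Savvis or from the Layer 7 product. The two hostnames are the ones the slide names; the backend names, the route table, the management network 10.250.0.0/16 and the sample response body are constructed assumptions. The rewrite touches only the host component of href attributes that point at the internal service, so any other host that happens to appear in a response is left untouched:

```python
import ipaddress
import re
from typing import Optional

# Hosts named on the slide: internal target service vs. the public proxy.
INTERNAL_HOST = "api.symphonyvpdc.savvis.net"
PUBLIC_HOST = "api.savvis.net"

# Hypothetical backend names and management network; not from the deck.
MGMT_NET = ipaddress.ip_network("10.250.0.0/16")
ROUTES = [
    ("/vpdc/", "vpdc-backend"),
    ("/portal/", "portal-backend"),
    ("/storage/", "storage-backend"),
]

# href="<scheme>://<host><rest>"  -> groups 1..5
_HREF = re.compile(r'(href=")(https?://)([^/"]+)([^"]*)(")')


def rewrite_hrefs(body: str, internal: str = INTERNAL_HOST,
                  public: str = PUBLIC_HOST) -> str:
    """Replace the host of hrefs that point at the internal target service
    with the proxy's public host; scheme, path and query are preserved and
    hrefs to any other host are returned unchanged."""
    def swap(m: re.Match) -> str:
        host = m.group(3)
        if host.lower() == internal:
            host = public
        return f"{m.group(1)}{m.group(2)}{host}{m.group(4)}{m.group(5)}"
    return _HREF.sub(swap, body)


def select_backend(path: str, src_ip: str, content_type: str) -> Optional[str]:
    """Route on source IP first, then URL prefix, then content type.
    Returns None when nothing matches; the gateway should answer that with
    a 404 rather than falling through to a default backend."""
    if ipaddress.ip_address(src_ip) in MGMT_NET:
        return "oss-backend"                          # internal management traffic
    for prefix, backend in ROUTES:
        if path.startswith(prefix):
            if "json" in content_type.lower():
                return backend + "-json-adapter"      # protocol-translation tier
            return backend
    return None


if __name__ == "__main__":
    # Constructed response body, not captured traffic.
    sample = ('<vm href="https://api.symphonyvpdc.savvis.net/vpdc/vm/42"/>'
              '<ref href="https://other.example.net/x"/>')
    print(rewrite_hrefs(sample))
    print(select_backend("/vpdc/vm/42", "203.0.113.5", "application/xml"))
    print(select_backend("/vpdc/vm/42", "203.0.113.5", "application/json"))
    print(select_backend("/vpdc/vm/42", "10.250.3.9", "application/xml"))
    print(select_backend("/admin/", "203.0.113.5", "application/xml"))
```

The explicit None for an unmatched path is the part to keep: a gateway that centralizes control should fail closed on routes it has not been told about, otherwise an internal service becomes reachable simply by guessing a prefix.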
Business Enablers
Resellers
Billing
SLA
Tiered Usage
Partners
API extensions
VPDC Service Levels
Billing Use Case
PaaS / Composite Operation Example
(Diagram: a single PaaS call to /PaaSFunction1 enters Layer7, which fans it out to the VPDC operations /VPDC_CreateVM, /VPDC_ProcessData and /VPDC_DestroyVM)
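The composite above chains three VPDC operations behind one PaaS entry point, and the failure mode that matters is a processing error between create and destroy. The following is an added example written for this page, not code from the deck, from Savvis or from the Layer 7 product; the VpdcBackend class is a constructed stand-in for the three VPDC operations (it records calls so the behaviour can be checked), and the VM spec and payload are constructed. The destroy step sits in a finally block so a failed /VPDC_ProcessData never leaves a VM running in the tenant's VPDC:

```python
from typing import Dict, List


class VpdcBackend:
    """Constructed stand-in for the VPDC API behind the gateway. Records
    every operation called and which VMs are still alive."""

    def __init__(self, fail_processing: bool = False):
        self.calls: List[str] = []
        self.live_vms = set()
        self.fail_processing = fail_processing
        self._next_id = 1

    def create_vm(self, spec: Dict) -> str:
        self.calls.append("/VPDC_CreateVM")
        vm_id = f"vm-{self._next_id}"
        self._next_id += 1
        self.live_vms.add(vm_id)
        return vm_id

    def process_data(self, vm_id: str, data: bytes) -> int:
        self.calls.append("/VPDC_ProcessData")
        if self.fail_processing:
            raise RuntimeError("processing failed on " + vm_id)
        return len(data)

    def destroy_vm(self, vm_id: str) -> None:
        self.calls.append("/VPDC_DestroyVM")
        self.live_vms.discard(vm_id)


def paas_function1(backend: VpdcBackend, data: bytes) -> Dict:
    """Composite /PaaSFunction1: create a VM, process the data on it, destroy
    the VM. Destroy runs in `finally`, so it happens on both the success and
    the error path; the caller gets a structured result either way."""
    vm_id = backend.create_vm({"cpu": 2, "mem_gb": 4})   # constructed spec
    try:
        processed = backend.process_data(vm_id, data)
        return {"status": "ok", "vm": vm_id, "bytes": processed}
    except RuntimeError as exc:
        return {"status": "error", "vm": vm_id, "error": str(exc)}
    finally:
        backend.destroy_vm(vm_id)


if __name__ == "__main__":
    for fail in (False, True):
        backend = VpdcBackend(fail_processing=fail)
        print(paas_function1(backend, b"constructed payload"))
        print("calls:", backend.calls, "live VMs:", backend.live_vms)
```

If the gateway composes the operations itself rather than in application code, the same rule applies to the policy: the destroy branch has to be reachable from the error path, not only from the happy path, or failed composite calls accumulate orphaned VMs that still count against the tenant's usage and billing.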
developer.savvis.net
Phase 1
– Site with discussion forums or e-mail alias support
– Webinar for partners and customers
– Invited developer accounts with restrictions
– Examples
– Usage reporting
Phase 2
– Enhance site
– Sandbox
– Webinars
– More examples
– Voting on requirements/ideas
– Monetization (tiered usage, partner certification)
– Developer marketing
Phase 3
– Ongoing improvements based on demand and feedback
Thank You