Meet the Cloud API The New Enterprise Control Point

Transcription

1 Meet the Cloud API The New Enterprise Control Point Presented by: Katrina Kehlet Intel Application Security and Identity Products 1

2 Agenda Why Intel & McAfee- Security Connected Cloud Promise & Threat Environment Why APIs are Central to Control for Cloud Cloud API Fundamentals Cloud API Deployment Models Intel & McAfee Solutions 2

3 Intel & McAfee: Security Connected Extended Enterprise Security Continuum Devices & Infrastructure Security Layers Cross Hardware & Software Cloud APIs App Services Data OS/VM Chip/CPU On-Prem to Cloud Private, Public, Hybrid SaaS, PaaS, IaaS Unique insight into hardware, client, server platform security Driving Innovation through Ecosystem Security Connected! Endpoint, DLP, Threat, App Identity Security Network Edge & SaaS Delivery Security is no longer a siloed discipline for the Extended Enterprise. Security & Identity establish trust across the continuum 3

4 Creating an Explosion of Internet Growth Today 2015 More Users Only 25% of the world is Internet connected today 1 New technologies will connect over 1 billion additional users to the cloud 2 More Devices ~80% of Internet connected devices are computers & phones 3 Cars, TVs, households, etc. to increase connected devices 2.5x to >10 billion globally 3 More Content 2.5B photos on Facebook 4 30B videos viewed/mos 5 Google indexes >1T pages 6 8X network, 16X storage & 20x compute capacity needed 7 Exponential growth driving need for a Billion Virtual Server Cloud 7 4

5 Cloud Models & Players 5

6 The Promise of the Cloud-Scale out on Demand 6

7 The Power of Cloud Computing Business agility Cost efficiencies Enhanced innovation Improved IT services However, security remains the roadblock Data loss Authentication, Authorization and Audit Information governance Data control 7

8 Big Impact, Big Challenge, Big Opportunity Q: How concerned are you about each of the following potential security threats to your IT environment? (1=not at all concerned, 7= very concerned)1 Q: On average, how many virus or malware attacks are you thwarting each month? Identity Theft: $37 billion, 8.1 Million US Adults affected (2010) 2010 Identity Fraud Survey Report, Javelin Research Group Feb, , 2 Source: Intel Primary Research, August 2011 Q: On average, how many virus or malware attacks are you thwarting each month?2 2010: $7.24M ($213 per record) Ponemon Institute Annual Study: Cost of a Data Breach. March 2011 Average Organizational Cost of a Data Breach in Intel Confidential 8

9 Key Trends Affecting Security Malware Explosion Threat Sophistication Targeted Attacks Exponential Growth In Connected Devices Multiple Access Points Manageability Q3/Q4-2009: million samples Q1/Q2-2010: million samples Q3/Q4-2010: million samples Q1/Q2-2011: million samples Source: McAfee Malware Database July 2011 Cloud = Changing Perimeters SLAs New Security Models Compliance Concerns 9

10 Goal? Build the Secure,Connected Chain to the Cloud WHO WHAT WHERE Text here Users and Devices Text here Data and Apps Private Hybrid Public Tied to Asserted/ Federated Cloud Traffic Channels Digital Identities On-Behalf of Enterprise Web Authentication How? The Cloud API 10

11 Cloud API Growth Exploding Top 5 API Types 1. Social 2. Internet 3. Mapping 4. Search 5. Mobile 1/3 of Enterprise Traffic Today is API based 11

12 Cloud Application & API Security Adoption Cloud Security Hype Cycle 2011 App Security as a Service Private Cloud Computing Cloud Security Gateways Cloud Service Brokerage OAuth Security & Risk Standards Tokenization Security as a Service Secure Web Gateways Phone based AuthN Federated Id Mgt /Encryption Technology Trigger Peak of Inflated Expectations Trough of Disillusionment Slope of Enlightenment Plateau of Productivity Time 12

13 Evolution to the Cloud API Control Change: SOA > Services > APIs 13

14 Primary Challenges to Exposing Applications & APIs in the Cloud One-off API Mgt V1 API Gateway V2 Proxy Single App Service V3 Custom Developed Security custom code var JS_KeepTrying = "Keep Trying"; var JS_TryAgain = "Try Again"; var js_0001 = "Please select at least one vendor from the list."; var js_0002 = "Please choose dates in the future."; var js_0003 = "Please choose a checkout date that is at least one day later than your check-in date."; Var var IS_DDPU_ js_0004 = "Please choose dates that ENABLED are less than = 330 false days away."; var js_0005 = "Searching for deals... this may take Security a few moments"; var js_0006 = "Your selections have Hole not changed."; var js_0010 = "Please click again to open each window or adjust browser settin "Update"; var js_0012 = "Show next offer"; var COTs Standards WS* WS-Trust WSDL OAuth Encryption etc Standards based XML Security??? What function call? Complexity Abstraction Point To Shield Dev App Retooling for APIs Fast Changing Cloud APIs Costs at Scale Don t use API Broker to Interface to 3 rd Party Cloud APIs Can t Migrate to Cloud Changes Versioning, Governance, Lifecycle Mgt Short Relationships Immature Provider APIs Repeatable Model Packaged Integration Governance Security API Monetization & Service Brokers Offset costs with way to make $? 14

15 How Cloud Changes the Security Deployment Model to Focus on APIs Traditional Web App Security Model Web IPS WAF IPS Ent Apps Data Store IaaS Cloud Security Model Enterprise Apps must be re-tooled to work with 3 rd Party Provider APIs SAN 15

16 Cloud API Essentials Abstraction General programming interface accessible over HTTP Implementation (REST, SOAP, JSON) not important it s how to scale, secure, manage, audit Keep security & management close to API but abstracted to achieve scale New I/O to interact with: smart phones, apps, browsers, middleware, legacy Encapsulate functions & shield from back end complexity 16

17 Enterprise vs Social APIs Enterprise class security, policy lifecycle management Re-useable by large # of developers Discovery, key & service management Mediation-protocol & token translation Scale high performance across global data centers. Basic security typically REST Speed to implement is priority Monetization & scaling not a priority Publishing focused Enterprise Social Today s API Management Must Bridge Both Concerns 17

18 From SOA Service Governance to API Management Focus on Service Lifecycle Management to Share in One Domain Focus on Policy Lifecycle Management for API to Share Across Many Clouds Enterprise SOA Design Test Business Service Repository Service Retire Production Pre- Production Policy API Service Tracking Versioning, usage, metering, performance Promote APIs- dev, test, prod Storage, meta data, discovery Approval, rollback, upgrade, source control Endpoint update API Consumption Policies Tracks how accessed, changed, tracked, translation Based on identity Transaction context & partner capabilities SLA or subscription agreements sfidentity Is Glue to Establish Cloud Trust Cloud API Governance manages terms for 3 rd party consumption 18

19 Costs Manual API Mgt Driving Cost Increases Avg 10 Today V.1 V.2 Exploding Costs Support Multi-Channel Traffic Dynamically Changing Providers Cloud Provider APIs Immature = Frequent Changes Versioning # of APIs Must have an API monetization strategy to offset costs Must have a way to Auto Manage APIs for scale 19

20 APIs are Strategic Control Points for Cloud Core Apps CRM Workflow Doc Mgt IAM ERP/Mainframe API Broker API Broker API Management Control Performance Management Integration & Service Lifecycle Management Enforce Access & ID Token Translation Threat Protection - DoS, Content Threats Visibility, Auditing, Usage Apps SaaS CRM Partner B2B Social Mashups Xxx takeaway 20

21 What can an Enterprise Control Across Cloud Models with an API? Cloud Provider Enterprise Software as a Service (SaaS) Total Control Application Middleware Operating System Hardware e.g.,.net Identity AuthN, SSO, Metering Platform as a Service (PaaS) Admin Control Total Control Application Middleware Operating System Hardware API Control: Data, Threat Protection, Mediation to on-prem SOA Infrastructure as a Service (IaaS) Admin Control Total Control Application Middleware Operating System Hypervisor Hardware Total API Control Throttle Requests Lower Software down Available the stack Today the provider can Enable stops, IT the more security or the Cloud enterprise Providers is responsible to be a for CSB implementing 21

22 Rise of Cloud Service Broker - Widely Recognized as Key Capability For Cloud Security Privacy NIST - USG Cloud Computing Reference Architecture Cloud Consumer Cloud Auditor Security Audit Privacy Impact Audit Service Layer IaaS PaaS SaaS Resource Abstraction and Control Layer Physical Resource Layer Hardware Cloud Provider Cloud Service Management Business Support Provisioning/ Configuration Portability/ Interoperability Cloud Broker Service Intermediation Service Aggregation Service Arbitrage Performance Audit Facility By 2015, at least 20% of all cloud services will be intermediated via CSBs Daryl Plummer, Managing VP, Gartner Fellow 22

23 Capabilities Available Today Using Gateway Cloud Service Broker Appliance Software CSB On Prem CSB 3 rd party Intermediary Value added processing Packaged API Level Policies Security, Governance, Integration Solves Complexity, Overhead Identity as a Service Security as a Service Trust as a Service IT Departments Can Run On-prem 23

24 New Primary Usage Models for CSBs & API Control Enterprise Middleware Gateway Gateway Gateway Gateway Enterprise Enterprise (Partner) Enterprise Edge Security B2B & mobile to partners Provider Customer or Developers Cloud Provider API Security AuthN, mediation, & QOS packaged services Provider Enterprise Hybrid Cloud-Data & Control Gateway Security to platform provider e.g. storage Security for VM spin up EC2 Provider Enterprise (Partner) Hybrid Cloud-Hosted Edge Security Secure enterprise services on cloud 24

25 Adoption phases IT Tips to Move to API Centric World Retrofit Apps to Leverage API Broker Model as they are moved to cloud Retrofit Ungoverned Apps Service Proxy Targeted Runtime Governance Time 25 25

26 Adoption phases IT Tips to Move to API Centric World Target SaaS. Widespread Adoption Will Drive Immediate ROI Broker IDs for Delegated API Level Auth STS Token Translation, OAuth, SAML, Open ID SaaS Gateway Retrofit Apps Targeted Runtime Governance Time 26 10/17/

27 Adoption phases IT Tips to Move to API Centric World SOA is not Dead - Evolve Services & Governance from Siloed Internal Domains to Cloud Enable the Hybrid Cloud Model by deploying Gateway on Prem Hybrid Mediation SaaS Gateway Retrofit Apps Targeted Runtime Governance Policy Driven SOA Time 27 10/13/

28 Adoption phases IT Tips to Move to API Centric World Leverage Your On-prem Gateway to Interact with 3 rd Party CSBs as they Emerge Cloud Service Brokerages Hybrid Mediation SaaS Gateway Retrofit Apps Targeted Runtime Governance Time 28

29 McAfee Cloud Security Platform Build the Identity Driven Cloud Across Cloud Traffic Channels Unify App APIs, Collaboration, and Policy With Intel & McAfee Modules 2 29

30 Service Gateway FIPS Level 3 Crypto Common Criteria EAL4+ DoD STIG Ready & PKI Certified HSM PKI key storage Cavium crypto acceleration Form factors: software, virtual, and tamper resistant Protocol Agnostic Performance No Programming Flexible CODING REST.,SOAP XML, Non-XML HTTP, FTP, TCP 2x hard appliances Tie-in to chip roadmap Efficient XML parsing at machine level Simple visual environment Routing Transform Validation Service Call-outs Firewall rules 30

31 Your Path to Monetizing APIs and Apps in the Cloud API API Management API Throttling, metering, rate limits Data encryption, tokenization, translation PCI compliant APIs Id token translation and authn Policy lifecycle governance & enforcement Alerts API Management Value Governance Value Chargeback on usage or throughput SLA wait time violations by partner Correlate to web purchases, traffic, dev registrations Restrict search API queries Geo restriction & visibility- by partner Track most active services Enforce SLAs for middleware Partner reports-usage, problems accessing service 31

32 Complete API Security & Visibility - Tied to McAfee Platform Products McAfee epo Integrate API monitoring to central console McAfee Web Gateway Leverages anti virus and web filtering McAfee Data Loss Prevention Provides data leak protection for APIs McAfee Global Threat Intelligence Provides URL and connection reputation 32

33 More Info Free Gartner Report on Cloud Service Brokerage 5 Core API Use Cases Video Cloud API Resource Page More Info 33