The cloud holds enormous promise for improving agility, availability, and cost for app deployments. Amazon’s EC2 is especially attractive given the investments they have made in building out capacity around the world, allowing apps to be deployed where they are being used, minimizing latency. However, some enterprises are unsure about cloud deployments because of security concerns. In this post I will talk about how to enhance EC2 security to allow APIs to be deployed in the AWS cloud in a way that delivers enterprise-grade policy enforcement while fully realizing many of the cloud’s benefits. To learn more, join me on July 24th at 10:00a Pacific / 1:00p Eastern for a webinar with Amazon’s Ryan Holland.
Cloud App Deployment – Best Practices
As I noted in an earlier post, the Open Data Center Alliance has laid out some great ideas in constructing cloud-aware applications. One of their recommendations is to make the most of the cloud by decomposing apps into self-contained modules, which are implemented as RESTful APIs. These smaller building blocks are easier to replicate for resiliency and elasticity: additional performance and availability can be delivered when and where it is needed using the most economical instance types.
The ODCA also recommends implementing security at every layer. This is critical given the move to modular web services, as the increased number of web services greatly increases the application’s attack surface. Enterprises moving to the public cloud can no longer depend upon their trusted DMZ to shield these web services from attackers, so they must implement additional layers of security to compensate.
Beyond the ODCA recommendations, EC2 offers up an ideal platform for innovating with APIs. A prototype can be quickly built and deployed using a smaller instance type, minimizing cost while delivering basic functionality. Once the basic idea has been proven, production use can be supported by an appropriately-sized instance, scaling out as needed to meet demand. New functionality can be tested out in other instances, which can be created on demand. A dev sandbox can be created in minutes; the path to production can be arbitrarily deep but need not persist any longer than it is needed. This self-service, fungible compute model allows developers access to as much capacity as is needed at any given time while only paying for what is actually required. By elastically scaling the API management and security layer, seasonal demand spikes can be absorbed without upfront or ongoing capital investment.
Cloud Integration & API Mashups
Another benefit of EC2 hosting is the close proximity to SaaS APIs that can be used to implement the utility portions of an app. The API economy has resulted in incredible innovation, delivering functionality that is readily consumable by any developer and any app. By integrating with these APIs, a new app (or API) can be developed more quickly, as the developers can focus only on new functionality. Or in the emerging Backend as a Service (BaaS) model generic mobile services such as location, user management, or other services that can be “mashed up” at runtime with custom enterprise apis. A Cloud hosted API management and security layer can assemble this level of sophistication at a much lower cost and faster time to market than custom coding. Scale is the key.
For some enterprises, however, the benefits of SaaS integration can come with a tradeoff in terms of enterprise integration. When deploying to EC2, security mechanisms such as identity management and access controls may not be consistent with those deployed in the enterprise. Cloud apps using social identity require integration with the corporate back end to ensure that entitlements are enforced correctly. Other policies related to perimeter defense may also be difficult to replicate in the public cloud, owing to differences between corporate standards and EC2 security offerings.
The Facade Proxy
As Craig Burton described in his blog a few months ago, the facade proxy pattern can be used to integrate and secure back-end APIs. This is particularly effective in the public cloud, as it greatly reduces the attack surface by routing API traffic through a cluster of specialized gateways. As Burton’s blog illustrates, the facade proxy pattern also facilitates mashups and other integrations across APIs.
Deploying a facade layer in the cloud allows the enterprise to avoid round trips back to their own data center, improving performance. It also simplifies network configuration, and allows for elastic scaling of this key portion of the API management layer.
An EC2 Security Appliance (and more)
Intel® Expressway API Manager (EAM) is the first self-service, Enterprise class API management product available in the AWS marketplace. It can be used to integrate, mash up, and secure enterprise APIs as a bridge between internal islands of enterprise data and the new world of ubiquitous mobile connectivity.
Robust security policies including XSS and SQL injection prevention can neutralize external threats before they reach the underlying framework hosting the API. This means that enterprises can evaluate their gateway policy and tune it as necessary rather than rushing through a quick-turn QA cycle to validate that a new dot release of Rails, node.js, PHP, etc didn’t break their app. New framework releases can then be rolled in with the next code release, improving overall quality and reliability.
EAM also integrates with enterprise identity providers such as Active Directory or LDAP, and can provide a mapping to OAuth, API keys, or other mobile-friendly mechanisms.
Summary
Available now through Amazon’s AWS Marketplace, Expressway API Manager can simplify public cloud deployments and augment the standard EC2 security controls for APIs. To learn more, check out my webinar with Ryan Holland of Amazon Web Services – July 24th at 10:00a Pacific / 1:00p Eastern.
The post EC2 Security: Bridging Enterprise Cloud Apps to the Mobile Mainland appeared first on Application Security.