Managing Sensitive Information in an API and Microservices World. A presentation by Peter Miron (Apcera) and Joshua Norrid (Apigee) at Apigee's Adapt or Die, San Francisco 2016. See events.apigee.com
We like all of the companies here today; we’d hate to see any of you die before next year’s conference.
Joshua to elaborate on slide.
Pete: Apcera provides deployment and orchestration functionality, services management and nano-segmentation for any application on any infrastructure.
Joshua:
“We typically use the Digital Value Chain to get out of the Integration Center of Excellence.”
Main Points:
The path to extending to the Digital World is along the Mobile Value Chain.
Script:
The path to extending to the Digital World is along the Mobile Value Chain.
This mobile value chain is analogous to a physical value chain.
The API Team is like an internal “Partner Team” working with distributors and resellers of an enterprise.
They manage which products, in this case API Products, will be available to which partners, based on what type of financial model.
Their job is also to sign on and enable partners, to keep them engaged, and to periodically do financial analysis of the relationship.
The API team has to understand the partners’ business well enough to know what other tools/products their partners may need.
This is also true in the digital world.
For an app to be engaging, it’s not always sufficient for existing backend services to be exposed.
Sometimes new services, such as geolocation or the social connections of the app user, need to be applied.
In the digital world, the developers are your distributors and resellers.
They build your storefronts or your digital presence in the form of apps.
The app developer represents a brand new channel that enables expanding reach and revenue.
The better the developer’s product, the app, the more likely the engagement with your users is to succeed.
To understand what is required to optimize your Mobile Value Chain, let’s dissect it:
API Layer which connects existing or new backend services to apps as enterprise APIs (represented by the red icons)
Developer Layer which connects the API team to developers and partners (represented by the gray people graphics)
Data Layer which connects the value chain end to end enabling two way flow of critical business data (two way red arrow that runs through the value chain)
Transition to Pete:
You all know the great things Apigee enables for your development and IT teams to manage external developers, measure their experience and secure your APIs.
Apcera’s Trusted Container Management Platform enables you to extend that trust, policy and management into your Data Center, giving a full view of the chain of custody for your systems and each individual request.
Pete: Here is some more detail on those features.
Whether you’re in healthcare, finance, telecom, or any other major industry, you have critical customer and business data that you need to share with 3rd parties. But you don’t want that data in the hands of anyone else.
Therefore, you want to explicitly define who can receive what data and ensure that only the right people receive the right data.
Here’s an example of how you can trace your chain of custody through Apigee and Apcera.
This is your customers’ critical data. This happens to be telco call detail records, but imagine it’s a high net worth client’s trade data, or in healthcare it’s a Patient Record … or maybe 500 million patient records.
Someone printed it on a screen and 500 people saw it…
It’s a scary thought, but how did we get here? And how can we do better to control the production and consumption of this information?
Many teams still integrate with these and their associates, the Well Known Ports.
You almost certainly have some firewalls in your systems where IP Addresses and Ports go in but never come out, or take a few tries to get right.
Also, many times this approach gives rise to Mullet Security – all business up front and a party in the back.
On the Apcera platform, we give you granularity of access control down to the individual containers — we don’t implicitly trust anything …
Locked down ports, that can only be opened through policy.
Shift policy to the Application and let you manage your applications instead of managing IP addresses and Ports.
Ephemeral Credentials for MySQL and PostgreSQL databases — so only this one container will have these credentials…
Both Apigee and Apcera love APIs. Everything you can do on the command line in Apcera you can do through an API. Here’s a simple example of how you can map together all of the services participating in transactions.
This allows you to see which service produced the report and what Apigee API Gateways it connects to.
Apigee gives us the ability to enrich web requests, to improve traceability of requests through the entire chain of custody.
With Apcera and Apigee you can dump all request logging to a standard syslog drain for aggregation (Splunk, ELK).
Apigee also allows us to enrich our requests with a unique message ID, which we can use to correlate requests.
Here’s an example of those correlated requests and the components that generated the requests.
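As an added example (not from the presentation, and not Apigee’s or Apcera’s own tooling), here is how those correlated logs can be walked once gateway and container lines land in the same syslog drain: the constructed sample lines are grouped by message ID into one chain-of-custody trace per request, and any request that reached a backend container without a gateway hop is flagged. The line format and the msgid field name are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real Apigee/Apcera output).
# The "msgid" field name is an assumption standing in for Apigee's message ID.
SAMPLE_LOGS = """\
2016-05-10T17:02:11Z apigee-gw  msgid=a1f3 hop=gateway  path=/v1/cdr/4421 client=app-partner-7
2016-05-10T17:02:11Z cdr-api    msgid=a1f3 hop=service  container=cdr-api-2 upstream=apigee-gw
2016-05-10T17:02:12Z cdr-db     msgid=a1f3 hop=database container=pg-cdr-1 upstream=cdr-api-2
2016-05-10T17:02:15Z cdr-api    msgid=b772 hop=service  container=cdr-api-2 upstream=10.0.9.4
2016-05-10T17:02:15Z cdr-db     msgid=b772 hop=database container=pg-cdr-1 upstream=cdr-api-2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Split one syslog line into timestamp, source and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "src": m.group("src")}
    for kv in m.group("kv").split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def build_chains(text):
    """Group records by message ID, ordered by timestamp: one trace per request."""
    chains = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "msgid" in rec:
            chains[rec["msgid"]].append(rec)
    for recs in chains.values():
        recs.sort(key=lambda r: r["ts"])
    return dict(chains)


def requests_bypassing_gateway(chains):
    """Message IDs whose trace never passes the gateway hop: data reached a backend without Apigee in the chain."""
    return sorted(mid for mid, recs in chains.items()
                  if not any(r.get("hop") == "gateway" for r in recs))


def trace(chains, msgid):
    """Chain of custody for one request as (source, container, where the hop came from)."""
    return [(r["src"], r.get("container", "-"), r.get("upstream", r.get("client", "-")))
            for r in chains.get(msgid, [])]
```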
Here are just a couple of simple examples of how Apigee, integrated with Apcera’s Trusted Container Management platform, can help enrich your Chain of Custody from your users to your modernized back end systems.
If you’re interested in learning more, stop by the Apcera table downstairs and say hi!
Thanks!