Intel, Amazon Deliver Enhanced EC2 Security, Mobile Enablement for Enterprise Apps in the Cloud
This month, Intel made its Expressway API Manager available on Amazon’s EC2 cloud service. The move could expand how IT thinks about APIs, using them as a powerful way to deliver enhanced EC2 security and control over how mobile workers connect to sensitive company data and apps, use cloud storage and even support customers. IDN speaks with Intel senior product manager Blake Dournaee.
Intel Expressway API Manager v 5.1, available in the AWS (Amazon Web Services) Marketplace, is a cloud-enabled version of Intel’s enterprise class API security and management gateway with enhanced EC2 security controls.
“We took our existing Expressway gateway soft appliance and optimized it for Amazon. Except for a few fine-tune tweaks, it is the same main code base. It also has all our self-correcting abilities, alarms and alerts so it works just as dependably as a hardware gateway,” Intel senior product manager Blake Dournaee told IDN.
Intel’s latest offering aims to help enterprises deploy secure and scalable mobile applications using the public cloud, without too many headaches or reservations. “Our service means enterprises can now use APIs to let workers access all sorts of enterprise apps and data from a public cloud, and not have to write tons of new code from scratch,” Dournaee said.
It also alleviates many lingering security concerns, he added. When deploying apps to EC2, the security mechanisms the cloud provides (identity management, access controls, encryption, etc.) may not be consistent with those deployed in the enterprise. Intel’s API gateway for EC2 looks to remove that concern, he said.
Dournaee detailed some enhanced EC2 Security capabilities:
- Mobile-Ready. Add OAuth, API Key authentication and native JSON support for existing APIs, enabling simple access from apps with support for enterprise-grade identity management systems to enhance EC2 Security
- API mediation and metering. Securely broker APIs to apps, mobile devices or partners with superior performance, scalability and quality of service
- API perimeter defense and application level security. Apply enterprise-grade perimeter security, denial of service (DoS), attack protection and authentication to APIs deployed on EC2
Moreover, enterprise IT can also streamline its entire mobile app dev lifecycle, because rather than build apps from scratch, Intel suggests IT build a simple front-end using HTML5 and use APIs to connect to any necessary back-end services (data security, authentication, etc.), he added.
How HTML5 Can Ease Mobile-Enablement, Security
Using HTML5 for the client leverages what Dournaee called “façade proxy” patterns. “These simplify the ability to integrate and secure back-end services to the client front-end using the API gateway,” he said. The approach also reduces potential attack targets because the patterns route API traffic through a cluster of specialized gateways. These façade proxy patterns also make it easier to do mashups and other integrations across APIs, and they can even boost app performance because the patterns avoid round trips back to the on-premise datacenter and support elastic scaling, he added.
Architecturally, Intel’s approach of combining a cloud-based gateway with client patterns has its roots in an updated version of a long-trusted, client-server computing model. “We’re saying, use APIs on the server side, which will be supported in the cloud, and then put a façade in front on the client side with HTML5,” Dournaee said. Taking this approach means the public cloud has gateway capabilities that let it serve as a secure broker to a rich set of already-proven enterprise services.
Aside from adding control and security to writing and testing mobile apps, the approach also will speed up mobile deployments.
“A tested app using [Amazon] and the API gateway can basically deploy in place in the cloud. After a successful test, the app is ready to go live and will meet enterprise security and scalability requirements,” Dournaee said. “Architecturally, Intel’s API gateway is crucial here: The piece facing the mobile device is the API Manager and that is where the security services can be throttled to meet demand, including authentication, data protection and prevention against DoS attacks,” he added.
Importantly, Intel’s API manager provides IT a way to more safely and efficiently use the cloud as a bridge to connect workers to governable on-premise resources.
Having such an efficient and reliable bridge in the cloud offers numerous benefits, including:
- Quickly migrate legacy applications to be mobile-ready in a public cloud environment, using APIs to access data and logic, as well as security and policy infrastructure
- Speed up delivery of prototypes and short-lived applications with an improved, cloud-ready DevOps model
- Support enterprise-class apps, especially those not suitable for 100% public cloud deployment, using hybrid apps that can obtain security, elastic scaling and connectivity to enterprise resources.
How Intel/Amazon Supports Stakeholders in the Mobile App Lifecycle
The Intel/Amazon partnership supports all stakeholders – devs, operations, admins and even business users, Dournaee said. This vision to use APIs to help IT better react to, plan for and control the new “extended enterprise” lifecycle includes features for easy access (by IT and business users), central IT control, elastic and automatic scaling, high performance and enterprise-class security that adheres to an organization’s existing and well-crafted policies.
A prototype can be quickly built and deployed using a smaller instance type that keeps costs low while delivering basic functionality. From AWS, a sandbox to design and test the API-driven app can be created in minutes, he said. Once the proof of concept is proven and tested, devs can take the app right into production from EC2, and IT operations has control to provision an appropriately-sized instance and scale out as needed, Dournaee added.
Dournaee cited another example many in IT looking at mobile apps can relate to: “Let’s say a sales manager needs to use their tablet to access retail info from SAP as a query. We offer a REST-enabled gateway to support that access via the cloud,” he said, but without the need to migrate the actual data or app in the cloud. Further, Intel’s API gateway uses APIs to provide an innovative way to enforce security on that data. “We’re also using APIs to enforce data protection,” Dournaee said. “An API call goes over SSL and before it’s stored, we encrypt those fields and data types.”
Another use case would be to help IT regain control over data storage practices, such as stopping workers from using DropBox (or other cloud-based storage services). Using Intel’s Expressway API Manager on EC2, IT can use the cloud as a secure broker, where users access storage via their cloud log-ons but are actually accessing and storing data using the company’s existing identity management and storage.
For a quick on-ramp, Intel and Amazon have also made it easy for devs and operations pros to get started using the AWS-based API Manager.
“When a dev slides his [credit] card for Amazon and clicks the button, he gets the AWS console and that includes an instance of the API Manager gateway that’s already fired up,” Dournaee said. To help IT get started quickly, Intel also provides sample security policies, as well as a demo video that shows in detail how to configure and launch the API Manager service (including IP address, port number, configuring the URI and even wiring their on-premise LDAPs and OAuths into the cloud-based gateway), he added.
The Intel API management service costs $3.78 per hour flat (regardless of whether the EC2 instance is a standard XL or a High I/O 4XL) with an expected capacity of up to 10,000 requests per second, he said.
How APIs May Drive The Next-Gen Data Center
Add it all up, and Intel’s latest AWS-optimized API gateway offering may be breaking some long-held barriers for many in IT considering how (or whether) to use public clouds for critical enterprise projects. Previously, an enterprise would need to obtain and host a new security infrastructure and be prepared to handle load management. Intel aims to provide IT the needed support to meet security and scalability.
In an even bigger picture, Intel’s cloud-based API gateway is the latest reflection of the company’s broader vision to craft products and partnerships that will modernize the corporate data center, Dournaee added. Over the past five years, Intel’s SOA and software integration expertise has closely blended with its gateway and security portfolios – all under Intel’s Datacenter Software Division, he noted.
“With these components coming together, we have new insights for what we see is a next-generation data center approach, where APIs and layered services, such as security, will open a new chapter,” Dournaee told IDN. In this insight, APIs and secure gateways combine to create a seamless, dynamic and secure data center that uses public cloud options where appropriate, but also lets IT use private clouds or keep resources on-premise, as performance and policy compliance dictate, he said.
Intel’s vision for the modern data center becomes even clearer in a recent blog post by Travis Broughton, an Intel enterprise architect. In his blog, Broughton wrote: “Enhancing EC2 security allows APIs to be deployed in the AWS cloud in a way that delivers enterprise-grade policy enforcement while fully realizing many of the cloud’s benefits.”
He also noted the Open Data Center Alliance (ODCA), of which Intel is a member, recommends implementing security at every layer – another reason to like APIs in public clouds, Broughton added. “[G]iven the increased number of web services greatly increases the application’s attack surface, enterprises moving to the public cloud can no longer depend upon their trusted DMZ to shield these web services from attackers, so they must implement additional layers of security to compensate,” he wrote.
He also noted ODCA seems to endorse the power of APIs, as the group recommended decomposing apps into self-contained modules that can be implemented as RESTful APIs. “These smaller building blocks are easier to replicate for resiliency and elasticity; additional performance and availability can be delivered when and where it is needed using the most economical instance types,” Broughton added.
Intel has technical tutorials and quickstart guides on EC2 Security and API layer configuration. Intel and Amazon are offering limited-time $135 credits at the Amazon Marketplace page and are holding a joint webinar July 24.