Securing, managing and orchestrating APIs
This leading global publisher of science and health information provides their customers and partners with access to scientific publications, medical journals, legal libraries, newspaper and magazine archives, as well as risk and business information – all presented as independent, subscription-based services.
By the Numbers
- Hundreds of thousands of authors
- Hundreds of thousands of reviewers
- Tens of thousands of editorial board members
- Thousands of employees
- Thousands of journal editors
Core markets include the medical profession, where reference materials, clinical decision support and professional education are key, but also academia with its huge appetite for information and need for efficient research. In fact, it’s growth in scientific R&D and healthcare that are driving demand for an integrated experience across what’s being researched; what’s under development; and what’s being practiced. And with more and more of these third parties wanting to embed the Publisher’s content and solutions into their own workflows, there is an opportunity to create new revenue streams by exposing information services publicly to partners and customers.
But making their application and service APIs available online raised a number of red flags, not only for the Publisher’s security officers, but also for their IT group who would bear the brunt of repackaging internal APIs for third-party consumption. Remapping, recomposing or even reprogramming APIs wholesale in order to create personalized subsets or filtered views of APIs for each class of customer or partner – and then maintaining and updating them over time – can quickly become unmanageable. Additionally, moving APIs between environments or deploying new versions of APIs can expose hidden dependency issues or break existing integrations, causing downtime or even SLA violations.
When it came to security, granting direct access to information services that are responsible for a large portion of their revenues made the Publisher’s security group nervous. They recognized that with the growing threat of cyber attacks their existing network firewalls were just not good enough. While firewalls can provide protection from standard, Web-based attacks, they lack the ability to inspect XML-based messages and check for XML-specific threats. And when APIs get called in combination or sequentially, message integrity and privacy concerns arise. Conventional network-based VPNs using SSL or IPSec can’t provide a message level audit trail or support non-repudiation across a service transaction.
Enter Layer 7 CloudSpan
While the Publisher examined many different solutions, they settled on Layer 7 CloudSpan CloudControl because it provided the closest fit to their business requirements in a single product. Previously, customers had to submit multiple queries to multiple information services and manually aggregate the results. CloudSpan’s flexible and extensible policy engine not only allowed the Publisher to create their business logic in policy (rather than code), simplifying and speeding implementation, but also allowed for orchestration and aggregation across multiple information services, providing customers with rich results from a single query.
Additionally, because CloudSpan features true clustering capabilities, the Publisher was able to implement cluster-wide rate limiting, allowing them to meter service usage in order to block access to a service if the customer’s contractual quota was exceeded. Because the clustered devices maintain and update a shared counter, metering is always accurate. This capability also allows CloudSpan to provide effective protection against replay attacks. Finally, CloudSpan’s ability to translate between incoming REST-based queries and the Publisher’s SOAP-based back-end information services meant that customers and partners could use their preferred client (Google Apps/Gadgets) to access information.
CloudControl is deployed in the Publisher’s DMZ, protecting and providing access to virtualized instances of the Publisher’s services. When a customer or partner attempts to gain access to their subscription(s), CloudControl intercepts the incoming query and calls out to the Publisher’s internal access control system in order to authorize the user. At this point, CloudControl not only checks to ensure the user has not exceeded their contractual usage quotas, but is also able to enforce fine-grained authorization in order to grant the user access only to those information services (or individual service operations) they are allowed to access. In this way, the Publisher was able to create personalized API views for each user. Customers can submit sophisticated queries that can be orchestrated across multiple services, automatically aggregating results. Partners can remap and recompose APIs across the range of information services, allowing them to create new service offerings that not only better address their requirements, but can also be more easily integrated into their existing workflows. Finally, usage is tracked and metered, allowing the Publisher to extract billing information, validate SLA conformance and check usage for capacity planning.
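The gateway policy described above (per-operation authorization, a cluster-wide quota counter shared by every node, and replay rejection) can be sketched as a small simulation. This is an added, constructed example and not CloudSpan or Publisher code; the subscriber names, services, status codes and the `SharedState`/`GatewayNode` types are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SharedState:
    """State every gateway node in the cluster reads and updates (constructed stand-in
    for the shared counter the case study describes)."""
    usage: dict = field(default_factory=dict)      # (subscriber, service) -> calls this period
    seen_nonces: set = field(default_factory=set)  # message ids already processed

# Constructed subscription data: which operations each subscriber may call, and their quota.
ENTITLEMENTS = {
    "acme-univ": {"services": {"journals": {"search", "fetchAbstract"}}, "quota": 3},
}

class GatewayNode:
    """One node of the gateway cluster; all nodes share the same SharedState."""
    def __init__(self, state: SharedState):
        self.state = state

    def handle(self, subscriber, service, operation, nonce):
        ent = ENTITLEMENTS.get(subscriber)
        if ent is None:
            return 401, "unknown subscriber"
        # Fine-grained authorization: only operations inside the subscription are reachable.
        if operation not in ent["services"].get(service, set()):
            return 403, "operation not in subscription"
        # Replay protection: a message id seen by any node is rejected by every node.
        if nonce in self.state.seen_nonces:
            return 409, "replayed message"
        self.state.seen_nonces.add(nonce)
        # Cluster-wide metering: the counter is shared, so quota holds across nodes.
        key = (subscriber, service)
        used = self.state.usage.get(key, 0)
        if used >= ent["quota"]:
            return 429, "contractual quota exceeded"
        self.state.usage[key] = used + 1
        return 200, f"forwarded {service}.{operation}"

def demo():
    """Alternate requests across two nodes; the quota still trips on the 4th call."""
    state = SharedState()
    nodes = [GatewayNode(state), GatewayNode(state)]
    statuses = [nodes[i % 2].handle("acme-univ", "journals", "search", f"msg-{i}")[0]
                for i in range(4)]
    replay = nodes[0].handle("acme-univ", "journals", "search", "msg-0")[0]
    forbidden = nodes[1].handle("acme-univ", "journals", "deleteArticle", "msg-9")[0]
    return statuses, replay, forbidden
```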
Academics are voracious consumers of information, limited only by the constraints of their R&D budgets. For them, the Publisher’s CloudSpan-based solution was a godsend, providing richer, more complete results faster. Other customers and partners now have the capabilities they require to better integrate their information service subscriptions directly within their own organization’s processes, streamlining research and improving efficiency.
As a result, customer satisfaction and retention rates are expected to improve. For the Publisher, creating and managing their business logic in policy rather than code resulted in faster deployment and simplified maintenance, all of which has resulted in a lower total cost of ownership than comparable, multi-product solutions.