Multiple Hybrid Clouds Kludged Together? — Cloud Architecture

With the diversity of cloud’s available today, data being sent from one to another could appear to be a hodge-podge of security. As one colleague put it recently when I asked what he was expecting to maintain integrity of data in motion between clouds:

… what kind of kludge can things end up being when you have multiple connections to multiple hybrid clouds all doing different things” — Steve Beaver

So how does data transfer between the clouds? Is it a kludge? or can it be done using a uniform security policy, procedures, and protocols while maintaining Integrity and Confidentiality and auditability?

The answer is not very straight forward, in 3/24 Virtualization Security Podcast we discussed Architectural is within the virtual environment and the cloud. The answer to this question depends on architecture of an environment as well as what Security as a Service protocols are required. So if we were to bundle Zscaler, Cloud Passage, with a Hybrid Cloud using vSphere, what inter-cloud connections would exist and how would we protect them?

  • For vSphere, transfer of data from one cloud to another is achieved using vShield Edge’s IPsec based Tunnel established between two clouds or use another solution like Afore Systems to achieve the same goal. Cloud to Cloud traffic is encrypted via some tunnel.
  • For Zscaler you could use standard protocols or an encrypted GRE tunnel.
  • For Cloud Passage there is an AES128 Tunnel from the Halo Daemon to the Halo Grid.

So when using these three components within an hybrid cloud (where 1 component of the cloud is within the enterprise domain and one component is within a cloud provider’s domain) there are at least 3 secure connections involved, all using different ports and protocols. But there could also be more! You need to also answer the following questions:

  • Where will customer/partner/employee’s be entering the cloud?
  • Will the customer/partner/employer require an encrypted access point?

For typical web traffic, this often implies use of SSL by customers, but could require a VPN for partner or employee access as they often have to access different data than customers. So the question then becomes how can these controls also flow between the components of the hybrid cloud? Which also leads to the question of where do you perform load balancing as very few enterprises have just one web server.  So now we have other questions to answer.

  • Is a VPN required for access to internal web data by partners and employees?
  • Is SSL required by customers?
  • Where does the back-end databases live? Is data encrypted going to these databases?
  • What is the latency of data moving between clouds, can this be improved?
  • Where is the primary load balancer located or is DNS load balancing going to be used to send data to regional clouds?
  • If a regional cloud is going to be used, how do we handle jurisdictional issues, such as someone who works in the EU, always connecting to an EU regional cloud instead of one with another country outside the EU when they travel?

This is quite a bit to think about and even more questions to ask, and it all stemmed from the question of

… what kind of kludge can things end up being when you have multiple connections to multiple hybrid clouds all doing different things” — Steve Beaver

When you plan on going to the cloud whether it be private, hybrid, or public. The key is to fully understand how your data will move between the clouds, and how you plan on handling different types of data and ultimately where that data will live, even temporarily. With the ultimate question being:

How to achieve Integrity and Confidentiality of your data when it is within the cloud?

You must start with a good Cloud Architecture that includes security concerns from the beginning. Understanding the technologies you wish to use will be crucial.


Posted in IT as a Service, SDDC & Hybrid Cloud, SecurityTagged , , , , , ,