This column is available in a weekly newsletter called IT Best Practices.
As organizations move more of their infrastructure to the cloud, they are ending up with hybrid cloud applications. Part of the application runs in the traditional data center, and part runs in a cloud infrastructure such as Amazon Web Services, Microsoft Azure or Google Cloud Platform. In addition, organizations often need to connect SaaS services to resources that continue to reside inside their datacenters.
Applications that run in this mode typically use a connecting software gateway between the data center component and the cloud component, for example, Mule ESB or OneSaaS. This gateway allows the components to share data and work together seamlessly.
For convenience, most organizations today tend to run these gateway applications in their data center alongside the associated applications. This deployment model allows the teams managing the applications to move quickly, but it creates a security problem: the gateway often connects directly to the cloud service through an encrypted tunnel, bypassing many of the security controls at the network edge.
Effectively securing these gateways requires them to be run at the edge of the network in the DMZ, but this creates an agility problem because of all the complexity of the firewall policy changes needed. Solving this difficult trade-off requires a new approach, but few enterprises have rearchitected their networking infrastructure to support an efficient and secure hybrid cloud deployment.
In a typical network architecture, the firewall at the network edge becomes a choke point for the hybrid apps. The application traffic passing through the gateways goes through the firewall, which inspects the traffic for policy compliance. In most organizations, these firewalls have thousands if not tens of thousands of policies, creating a lot of complexity when changes need to occur. If a DevOps team or application owner needs to add a new policy or change an existing one, it can take weeks to gain approval and implement the policy, thus creating an agility gap. This dilemma is illustrated in the image below.
Sometimes an application owner “cheats the system” to regain agility and takes a shortcut by using a VPN between the data center app and the cloud app. This creates an encrypted tunnel for the application traffic. The downside is that the traffic between the gateway and the cloud system can’t be inspected by the firewall because it’s encrypted. This VPN could be connecting a vulnerable application sitting in the cloud to another application in the heart of the enterprise data center. Some organizations end up with dozens or even hundreds of these cloud-to-ground VPNs. This creates a big security gap.
Skyport Systems rearchitects the flow of application gateway traffic
Skyport Systems aims to solve both the agility gap and the security gap by putting in a new edge device that rearchitects the flow of this application gateway traffic. Skyport creates a secure edge zone where the enterprise can host these application gateways outside the main firewall, where they can interact with services on the inside and the outside of the enterprise environment in a secure and fast manner. Skyport distributes the security policy and moves enforcement to individual applications, which makes policy management much more scalable and manageable.
The Skyport Systems solution for a hybrid enterprise consists of two main parts. One is a server that runs virtual machines. It’s a hyperconverged system in that it includes storage, compute, a virtualization hypervisor and a range of services. The other part of the solution is a subscription management service that runs from Skyport’s cloud. An organization can receive the server from Skyport and plug it in, and the self-setup is done in about 30 minutes.
The services on this system are similar to what the organization would get from Amazon. Computing is delivered through a virtualization environment. Storage comes with services such as high availability and backup. From a networking perspective, the device provides routing and microsegmentation. It is all included in a software-defined infrastructure. The subscription management service provides automatic patching and software upgrades.
The system includes other essential services. Two that are particularly relevant to both the cloud edge and critical infrastructure are security and analytics. Security is offered for three domains: network, host and data. For network-based security, the Skyport solution acts as a proxy and a next-generation firewall, and it supports segmentation and policy control. The host-based security serves to secure the applications that run on this device through whitelisting. The data security aspect provides encryption for the data traveling from and through the system.
On the analytics side, this system can log an extraordinary amount of information, which can be analyzed to provide compliance and audit reporting, as well as system health information.
This solution, called the SkySecure Hybrid Cloud Edge, becomes the edge where the application gateways are run. The traditional DMZ gets replaced by one or more Skyport servers, which run software-defined versions of proxies and firewalls. The result is that each gateway gets its own firewall and its own set of policies, which makes managing hybrid applications far more agile and secure. The new model looks more like the image below.
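The two points above, a small policy bound to each gateway (default deny, a few rules) and the cloud-to-ground VPN shortcut that bypasses edge inspection, can be made concrete with a short policy evaluator run over constructed flow records. This is an added example, not Skyport's code or configuration format; the gateway names, addresses (RFC 5737 documentation ranges for the "cloud" side), ports and the flow-record layout are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed connection: source, destination, destination port, protocol."""
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    """A single allow rule; anything a gateway's rules do not match is denied."""
    src_net: str
    dst_net: str
    dport: int
    proto: str

    def matches(self, flow: Flow) -> bool:
        return (
            ip_address(flow.src) in ip_network(self.src_net)
            and ip_address(flow.dst) in ip_network(self.dst_net)
            and flow.dport == self.dport
            and flow.proto == self.proto
        )


# Constructed per-gateway policies (hypothetical gateway names and addresses).
# Each gateway carries only the handful of rules it needs instead of sharing
# one edge rule base with every other application.
GATEWAY_POLICIES: Dict[str, List[Rule]] = {
    "splunk-fwd-01": [
        Rule("10.20.0.10/32", "10.10.5.0/24", 9997, "tcp"),    # forwarder -> internal indexers
        Rule("10.20.0.10/32", "203.0.113.0/24", 443, "tcp"),   # forwarder -> cloud storage endpoint
    ],
    "mule-sfdc-01": [
        Rule("10.20.0.11/32", "10.10.8.0/24", 5432, "tcp"),    # integration gateway -> internal database
        Rule("10.20.0.11/32", "198.51.100.0/24", 443, "tcp"),  # integration gateway -> SaaS endpoint
    ],
}

# Which internal addresses are the gateways themselves (constructed).
GATEWAY_HOSTS: Dict[str, str] = {"10.20.0.10": "splunk-fwd-01", "10.20.0.11": "mule-sfdc-01"}

# Address ranges standing in for the cloud side (constructed, RFC 5737 TEST-NET ranges).
CLOUD_RANGES: List[str] = ["203.0.113.0/24", "198.51.100.0/24"]

# Ports commonly used by IPsec (IKE, NAT-T) and OpenVPN tunnels.
TUNNEL_PORTS = {("udp", 500), ("udp", 4500), ("udp", 1194), ("tcp", 1194)}


def evaluate(gateway: str, flow: Flow) -> str:
    """Apply only the named gateway's own policy; unknown gateways have no rules, so deny."""
    for rule in GATEWAY_POLICIES.get(gateway, []):
        if rule.matches(flow):
            return "allow"
    return "deny"


def gateway_decisions(flows: Iterable[Flow]) -> List[Tuple[str, str]]:
    """For every flow sourced from a gateway host, return (gateway, decision)."""
    out = []
    for f in flows:
        gw = GATEWAY_HOSTS.get(f.src)
        if gw is not None:
            out.append((gw, evaluate(gw, f)))
    return out


def find_bypass_tunnels(flows: Iterable[Flow]) -> List[Flow]:
    """Flag tunnel-port flows to cloud ranges from internal hosts that are not gateways.

    A match is a candidate cloud-to-ground VPN that carries traffic the edge
    cannot inspect; it is a lead for the network team to investigate, not proof.
    """
    clouds = [ip_network(c) for c in CLOUD_RANGES]
    hits = []
    for f in flows:
        if (f.proto, f.dport) not in TUNNEL_PORTS or f.src in GATEWAY_HOSTS:
            continue
        if any(ip_address(f.dst) in c for c in clouds):
            hits.append(f)
    return hits


# Constructed sample flows, as a flow collector might export them.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.20.0.10", "10.10.5.7", 9997, "tcp"),     # forwarder -> indexer: in policy
    Flow("10.20.0.10", "203.0.113.40", 443, "tcp"),   # forwarder -> cloud storage: in policy
    Flow("10.20.0.10", "10.10.8.3", 5432, "tcp"),     # forwarder -> the other gateway's database: not its policy
    Flow("10.10.7.21", "203.0.113.50", 4500, "udp"),  # app server -> cloud, IPsec NAT-T: bypass candidate
    Flow("10.20.0.11", "198.51.100.9", 443, "tcp"),   # integration gateway -> SaaS: in policy
]


if __name__ == "__main__":
    for gw, decision in gateway_decisions(SAMPLE_FLOWS):
        print(f"{gw}: {decision}")
    for f in find_bypass_tunnels(SAMPLE_FLOWS):
        print(f"possible cloud-to-ground tunnel bypassing gateways: {f}")
```

The third sample flow shows why per-gateway policy is easier to reason about than one shared rule base: the Splunk forwarder's policy knows nothing about the integration gateway's database, so the connection is denied without anyone having to search tens of thousands of edge rules for an overlapping permit. The fourth flow is the shortcut the column warns about; flagging it from flow records is a cheap detective control to run while the gateways are being moved to an inspected edge.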
Here’s an example of how this solution is used by a financial services customer that provides a service to consumers. That service leverages both the company’s internal data center and Amazon Web Services. They run Splunk in their data center to log the applications that run there, then send those logs to AWS for storage. In Amazon, they use Splunk to log the applications running in the cloud, then send those logs to the on-premises storage back at their headquarters. This gateway, called a Splunk heavy forwarder, sits at the edge of their environment and forwards an enormous amount of data back and forth between their data center and the cloud.
As this company’s business scales up around tax time and then scales down again, they need to be able to very rapidly expand capacity at the edge of their environment for these Splunk heavy forwarders. This couldn’t be done with the old architecture because it took too long to change policies in the enterprise firewall. So instead, they deployed the Splunk forwarders on Skyport at the edge of their network and gave the application owner the control. When he wants more capacity, he just adds more systems to the environment by scaling up those gateways. When he needs less capacity, he scales them down. And he can do that without having to go through a massive amount of change control.
This company started with the application using Splunk and has since moved on to deploying a Salesforce.com application in the same fashion using MuleSoft, as well as dozens of other applications.
Skyport provides the flexibility to make hybrid cloud environments more agile and secure. This solution accelerates the adoption of the cloud and enables infrastructure teams to empower DevOps teams to deploy quickly while controlling and reducing risk.
What’s more, given the shared responsibility model, in which Skyport maintains, patches and supports the underlying platform as part of the service, the effort to install and maintain the Skyport solution is minimal. As organizations move more to the cloud, this approach strikes a better balance between agility and security at the edge of the network.