Multi-cloud environments provide enterprises with the ability to mix and match private clouds with multiple public clouds. The “multi” in multi-cloud raises the importance of connectivity between and among those clouds, and of securing that connectivity. The “cloud” aspect also adds complexity to achieving that security. You can’t march into a data center owned by Amazon Web Services (AWS), Microsoft Azure, or IBM and demand to install your encryption appliance to protect your links.
Relying on application-level security (for example, TLS in every application) is another option, but it puts the onus on each development team to get it right. Those developers may not be security experts, the resulting protection is hard to verify from outside the application, and it may not be under the control of your IT or security team at all.
A better approach is to be more systematic and provide software-based encryption at the network layer. That means leveraging virtualization to host a software encryption solution in the cloud infrastructure.
What is Multi-Cloud?
Before we get too deep, let’s establish exactly what is meant by “multi-cloud.”
Multi-cloud is the combination of multiple public, private, and onsite cloud resources, connected over the public internet and/or private links. Multi-cloud enables enterprises to combine the low latency of onsite resources with the scalable, resilient, and on-demand resources found in the public cloud. With multi-cloud, customers can move workloads from cloud to cloud, with decisions based on the availability, performance, and cost of those resources. In short, multi-cloud is the next logical step in the evolution of cloud computing. However, this move is not without complications.
Multi-Cloud Requires Connectivity
The drawback of multi-cloud is the need for connectivity between the constituent clouds. And not just any connectivity: it must be fast, reliable, and secure. In practice, the first two requirements are increasingly easy to meet. Data center interconnect (DCI) has grown to make fast and reliable connections ubiquitous, at least for private and directly connected links.
The direct connect model is a popular option where available: a communications provider has a connection to a cloud provider that bypasses the public internet. The connection can be at either Layer 2 or Layer 3, depending on the cloud operator; MPLS and Carrier Ethernet (CE) are often supported. CE is of particular interest for two reasons: its cost advantages, and its Layer 2 transparency, which supports native cloud networking. Note, however, that direct connections are usually transparent, not encrypted. They are private in the sense that they bypass the internet, but the traffic crosses the carrier's network and the cloud provider's edge in the clear unless you encrypt it yourself.
Internet connectivity is another matter entirely. Internet connections have improved significantly over the years, especially in speed and reliability, and the internet can reach just about any location on the planet. But those connections are not secure, and securing them is not trivial. Appliance-based encryption is a popular solution for customer-premises endpoints. However, public cloud providers don't allow customer-provided equipment in their data centers, so this approach won't work when either end of the connection lands in a cloud provider's facility.
An example multi-cloud network is shown below. It includes a variety of public and private clouds, as well as different access methods.
To achieve the benefits of multi-cloud, enterprises need a security solution that fits into the network scenarios listed and shown above. A suitable solution must meet these requirements:
- Work with on-net and off-net connections
- Work with wired and wireless connections
- Work when connected at Layer 2 and Layer 3, and provide Layer 2 transparency when needed
- Support deployment in the customer site and the data center
- Provide efficient management — both for networking and encryption
- Be cost effective — both for an initial deployment and at scale
How can we secure these connections, meet the requirements listed above, and provide Layer 2 transparency for efficient cloud networking?
Advances in Software-Based Encryption
Fortunately, there is an answer: software-based encryption.
The move to network functions virtualization (NFV) has driven rapid advances in the availability and performance of virtual network functions (VNFs). VNFs can now replace network appliances, including those that provide security and encryption. It is now possible to host network-level encryption functions in a virtual machine (VM) or in a container running in a cloud, whether local or public. For better performance, the encryption can also be built into the transport layer of the NFV hosting software rather than run as a separate VNF.
The availability of a virtualized solution means that we can now create secure transport wherever needed, as shown below.
With software-based encryption, we can place the endpoints in the public cloud, providing an end-to-end solution. With an appropriate feature set, we can also provide for connectivity at Layer 2 or Layer 3, regardless of the available transport.
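What a software encryption endpoint like this actually has to get right, as an added example written for this page (it is not code from the original article or from any vendor's product): a point-to-point AES-256-GCM tunnel that carries a whole Ethernet frame in Layer 2 mode or a bare IP packet in Layer 3 mode, with the clear header authenticated, a nonce that can never repeat under one key, and a sliding anti-replay window. The 12-byte header layout, the `modeL2`/`modeL3` flags, the `Endpoint`, `Seal` and `Open` names, the pre-shared key and salt, and the sample Ethernet frame are all this example's own assumptions. It generalizes the article's "Layer 2 or Layer 3" point by carrying either payload type through the same tunnel.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// modeL2 carries whole Ethernet frames (MACs, VLAN tag and EtherType cross the
// tunnel untouched); modeL3 carries bare IP packets. Clear header, 12 bytes:
// mode(1) | reserved(3) | sequence number(8). Assumed layout for this example.
const modeL2, modeL3, hdrLen, replayWin = byte(2), byte(3), 12, uint64(64)

// Endpoint is one direction of a point-to-point AES-256-GCM tunnel.
type Endpoint struct {
	aead   cipher.AEAD
	salt   [4]byte // per-key salt; nonce = salt || sequence, as in RFC 4106
	txSeq  uint64
	rxHigh uint64 // highest sequence number accepted so far
	rxMask uint64 // bit k set => sequence rxHigh-k was already accepted
}

func NewEndpoint(key []byte, salt [4]byte) (*Endpoint, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Endpoint{aead: aead, salt: salt}, err
}

func (e *Endpoint) nonce(seq uint64) []byte {
	n := make([]byte, 12)
	copy(n, e.salt[:])
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal encapsulates one frame or packet. The clear header is the AAD, so a
// modified mode or sequence number fails authentication at the far end.
func (e *Endpoint) Seal(mode byte, payload []byte) ([]byte, error) {
	if e.txSeq == ^uint64(0) {
		return nil, errors.New("sequence exhausted: rekey, never reuse a nonce")
	}
	e.txSeq++
	hdr := make([]byte, hdrLen)
	hdr[0] = mode
	binary.BigEndian.PutUint64(hdr[4:], e.txSeq)
	return e.aead.Seal(hdr, e.nonce(e.txSeq), payload, hdr), nil
}

// Open rejects replays before touching the cipher and slides the window only
// after the tag verifies, so forged packets cannot lock out legitimate ones.
func (e *Endpoint) Open(pkt []byte) (byte, []byte, error) {
	if len(pkt) < hdrLen+e.aead.Overhead() {
		return 0, nil, errors.New("short packet")
	}
	hdr, seq := pkt[:hdrLen], binary.BigEndian.Uint64(pkt[4:hdrLen])
	if seq == 0 || (seq <= e.rxHigh && e.rxHigh-seq >= replayWin) {
		return 0, nil, errors.New("replay: outside window")
	}
	if seq <= e.rxHigh && e.rxMask&(1<<(e.rxHigh-seq)) != 0 {
		return 0, nil, errors.New("replay: duplicate")
	}
	plain, err := e.aead.Open(nil, e.nonce(seq), pkt[hdrLen:], hdr)
	if err != nil {
		return 0, nil, err // bad tag: tampered, wrong key or wrong salt
	}
	if seq > e.rxHigh { // slide the window; a shift of 64 or more clears it
		e.rxMask <<= seq - e.rxHigh
		e.rxHigh = seq
	}
	e.rxMask |= 1 << (e.rxHigh - seq)
	return hdr[0], plain, nil
}

// sampleFrame is a constructed Ethernet II frame: dst MAC, src MAC, 802.1Q tag
// (VLAN 100), EtherType IPv4 and a stand-in payload. All of it is encrypted.
func sampleFrame() []byte {
	f := []byte{2, 0, 0, 0, 0, 2, 2, 0, 0, 0, 0, 1, 0x81, 0x00, 0x00, 0x64, 0x08, 0x00}
	return append(f, "constructed IPv4 payload"...)
}

func main() {
	// Shared key and salt; a real tunnel gets them from a key exchange (e.g. IKEv2) or a KMS.
	key, salt := make([]byte, 32), [4]byte{}
	rand.Read(key)
	rand.Read(salt[:])
	a, _ := NewEndpoint(key, salt) // cloud A side
	b, _ := NewEndpoint(key, salt) // cloud B side
	pkt, _ := a.Seal(modeL2, sampleFrame())
	mode, frame, err := b.Open(pkt)
	fmt.Printf("L2 round trip: mode=%d vlan=%x err=%v\n", mode, frame[14:16], err)
	_, _, err = b.Open(pkt) // the same packet delivered twice
	fmt.Println("replayed packet:", err)
}
```

Three design choices carry the security weight. The clear header is passed as associated data, so flipping the mode byte or the sequence number in transit fails the GCM tag instead of being honoured. The nonce is a per-key salt plus the sequence number, and `Seal` refuses to continue once the counter would wrap, because one repeated nonce under AES-GCM leaks the keystream and the authentication key. The replay window is checked before decryption but only advanced after the tag verifies, so an attacker cannot push the window forward with forged packets and cause legitimate ones to be dropped. These are the same rules IPsec ESP with AES-GCM (RFC 4106) and MACsec follow; a VNF that skips any of them is not a safe substitute for the appliance it replaces.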
The ideal approach is to implement the software encryption as a software VNF, or as a plug-in to the NFV infrastructure software. That way, the encryption functionality can be combined with other VNFs, such as software-defined wide area networking (SD-WAN), to form a complete virtualized service.
Cloud-Based Security Provides an End-To-End Solution
Multi-cloud is a powerful new option for enterprise customers, but it has its complexities — especially regarding security. Users need a simple and consistent way to protect the data-in-motion going between the clouds. Now, with virtualized security solutions, enterprises can take advantage of multi-cloud while protecting their data. Even better, this protection extends from end to end, and from VM to VM. Cloud computing has opened new opportunities for scalable and on-demand computing. Now we can use the cloud to protect the cloud, and ensure the safety of mission-critical applications and data.