Today, cloud computing is part of the fabric of the modern work environment across industries. Many of our customers don’t just work in the cloud, they operate multicloud environments, sometimes leveraging more than 55 special-use software as a service (SaaS) applications in order to run their critical operational workloads.
According to a Gartner® report, “by 2026, 75% of organizations will adopt a digital transformation model predicated on cloud as the fundamental underlying platform.”1 My concern is: in migrating to cloud-based models, many enterprises have built their cloud networks incrementally, taking a patchwork approach—database by database—to their complex, heterogeneous environments, often without the oversight of a network architect.
While it can be effective in the short term, the complexity and discontinuity of this approach has left enterprises increasingly vulnerable to both prohibitive operational costs and a bevy of security threats. I believe the unstable state of cloud networking today represents no less than the biggest attack vector of the last five years.
But it’s not all doom and gloom. To understand where we go from here, we need to take a closer look at the context.
The unstable state of cloud networking today represents the biggest attack vector of the last five years.
A (very brief) history of the cloud
The fundamental concept behind the cloud begins with the mainframe. As far back as the 1950s—in part due to the prohibitive costs of buying and maintaining mainframes—multiple users gained access to the central computer through so-called dumb terminals: rudimentary monitors with extremely basic processing powers that primarily served as input/output devices.
By the 1960s, computing pioneers such as J.C.R. Licklider were helping to push computing into the future by conceptualizing a truly global computer network. These ideas would later become the Advanced Research Project Agency Network, the first wide-area packet-switched network, which aspired to connect people and data worldwide.
By the late 1990s, the onset of virtualization software—such as VMware®—and SaaS applications heralded the first real building blocks of a cloud-based internet, one which facilitated access to advanced functions independent of physical infrastructure. Then, in 2006, Amazon launched Simple Storage Service (or Amazon S3) and the Elastic Computer Cloud (EC2)—and just like that, the commercial cloud was born.
The services themselves were both products of kismet and a bit of wily bean-counting. By the time the millennium rolled around, Amazon had become an industry leader in compute, storage, and database services. In fact, the company boasted one of the most robust computing infrastructures in the world, with data centers sprinkled across the globe and with computing capacity to spare. So, they began to explore what it might look like to resell some of that power and simultaneously answer the market need for an infrastructure service for developers. What began as a tool primarily for Server Message Block (SMB) capabilities soon grew, feature by feature, until it resembled an early version of the cloud we know today.
Within a few years, the other big tech competitors—from Microsoft® to IBM®—had followed suit. Enterprises around the world eagerly jumped on the bandwagon, giving their developers the resources to scale their businesses at breakneck speeds and their employees the flexibility of a virtual workplace.
The great misstep was this: while cloud-based services evolved with increasing speed over the years, enterprise network architecture did not.
While cloud-based services evolved with increasing speed over the years, enterprise network architecture did not.
Database networking the old-fashioned way
Let’s say you’re a multinational hospitality company that has an AWS footprint of 40 databases. Each of these databases likely was set up by a different member of your database team and with varying sets of defaults.
When the databases need to talk to one another—like in the case of an online booking, when the customer database and invoices database need to connect—the data exchange costs are exorbitantly high. And because this network is so heavily siloed, you also run into the danger of duplicating services. As a result, some invoices are accidentally generated twice, or else generated a month later. Meanwhile, the network itself has become painstaking to maintain and monitor, leaving it and your customers’ data vulnerable to breaches.
And this is all before considering the users who need access to this cloud.
Many of our clients maintain tens, if not hundreds of user accounts. Up until roughly three years ago, for one account to communicate with another, users either needed to utilize VPNs or hairpin traffic by sending their data to a data center first, in order to send it back to the same cloud and to a different account. Not only did this result in a costly process in terms of time, but also in terms of computing power.
What a mess, right?
MPLS and SD-WAN
In the past, companies relied on multiprotocol label switching, or MPLS, to connect remote branch offices to their data centers. MPLS is a networking technology that has helped run enterprise networks since the late 1990s—and is still used to this day. The problem is, to access cloud-based services by way of an MPLS connection, traffic needs to be backhauled to an enterprise’s central data center, rather than by way of direct access to the cloud itself.
Around a decade ago, the industry started adopting a new model. A software-defined wide area network (SD-WAN) utilizes software to enable multi-point connectivity and services between data centers as well as remote branches. Even with this improvement, the licensing fees remained high and communication between databases and accounts remained poor.
In 2018, AWS released Transit Gateway to address these lingering shortcomings, and to allow for inter-account communication in the cloud. But even that action didn’t completely solve the problem. The solution still did not offer the flexibility of dynamic policy control. Overlays—in which one resource gains access to another and then, once the exchange is complete, is revoked of its access—stayed beyond our grasp. And this state is where we’ve been for the past few years. Solutions on top of solutions, to try and wrangle the beast that is the multicloud, multi-SaaS environment.
So where do we go from here?
Throughout the last decade, I’ve had a front row seat to these developments. I’ve helped some of the giants of cloud computing develop their products, from AWS to Microsoft Azure®. I’ve also worked directly with numerous clients to assure they are getting the most out of the cloud every single day.
Right now, what organizations need from their cloud environments is maximum efficiency—without security compromises. To achieve this, many look to outsource some of the monitoring and management of cloud to managed backbone services capable of controlling such complex cloud environments.
For example, say your hospitality business runs payroll twice a month. Clearly there’s no reason to have these services up 24/7, with unlimited access. Today we have at our disposal services—such as F5 Distributed Cloud or AWS’s Cloud WAN—that can help your enterprise achieve a secure edge model, a SaaS-driven model. Through Cloud WAN, for example, you can now spin up your applications when you need them and spin them back down when they don’t. In short: the ability to do things dynamically, operating by the true principle of elasticity.
Managing cloud complexities and loopholes
The modern landscape of cloud networking is one riddled with complexities and loopholes. So that while enterprises have relied on these multicloud, multi-SaaS environments to run and grow, many struggle to manage them while trying to improve automation, control, security, and visibility. Yet there are many innovations to help secure, streamline, and ease the management of multicloud architecture.
With recent advances in cloud features and networking technology, such as hyperscaling, network and edge services, private wireless, SDN, Cloud WAN, and others, organizations have the unique chance to simplify and better secure their infrastructure overall. This means running complex environments more effectively and with greater resilience, all while reducing costs and maximizing automation.
Robert DeWeese is Director of Cloud Networking at Kyndryl.
1 Gartner, Predicts 2023: The Continuous Rising Tide of Cloud Lifts All Boats, 9 March 2023.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.