Most security practitioners do not work for "cloud-native" organizations. There are few fully externalized organizations that employ only resources in the cloud and nowhere else. Instead, most security teams protect organizations that employ resources both in the cloud and on premises.
Even where IT strategy heavily favors cloud-based resources, most organizations have numerous assets that cannot be moved. These assets may include on-premises data centers, legacy applications, mainframes, or private and hybrid cloud deployments. This creates architectural challenges for organizations in a few different ways.
Complex IT environments create new security challenges
First, most organizations operate multi-cloud environments. Instead of a single set of defined and well-organized internal assets, security teams must contend with a complicated, interconnected web of resources. Some resources may be on-site, some hosted by a variety of cloud partners and some managed by business partners or third parties. Often, these resources need to communicate with each other. Establishing secure communication pathways between them -- particularly when they span multiple cloud providers, as well as on-premises data centers -- can quickly become a challenge.
Second, cloud migrations do not happen all at once. Organizations that intend to move a subset of the environment to the cloud often proceed slowly with this transition. Before it can be accomplished, they must plan, test, validate and test again to ensure that workloads will perform as expected post-migration. As the migration proceeds and connectivity paths are potentially disrupted, network connectivity between critical resources may temporarily span multiple environments, such as an IaaS platform and a virtual data center.
Keep in mind that users still need access during this period, too. When critical workloads migrate to the cloud, applications and services that would typically have lived inside the corporate network may now live outside it. To ensure that users retain the same ability to remotely access those services, organizations require a strategy that gives users network connectivity similar to what they had before those workloads were rehomed.
Protect cloud, on-premises resources with cloud VPN
One strategy that can help address the challenges of protecting resources both in the cloud and on premises is enterprise cloud VPN, sometimes called VPN as a service or VPNaaS. Delivered via the cloud, this service is designed to provide VPN capability to, from and via cloud environments.
Cloud VPN can help security teams ensure that the resources, components and other critical pieces of technology in the technology portfolio can communicate with each other when necessary. It can also help ensure that the correct individuals can gain access to resources with less configuration and less overhead than would otherwise be the case.
Enterprise cloud VPN can connect different environments together, which helps security teams protect resources in complex IT environments. It does this by enabling transparent, "unfiltered" connectivity between environments, such as an on-premises network and an IaaS virtual private cloud. Any number of firewalls, routers, gateways or other filtering technologies might sit between a workload in the cloud and an on-premises resource, yet applications and services often rely on direct connectivity between components and systems.
Understanding how cloud VPN works
To help understand how cloud VPN works, consider a hypothetical example. Think of a traditional n-tier application with a UI (web) tier, an application tier responsible for providing business logic and a relational database back end. Depending on the organization's unique cloud migration situation, a portion of the application -- the server farm that comprises the UI tier, for example -- may move to the cloud as virtual workloads, but the rest of the application stays where it is in an on-premises virtual data center.
This case presents a potential issue: The application was written on the assumption that there would be unfiltered connectivity between tiers. Now that one of the tiers has moved to a new environment, intervening networks and firewalls are in the way. How can security teams enable the application to function, while ensuring that both the cloud and internal environments stay appropriately secured? One option is enterprise cloud VPN. Traditional VPN is configured so that the web tier servers in the cloud appear to be on the same network as the application servers. Enterprise cloud VPN can achieve this configuration between an on-premises network and the cloud.
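As an added illustration that is not part of the original article, the split described above can be wired with a self-managed WireGuard site-to-site tunnel standing in for the cloud VPN service; the tier subnets (web tier 10.20.0.0/24 in the VPC, application tier 10.10.0.0/24 and database tier 10.10.1.0/24 on premises), the file paths, the hostnames and the key placeholders are all assumptions. It also shows where the "unfiltered" path can still be scoped on the gateway, so the migrated web tier reaches only the application tier port it needs and never the database tier.

```ini
# --- Cloud-side gateway in the IaaS VPC that now hosts the web tier ---
# /etc/wireguard/wg0.conf (assumed path; requires net.ipv4.ip_forward=1)
[Interface]
Address    = 10.255.0.2/30               # tunnel address of the cloud gateway
ListenPort = 51820
PrivateKey = <CLOUD_GW_PRIVATE_KEY>       # placeholder, generate with `wg genkey`
# Forwarding policy for the tunnel (nftables). Default drop, then allow only
# web tier -> application tier on the application port (8443 is assumed) and
# the replies to those connections. The database tier is never reachable.
PostUp   = nft add table inet vpn
PostUp   = nft add chain inet vpn fwd '{ type filter hook forward priority 0; policy drop; }'
PostUp   = nft add rule inet vpn fwd iifname wg0 ct state established,related accept
PostUp   = nft add rule inet vpn fwd oifname wg0 ip saddr 10.20.0.0/24 ip daddr 10.10.0.0/24 tcp dport 8443 accept
PostDown = nft delete table inet vpn

[Peer]
# On-premises gateway. The on-prem side initiates, so no Endpoint is needed here.
PublicKey  = <ONPREM_GW_PUBLIC_KEY>       # placeholder
# Routes installed for this peer: the application tier only. 10.10.1.0/24 (DB tier)
# is deliberately omitted, so the web tier has no route to it even over the tunnel.
AllowedIPs = 10.255.0.1/32, 10.10.0.0/24

# --- On-premises gateway in the virtual data center ---
# /etc/wireguard/wg0.conf (assumed path; requires net.ipv4.ip_forward=1)
[Interface]
Address    = 10.255.0.1/30               # tunnel address of the on-prem gateway
PrivateKey = <ONPREM_GW_PRIVATE_KEY>      # placeholder

[Peer]
# Cloud-side gateway; the hostname is a placeholder for its public address.
PublicKey  = <CLOUD_GW_PUBLIC_KEY>        # placeholder
Endpoint   = cloud-vpn-gw.example.com:51820
AllowedIPs = 10.255.0.2/32, 10.20.0.0/24 # only the migrated web tier subnet
PersistentKeepalive = 25                 # keeps the tunnel up through NAT/firewalls
```

Bring each side up with `wg-quick up wg0`; the application servers then see the web tier at its original private addresses, while the gateway policy keeps the tunnel from becoming a flat, unfiltered link into the whole on-premises network.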
Enterprise cloud VPN can also help organizations service users directly. For example, users may need to be on the same "network" to access a particular resource in the cloud. Cloud VPN can provide those users access to the resource in the cloud, thus providing them with secure remote access capabilities.
Using cloud VPN, security practitioners can connect environments together, despite logical barriers between the environments. Cloud-delivered VPN services also conserve bandwidth on the network and shift some of the operational legwork to the service provider, potentially leading to cost savings.
Whether an organization uses the built-in VPN of its cloud providers or a service from a vendor specializing in cloud VPN, the model can play a big role in securing its cloud connectivity strategy.