Securing the WAN in multi-cloud deployments

Arthur Cole

The enterprise is quickly expanding its cloud environment to a hybrid multi-cloud architecture. Where once a single provider enabled little more than bulk storage and processing offload, today’s cloud encompasses numerous providers offering services as diverse as disaster recovery, advanced analytics and quantum computing.

According to Gartner, more than 80% of enterprises are already working with at least two providers, and by 2023 the top 10 cloud providers will control only half of the total marketplace as users seek to avoid vendor lock-in and craft customized solutions for individual use cases.

But this is leading to a number of challenges on the wide area network. Not only must today’s WAN provide the same flexibility as the traditional LAN, it must adopt new forms of security to accommodate the multiple platforms and application loads prevalent in this diverse new environment.

Time for a security update

At the moment, the two predominant means of securing privacy and data integrity across multiple clouds are IPsec encryption and application-level security solutions like SSL. However, neither of these is adequate for today’s production workloads.

While IPSec does have the advantages of user invisibility, application independence and full traffic monitoring, it also suffers from high CPU overhead, lack of full support among software developers and the fact that some of its algorithms have already been compromised. Meanwhile, SSL is very effective at maintaining encrypted communications across the internet but its elaborate data exchange mechanism to establish and authenticate connections can severely hamper performance in high-scale environments. 

What is needed is a highly flexible solution that maintains robust security and protection in high-scale, highly complex environments. As well, it should be easy to implement at a low price point and should lend itself to the kinds of automated traffic management and network provisioning operations that are coming to define the modern data universe.

Guarding connections

One approach that ADVA has adopted for the multi-cloud adaptation of its ConnectGuard™ platform is to utilize low-cost universal customer premises equipment (uCPE) solutions to push encrypted content to remote workers and branch offices. In this way, the enterprise can leverage both a hosted cloud deployment and uCPE clients to encrypt traffic not just at Layers 2 and 3, but on the Layer 4 host-to-host transport as well.

In this way, organizations maintain robust security between switches, routers and terminal equipment (Layers 2 and 3) while also protecting segmented virtual networks, which would otherwise be vulnerable to attack should hackers gain control of the access control list at the networking layer.

What’s more, as a full software solution, ConnectGuard™ can provide hybrid and multi-cloud protection on any COTS server deployment under a simple subscription or perpetual license basis. And as a transport independent and FIPS-compliant solution, it provides robust end-to-end encryption at a far lower price point than current appliance-based offerings. 

The enterprise can even take advantage of the system’s NFV capabilities to simplify day-to-day operations, integrate multiple cloud and other service-level platforms and streamline hardware footprints in centralized and remote locations. Using zero-touch provisioning, the system can be set up to automatically optimize network environments for individual applications based on the type of resources available at a given site – all within minutes. 

In this age of digital services and high customer demand for personalization and robust performance, data has become the most valuable commodity in the enterprise business model. But collecting and storing this data is of little value unless it can be shared and utilized properly.

A multi-cloud environment offers the best way to ensure peak performance and solid data protection, but only if the network between these disparate sites is outfitted with top-flight security. And as with any data infrastructure, the best time to ensure your security is adequate is before your data has been compromised, not after.
