Many companies have begun to use multiple cloud services as a matter of course. However, the enterprise network has been built around the data center, with a topology centered on it. The bandwidth of the Internet gateway at the data center is running short, and the access lines from the sites are also congested with heavy traffic because of the increasing use of SaaS such as O365 or Box.
Meanwhile, employees work in various places such as the office, on the road and at home. Business partners also want to access the enterprise network to collaborate with the company. They want to use enterprise applications, both on-premise and in the cloud, through the same procedure.
To solve the above problems, we need to change our mindset:
- The data center is no longer the center; the network becomes the center.
- The Internet is dangerous, but if we use it well it is cheap, and we can build a network that is robust against failure or disaster.
- Boundary protection can no longer protect enterprises from recent threats, and it does not accommodate diverse usage patterns that cross various boundaries.
Please look at the deck for an understanding of the solution.
Network and Security Reference Architecture For Driving Workstyle Transformation
1.
Network and Security Reference Architecture For Driving Workstyle Transformation
Author: Matsuo Sawahashi
Division: GTS Japan, Solutioning, Chief Architect
Mail: matsuos@jp.ibm.com
Chief Architect Reference Architecture Asset Series
2.
Introduction
3.
Executive Summary
• Background
  • The way people work has diversified and it is becoming common to access from various places such as home and outside the office
  • Interaction with collaborating business partners has become active, and the internal and external boundaries have become uncertain
  • Shifting from in-house development to using external services such as SaaS
  • In particular, shifting OA business applications such as O365, Box and Concur to SaaS is actively performed
• Issues
  • The limits of networks centered on the data center, as in the current situation
  • Narrow Internet access bandwidth through a data center
  • Waste of having to go through a distant data center to reach the Internet
  • Narrow branch network bandwidth and extensive route and bandwidth changes
  • Internal networks and devices vulnerable to targeted e-mail attacks
  • A standard terminal that does not meet diversified user needs
  • Access control and single sign-on have not been implemented despite the need for individual authentication to access each cloud service
• Solution
  • Zero Trust Security
    • Secure at the terminal or device level without distinguishing between internal and external, and increase resilience against threats
  • SD-WAN
    • Improve accessibility to cloud services by overlaying a virtualized network without distinguishing between private leased lines and the Internet
    • Respond flexibly to the addition and change of new services by changing bandwidth and routing from one place
  • Cloud Exchange Service
    • Connect immediately to new cloud services by using a cloud exchange service pre-connected to the cloud services
  • ID Federation
    • Prepare an authentication infrastructure capable of linking cloud services and on-premise IDs, enabling single sign-on and access control
4.
Current IT State
• Data center centric network structure
• The gateway to the Internet and the cloud is consolidated in the data center
• While the boundary at the data center is thoroughly defended, the internal network is considered safe and sufficient security measures are not implemented there
• The branch networks have been changed manually
[Diagram: sites (Head Quarters, Branch Office, Service Office, Store, Factory) connected over the WAN to the Data Center, which holds the only gateway to the Internet and Cloud Services]
5.
Problems under Current IT State
• Increasing use of cloud (not only IaaS but also PaaS and SaaS)
• Bandwidth shortage of the cloud-connected network
• Authentication to the cloud is managed separately from the on-premise environment
• Routing and bandwidth changes occur frequently and cost rises
• Due to boundary defense, conversely, weak internal networks and devices
• Flexibility to change and resistance to attack are lacking, and this becomes a burden for every new challenge
[Diagram: the same data-center-centric topology (Data Center, Head Quarters, Branch Office, Service Office, Store, Factory, WAN, Cloud Services, Internet), annotated with: Bottleneck, Increasing Demand, Increasing cost of change work, Vulnerable, Isolated ID Management]
6.
Background
• User view
  • The way people work has diversified and it is becoming common to access from various places such as home and outside the office
  • Interaction with collaborating business partners has become active, and the internal and external boundaries have become uncertain
• Provider view
  • Shifting from in-house development to using external services such as SaaS
  • In particular, shifting OA business applications such as O365, Box and Concur to SaaS is actively performed
7.
Business Problem
• Limit of the data center centered network structure
  • The only doorway to the Internet is in the data center
  • Concentration of access to the Internet at the Internet access gateway
  • Waste of having to go through a distant data center to go out to the Internet
  • Narrow branch network bandwidth and extensive route and bandwidth changes
• Vulnerable internal networks
  • Boundary defense is not effective against targeted e-mail attacks
  • Vulnerable terminal security that relies too much on boundary defense
  • Early virus detection and spread prevention functions are poor
• No integrated authentication system, and insecure authentication
  • Access control and single sign-on have not been implemented despite the need for individual authentication to access each cloud service
  • Dangerous authentication with ID and password only
8.
Use Case List
• If a cloud service is cheaper and more efficient than developing ourselves, we want to actively use it
• With the expansion of cloud service use, we want to connect from the site to the Internet or the cloud via a high-speed, high-capacity network
• We want to use a unified authentication system for both internal and external systems to control who can connect to which system
• We want to minimize the cost and time for changing the bandwidth or route settings of routers and firewalls at the sites when cloud service providers are added or changed
• We want to use internal and external systems with the same procedure from the office, outside and home
• We want to let business partners use internal and external systems
• Based on the premise that targeted e-mail attacks cannot be avoided, we want a mechanism that enables early detection and early countermeasures in case of infection
9.
IT Requirements
Category / Priority: IT Requirement
Network / Must: Direct access to the public cloud (IaaS / PaaS / SaaS) without going through the DC
Network / Must: Since it is necessary to connect to various public cloud services, use a cloud exchange service to keep the network structure simple instead of providing an access route to each cloud service
Network / Must: Be able to optimize cost and performance by using not only leased lines but also the Internet to connect to the cloud and DCs
Network / Must: To be able to flexibly increase and decrease network bandwidth, make it easy to scale out lines by bundling multiple leased lines and the Internet
Network / Should: Make it easy to change network bandwidth and routes through central control
Network / Could: In order to improve accessibility to the public cloud and not put a burden on the company's existing infrastructure, it must be possible to make an Internet breakout from the sites as much as possible
10.
IT Requirements
Category / Priority: IT Requirement
Security / Must: Encryption is required when the Internet is used as the access network
Security / Must: In case of Internet breakout, provide a packet filtering feature at the breakout sites to protect against external attack
Security / Must: Authentication and authorization to the applications, not only on on-premise DCs but also on public cloud services, are performed via a unified authentication system
Security / Must: Take the necessary defense measures without assuming that the internal network is safe, as active use of the Internet and public clouds progresses
Security / Should: For authentication to the applications on on-premise DCs as well as in the cloud, apply multi-factor authentication and device authentication
Security / Must: Ensure endpoint security rather than boundary defense so that detection and removal of threats can be performed promptly
Security / Must: Ensure security monitoring (SIEM) and action (CSIRT) so that illegal access and attacks can be detected promptly and measures can be taken
Security / Must: Ensure log management to detect unauthorized access and attacks
Security / Must: Access to confidential data, including personal information, can be audited: when, who requested what
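The Network and Security requirements above read as a small routing policy: the Internet may carry site traffic only when encrypted, Internet breakout needs a local packet filter, SaaS goes straight out of the site, and DCs and IaaS/PaaS are reached through a HUB-DC fronting the cloud exchange. The following is an added illustration of that policy as a configuration check (not tooling from the deck or from IBM); the site names, link names and destination classes are constructed.

```python
"""Path-selection check for the SD-WAN and Internet-breakout rules in the IT
requirements: Internet underlay only when encrypted, breakout only behind a
packet filter, SaaS direct from the site, DC and IaaS/PaaS via the HUB-DC.
Added illustration with constructed names; not tooling from the deck."""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    kind: str                # "leased" or "internet"
    encrypted: bool = False  # overlay tunnel (e.g. IPsec) runs on this underlay


@dataclass
class Site:
    name: str
    links: list = field(default_factory=list)
    breakout: bool = False       # local Internet breakout enabled
    packet_filter: bool = False  # packet filtering at the breakout point


DIRECT_CLASSES = {"saas"}              # go straight out of the site
HUB_CLASSES = {"dc", "iaas", "paas"}   # go via HUB-DC and cloud exchange


def overlay_links(site):
    """Underlays the SD-WAN overlay may bundle: leased lines always,
    Internet links only when the overlay traffic on them is encrypted."""
    return [l.name for l in site.links if l.kind == "leased" or l.encrypted]


def select_path(site, dest_class):
    """Return {"via": ..., "links": [...]} for traffic from site to dest_class,
    or raise ValueError when a Must requirement would be violated."""
    internet = [l.name for l in site.links if l.kind == "internet"]
    if dest_class in DIRECT_CLASSES and site.breakout:
        if not site.packet_filter:
            raise ValueError(f"{site.name}: Internet breakout without packet filtering")
        if not internet:
            raise ValueError(f"{site.name}: breakout enabled but no Internet link")
        return {"via": "breakout", "links": internet}
    if dest_class in DIRECT_CLASSES | HUB_CLASSES:
        # SaaS without breakout falls back to the HUB-DC route: the data-center
        # gateway bottleneck the deck wants to avoid, but still a permitted path.
        links = overlay_links(site)
        if not links:
            raise ValueError(f"{site.name}: no usable underlay (unencrypted Internet only)")
        return {"via": "hub-dc", "links": links}
    raise ValueError(f"unknown destination class {dest_class!r}")
```

A site with only an unencrypted Internet link therefore gets no overlay path at all, and a site with breakout but no packet filter is rejected before any SaaS traffic is routed.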
11.
Solution Approach
• Software Defined Overlay Network
  • Cloud Exchange Service
    • Simple connectivity to the public cloud
    • Easy change of cloud connection bandwidth
  • Software Defined WAN (SD-WAN)
    • Using bundled multiple leased lines and the Internet
    • Internet breakout feature
    • Central console operation
• Zero Trust Security
  • Endpoint security
  • ID federation for the applications and public cloud services
  • Multi-factor authentication and device authentication
  • Log management and SIEM, CSIRT
  • DB audit
12.
Architectural Overview
[Diagram: sites (Head Quarters, Branch Office, Service Office, Store, Factory, Home) reach Cloud Services (On/Off premise Data Center, IaaS, PaaS, SaaS) over the WAN and the Internet through the Software Defined Overlay Network and Cloud Exchange Services; Zero Trust Security spans Attack Detection, SIEM, Protection, Recovery, Patch, Action and IDaaS]
Callouts:
• The DC is considered a type of cloud service, preventing load concentration on the DC and increasing toughness against disasters
• Protect devices and accesses rather than relying on boundary defenses, enhancing overall attack tolerance
• Realize diversification of workplaces by using the system regardless of where we work
• Utilize the Internet as a route through an encrypted overlay network built by SD-WAN
• High-speed, low-cost cloud access realized by breakout from the site to the Internet
• Realization of simple connection to multiple clouds by utilizing a cloud exchange service
• Prepare an authentication infrastructure that enables federation between cloud services and internal IDs, realizing single sign-on and access control
13.
Component Model
High level component relationship
[Diagram: component relationship graph; the edges are labelled Deploy, Use, Authenticate, Connect, Configure, Transfer, Monitor and Audit]
Networking components:
• SD-WAN Overlay Network (over Internet and leased line)
• Internet Breakout
• Cloud Exchange Service
• Site
• Internet
Security components:
• ID Federation System (authenticates User and Terminal)
• Endpoint security (on Terminal)
• Log Management (transfers to SIEM / CSIRT)
• SIEM / CSIRT (monitors)
• DB Audit (audits Confidential Data)
Application components:
• Application, deployed on On-premise DC and Cloud Service, used by User via Terminal
14.
Operational Model
High level diagram
[Diagram: HUB-DC West and HUB-DC East, each with CPE and a Cloud Exchange Service connecting to the Cloud Service Providers (IaaS, PaaS, SaaS); Data Center West and Data Center East with CPE; Sites with CPE and Internet Breakout; WAN and Internet as underlays; security components Endpoint Security, SIEM / CSIRT, DB Audit, ID Federation and Log Mgmt]
CPE – Customer Premise Equipment – here, it refers to a routing device that supports SD-WAN technology
15.
Value Proposition
Benefits:
• Can promptly implement new installation, change and cancellation of cloud services safely and inexpensively
• Can diversify our way of working through system use regardless of where we work
• Can make the cross-site network redundant inexpensively
• Can use single sign-on with the same ID for both cloud and on-premise
• Can discover targeted e-mail attacks early, and plan and implement countermeasures
• Can speed up access from the site to cloud services inexpensively
• Can carry out the work of changing the bandwidth and route of the inter-site network
• Can increase tolerance to data leakage and quickly identify the range of impact in case of an incident
• Can make it easier to design a data exchange system with business partners
Benefit categories: Flexibility, Availability, Convenience, Safety, Cost Reduction, Speediness
Solutions: DB Audit, ID Federation, Endpoint Security, Log Management / SIEM / CSIRT, SD-WAN, Cloud Exchange Service
16.
Migration Plan
[Gantt chart over three years (First year, Second year, Third year)]
Networking stream:
• Network requirement definition and macro design
• HUB-DC build
• DC SD-WAN build
• Sites SD-WAN build and migration
Security stream:
• Security requirement definition and macro design
• ID Federation build
• DB Audit build
• Endpoint Security build
• Log mgmt build
• SIEM build
• CSIRT build
• Endpoint Security sites deployment
Milestones: Network migration start; Migration complete
17.
Architectural Decision Examples
Issue: How to connect between on-premise DCs and multi-cloud DCs
Decision: We will develop HUB-DCs leveraging a cloud exchange service with SD-WAN technology
Status: Decided
Category: Infrastructure – Networking
Assumptions:
• Increasing use of multiple cloud services
• Adding, deleting, changing and replacing cloud services frequently
• Changing bandwidth, routing and access control of the network connection to the cloud
• Increasing the number of sites using Internet breakout as the use of SaaS such as O365 and Box increases
Options:
1. Use leased lines for each connection (Mesh topology)
2. Develop HUB-DCs with a cloud exchange service (Hub-Spoke topology)
3. Develop HUB-DCs with a cloud exchange service and SD-WAN (Hub-Spoke topology + SD-WAN)
Arguments (Rationale):
Risk:
• SD-WAN is a rapidly growing technology
• We have no experience developing SD-WAN
Implications:
• CPE (Customer Premises Equipment) needs to be deployed at the HUB-DCs to realize SD-WAN
• The HUB-DC must support mega cloud services such as IBM Cloud, Azure and AWS
Notes:
Option comparison (Flexibility / Simplicity / Security / Stability / Change Speed):
1: Low / Low / Complex / Low / Low – few months
2: Medium / Medium / Complex / Medium / Medium – few weeks
3: High / High / Flexible / High / High – few hours