Zero Trust Security with Ververica's Bring Your Own Cloud Deployment: Part One
In the first blog of this series, we introduced Ververica’s Bring Your Own Cloud Deployment option, offering a high-level overview of why BYOC was created and the benefits users can expect when utilizing this deployment option. The second blog explored “The Dilemma” businesses encounter when trying to find an ideal balance to ensure that a chosen deployment provides the appropriate level of flexibility, efficiency, and security required.
In this third blog, the focus is entirely on security, and is divided into two parts. Part One covers the evolution of the connectivity landscape and the pressures businesses face in a world that is interconnected via the internet with no clear physical boundaries. It also introduces the variations of BYOC in the market and how well they support security measures, including Zero Trust strategies.
Part Two explains exactly how Ververica’s BYOC deployment option helps businesses to address ever-growing issues of connectivity, solution complexity, and the capability to adhere to strict security measures when utilizing Ververica’s Unified Streaming Data Platform. It also explores how Ververica ultimately allows data streaming and processing projects as a cloud deployment that aligns and supports Zero Trust strategies.
Figure 1: "The Dilemma": How to choose a deployment that best balances the needs of security, efficiency, and flexibility
Change Is On The Horizon...
As cloud adoption accelerates, businesses today are continuously faced with the challenge of balancing flexibility, scalability, and security in their solution deployments. In particular, the cloud deployment landscape is becoming more complex as multi-cloud and hybrid cloud environments continue to evolve, with remote connectivity and interconnectivity over the internet becoming the preferred standard.
Evolution of the Connectivity Landscape
Until recently, connecting businesses and people was done by simply extending corporate and private network infrastructures. This was an effective solution, as network perimeters are relatively easy to guard and defend. As shown in Figure 2, the business network domain (pictured on the right side) is connected with outside third-party IaaS/PaaS/SaaS service providers (shown on the left) via a corporate firewall. The firewall acts as a security boundary, allowing only authorized parties to access the inside of the business network. While this is an effective solution that provides a good balance of accessibility and security, the cloud and business landscape now requires greater connectivity, and modern businesses have duties, work, and data that exist outside of clear walls and boundaries and still need to be protected.
Figure 2: Traditional cloud infrastructure and security
Global Connectivity Via the Internet Rises
Businesses today require global connectivity that adapts easily, in an ever-growing environment where there are no distinct networks or physical boundaries, and where connection requests may change often. Today the world is interconnected via the internet, not via extensions of sprawling corporate networks. In this model, businesses (including their users, applications, and data) are connected with third-party vendors, business-critical infrastructure, and corporate users and partners from anywhere. (See Figure 3.)
Figure 3: Modern connectivity is global and lacks clear perimeters
Driving Changes in Connectivity
There are multiple factors and use cases driving the change in connectivity, including varied cloud adoption rates, remote or hybrid workforces, advances in connectivity technology (5G), and complicated business use cases that demand access and security from anywhere at any time. In addition, different departments of the same business may have different security requirements and different cloud adoption speeds. Migration from legacy application architectures toward cloud-native architectures is also an incremental evolution with long transition periods.
Additional complexities include:
- As the business landscape expands over multiple hyperscale cloud providers, organizations seek more efficiency and escape from vendor lock-in.
- Cloud native transformation rates and adoption are often different across separate business units.
- Work is often spread across different public/private or hybrid clouds within the same organization.
- Application architectures within the same organization often vary from legacy to fully cloud native.
- “Lift and shift” is often the first step, which causes a non-ideal blend of partial cloud and partial on-premise infrastructures that are hard to protect.
As a result, there is no fixed network perimeter around business users, applications, or data. Such an environment is incredibly hard to defend, and it makes security strategies complex and difficult to realize. (See Figure 4.)
Figure 4: Business applications spread across both hybrid and public clouds
Shifts in Security
Simultaneously, security breaches are increasing in frequency and sophistication, compelling organizations to prioritize the protection of their most sensitive data and workloads. As connectivity demands and complexity grow, traditional security measures become inadequate. Businesses must now operate under the assumption that intruders and threats may already be inside, and trust can no longer be implicit.
Figure 5 depicts a security landscape in which multiple credentials and users are breached.
Business domains (shown on the right side of the external-access network defense perimeter) are guarded with network defense best practices. These include a no-trust zone, often called a "demilitarized zone" (DMZ), which sits between the external network and the private network domain. Businesses must assume, and be ready to deal with, intruders that break trust and breach the private (trusted) zone. If not properly handled, such threats can cause wide damage, endangering multiple business tenants.
Figure 5: Always assume a breach
The cybersecurity community acknowledges that traditional network perimeter defenses are no longer effective, prompting the emergence of new strategies and architectures such as Zero Trust Architecture (NIST SP 800-207).
It's a Road, Not a Destination
Aligning additional cybersecurity and Zero Trust initiatives with existing business technology and transition stages can be complicated. Organizations have often already made substantial investments in their current end-to-end security frameworks (whether cloud-based or on-premise), along with various organizational and operational policies. These investments include existing infrastructure, dedicated security and operations teams, and accumulated expertise and team knowledge, all of which it would be detrimental to change significantly or too quickly.
One thing is certain: it is essential to build upon these existing assets and evolve strategies that maximize the value of these prior investments, as illustrated in Figure 6. In most cases, rip-and-replace is not a viable or cost-effective solution; instead, new strategies must be carefully threaded into existing workflows. Past decisions, tools, and investments must be considered when introducing a Zero Trust implementation roadmap.
Figure 6: Consider past investments when building new strategies
The Problem with Current Deployment Models
The traditional fully managed cloud service model offers undeniable value, but maintaining control over security policy enforcement, observability, and operational and data governance has become a significant concern. On the other hand, the traditional self-managed software model is not flexible enough to sustain business needs for a usage-based consumption model (PAYG), a self-service approach, streamlined delivery, and centralized management. In order to stay competitive, businesses must seek the best of the different cloud options, including Bring Your Own Cloud deployment models that marry the benefits of the fully managed service and self-managed software models.
Variations of BYOC
Bring Your Own Cloud (BYOC) deployment models have gained traction across many industries, promising to combine the advantages of existing deployment approaches. Typically, these models feature a control plane managed by the vendor in their cloud, while the data plane resides within the customer's cloud.
However, with no established design best practices, different vendors' BYOC solutions vary in terms of design, architecture, and shared responsibility models. In addition, they vary in how effectively they embrace Zero Trust strategies.
Some vendors build BYOC using the traditional network perimeter trust approach, which is reminiscent of traditional managed environments. This model of BYOC suffers from the same risks introduced by network perimeter based defense, as trust is implicit, and therefore exposure to risk is higher.
Other vendors' BYOC variations use a cloud provider cross-account approach to manage user services in user-trusted zones. This approach introduces several security concerns when viewed through Zero Trust architecture guidelines, including:
- Cross-account trust relationships and policies are usually permanent (standing access), and are therefore more prone to breach.
- Vendor management is done by issuing commands from the vendor cloud account toward the user cloud account (sometimes called the 'push' model). This strips users of operational and connectivity governance.
- Vendors manage a set of IaaS services (compute, network, storage) in the user cloud, which requires elevated and wide privileges. In this model, trust is implicit and shared responsibilities are very entangled.
Newer BYOC designs try to increase operational governance by using an agent that pulls commands from the vendor cloud account to execute in the user cloud account. However, this may involve the management of substantial parts of the customer’s infrastructure on top of primary vendor services, which requires elevated privileges and roles and exposes large parts of the business to potential breach.
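As an added illustration (not Ververica's code, and not a description of any particular vendor's BYOC implementation), the following Python script reviews a cross-account role definition for the properties that the cross-account list and the agent-based variant above call out: a permanent, account-wide trust relationship, wildcard privileges over the user's IaaS services, and long-lived sessions. The two role definitions, the account ids, the role names and the external id are constructed placeholders; the field names checked (Principal, Condition, sts:ExternalId, Action, Resource) mirror the structure of AWS IAM policy documents, and the session duration mirrors a role's MaxSessionDuration setting.

```python
"""Review a cross-account IAM role definition for standing, over-broad access.

Added illustration, not Ververica's code. Account ids, role names and the
external id below are constructed placeholders. The checks map to the
Zero Trust concerns in the text: permanent trust, wide privileges, no
conditions on who may assume the role, and long-lived sessions.
"""
from typing import Any

# Constructed sample 1: the kind of role a "push" model tends to ask for.
# The vendor's whole account is trusted, every action on every resource is
# allowed, and a session lasts 12 hours.
WIDE_ROLE = {
    "trust_policy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder vendor account
            "Action": "sts:AssumeRole",
        }],
    },
    "permissions_policy": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "iam:*"], "Resource": "*"}],
    },
    "max_session_duration_seconds": 43200,
}

# Constructed sample 2: one named vendor role may assume it, only with a
# shared external id, only for read-only calls on one named cluster, and
# sessions are capped at one hour.
SCOPED_ROLE = {
    "trust_policy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/vendor-control-plane"},  # placeholder
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},  # placeholder
        }],
    },
    "permissions_policy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["eks:DescribeCluster", "eks:ListNodegroups"],
            "Resource": "arn:aws:eks:eu-central-1:222222222222:cluster/streaming-data-plane",  # placeholder
        }],
    },
    "max_session_duration_seconds": 3600,
}


def _as_list(value: Any) -> list:
    """IAM documents allow a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_cross_account_role(role: dict) -> list[str]:
    """Return human-readable findings for one role; an empty list means nothing was flagged."""
    findings: list[str] = []

    # 1. Trust policy: who may assume the role, and under what conditions.
    for stmt in _as_list(role["trust_policy"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in aws_principals:
            findings.append("trust: any AWS principal may assume the role")
        for arn in aws_principals:
            if arn.endswith(":root"):
                findings.append(f"trust: whole account trusted ({arn}), not one named role")
        condition = stmt.get("Condition", {})
        if not any("sts:ExternalId" in keys for keys in condition.values()):
            findings.append("trust: no sts:ExternalId condition (confused-deputy risk)")

    # 2. Permissions policy: what the role may do once assumed.
    for stmt in _as_list(role["permissions_policy"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        wildcard_actions = sorted(a for a in actions if a == "*" or a.endswith(":*"))
        if wildcard_actions:
            findings.append(f"permissions: wildcard actions {wildcard_actions}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append("permissions: wildcard resource '*'")

    # 3. Session lifetime: long sessions turn a temporary grant into standing access.
    if role.get("max_session_duration_seconds", 3600) > 3600:
        findings.append("session: MaxSessionDuration above one hour")

    return findings


if __name__ == "__main__":
    for name, role in (("wide", WIDE_ROLE), ("scoped", SCOPED_ROLE)):
        print(name, review_cross_account_role(role) or "no findings")
```

The wide role produces five findings (account-wide trust, no external id, wildcard actions, wildcard resource, long sessions) and the scoped role none. A real review would also look at what the vendor principal itself can do in its own account, which a policy document in the user account cannot show, and at whether the grant is time-bounded at all; the point of the script is only that the difference between "implicit, permanent, wide" and "named, conditioned, narrow" is mechanically checkable before a BYOC role is created.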
Each of these BYOC variations tries to blend accessibility with security, and together they demonstrate how difficult finding the appropriate balance can be. The variations of BYOC designs are further illustrated in Figure 7.
Figure 7: Variations of BYOC designs
When building Ververica’s BYOC deployment option, we were very mindful of the variations of BYOC available in the market, and purposefully built our option from the ground up to best combine connectivity and security needs. Stay tuned for Part Two, where we explore Ververica's BYOC offering and dive into exactly how Ververica's architecture follows Zero Trust design principles.
Additional Resources
Catch up on the entire BYOC Blog Series:
- Read Blog One: "Introducing Ververica's Bring Your Own Cloud (BYOC) Deployment Offering"
- Read Blog Two: "Your Cloud: Your Rules, Ververica’s Bring Your Own Cloud Deployment: Introducing “The Dilemma”"
- Ready to get started? Explore the deployment options.
- Not sure which deployment method is best for you? Contact us.
- Want to learn more about Ververica’s Bring Your Own Cloud deployment offering of Ververica’s Unified Streaming Data Platform? Log into Ververica Academy to watch Ben Gamble and Igor Kersic onstage at Flink Forward Berlin 2024.