Cloud Connection
A Cloud Case Study
Project Details
Client
Automotive Major Bank
Category
Financial Industry
Project Year
2021
Introduction
Initial Situation
The transition from a local to a cloud-based proxy prompted a client from the financial industry to create a new concept for the planned cloud connection of their data centre.
Objective
The existing data centre network segmentation architecture must be retained and extended to the cloud environment to ensure consistent security controls and operational integrity. In addition to the typical goals of increased flexibility, better scalability, and efficiency improvements, the customer also wanted to realise data protection and regulation.
Task
Challenges
In addition to AWS, Azure and GCP, there are numerous other clouds that operate with different vendor-specific connections. Direct peering, L2 or L3-based connections, and other options should not be implemented through lots of single solutions, but through a central instance that enables specific connections in each case.
The challenge was to develop a unified concept capable of integrating a wide range of diverse solutions. Differences between PaaS, IaaS, and SaaS models, as well as appropriate encryption methods, had to be carefully considered. Integrating heterogeneous systems such as databases, web front ends, and various software applications presented numerous architectural possibilities.
Key considerations included how subsidiaries should be connected and how end users would consume cloud-based remote access solutions in the future. A central aspect of the design process was determining whether a centralized or decentralized approach would be the most suitable architecture.
In addition, network segmentation requirements and varying regulatory frameworks further increased the complexity of the project. Furthermore, the rapid pace of innovation in cloud technologies required an agile and flexible solution capable of continuously adapting to evolving requirements and technological advancements.
Solution
Concept Based on Functional Building Blocks
In general, a building block-based approach to connectivity enables the integration of different technologies, such as Layer 2 and Layer 3 architectures. Depending on the specific solution requirements, routers, firewalls, and other essential components were combined in various ways to create a flexible and scalable design.
Network segmentation had to be implemented individually to accommodate the characteristics and constraints of the respective technologies. In addition, the existing security framework required adaptation to address the specific requirements of modern cloud environments.
During the initial phase of the project, no fewer than 17 different cloud platforms had to be evaluated and considered within the overall solution design.
Implementation
L2 and L3 Technologies
By leveraging standard Layer 2 and Layer 3 technologies, the majority of cloud environments could be integrated into the overall architecture. However, some cloud platforms required dedicated connectivity solutions, which were implemented using two distinct approaches within the connectivity framework.
To ensure robust security, high-performance routers and firewalls, Intrusion Detection and Prevention Systems (IDPS), and Application Layer Gateways (ALGs) were deployed on the specific requirements and architectural characteristics of each solution.
Encryption and NAT played a critical role, with dedicated implementations tailored to the unique requirements of each connection. In addition, data flows within cloud environments are often structured differently from traditional on premise infrastructures, further increasing complexity and necessitating compromises when integrating on-premise systems into cloud services.
Outcome
Project Success
The dynamic nature and continuous evolution of cloud solutions made a traditional implementation approach impractical. Consequently, agile methodologies were adopted, despite the inherent challenges of applying them to infrastructure-focused projects.
The overall success of the project was achieved through the effective design and implementation of numerous diverse connectivity solutions that met both technical and business requirements.
-
Increased Flexibility
-
Better Scalibility
-
Increased Efficiency
-
Data protection and Regulation
Conclusion & Recommendation
Cloud Strategy
Cloud connections can be implemented in compliance with applicable regulations, including those in the financial industry. However, documentation is more complex than in on-premise environments. A well-defined cloud strategy is essential to establish the required connectivity while maintaining flexibility for future changes.
In addition, regulatory requirements must be continuously reviewed and aligned with evolving cloud environments. Governance therefore requires particularly careful and comprehensive documentation.