The VPN paradigm shift toward cloud computing
By Hery Zo Rakotondramanana
From its conception, a VPN was meant to secure a connection that has to transit a public network, so the IT manager's challenge was simply to find the best encryption method for tunneling data through it: which protocols to use, and which device (or software) to put at each endpoint of the tunnel. All of this was typically handled in-house, giving IT managers control over both endpoints of the VPN tunnel.
But with the advent of cloud computing, things changed dramatically. Part of the IT infrastructure has moved to the cloud, introducing a third party into the equation. As a result, IT managers are "losing control" over some parts of their infrastructure and now have to deal with a third party to set up a secure connection to their IT resources in the cloud. So what exactly are your options in this new world where VPNs and the cloud collide? Let's dig a bit deeper and find out.
- Extend the in-house network infrastructure to the cloud. Cloud services in this category include Amazon EC2, GoGrid, IBM SmartCloud and VMware/Terremark vCloud Express. At this stage, depending on the cloud provider, proprietary APIs are used to connect to these cloud services. As they become more popular, such services are expected to offer more open and better-secured API connections. On top of this, Amazon, for example, offers a VPN capability within Amazon VPC for reaching your cloud resources: the tunnel terminates on a virtual private gateway on the AWS side, and Amazon VPC accepts any third-party VPN gateway on the customer side, provided that it implements IPsec.
- Build a virtual network on top of the cloud provider's infrastructure. Connections from outside the cloud are made via IPsec or SSL, while OpenVPN is used within and across the cloud. This approach ties IT managers to a single cloud provider. They can then build their own virtual network by connecting different units in the cloud to their in-house data center. Connections between those units in the cloud are managed by the provider, limiting the involvement of other third-party vendors. Connecting the cloud virtual network to the corporate data center, however, still requires a secure IPsec connection, which can be implemented with a third-party VPN product.
- Build a direct private pipe between the enterprise network and the cloud. The main goal here is to remove any public transit through the Internet. Amazon has partnered with Equinix so that the client's data center can be connected directly to the nearest Equinix point of presence. While the Amazon Direct Connect concept emphasizes the "straight" connection, the circuit itself is not encrypted, so customers are expected to add their own security (typically an IPsec tunnel) on top of that private link.
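As an added illustration that is not part of the original article, here is a strongSwan `swanctl.conf` for the IPsec site-to-site tunnel that all three options above end up needing: the on-premises gateway of option 1, the uplink from the cloud virtual network to the corporate data center in option 2, or the encryption laid over a Direct Connect circuit in option 3. The addresses (RFC 5737 documentation ranges), subnets, connection names and the pre-shared key are placeholders chosen for this example; a real VPC deployment takes the virtual private gateway's public IP and the PSK from the provider-generated configuration. The comments show the weak legacy proposal beside the corrected one.

```conf
# strongSwan swanctl.conf (strongSwan 5.x, swanctl/vici interface).
# Added example; all addresses, names and the PSK are placeholders.
connections {
    # Tunnel from the on-premises gateway to the cloud provider's VPN endpoint
    # (for Amazon VPC this is the virtual private gateway; the remote address
    # and PSK come from the provider-generated configuration).
    cloud-tunnel1 {
        version = 2                       # IKEv2; set to 1 if the peer only speaks IKEv1
        local_addrs  = 203.0.113.10       # on-premises gateway public IP (placeholder)
        remote_addrs = 198.51.100.1       # provider VPN endpoint public IP (placeholder)

        # IKE (phase 1) proposal. A legacy proposal such as
        #   proposals = aes128-sha1-modp1024
        # still interoperates with many gateways but relies on SHA-1 and a
        # 1024-bit DH group; prefer AES-256, SHA-256 and at least modp2048.
        proposals = aes256-sha256-modp2048
        rekey_time = 28800s               # IKE SA lifetime
        dpd_delay = 10s                   # dead peer detection interval

        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.1
        }

        children {
            vpc {
                local_ts  = 10.1.0.0/16   # on-premises subnet (placeholder)
                remote_ts = 10.0.0.0/16   # cloud VPC CIDR (placeholder)
                # ESP (phase 2) proposal with PFS via modp2048; the weak
                # equivalent would be aes128-sha1-modp1024.
                esp_proposals = aes256-sha256-modp2048
                rekey_time = 3600s        # CHILD SA lifetime
                dpd_action = restart      # re-establish the tunnel if the peer goes silent
                start_action = start      # bring the tunnel up when the config is loaded
            }
        }
    }
}

secrets {
    ike-cloud1 {
        id-1 = 198.51.100.1
        secret = "replace-with-the-provider-supplied-psk"
    }
}
```

Load it with `swanctl --load-all` and verify the security associations with `swanctl --list-sas`. For redundancy, add a second connection block pointing at the provider's second tunnel endpoint. Because IPsec does not care what carries the packets, the same configuration applies whether the path is the public Internet or a private circuit such as Direct Connect, which provides no encryption of its own.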
Overall, it's important to set up a standards-based connection from the in-house data center to the cloud, and for this IPsec is still the de facto standard protocol. But of course, the story of VPNs and the cloud is still being written, so stay tuned for more.