By Philip Griffiths and Kenneth Bingham
Superpower the Supercloud with networking inside the application
In part 2 of ‘How to Superpower the Supercloud’, we looked at how ‘the network is not the computer’: most superclouds have put in place a shared responsibility model with their customers when it comes to fully securing their offering. They rely on traditional and cloud networking models, which they do not control, for their customers to access their offering. But if superclouds are going to hide the underlying complexity of the infrastructure supporting their applications, they need to incorporate secure networking without incurring the common problems associated with most CASCE (or non-CASCE) vendors. If they do this, they will reduce complexity for their customers, leading to more adoption, and value will be realized by both customers and shareholders.
Dave Vellante’s ‘The Rise of the Supercloud’ did not talk about building secure networking inside the application, as it is a recent innovation. The ability for supercloud operators, or any other application builder, to include secure networking inside the application source code has surprising and broad implications, including the ability to be multi-cloud-native, secure-by-design, and develop-once-deploy-anywhere, automated with Infrastructure-as-Code tools and methodology. This in turn reduces complexity and burdens on users and customers while also making the application more secure; at the same time, it allows superclouds to increase their revenue, reduce cost, and lower both risk and lock-in to the underlying hyperscalers and cloud providers. Giving superclouds superpowers is a boon for everyone, so how can we do this? Easy: they can get these superpowers by building OpenZiti into their product.
OpenZiti is an open-source, modern, programmable network overlay, with associated edge componentry, for application-embedded, zero-trust networking. It was created and is maintained by NetFoundry, which also offers a SaaS platform to manage, host, monitor, automate, and support OpenZiti-powered applications. The open-source community has a time-honored tradition of mascots, so we chose to recognise that Ziti is both a delicious Italian pasta and a programmable, private network overlay by creating Ziggy – you can read more on his backstory here.
Embedded networking and OpenZiti represent a shift in thinking about the relationship between the application and the network. The application gains superpowers by bringing its own private overlay connectivity, with a mutually verifiable cryptographic identity on both ends. This has significant implications for the security of an application that can deploy and operate across any cloud environment in minutes using an infrastructure-as-code approach. Each app spawns private, programmable, app-specific, zero-trust overlays, specific to each session. Built-in replaces bolted-on, based on an open-source standard, creating enormous improvements in security, business velocity, and more. The underlay network – usually the internet – is then responsible for what it is good at, delivering packets, while the app-specific overlay provides built-in, programmable security. Further technical details on how OpenZiti works can be found here.
This changes the shared responsibility model to enhance secure-by-design without putting all the burden on the customer. This is the “secure shared responsibility model” with 3 core principles:
- Secure – Private network as a service for any data flow, based on zero-trust principles and embeddable into anything, including apps, databases, hosts/OS, browsers, and virtual appliances. Endpoints authenticate and authorize before any connectivity is established, and connections are outbound-only at both source and destination, making applications ‘invisible’ to external network attacks (no inbound ports or link listeners required) with no possibility of lateral movement by an intruder. This massively reduces the attack surface. The supercloud enhances its security while reducing complexity for customers and users.
- Autonomous – API-first, using an ‘as code’ approach to unify DevOps automation with SecOps. Private, programmable, high-performance connectivity becomes a native primitive of the supercloud application and service, enabled with a click. Further, the supercloud controls connectivity over the internet not just between the parts of the distributed app (server-to-server) but also to the users (client-to-server) who interact with the supercloud. Embedded networking affords both control and visibility of the end-to-end network.
- Scalable – Superclouds built and deployed with OpenZiti easily scale on any cloud and can be consumed from anywhere across the traditional network underlay (LTE, WiFi, internet), with private, authenticated DNS. The solution is multi-cloud-native, develop-once, deploy-anywhere, including outside the hyperscalers to the edge and IoT. Customers and users no longer need to take responsibility for DNS, public access controls, inter-cloud, intra-cloud, or user connectivity.
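The ‘Secure’ principle above describes a specific control flow: both endpoints connect outbound to a controller, prove a pre-enrolled identity, and are authorized by policy before any circuit exists, so an unhosted or unauthorized service is unreachable rather than merely closed. The toy model below is constructed for this article and is not OpenZiti’s own code; it uses HMAC enrolment keys as a stand-in for the x509 identities a real deployment would use, and shows only the controller-side verification, not the mutual verification between endpoints.

```python
# Constructed toy model for this article (not OpenZiti's own code): both endpoints
# dial OUT to a controller, prove a pre-enrolled identity, and are authorized by
# policy before any circuit exists. HMAC keys stand in for x509 identities.
import hashlib
import hmac
import secrets


def prove(key, challenge):
    """Endpoint answers the controller's challenge with its enrolment key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Controller:
    def __init__(self):
        self.identities = {}  # name -> enrolment key (stand-in for a certificate)
        self.policies = {}    # (name, service) -> allowed actions {"bind", "dial"}
        self.hosted = {}      # service -> identity that registered it outbound

    def enroll(self, name):
        self.identities[name] = secrets.token_bytes(32)
        return self.identities[name]

    def grant(self, name, service, action):
        self.policies.setdefault((name, service), set()).add(action)

    def _authenticated(self, name, challenge, mac):
        key = self.identities.get(name)
        return key is not None and hmac.compare_digest(prove(key, challenge), mac)

    def _authorized(self, name, service, action):
        return action in self.policies.get((name, service), set())

    def bind(self, name, service, challenge, mac):
        """Host side: register a service over an outbound session; no listening port."""
        if not (self._authenticated(name, challenge, mac)
                and self._authorized(name, service, "bind")):
            return False
        self.hosted[service] = name
        return True

    def dial(self, name, service, challenge, mac):
        """Client side: a circuit is built only after auth, policy and a bound host."""
        if not self._authenticated(name, challenge, mac):
            return "denied: unknown or unproven identity"
        if not self._authorized(name, service, "dial"):
            return "denied: no dial policy"
        if service not in self.hosted:
            return "denied: service not hosted"
        return f"circuit {name} -> {self.hosted[service]} for {service}"
```

A real controller issues a fresh challenge per session; the fixed challenge here only keeps the model short.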
The new secure shared responsibility model allows superclouds and application developers to control secure networking while being abstracted from the underlying magic. Replacing bolted-on security and networking infrastructure with code means we get DevOps speed with SecOps security. Secure-by-design helps UX and adoption, as customers of superclouds no longer need to take on this responsibility. Ultimately this brings big benefits to customers, through increased value and reduced workloads from using superclouds, while enabling shareholders to increase their market share and the profitability of their investments in superclouds.
As John observed, “The network is the computer”; now superclouds can gain superpowers by putting secure networking in their applications, built on top of distributed computers (i.e., the cloud).