Anapaya blog

Going from in-house to cloud solutions, how SCION helps to realize a secure network

Posted by Andrea Tulimiero on 16 June, 2020

The benefits of cloud environments

A clear trend has emerged among companies worldwide: moving from in-house solutions to cloud environments. These environments are infrastructures managed by a third party (such as Amazon AWS or Microsoft Azure) that offer computational and storage solutions. Several benefits have sparked this interest, but the two most noteworthy are agility and cost-effectiveness. Unlike an enterprise's own premises, cloud environments can quickly scale and adapt to a company's needs. This flexibility frees businesses from the burden of over-provisioning while still avoiding service disruptions, which translates into both monetary and time savings.

Although the cloud is very appealing, companies should be careful when outsourcing their services and data; they must consider the security threats that arise, especially concerning the network technology chosen to join a cloud environment.

What are the current options to join a cloud environment?

The most convenient and obvious way to join a cloud environment is the public internet. Although internet infrastructure has improved recently (a fiber-grade connection at home is common nowadays), the service is still best-effort. This means that a customer's traffic is not guaranteed to reach its destination when needed; service disruptions can be caused by deliberate cyber-attacks (such as Border Gateway Protocol (BGP) hijacking) or by unpredictable malfunctions in the network.

A more secure and reliable option is offered by cloud on-ramps, such as Microsoft Azure ExpressRoute or Amazon AWS Direct Connect. These ramps are virtual private connections linking a customer's office to a cloud environment, guaranteeing last-link availability. Ramps are provided in collaboration with Internet Service Providers (ISPs), Internet Exchange Points (IXPs) and colocation data center partners, which take care of powering the connection.

Although they are valid solutions, they do not scale well to multi-cloud setups, as a dedicated connection is needed for each cloud environment.

To summarize, dedicated solutions offer better security guarantees than the public internet, but they are in contrast with the very reasons that push a company to move to a cloud environment: agility and cost-effectiveness.

The SCION-Internet comes to the rescue!

Is there a solution that offers strong security guarantees while being flexible and pervasive? The answer is yes, and its name is SCION-Internet, the next-generation internet focusing on B2B communications.

The secret sauce of the SCION-Internet is a network architecture engineered from the ground up to meet 21st-century security and reliability needs.

The SCION Network

First, this next-generation internet is a public infrastructure and thus inherits the agility of the public internet. Second, traffic control is a first-class citizen in the SCION-Internet: although the network is public, users are in full control of the path their traffic takes.

Then, thanks to the cryptographic authentication of the paths, the traffic of two entities communicating together is immune to BGP hijacking.

Combined with Isolation Domains (ISDs), this path control allows traffic to be geographically confined. This means traffic can avoid crossing certain countries or remain inside a certain jurisdiction. The result is the ability to enforce compliance for sensitive data (e.g. providing EU patients with electronic records that must stay within European networks and clouds).

Another benefit of such fine-grained traffic control is multipath. This technology supplies multiple path options to reach your services so that there is always a suitable route. Moreover, thanks to a blazing fast fail-over in case of a network disruption, traffic shifts from one path to another without any hiccup.
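The geofencing and fail-over behaviour described in the two paragraphs above can be sketched as a path-selection policy. This is an added example, not Anapaya or SCION code: the `Path` model, `select_path` and the ISD-AS values are hypothetical and constructed for illustration, and path liveness is assumed to come from an external probe.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Path:
    hops: tuple          # ISD-AS identifiers traversed, in order (constructed)
    latency_ms: float
    alive: bool = True   # assumed to be set by an external path probe

def isd_of(isd_as: str) -> int:
    """Return the ISD number from an 'ISD-AS' string such as '1-ff00:0:110'."""
    return int(isd_as.split("-", 1)[0])

def compliant(path: Path, allowed_isds: frozenset) -> bool:
    """A path satisfies the geofence only if every hop is in an allowed ISD."""
    return all(isd_of(hop) in allowed_isds for hop in path.hops)

def select_path(paths, allowed_isds) -> Optional[Path]:
    """Pick the lowest-latency live path inside the geofence.
    Returns None (fail closed) rather than falling back to a path
    that leaves the allowed ISDs."""
    candidates = [p for p in paths if p.alive and compliant(p, allowed_isds)]
    return min(candidates, key=lambda p: p.latency_ms, default=None)

def fail(paths, victim: Path):
    """Mark one path as down, as a probe timeout would."""
    return [replace(p, alive=False) if p == victim else p for p in paths]

# Constructed sample: ISD 1 stands for the permitted jurisdiction.
ALLOWED = frozenset({1})
PATHS = [
    Path(("1-ff00:0:110", "1-ff00:0:120", "1-ff00:0:130"), 18.0),
    Path(("1-ff00:0:110", "1-ff00:0:121", "1-ff00:0:130"), 25.0),
    # Fastest path, but it transits ISD 2 and so violates the geofence.
    Path(("1-ff00:0:110", "2-ff00:0:210", "1-ff00:0:130"), 9.0),
]

if __name__ == "__main__":
    primary = select_path(PATHS, ALLOWED)
    print("primary:", primary.hops)
    degraded = fail(PATHS, primary)
    backup = select_path(degraded, ALLOWED)
    print("after fail-over:", backup.hops)
    print("no compliant path left:", select_path(fail(degraded, backup), ALLOWED))
```

The design choice worth noting is the last case: when every compliant path is down, the policy returns nothing instead of using the faster non-compliant route, so an outage cannot silently break the jurisdiction constraint.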

Finally, the solution offers a decentralized trust system that can guarantee state sovereignty at the network level. This means that a region can deploy local trusted cloud and internet service providers and, together with a locally managed ISD, set up an ecosystem independent of outside policies.

Anapaya’s vision: join a cloud environment securely through the SCION-Internet

As previously mentioned, cloud ramps are a convenient way to ensure reliable connections to cloud environments but are not easily scalable to multi-cloud environments.

Anapaya believes this can be solved and is in discussions with several cloud service providers about connecting them to the SCION-Internet. With the EDGE, the gateway to the next-generation internet, which is already available in a virtualized form factor, this will offer a robust, secure and controllable way to exchange data with multiple clouds over a public network.

This means an independent choice of ISP and support for multi-cloud IaaS solutions, as well as access for many B2B end customers to a single B2B service provided via the cloud (e.g. a hosted unified communication platform).

Moreover, all the benefits of the SCION-Internet are included, such as geofencing (for compliance reasons) and multipathing (to increase business continuity).

A new hope

In conclusion, cloud environments offer companies great flexibility and cost-effectiveness, but expose them to network-related threats. Existing solutions try to remedy this with outdated approaches and fail to follow those same principles, which are the foundation of the cloud's benefits. Thanks to a novel approach to the problem, Anapaya will manage to provide both security and reliability to connections with cloud environments, consistent with cloud principles and bringing about a whole new level of traffic control for customers.