3. You try to replicate your on-premises network topology to the cloud
We have spent years perfecting our networking craft in data centers. We take incredible pride in how we architected our DMZ, how we divided the network into Class B and Class C blocks, and how effectively we manage the routers between different subnets. So when we start designing our cloud footprint, our first reaction is to apply all of that knowledge to the cloud. Yet that is plain wrong, as the cloud is not just another data center in a galaxy far, far away. For one thing, network design in the cloud should take advantage of the software-defined networking (SDN) capabilities that the cloud provides. It should also take into consideration the organizational structure and the application workloads you plan to move to the cloud.
4. You think cloud is where the pictures are stored, and even those are not secure
If you still have concerns about public cloud security, then you are not aware of all of the capabilities public cloud has to offer. As much as we think we are better protected in our own data centers, the reality is that when it comes to security, it is virtually impossible to match the capabilities of the likes of AWS, Azure and Google. That does not mean you should blindly trust your local public cloud provider; instead, you should understand the shared responsibility model and take advantage of all of your provider's capabilities. In fact, the majority of high-profile breaches have been against on-premises data centers, and when implemented correctly, public cloud is perfectly safe for storing even the most sensitive data. You might be surprised at some of the highly sensitive workloads currently operating in cloud environments.
5. You want to put your firewall between every subnet
Time and again we hear requests from companies to route all "north-south" traffic between subnets through a firewall so it can be inspected. In addition, companies insist on implementing their own firewall (Check Point, Palo Alto Networks or equivalent) instead of relying on security groups to address some of these concerns. These requests come from outdated policies that state "a stateful firewall with packet inspection capabilities must be deployed between subnets." Or sometimes they come from the plain justification that network administrators already know their on-premises firewalls and will find it easier to manage them in the cloud if they match. Neither of those reasons justifies simply implementing on-premises firewalls in the cloud and routing all traffic through them — this just does not make sense. Use the cloud capabilities to their full potential and design your networks and routing to allow traffic between subnets and instances only as necessary. You can still implement a third-party firewall if needed, but make sure there is a good reason for it.
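An added example (not from the article) of what "allow traffic only as necessary" looks like in Terraform for AWS: each permitted flow between tiers is expressed as a security-group reference, so neither a subnet-wide CIDR allow nor a firewall hop between subnets is needed. The VPC id, tier names and ports are assumed placeholders.

```hcl
# Added example, not the article's own configuration. The VPC id is a placeholder.
locals {
  vpc_id = "vpc-PLACEHOLDER"
  # Every allowed flow is explicit: source tier -> destination tier on one TCP port.
  # Nothing else between tiers is reachable, without any firewall in the path.
  flows = {
    web_to_app = { src = "web", dst = "app", port = 8080 }
    app_to_db  = { src = "app", dst = "db", port = 5432 }
  }
}

# One security group per tier; Terraform-managed groups start with no rules at all.
resource "aws_security_group" "tier" {
  for_each = toset(["web", "app", "db"])
  name     = "${each.key}-tier"
  vpc_id   = local.vpc_id
}

# Only the public listener on the web tier is exposed to the internet.
resource "aws_security_group_rule" "public_https" {
  type              = "ingress"
  security_group_id = aws_security_group.tier["web"].id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Ingress on the destination tier is keyed to the source tier's security group,
# not to a CIDR, so moving instances between subnets does not widen access.
resource "aws_security_group_rule" "ingress" {
  for_each                 = local.flows
  type                     = "ingress"
  security_group_id        = aws_security_group.tier[each.value.dst].id
  source_security_group_id = aws_security_group.tier[each.value.src].id
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
}

# Matching egress on the source tier; for egress rules the referenced group is the destination.
resource "aws_security_group_rule" "egress" {
  for_each                 = local.flows
  type                     = "egress"
  security_group_id        = aws_security_group.tier[each.value.src].id
  source_security_group_id = aws_security_group.tier[each.value.dst].id
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
}
```

The contrast with the policy the article criticizes is a single rule allowing the whole VPC CIDR on all ports on every group, which is what "route everything through the firewall and inspect it there" amounts to at the security-group layer.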
12 | THE DOPPLER | FALL 2018