Welcome podcast listeners to Day Two Cloud! Today we bring you a special panel conversation about the challenges of multicloud networking. This episode was recorded live in Las Vegas at AWS re:Invent in November of 2022.
Sponsor Prosimo has assembled this panel. Our guests are Neill Smith, Head of Infrastructure for the Scottish government; Ahmed Ali, Practice Lead at Intuitive Cloud; and Faraz Siddiqui, Head of Solutions Architecture at Prosimo.
We discuss:
- How multicloud happens—sometimes by design and sometimes not so much
- Handling cloud networking and cloud platform responsibilities among a team
- Prosimo’s approach to cloud networking
- Bringing zero trust network access (ZTNA) into cloud and multicloud environments
- How AWS and Prosimo partner on ZTNA
- The biggest cloud networking challenges
- More
Show Links:
Prosimo Joins Forces With AWS To Disrupt ZTNA Market – Prosimo
Transcript:
[00:00:04.490] – EthanWelcome, podcast listeners, to day two Cloud. Today we bring a special episode recorded live in Las Vegas, where Ned and I are in town for AWS reinvent. And welcome to all of you who are also in town and came here to watch the recording. You’re all awesome humans. Give yourselves a hand. Yeah, there we go. Alright, sponsor, probably asimo has made possible this discussion about the challenges of cloud networking and how to tackle them. And if challenges was too vague a word for you. Well, the core issues are centered around networking in the multicloud. I think I’m hitting that about right. Ned, what do you think? [00:00:38.400] – Ned
No, I think you’re wrong. Multicloud networking is very simple. No one has any trouble with it and we can all just eat some more and drink some more. That’s going to be a very short podcast. [00:00:49.780] – Ethan
Very short. [00:00:51.010] – Ned
Sweet. Now, obviously when you look at the various clouds that are out there, they’ve all kind of invented their own networking layer and there’s common components, but there’s not so common components. So putting those things together is not the easiest thing in the world. And also plumbing it into your existing data center and all your branch offices. Also not simple. So I’m speaking as a podcaster, but we actually have somebody here who’s trying to do this for real. So why don’t we introduce him? Neil. Neil Smith, you’re the head of infrastructure for the entire Scottish government. [00:01:28.600] – Neil
Not quite the entire Scottish government, yet one of the largest directorates inside the Scottish government. [00:01:34.990] – Ned
So first of all, thank you for being our first victim, I mean, guest. Can you tell us what the challenges, the main challenges are for you when it comes to multicloud networking? [00:01:50.370] – Neil
I think the main challenge originally was to try and get everyone on the same page. I think multiple cloud by a concept is still relatively new. When you try and go through your appropriate channels, the architecture teams, and you talk about multicloud and this is how we should design for multicloud, a lot of the responses that you get is actually, well, no, we’re just going to be in one cloud. It’s difficult enough to be in one cloud. Why do we want to be in three clouds? [00:02:18.350] – Ethan
No, you don’t want to be, but you are. [00:02:23.230] – Neil
You’ll notice that a lot of people just naturally move to multicloud, not by choice, by users coming up with solutions on different hyperscale cloud providers. Right. So multicloud, it can be difficult when you’re all in on one cloud and then you want to maybe re architecture your networking for multicloud and that becomes difficult. But the benefits far away, the kind of early negatives of rearchitecting your network, your cloud network. [00:02:50.880] – Ned
Yeah. What would you say, what are the benefits to embracing more of a multicloud scenario? Because I know we were talking earlier and you were saying everybody just wants to stay on one cloud, but I need to give them a good reason to potentially think about other clouds. And then you gave me a concrete example that actually happened. I don’t know if you can share that. [00:03:12.830] – Neil
We had a long discussion about having to renetwork our current AWS estate, but then design it for a multicloud network architecture. So we have that single cloud network architecture, which then gives us the ability to consume or pivot another cloud whenever we choose, whenever we wanted to. And ironically, we got the feedback again, as I mentioned, just there was, well, no, I don’t think we need to consume another cloud provider, okay? We’re happy in AWS and overall it reinvent, okay? But in reality, AWS doesn’t do the best product for everything, okay? There are hyper skill cloud providers out there that do some better features, right? And I think we’d all acknowledge that. And to reference back Ned that you mentioned there, I gave you that real world example. So we went through about a six month discussion about multicloud network and what the benefits are, et cetera. We managed to get it adopted, but then it was about two months there or there about we had the Bi team come in and say, hey, we’re going to use Power Bi. And I was like, well, multicloud, right? It’s like, here it is. And we’ve now got the ability to have that with the single cloud network architecture that we have to consume another hyperscale cloud provider with relative ease. [00:04:30.850] – Neil
Whereas if we didn’t have that, every hyperscale cloud provider’s networking constructs are all unique and different and they become challenging. But when you actually use a multicloud networking provider, you’ve already got that knowledge and it’s easy to consume any hyperscale cloud provider you choose. [00:04:46.620] – Ned
I want to pull the audience real quick and just see how many of you are only using a single cloud today. And don’t worry, we won’t tell AWS that you might be using more than one. But how many people are only using one public cloud provider today? [00:05:01.390] – Ethan
You only have one. You’re not multicloud, you’re a single cloud. At this point, we have one guy nodding his head. Is he the only one? [00:05:09.410] – Ned
Okay, how many people are using two? All right, see a couple of hands going up. Anybody using three? And we see a lot more hands going up. So I think this is kind of might be resonating with people a little bit. [00:05:23.800] – Ethan
So another question for the crowd. Since most of you, the vast majority of you are multicloud, how many of you it was by choice. And how many of you it was kind of forced upon you either through M and a activity or a dev did something and it’s like, yeah, it’s in azure. I know the rest of it’s AWS, but it’s an azure. How many of you were forced into it? So first off, it was by choice. You wanted to go multi cloud. Yeah, I see one kind of a hand. So the rest of you, you’d say it was forced upon you against your will. Yes. Okay. [00:05:58.040] – Ned
Or you didn’t have a say. Well, now we know. [00:06:02.600] – Ethan
So Neil, one question here. You mentioned about the basically having your cloud networking abstracted away from you because they’re all different to operate normally operationally. What is that solved for you? Having one way to deal with the network across multiple clouds, that’s one of. [00:06:23.000] – Neil
The key benefits, ethan, what it gives you, and I can’t load this phrase, but I’m going to say it, it gives you that single painting glass. All right, yeah, I think we all hear that phase, but it’s true. And also as well, if you look at AWS or Azure, a lot of the debugging for the network is like a black box, right. It’s difficult to actually be able to try and work out where the problem is. And other teams will point the finger elsewhere. You don’t have the traditional tools like paying or trace route, et cetera. So what you have with a multi cloud networking provider is they give you the visibility and they give you the ability to be able to investigate actually is it a network problem and where is that networking problem? So you can get the root cause analysis almost immediately, so you can actually fix the problem and then move on to whatever’s next. For me, that was huge. [00:07:16.520] – Ethan
So is it a networking function within your company, as in there’s a lot of silos in it, networking is one of them. Has this networking function for cloud stayed within that silo or has it changed how your organization looks at things? [00:07:30.100] – Neil
It’s changed, I always think since cloud came along, particularly in the government, you used to have all those silos. You had a backup team doing backup networking, team doing networking, security, team doing security, etc. Storage team doing storage, when in reality, when cloud engineers now you’re expected to understand to a great detail the amount of all those areas to a certain extent. So they’re now no longer siloed, Ethan. They’re more kind of cross team collaboration. We’re all one and the same. Network comes. Never one of my strong points when I used to be technical, but actually when we’re implementing the cloud networking solution, it’s like, okay, I need to but when we’re implementing our cloud solution, I had to understand networking far greater. It’s almost, I used the phrase as the Shakespeare praise in a merchant event. They want the pounded flesh. Now in cloud engineers, they want you to know it all. And the rate of change is crazy. And I feel really sorry for cloud engineers because they’re being expected to know most of those areas and keep on top of it with a high rate of change. And that’s extremely difficult. [00:08:40.020] – Ethan
Well, this is interesting because you’re saying cloud engineer, you’re not saying the network engineer. The network engineering team picked up cloud responsibilities. You’re flipping it around and saying, yes. The people that deal with cloud, is there still a networking team there dealing with, I don’t know, on premises here? [00:08:54.090] – Neil
Yes. In my team, they manage the network now with Cross collaboration. But there is a central government team just on the perimeter. That’s one single network team. But what I’m seeing across the board is it’s all getting absorbed into a cross collaboration teams. [00:09:10.490] – Ethan
Okay? Any of you out there willing to grab a microphone at basically the same question? This is big for everybody’s. Organizations, as you deal with the cloud, it changes how your It organizations are built, how they’re constructed and organized. Can any of you come up and grab a mic and comment in your own orgs? How that’s working? [00:09:31.750] – Ned
See a lot of finger pointing. [00:09:33.910] – Ethan
Someone gives somebody a push, bring them up. [00:09:36.470] – Neil
It’s easy. Yeah. [00:09:38.550] – Ahmed
My name is Ahmed Ali. I’m from Intuitive Cloud. We kind of do cloud networking solutions. We build network architectures, cloud architectures around AWS, Azure, GCP, right. We do this day in, day out. We help customers migrate, workloads and evacuate the data centers and also kind of build security around all that we do. Right, so these are like the push that we usually get from customers. But the challenges that customers start facing is after we move the workloads, right? Because as you said, there’s a requirement where we’ve been forced upon to go to Azure, for example, because we all kind of love or hate Microsoft, but we cannot be without it. Right. There’s a lot of staff based services. There are a lot of different services where we still want to have that connectivity there. And the problem with I come from a legacy background, right? From traditional networking with hubbinspoor, I mean, with BGP and whatnot, we do not see the same amount of easy way of onboarding a multicloud architecture that is not there. And another point I think one of you brought up is how do we debug once we start building the networks? [00:10:50.910] – Ahmed
The thing that I would not say AWS misses out, but usually what we do not find in cloud networking is the way to debug and to assess, hey, where is that packet getting dropped and how do I reroute things? How do I bring in self healing capabilities? These are the challenges that we see day in, day out when we start talking to customers and try to help them solve all these issues that we come across. And that’s where I think Prosimo and a few other players in the market are trying to fill that gap and trying to kind of address those concerns, right? [00:11:26.170] – Ned
Introducing some sort of cloud agnostic tool that can kind of span all these different domains and any new clouds that might arrive. Because I don’t think, believe it or not, Oracle Cloud is not terrible. I know I feel weird saying it, but it’s true. [00:11:47.090] – Ahmed
You have Oracle Cloud you have VMware cloud, you’ve got a lot of players in the market now. I think once we kind of fix this easy onboarding fast onboarding self healing capabilities, being able to do this, Dr capabilities where we can switch on and off, right. And as simple as that, that is where I think the market is going towards. And that’s where I think a lot of technology driven push is happening in the market. [00:12:10.160] – Ned
One of the things that I hear a lot about is this idea of application portability and being able to move to a different cloud if you want to a different region, a different data center, relatively easily based off of cost or regulations or whatever it is. How much of that do you think is a driver behind the multicloud networking simplicity? [00:12:31.700] – Ahmed
Yeah, when we started off with Legacy Data Center, we always knew where my workloads are going to be hosted from. Right. We knew that this is my DMZ and these are my web servers that I’m going to host from. But when you talk about cloud, it’s fluid, right. There’s nothing real even though it is real. But then you can actually onboard, you can have different architectures, like you can have a distributed architecture, you can have an ingress in your on prem and have your applications in the cloud or vice versa. Right, so there are a lot of challenges like this that we see. And to be able to cater and be able to provide to these business requirements, I think that’s the real challenge. We’re making sure we still have those different layers of security when we build these workloads and when we onboard these customer facing applications. For example, be it a travel or a business like that, where you have a lot of millions and millions of traffic that you can spike up or you can scale up and then scale down, these are the challenges that we see. [00:13:38.170] – Neil
So, yeah, that’s right. Mac wheel fieldhouse net. So the current tagline that we’re running with in Scottish government is an agnostic approach to multicloud. Okay. And you mentioned that portability, that if portability is key for your app, then you’re going to need some multicloud network and you’re going to need other pieces like how you’re managing the data layer and security compliance and monitoring and observability. But portability is key, then multicloud networking is key. But you mentioned it as well, Ned. Was the requirements, the phrase that I use is you should host your workloads based on the requirements. That requirements could be cost, it could be security, it could be compliance, it could be portability, it could be anything like that. But then what you do is you then work out if it’s portability, then I want the ability to move my workloads where I want, when I want. Then the only way to do that is through having a multicloud network architecture. [00:14:30.320] – Ned
How real do you think that is? Because the reason I say that is people talk about vendor lock in and I want to be able to go where I want to go and do what I want to do. But the reality is they’re never going to move that application. They want that option to exist in some theoretical capacity. Do you think there’s anybody actually shifting around applications between clouds and on Prem? I asked knowingly. [00:14:54.910] – Neil
I think right now it’s few and far between. I think the rise of Kubernetes, it’s growing and growing and growing. To get true, we can’t lift and shift an application from a cloud native service or a serverless service from one high skill cloud provider to another. But if you’ve got a Kubernetes containerized workload, then it’s very easy to lift and shift. And I think the rise of that, the container orchestration market helps that. So you can now have the ability to move those workloads where you want, when you want. Now, it is funny you mentioned that that can vendor lock in, but also there’s phrases that get put out like well, if you do multicloud, then you’re losing the capability of consuming cloud native services. If you’re just doing containers, and that’s true. However, that’s vendor lockout if you’re just going to go all in, one cloud provider, as I said earlier, is not one hyperscale cloud provider does the best service of everything. If it did, then it would only be one hyperscale cloud provider on the market. [00:15:57.540] – Ethan
But one of the drivers for multicloud adoption is there are unique capabilities within a cloud provider that you want to take advantage of. So you have that workload in that cloud and not in another one. If we homogenize all of the workloads that they’re that portable, why am I bothering with multicloud at all? [00:16:13.340] – Neil
Great question. No, you’re right, but again, it’s host your workloads based on the requirements. If you found a habitual cloud provider that delivers the service for what you require based on its requirements, but then you acknowledge that, you know what, we’re not going to have the ability to move that out or be portable, then you’re just going to have to acknowledge that. But the same argument applies is if you’ve got multicloud network and architecture in place but the networking piece is still a piece of cake to then consume all these different services. Whereas if you didn’t have multicloud networking, then you’re going to have to manage those cloud native constructs, networking constructs for each individual hypercode cloud provider and that’s going to be a pain. [00:16:58.570] – Ahmed
I mean, having applications in multicloud doesn’t mean that you have to have like your entire web layer as a replica in both clouds, right? It all depends upon what makes sense from a cost point of view and what a certain cloud provider does best. Because end of the day, even though you have services, similar services in all cloud providers. But there’s some edge when you talk about AWS has a certain edge on a certain services. Microsoft has an edge on a certain other services. So not necessarily. You should consider multicloud as your prod in AWS and your Dr in Azure or GCP, rather a combination of what makes sense from a business point of view, from a cost point of view, and things like that. Sometimes you’re tied up with your license as well. Some license portability is not so easy, right? You pay heavily for Microsoft’s licenses and you kind of married to Azure, for example. [00:17:53.700] – Neil
I mean, it’s natural, right? If you’ve got the ability to have more choice, you would want that all day, every day, right around saying, hey, I’ve only got one choice, then you’re pretty much then you have to use that choice. But if you’ve got multiple clouds that you’ve got the ability to pick and consume, then that’s a great place to be and you don’t have to be. But if you’ve got that option, then that’s a far better place to be in. [00:18:16.800] – Ethan
So then the networking challenge comes in with the different ways you’re dealing with networking in each cloud. So if you homogenize the networking so that it is common across all the platforms, the enablement to move workloads around becomes much easier. [00:18:29.510] – Neil
Yeah, correct. [00:18:30.210] – Ned
Harm said, I would posit another thing that’s super important. It’s not just moving an individual application because you want that portability. It’s connecting up the applications that are now running in your multiple clouds and doing it in a consistent way. [00:18:44.070] – Neil
Yeah, 100% or even even the utopia. You could have multiple services on multiple high scale cloud providers and all interlinked and consuming and moving on. Right. These are the capabilities. There’s not many people doing it, but you have the option. It goes back to actually why restrict yourself? You’re always better to have numerous options than one option. But yes, spawned. Yeah. [00:19:04.780] – Ethan
Okay, so I want to move the topic on to ZTNA Zero Trust network access. How many of you guys are familiar with this? Vtna is a technology. Yeah, several people. Okay, how many of you think that ZTNA is just another fancy way to say VPN? Is that all it is? [00:19:23.570] – Ned
Feels that way, doesn’t it? [00:19:24.840] – Ethan
There’s a bit more to it than that, right? Because Zero Trust is giving us the opportunity to evaluate the endpoint in a way that is detailed. We know what the security posture is, we get identity baked into this thing and now we know who it is and what their credentials are and what specifically they’re allowed to access on a resource by resource basis. Okay? How many of you are looking into ZTNA show of hands here as a possible replacement for whatever your remote VPN solution might be? Yes, a few hands. How many of you are happy with your remote VPN solution as is not the rest of you? So there was an announcement today at AWS Reinvent about what they are doing with Zpna and Proximo is a partner in this service. So I wanted to get the summary here from Faraz about what the announcement was and what the partnership is. [00:20:13.200] – Faraz
Sure sounds great. So today AWS has announced their zero trust solution for providing access to some of the web application. It’s called privileged verified privileged access. We’re just only talking about how you can securely access your applications without a VPN. Now working with AWS, having a long term partnership with them, what they are kind of trying to address is applications running in the cloud, mostly on the web protocols. There are still applications which you might have kind of access as developers, as administrators, which requires more than just a web protocol. This is where we are partnering with AWS, providing access to not just Http application, but more than that, like RDP, your tools, your SSH applications, any type of customized port applications you can access through prospect. On top of that, how would you provide the right level of performance if users are coming from different geolocations? You have applications running in certain geolocations. How would you provide them the best optimal path? How would you optimize that traffic? How would you kind of add optimization profiles depending on which applications your users are accessing? So those are all the areas that we are addressing with Proximo and partnership. [00:21:27.860] – Faraz
Partnership with AWS. [00:21:29.220] – Ethan
Yeah. Interesting to me, a guy that grew up with only BGT on the Internet and what you got was what you got. Now we have the ability to intelligently route on an application by application basis for a performance profile SLA that you’re looking for. [00:21:42.340] – Faraz
Absolutely correct. And every application requires certain traffic profiles, traffic requirements from the backbone connectivity. [00:21:48.760] – Neil
Right. [00:21:49.010] – Faraz
Https is looking at Http kind of get and post content caching. And whatnot if you compare that with a more of a streaming protocol like an RDP or some other like a very chatty protocol, it requires less latency, better performance, less jitter. So depending on the application profile, how would you kind of use AWS’s backbone to kind of connect them to a respective kind of performance profile? [00:22:12.420] – Ethan
Which is interesting. AWS as a cloud wants you to use the Internet for as long as possible until you get to their cloud. So if you can optimize things across their cloud, between regions and AZ correct. That’s an interesting ability. [00:22:24.520] – Faraz
And in addition to that, we are also leveraging some of the other capabilities like AWS global accelerator regions so that you spend less time on Internet and more on AWS backbone. So if I’m accessing an application, a region could be far away, maybe 20 milliseconds, 25 milliseconds maybe. AWS edge is probably across the road in one of the data centers. So I can cut down that latency while routing the traffic over eight of years back. [00:22:48.500] – Ned
I’m curious about the zero trust portion of it because I know a big part of zero trust is identity. [00:22:53.470] – Neil
Yes. [00:22:54.010] – Ned
So in what way is identity being used within the solution? [00:22:58.950] – Faraz
So in order to authenticate and authorize the traffic, you need an identity solution. Back in the days, in the data center days, people tried to use Active Directory or some of these LDP LDAP protocol, right? [00:23:11.280] – Ned
Right. [00:23:11.680] – Faraz
Now, when you move to cloud those Active directories, those LDAP protocols might not work for some of those cloud identities. For that you need an identity solution. So in order to work with those integrated with those identity solutions, we work with, let’s say things like Octoping One, some of these identity solution, which works on modern protocols, not just LDAP, but like Samuel Two, auto YDC. So how do you authenticate and authorize the user first? But it’s not just about authentication authorization. You have to provide continuous posture management. [00:23:42.940] – Ethan
Right? [00:23:43.450] – Faraz
So on the fly, if something changes, if I’m accessing an application right now from Vegas tomorrow, I fly out back to San Jose, I access the same application. The platform should be able to detect that something has changed. The user location has changed, the time has changed, the behavior has changed. Maybe I’m accessing probably 50 00 10,000 get request post request, certainly for my user ID is coming and I’m trying to download some s three buckets, 50,000 post requests, something like that, right? So the behavior change needs to be detected. So we are kind of working on top of AWS zero trust solution. We are providing the deeper posture management, posture assessment, posture enforcement based on different user behaviors. [00:24:24.370] – Ned
Okay? That’s almost a step up from what I would think of as typical zero trust, which is like, I don’t trust you, but you have gotten an identity. You’re proving your identity through some third party trusted source that we both believe in, and now I will let you access it based off of some policies that I have. But that continuous posture management. That’s a whole other level of absolutely I trust, but I’m going to verify, and then I’m going to verify, and then I’m going to verify again. [00:24:52.290] – Faraz
So it’s not just the initial trust that you build with an identity solution. It’s the continuous trust that you have to build with the solution. Like Prossimo. So if something changes in the behavior, is there a mechanism, is there a machine learning algorithm that can detect that behavior and prompt you for additional factor? It’s not just about detecting. You have to prevent that access. If it’s a legitimate compromise, how would you prevent that access if my ID is compromised? So, Prosimo, as part of our mechanism, we kind of do a step up authentication, or we kind of loosely call it speed bump. So before you access an application, create a speed bump, send me like additional multi factor authentication or check the client side certificates. If it’s not their block access, you ask user to first validate that is indeed the right authorized user. So those are the additional posture checks that you build on top of a zero trial, zero dose is more of a it’s more of a strategy. The multiple components of It identity is one part of it, then posture management, then EDRs, all of that comes and combines and make the zero trust strategy. [00:25:53.420] – Ned
Got you. [00:25:54.100] – Ethan
So, Neil, I want to get your reaction to this because if I’m frank with ZTNA as a technology broadly, I’m fairly cynical for a couple of reasons. One. We’ve tried this in the past in other lesser ways with Idsips, for example, we haven’t been doing like, mutual TLS all the time for client authentic services and back so much, but it’s always struggled to get those sorts of initiatives off the ground. Too hard to implement, too complicated. And for sake of convenience as a security team, we won’t want to implement something that is that detailed. Does ZTNA change the game now, from your perspective? [00:26:31.790] – Neil
For me, it definitely does. If you’re going to ask me the question there, Ethan, do you want it? Yes, but I think it’s getting people’s mind around it. And if we have more tools that make the ability to enable ZTNA, then why wouldn’t you want to? Right, but I believe you’re right with the IDs and IPS, et cetera. Right. We’ve never really matured. They’ve been around for a long time and I remember back in my early days, but what we’re just hearing there, it makes a compelling argument. It sounds good. So it’s definitely something to yeah, I think now with the threat landscape that everyone’s under, et cetera. Right. We’re all going to be exposed and we’re always going to be under attack. If you can put those extra layers of security, I think it only makes perfect sense because eventually we will all be attacked and it’s just to limit the blast radius effectively. [00:27:27.830] – Ethan
So then think about it. AWS an architect. If you’re a network or a security architect and you’re looking at ZTNA and you want to begin rolling it out incrementally in your organization, where do you start? [00:27:37.170] – Neil
Can you tell me? [00:27:39.730] – Ned
You start at the beginning, obviously, of course. [00:27:45.990] – Neil
Die in my area of expertise. [00:27:50.550] – Ethan
My take on this is you roll it out in a lower profile, lower hanging fruit area first. You start there because with a product that’s this capable, there is going to be complexity that comes with it. And so what you want to do is figure out where the specific policy tweaks are that you’re going to need to implement to make it work right for your environment and get that solved on something that’s less risky. You don’t take your VPN clients that have been working great for your executive team for the last five years, rip that out and say, New thing tomorrow. Good luck. Then. Hope to help desk and figure out the rest. You got to bring it in a little bit at a time and then. From there, once you’ve proven out your policy, then off you go. Which you’ve been there, I’m sure. [00:28:35.010] – Neil
Yeah, but annoyed. There Ethan. I should have said that that’s consistent with what we do for any new kind of projects or things like this, is we identify something small, relatively easy, but you do it, you get the process and then you take the momentum of that success and replicate it as you go out. That’s what I should have said. Thanks. [00:28:56.200] – Ethan
One other point, Neil, is gets into some of the details of ZTN implementation, which very often involves having to run your own certificate authority. I don’t know if that’s in your wheelhouse or not, but if it is, do you have an opinion on that when you think about that? [00:29:09.940] – Neil
Yes, it’s difficult. Security certificates has always been difficult and yeah, it’s still difficult for the certificates to be managed ourselves. [00:29:21.970] – Ethan
Yeah. Any of you manage your own CAs at any point? Have you done that? Yeah, a few of you did. You love the experience. [00:29:31.910] – Neil
You’re hired some workers, government. [00:29:35.670] – Ethan
So another point then, as you’re evaluating ZTNA solutions, is how hard is it for me to deal with my certificate authority, having to manage that myself? Because you’re going to need that to be issuing certificates to clients and to servers and services, and it is going to be crucial for mTLS authentication on both sides to make that work for you. That CA has got to be something you understand intimately, so that you can rely on it to provide the identification that you’re looking for, for the ZTNA to do what it’s being paid to do. [00:30:03.120] – Ned
But if we want to bring that back to the multicloud conversation, I think you would want to pursue a certificate management solution that works across multiple clouds, and there are some solutions out there that absolutely do that. But, yeah, when you’re thinking about the tool selection and the requirements, it’s again that acknowledgement of, I’m probably going to have to do this everywhere, so wouldn’t it be real nice if I had one tool to do this everywhere. I’m not sure what your experience has been, Neil, in terms of certificate authority across multiple clouds, or not at all yet. [00:30:38.250] – Neil
Not at all yet, Ned. But when you made that point, I was like, Damn. Yeah, that’d be a challenge. [00:30:45.230] – Ned
I guess the one nice thing is that certificate authorities are a standard that you can adhere to, so it’s not like all of your CAs, the issuing CAs and the intermediate CAs, all have to be running the same exact operating system and be on the same hardware or from the same service. You can have a root CA that is issuing certificates to other CAs that are hosted in the different clouds or different software. So you do have that, because it’s a standardized set of protocols and cryptography. I can say words. You have that portability, you have that flexibility, which maybe gets back to the networking conversation: because a lot of these clouds went off and built their own thing and there wasn’t the standardization across the clouds, we had to build additional abstractions and tools to get back the standards that we wanted in the first place. [00:31:39.780] – Neil
Yes, great point. [00:31:41.170] – Ethan
So we’ll throw this out to the audience here. We’re looking ahead to 2023. Where do you anticipate your biggest cloud networking challenges to come from? Is it operations, is it connectivity, or is it security? As you think about those three, ops, connectivity or security, which is going to be your biggest multicloud pain in the rear end? Anybody from the audience got an opinion? [00:32:05.510] – Ahmed
Sort of. So, yeah, I mean, observability is one thing that we kind of see that a lot of customers are struggling with today. Right. Because you’ve got all sorts of services that you onboard based on the need, based on their business need, be it an application migration that we do or refactoring that we do from an on-prem or a legacy application to cloud. But the challenge that the management or the C-suite has is, if a certain link goes down, what will be the impact to my business? Right. How does it affect my business? It’s not just a link that is going down, but there could be a lot of traffic that is getting affected because of that, a certain amount of financial impact they’re going to have. Right. So how do we tie these critical issues and challenges to the impact that it can bring or it may bring to the business? [00:32:59.290] – Ethan
Right. So for the engineers in the room, we’re not talking about just observability from the red light, green light, performance and all that kind of stuff that we used to do. It is observability from that standpoint of this is down what is impacted in the business and how do I automatically clearly communicate that to the state cares about it? [00:33:15.950] – Ahmed
That’s right. How does it affect the business? Right? That’s what matters. End of the day, a link going down. I mean, what are the self-healing capabilities that there are, and when can I pull the switch to kind of take this from this stack to a DR, when do I take a call? Those sorts of things are what I see the real challenges we’re going to have. And we are working with a lot of customers trying to deal with these issues and these challenges. [00:33:42.310] – Ned
One of the big challenges around that is that the cloud providers don’t necessarily share what’s going on on their network. They don’t always tell you when there’s a link down and that could potentially cause some congestion and they have to prioritize traffic. They might not share that with you. So you need to be collecting your own metrics and observing what’s going on in that black box that is the various clouds that you’re consuming. [00:34:05.450] – Ahmed
That’s right. Exactly. [00:34:07.310] – Ethan
All right, folks, we want you to enjoy yourselves tonight. We’re going to bring this podcast to a close. First of all, thank you for being here. Much appreciated. And we’re here with Prosimo, so give them a talk, chat them up and see what’s going on. And our thanks to all of you that made an appearance today on Day Two Cloud, and to Prosimo for sponsoring this special event here in beautiful Las Vegas, Nevada. OK, virtual high five to all of you that are listening for tuning in. If you have suggestions for future shows, Ned and I would love to hear them. Hit either of us up on Twitter at Day Two Cloud Show or fill out the request form at daytwocloud.io. And if you like engineering-oriented shows like this one, visit packetpushers.net and subscribe. All of our podcasts, newsletters and websites are there. It’s all nerdy content designed for your professional career development. And until then, just remember, Cloud is what happens while you’re making other plans.