Welcome!

@CloudExpo Authors: Liz McMillan, Elizabeth White, Don MacVittie, Mehdi Daoudi, Shelly Palmer

Related Topics: @CloudExpo, Microservices Expo

@CloudExpo: Article

Demilitarized Cloud (DMC) Pattern

DMC is a simple pattern to start with on the path to cloud adoption

The traditional web hosting architecture is built around a common three-tier web application model that separates it into presentation (web servers), application (application servers) and persistence (database servers) tiers. From the security perspective, while database and applications servers almost always reside in the secure internal network, web servers could possibly go into DMZ if external access needs to be provided to the application from the untrusted network.

We are all very much familiar with what a Demilitarized Zone (DMZ) is. Wikipedia defines it as a physical or logical sub-network that contains and exposes an organization’s external services to a larger untrusted network, usually the internet.  Its purpose is to segregate the highly sensitive infrastructure into a secure internal network leaving only the publicly accessible services outside. While this does not mean in any way that services in DMZ are not secure, it certainly implies that sensitivities attached to these services are not as high as those hosted within the secure internal network – a key point that will be elaborated further down in the article for identifying candidates for cloud migration.

Typically, services that reside in a DMZ are those that need to be publicly accessible from the untrusted network. Web servers, web emails, proxy servers, file access (e.g. FTP), VPN services and DNS are some such examples. Putting web servers in DMZ ensures that internal web services cannot be compromised by providing direct access to them from the untrusted network. Similarly, with the increasing number of remote and mobile users, it has become necessary to employ email frontends and reverse proxy servers in DMZ to ensure that the primary email server is never directly exposed to the untrusted network. Motivations for other services listed above are not different.

Having elaborated the concept of DMZ, it needs to be emphasized at this point that the purpose of this article is not to discuss DMZ architecture or replicate it in the cloud, but to utilize it for identifying appropriate candidates for cloud migration. It should help enterprise architects in setting up policies and coming up with architecture blueprints for their publicly accessible applications.

When it comes to public cloud adoption, security is the primary concern of most of the senior IT leaders I talk to. Since this has more to do with the fear of the unknown (a new public platform) than anything else, the solution I propose as a cloud strategist is aimed at gradually increasing their comfort level with it. That is, instead of taking a lift and shift approach of moving an entire platform (e.g. email, document sharing, etc.) or an application in one shot, it is advisable to move one component or tier at a time. The former is a case of vertical partitioning of the organization’s IT environment which may seem to be a logical approach towards cloud migration because of the perceived standalone nature of that particular platform or application. But, as we all know, today’s IT environment is not siloed. All the systems and data repositories are interlinked in some way or the other. Thus, moving a platform or an application to the cloud does come with the overhead of modifications to its interfaces to different systems, if not entirely rebuilding them.

The horizontal partitioning approach of moving one tier at a time does have its own share of modifications of interfaces as well. But, it has the advantage of being gradual while going along the path of increasing level of comfort of the senior management. Migrating smaller logical components of the application involves lesser number of risks than those for the entire platform. It involves lesser amount of testing after the migration, and makes it easy to roll out and roll back because of its smaller size as compared to the entire application. Building and maintaining redundancy (parallel environments) during any migration effort is highly critical. Since it is more economical to build a parallel environment for a smaller piece than the entire application, chances of service disruption due to lack of sufficient infrastructure are practically eliminated.

The question now becomes where to start. A good way to kick off this approach is to start with the migration of the outermost tier that has the least stringent security requirements. As seen above, this outermost tier comprises of services hosted in DMZ. They have restricted access to the internal network. And, they all interface with the external untrusted network at the other end. By moving these services to the cloud, we are essentially creating our DMZ in the cloud giving rise to a new architectural pattern that I call Demilitarized Cloud (DMC). We now have a hybrid computing environment that spans across both the on-premise network and the cloud.

Surrounding the migrated services with a security envelope such as a Virtual Private Cloud, maintaining the same level of limited access to the secure internal network, and interfacing with the untrusted network at the other end helps create a DMZ-like secure logical sub-network within the cloud. Integration with the on-premise systems gives us the same application environment that is now hybrid in nature and which retains trade secrets, proprietary data or any other highly sensitive assets in the same secure internal network.

With DMC as the starting point, cloud migration roadmap can evolve along the lines of multi-tiered web application architecture. Having moved the presentation tier to the cloud, we can then focus on moving application tier in the next iteration. By then, IT departments would have gained sufficient public cloud security knowledge to feel comfortable about migration of more components in there. We can move app servers, service buses, databases or any combination or subset of those assets based on technical and business priorities.

To summarize, DMC is a simple pattern to start with on the path to cloud adoption. It helps in identifying less security-sensitive services that could be good first candidates for cloud migration. Because of the horizontal partitioning approach, it paves the way for migrating other tiers of the application stack in the future. The pace of this migration can be easily controlled by the IT leadership depending upon their comfort-level. Unlike the vertical partitioning approach, this approach provides the flexibility even to roll-back the migration gradually and without major disruptions. It is a good first step to get you feet wet without the fear of drowning.

More Stories By Ravi Bhangley

Ravi is an accomplished IT leader with 20 years of work experience, and strong concentration and success in management, strategy and vision. Before launching BizEnablers, a consulting firm specializing in enterprise cloud strategy and implementation, Ravi was Chief Architect at Dun & Bradstreet, world’s leading source of commercial information and insights into businesses. For last 10 years of working for corporate IT, he held several senior leadership positions spearheading diverse programs and organizations. He currently sits on the IT Advisory Board of New Jersey Technology Council (NJTC), the foremost organization of technology companies in New Jersey. He is actively engaged in cloud computing thought leadership through publications and frequent participations as a speaker or a panelist. He holds a Masters in Computer Science from Michigan State University.

@CloudExpo Stories
Enterprises are adopting Kubernetes to accelerate the development and the delivery of cloud-native applications. However, sharing a Kubernetes cluster between members of the same team can be challenging. And, sharing clusters across multiple teams is even harder. Kubernetes offers several constructs to help implement segmentation and isolation. However, these primitives can be complex to understand and apply. As a result, it’s becoming common for enterprises to end up with several clusters. Thi...
"Infoblox does DNS, DHCP and IP address management for not only enterprise networks but cloud networks as well. Customers are looking for a single platform that can extend not only in their private enterprise environment but private cloud, public cloud, tracking all the IP space and everything that is going on in that environment," explained Steve Salo, Principal Systems Engineer at Infoblox, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventio...
"Cloud Academy is an enterprise training platform for the cloud, specifically public clouds. We offer guided learning experiences on AWS, Azure, Google Cloud and all the surrounding methodologies and technologies that you need to know and your teams need to know in order to leverage the full benefits of the cloud," explained Alex Brower, VP of Marketing at Cloud Academy, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clar...
In his session at 21st Cloud Expo, Carl J. Levine, Senior Technical Evangelist for NS1, will objectively discuss how DNS is used to solve Digital Transformation challenges in large SaaS applications, CDNs, AdTech platforms, and other demanding use cases. Carl J. Levine is the Senior Technical Evangelist for NS1. A veteran of the Internet Infrastructure space, he has over a decade of experience with startups, networking protocols and Internet infrastructure, combined with the unique ability to it...
The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta Chakraborty, Chief Customer Officer at Ayasdi, provided a tactical framework to become a truly intelligent enterprise, including how to identify the right applications for AI, how to build a Center of Excellence to oper...
"IBM is really all in on blockchain. We take a look at sort of the history of blockchain ledger technologies. It started out with bitcoin, Ethereum, and IBM evaluated these particular blockchain technologies and found they were anonymous and permissionless and that many companies were looking for permissioned blockchain," stated René Bostic, Technical VP of the IBM Cloud Unit in North America, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Conventi...
Gemini is Yahoo’s native and search advertising platform. To ensure the quality of a complex distributed system that spans multiple products and components and across various desktop websites and mobile app and web experiences – both Yahoo owned and operated and third-party syndication (supply), with complex interaction with more than a billion users and numerous advertisers globally (demand) – it becomes imperative to automate a set of end-to-end tests 24x7 to detect bugs and regression. In th...
In his session at 21st Cloud Expo, James Henry, Co-CEO/CTO of Calgary Scientific Inc., introduced you to the challenges, solutions and benefits of training AI systems to solve visual problems with an emphasis on improving AIs with continuous training in the field. He explored applications in several industries and discussed technologies that allow the deployment of advanced visualization solutions to the cloud.
Agile has finally jumped the technology shark, expanding outside the software world. Enterprises are now increasingly adopting Agile practices across their organizations in order to successfully navigate the disruptive waters that threaten to drown them. In our quest for establishing change as a core competency in our organizations, this business-centric notion of Agile is an essential component of Agile Digital Transformation. In the years since the publication of the Agile Manifesto, the conn...
"MobiDev is a software development company and we do complex, custom software development for everybody from entrepreneurs to large enterprises," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Large industrial manufacturing organizations are adopting the agile principles of cloud software companies. The industrial manufacturing development process has not scaled over time. Now that design CAD teams are geographically distributed, centralizing their work is key. With large multi-gigabyte projects, outdated tools have stifled industrial team agility, time-to-market milestones, and impacted P&L stakeholders.
"ZeroStack is a startup in Silicon Valley. We're solving a very interesting problem around bringing public cloud convenience with private cloud control for enterprises and mid-size companies," explained Kamesh Pemmaraju, VP of Product Management at ZeroStack, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Codigm is based on the cloud and we are here to explore marketing opportunities in America. Our mission is to make an ecosystem of the SW environment that anyone can understand, learn, teach, and develop the SW on the cloud," explained Sung Tae Ryu, CEO of Codigm, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, discussed how by using ne...
Vulnerability management is vital for large companies that need to secure containers across thousands of hosts, but many struggle to understand how exposed they are when they discover a new high security vulnerability. In his session at 21st Cloud Expo, John Morello, CTO of Twistlock, addressed this pressing concern by introducing the concept of the “Vulnerability Risk Tree API,” which brings all the data together in a simple REST endpoint, allowing companies to easily grasp the severity of the ...
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads. In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, discussed how data centers of the future will be managed, how the p...
"NetApp is known as a data management leader but we do a lot more than just data management on-prem with the data centers of our customers. We're also big in the hybrid cloud," explained Wes Talbert, Principal Architect at NetApp, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, discussed how from store operations and ...
"We're focused on how to get some of the attributes that you would expect from an Amazon, Azure, Google, and doing that on-prem. We believe today that you can actually get those types of things done with certain architectures available in the market today," explained Steve Conner, VP of Sales at Cloudistics, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.