Welcome!

@CloudExpo Authors: Liz McMillan, Pat Romanski, Mehdi Daoudi, Elizabeth White, Rene Buest

Related Topics: @CloudExpo, Microservices Expo

@CloudExpo: Article

Demilitarized Cloud (DMC) Pattern

DMC is a simple pattern to start with on the path to cloud adoption

The traditional web hosting architecture is built around a common three-tier web application model that separates it into presentation (web servers), application (application servers) and persistence (database servers) tiers. From the security perspective, while database and applications servers almost always reside in the secure internal network, web servers could possibly go into DMZ if external access needs to be provided to the application from the untrusted network.

We are all very much familiar with what a Demilitarized Zone (DMZ) is. Wikipedia defines it as a physical or logical sub-network that contains and exposes an organization’s external services to a larger untrusted network, usually the internet.  Its purpose is to segregate the highly sensitive infrastructure into a secure internal network leaving only the publicly accessible services outside. While this does not mean in any way that services in DMZ are not secure, it certainly implies that sensitivities attached to these services are not as high as those hosted within the secure internal network – a key point that will be elaborated further down in the article for identifying candidates for cloud migration.

Typically, services that reside in a DMZ are those that need to be publicly accessible from the untrusted network. Web servers, web emails, proxy servers, file access (e.g. FTP), VPN services and DNS are some such examples. Putting web servers in DMZ ensures that internal web services cannot be compromised by providing direct access to them from the untrusted network. Similarly, with the increasing number of remote and mobile users, it has become necessary to employ email frontends and reverse proxy servers in DMZ to ensure that the primary email server is never directly exposed to the untrusted network. Motivations for other services listed above are not different.

Having elaborated the concept of DMZ, it needs to be emphasized at this point that the purpose of this article is not to discuss DMZ architecture or replicate it in the cloud, but to utilize it for identifying appropriate candidates for cloud migration. It should help enterprise architects in setting up policies and coming up with architecture blueprints for their publicly accessible applications.

When it comes to public cloud adoption, security is the primary concern of most of the senior IT leaders I talk to. Since this has more to do with the fear of the unknown (a new public platform) than anything else, the solution I propose as a cloud strategist is aimed at gradually increasing their comfort level with it. That is, instead of taking a lift and shift approach of moving an entire platform (e.g. email, document sharing, etc.) or an application in one shot, it is advisable to move one component or tier at a time. The former is a case of vertical partitioning of the organization’s IT environment which may seem to be a logical approach towards cloud migration because of the perceived standalone nature of that particular platform or application. But, as we all know, today’s IT environment is not siloed. All the systems and data repositories are interlinked in some way or the other. Thus, moving a platform or an application to the cloud does come with the overhead of modifications to its interfaces to different systems, if not entirely rebuilding them.

The horizontal partitioning approach of moving one tier at a time does have its own share of modifications of interfaces as well. But, it has the advantage of being gradual while going along the path of increasing level of comfort of the senior management. Migrating smaller logical components of the application involves lesser number of risks than those for the entire platform. It involves lesser amount of testing after the migration, and makes it easy to roll out and roll back because of its smaller size as compared to the entire application. Building and maintaining redundancy (parallel environments) during any migration effort is highly critical. Since it is more economical to build a parallel environment for a smaller piece than the entire application, chances of service disruption due to lack of sufficient infrastructure are practically eliminated.

The question now becomes where to start. A good way to kick off this approach is to start with the migration of the outermost tier that has the least stringent security requirements. As seen above, this outermost tier comprises of services hosted in DMZ. They have restricted access to the internal network. And, they all interface with the external untrusted network at the other end. By moving these services to the cloud, we are essentially creating our DMZ in the cloud giving rise to a new architectural pattern that I call Demilitarized Cloud (DMC). We now have a hybrid computing environment that spans across both the on-premise network and the cloud.

Surrounding the migrated services with a security envelope such as a Virtual Private Cloud, maintaining the same level of limited access to the secure internal network, and interfacing with the untrusted network at the other end helps create a DMZ-like secure logical sub-network within the cloud. Integration with the on-premise systems gives us the same application environment that is now hybrid in nature and which retains trade secrets, proprietary data or any other highly sensitive assets in the same secure internal network.

With DMC as the starting point, cloud migration roadmap can evolve along the lines of multi-tiered web application architecture. Having moved the presentation tier to the cloud, we can then focus on moving application tier in the next iteration. By then, IT departments would have gained sufficient public cloud security knowledge to feel comfortable about migration of more components in there. We can move app servers, service buses, databases or any combination or subset of those assets based on technical and business priorities.

To summarize, DMC is a simple pattern to start with on the path to cloud adoption. It helps in identifying less security-sensitive services that could be good first candidates for cloud migration. Because of the horizontal partitioning approach, it paves the way for migrating other tiers of the application stack in the future. The pace of this migration can be easily controlled by the IT leadership depending upon their comfort-level. Unlike the vertical partitioning approach, this approach provides the flexibility even to roll-back the migration gradually and without major disruptions. It is a good first step to get you feet wet without the fear of drowning.

More Stories By Ravi Bhangley

Ravi is an accomplished IT leader with 20 years of work experience, and strong concentration and success in management, strategy and vision. Before launching BizEnablers, a consulting firm specializing in enterprise cloud strategy and implementation, Ravi was Chief Architect at Dun & Bradstreet, world’s leading source of commercial information and insights into businesses. For last 10 years of working for corporate IT, he held several senior leadership positions spearheading diverse programs and organizations. He currently sits on the IT Advisory Board of New Jersey Technology Council (NJTC), the foremost organization of technology companies in New Jersey. He is actively engaged in cloud computing thought leadership through publications and frequent participations as a speaker or a panelist. He holds a Masters in Computer Science from Michigan State University.

@CloudExpo Stories
"We're a cybersecurity firm that specializes in engineering security solutions both at the software and hardware level. Security cannot be an after-the-fact afterthought, which is what it's become," stated Richard Blech, Chief Executive Officer at Secure Channels, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
Enterprise architects are increasingly adopting multi-cloud strategies as they seek to utilize existing data center assets, leverage the advantages of cloud computing and avoid cloud vendor lock-in. This requires a globally aware traffic management strategy that can monitor infrastructure health across data centers and end-user experience globally, while responding to control changes and system specification at the speed of today’s DevOps teams. In his session at 20th Cloud Expo, Josh Gray, Chie...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. Jack Norris reviews best practices to show how companies develop, deploy, and dynamically update these applications and how this data-first...
Intelligent Automation is now one of the key business imperatives for CIOs and CISOs impacting all areas of business today. In his session at 21st Cloud Expo, Brian Boeggeman, VP Alliances & Partnerships at Ayehu, will talk about how business value is created and delivered through intelligent automation to today’s enterprises. The open ecosystem platform approach toward Intelligent Automation that Ayehu delivers to the market is core to enabling the creation of the self-driving enterprise.
"We're here to tell the world about our cloud-scale infrastructure that we have at Juniper combined with the world-class security that we put into the cloud," explained Lisa Guess, VP of Systems Engineering at Juniper Networks, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
As more and more companies are making the shift from on-premises to public cloud, the standard approach to DevOps is evolving. From encryption, compliance and regulations like GDPR, security in the cloud has become a hot topic. Many DevOps-focused companies have hired dedicated staff to fulfill these requirements, often creating further siloes, complexity and cost. This session aims to highlight existing DevOps cultural approaches, tooling and how security can be wrapped in every facet of the bu...
Historically, some banking activities such as trading have been relying heavily on analytics and cutting edge algorithmic tools. The coming of age of powerful data analytics solutions combined with the development of intelligent algorithms have created new opportunities for financial institutions. In his session at 20th Cloud Expo, Sebastien Meunier, Head of Digital for North America at Chappuis Halder & Co., discussed how these tools can be leveraged to develop a lasting competitive advantage ...
Connecting to major cloud service providers is becoming central to doing business. But your cloud provider’s performance is only as good as your connectivity solution. Massive Networks will place you in the driver's seat by exposing how you can extend your LAN from any location to include any cloud platform through an advanced high-performance connection that is secure and dedicated to your business-critical data. In his session at 21st Cloud Expo, Paul Mako, CEO & CIO of Massive Networks, wil...
The question before companies today is not whether to become intelligent, it’s a question of how and how fast. The key is to adopt and deploy an intelligent application strategy while simultaneously preparing to scale that intelligence. In her session at 21st Cloud Expo, Sangeeta Chakraborty, Chief Customer Officer at Ayasdi, will provide a tactical framework to become a truly intelligent enterprise, including how to identify the right applications for AI, how to build a Center of Excellence to ...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
SYS-CON Events announced today that Massive Networks will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Massive Networks mission is simple. To help your business operate seamlessly with fast, reliable, and secure internet and network solutions. Improve your customer's experience with outstanding connections to your cloud.
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily own their code into production, but want to use platforms instead of raw automation. That’s changing the landscape that we understand as DevOps with both architecture concepts (CloudNative) and process redefinition (SRE). Rob Hirschfeld’s recent work in Kubernetes operations has led to the conclusion that containers and related platforms have changed the way we should be thinking about DevOps and...
SYS-CON Events announced today that CAST Software will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CAST was founded more than 25 years ago to make the invisible visible. Built around the idea that even the best analytics on the market still leave blind spots for technical teams looking to deliver better software and prevent outages, CAST provides the software intelligence that matter ...
Because IoT devices are deployed in mission-critical environments more than ever before, it’s increasingly imperative they be truly smart. IoT sensors simply stockpiling data isn’t useful. IoT must be artificially and naturally intelligent in order to provide more value In his session at @ThingsExpo, John Crupi, Vice President and Engineering System Architect at Greenwave Systems, will discuss how IoT artificial intelligence (AI) can be carried out via edge analytics and machine learning techn...
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
As businesses adopt functionalities in cloud computing, it’s imperative that IT operations consistently ensure cloud systems work correctly – all of the time, and to their best capabilities. In his session at @BigDataExpo, Bernd Harzog, CEO and founder of OpsDataStore, presented an industry answer to the common question, “Are you running IT operations as efficiently and as cost effectively as you need to?” He then expounded on the industry issues he frequently came up against as an analyst, and ...
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
FinTechs use the cloud to operate at the speed and scale of digital financial activity, but are often hindered by the complexity of managing security and compliance in the cloud. In his session at 20th Cloud Expo, Sesh Murthy, co-founder and CTO of Cloud Raxak, showed how proactive and automated cloud security enables FinTechs to leverage the cloud to achieve their business goals. Through business-driven cloud security, FinTechs can speed time-to-market, diminish risk and costs, maintain continu...
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business - from apparel to energy - is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
SYS-CON Events announced today that Pulzze Systems will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Pulzze Systems Inc, provides the software product "The Interactor" that uniquely simplifies building IoT, Web and Smart Enterprise Solutions. It is a Silicon Valley startup funded by US government agencies, NSF and DHS to bring innovative solutions to market.