If it would be that simple

[Update 2017 May 05 ]

One succinct text on what constitutes good VPN architecture might be found here.

[Original post]

Amazon has (at last) released Virtual Private Cloud (VPC). An integral part of its successful Amazon Web Services Cloud platform.  I too have skimmed through this one article.

There is a lot of marketing blurb in there (of course), but here is one comment, in particular, I need to make. And one detail I would like to comment on. It is about this “Secure VPN Connection over the Internet” (on the diagram bellow, taken from the article itself).

Amazon Virtual Private Cloud
Amazon Virtual Private Cloud

This is an “SPOF” aka Single Point of Failure over there. For me, this (Secure VPN) is not the solution of the real IaaS kind. This is just infrastructure used to implement secure VPN, between two data centres: corporate and Cloud.  This is not a safe and transparent link from IaaS to/from data centre. This is not secure bridge as a service. This is just an infrastructure at the mercy of its more or less risk aware users.

This little devilish detail is, over what the whole initial BPOS (these days called Azure) shiny tower has fallen “into the crunchy heap” (circa 2010). Why? Simply because no enterprise, in the world, wanted to use it without a comprehensive application level security solution for a safe connection between enterprise and cloud data centre  Secure VPN, on its own, was (and still is) nowhere near enough. Therefore, circa 2011, everyone had at least one “Pilot Project” using Azure Cloud, but nobody committed to releasing it for general usage.

Active Directory: the core issue and the core Solution

The core of the issue was and is, Active Directory (AD). Enterprise needs a safe and transparent bridge between its own legacy applications (aka On Premises apps) and its OWN applications and data migrated to the cloud.

The core (of the core) of the issue is that migrating legacy IT systems to the cloud, in one “jump to the Cloud” is impossible.

Classical enterprise legacy systems are big bushes of organically grown poison ivy. Simply too intertwined for that. To start first, you have to isolate and then migrate your legacy data, hopefully leaving the logic and front tier where they have been growing for the last 20+ years. You can not afford to redevelop everything and release it in one “big bang” and NOT seriously disrupt the enterprise at the same time.

Have some other plan? I doubt it. You simply have to migrate in carefully orchestrated steps. Here is your plan.

Legacy system with data layer moved to the Cloud.

So you present this hybrid solution, to the board. And ask few millions to implement it. And the board need it all to work seamlessly and above all SAFELY.

Today, no CxO is disputing advantages of cloud storage. And migration to it which always reveal at least 50% of legacy data that can be archived and future system lightened. The problem is that that rest of the apparently “tried and tested” legacy mission critical system (1) needs to proceed to serve the enterprise SEAMLESSLY. Using the new storage layer which is migrated to the Cloud. How?

Application Level Security is where the Action is

This is all doable on the application level and this is where  Amazon ACP and Azure are probably both shining. But.  Here the key problem is APPLICATION LEVEL SECURITY (ALS). Not the infrastructure, or bold offerings of safe tunnelling protocols and a such. ALS is perhaps a key requirement for Cloud migrations, and what Azure Active Directory solves. (AAD) Why is it so important and what is it?

Why is it so important and what is  AAD solving on a non-technical (aka political) level?

The story is this. Cue to approx 2010. M$FT has  BPOS and corporations are busy with Pilot Projects. But. No medium to large enterprise wanted to start moving to the Microsoft BPOS (aka Azure these days) before AAD was delivered (approx Sep 2012). Why? These already mentioned “Pilot Projects” were waiting around for the approval of Security Architects, which was not coming. All two years before AAD release, there was this period of a tricky and risky game between MSFT and large corporations data centres: “… will they (the Corporations) or will they not” … move to the Cloud. Thanks to AAD,, at last, all these Pilot Projects could proceed without the word “Pilot”, attached to them.

So I am wondering today, exactly how is Amazon APC going to overcome the very same hurdle?  Are they going to support the Microsoft AAD?  Or are they going to offer some Amazon specific solution, possibly a replacement? The latter would be very difficult. AD is absolute crown jewel technology. There is nothing very “open” about its internals. Also. This AAD is not about authentication. Or AD federation.

AAD is all about extending a single corporate AD forest into the cloud.

Yes, we know there are already mature ways to federate AD forests etc. But believe me, this is not a situation you will find in large corporations of today. I have seen more than once “single domain, single forest” AD monstrosities in corporations having more than 50 thousand windows desktops. And with that AD support teams of 100+  people, working 24×7, constantly pruning and grafting the AD jungle, all day every day.

Now it seems (with AAD) these IT Services people, have a way to sync this AD jungle with Amazon Cloud Apps. Please note that here we are not talking usual, personal .onmicrosoft.com domains. Here we are talking special contracts between Microsoft and corporations for their thecorporation.com global domains. All supported with nice big juicy SLA’s. For lawyers to sink their fangs into if need be.

Very long pos. And I just would like everyone to be at the point where Mr Scott Sandell bold claims (from the article): “…it [VPC] means all enterprise technology in a data centre is obsolete”; are true.  But sadly, certainly and definitely the are not. Even now: 2014 December.

Conclusion: OK, but When?

Cloud services have their place in Enterprise business. Saying that there is no guarantee of their central position. Companies are not going to shut down their IT infrastructure and data warehouses, in order to jump onto AWS, Azure, iCloud, etc. Not now, and not anytime soon. Application level safety being the primary reason.

There is a huge amount of on-site legacy data that will perhaps forever, be hosted by on-site data centres and solutions. For ever? Yes forever. Largely due to privacy, IP, legal, or compliance reasons. Truth to be told, in some cases, that all boils down to sheer paranoia. And thanks to recent high-profile on-line security breaches, that is only getting WORSE, not better. Federated authentication (SAML, etc.) is supposed to be a solution. But again we are hitting this legacy wall. Only this time AD is a legacy system(2).

Both Azure and AWS are amazing systems that can host a lot of complex Cloud migrations in the right areas for Enterprise. But.  Looking at the big picture, the enterprise scope they solve is still limited. Likely to be that way for some time. For better or for worse.


(1) Isn’t it funny how every legacy system becomes suddenly “critical” when it has to be migrated to the Cloud?

(2) Most of the leading identity management vendors provide the ability to do identity authentication federation using SAML.  The recent changes in Microsoft away from Passport to the Infocard herald a sea change in how Microsoft views identity.  It no longer believes it should own the identities and instead is using identity federation as the core building block for its future security infrastructures.