How to Securely Access Customer Networks With BYOC
As the need to manage data privacy, sovereignty, control, and cost grows, more Bring Your Own Cloud (BYOC) use cases will emerge.
March 7, 2024
To be successful, many SaaS solutions require access to their customers’ data. Consider a company like Databricks, which more than half of the Fortune 500 uses to process, analyze, and monetize data sets. To accomplish this, Databricks must connect to their customers’ cloud accounts to process and store data. And they have to do it with security and scale in mind.
However, sending data to vendors for processing poses various challenges. The explosion in volume and complexity of data makes this approach impractical, often incurring significant expenses for data processing and transfer for egress from the client’s cloud, ingress to the vendor’s cloud, or both. And perhaps most importantly, the loss of control creates concerns about data privacy, sovereignty, and security.
Enter BYOC
To address these challenges, a new architecture has emerged called Bring Your Own Cloud (BYOC). BYOC means that the data plane portion of the SaaS vendor’s software stack is deployed into the customer’s environment to store, process, and analyze customer data. The control plane, which consists of all the backend services and computational resources needed to configure and manage those data sets, runs in the SaaS vendor’s cloud environment and connects to the BYOC data plane in the customer’s network via APIs. BYOC software solves privacy, sovereignty, and cost issues, but SaaS vendors face many hurdles connecting to it in customer networks.
Challenges of getting customer network access to BYOC
Getting network access to the data plane deployed in a customer's environment can be a complex and time-consuming process. Vendors often grapple with VPNs, VPC peering, PrivateLink, and firewall configurations, which require extensive security reviews and approvals from multiple stakeholders, including the customer’s NetOps and SecOps teams. Each customer’s environment is unique, requiring bespoke network configurations, which prevents rapid scaling across accounts. This means that end users don’t experience quick time to value, resulting in poor onboarding experiences, general dissatisfaction early on in an engagement, and even churn.
In addition, the idea of granting vendors cloud access may give some enterprises pause. In 2022, cloud exploitation cases alone grew by 95%, which CrowdStrike Intelligence credits to threat actors using valid cloud accounts and public-facing applications to gain initial access. Companies can implement best practices to address these challenges to ensure network security and provide quick time to value.
Best practices for accessing customer networks with BYOC
Hassle-free connectivity is critical for implementing BYOC. Customers should not need to change any network configurations or enable inbound ports, site-to-site VPNs, VPC peering, or PrivateLink to give vendors access to the BYOC data plane in their network.
While it’s the job of both the vendors and the customers to ensure that their networks are secure, access to BYOC targets should be clearly defined with authentication policies. Customers should ensure that any vendor using BYOC supports policies for mutual TLS (mTLS), IP restrictions, OAuth, SAML, OpenID Connect (OIDC), and JWT authentication. For vendors, it’s important that only authorized traffic from their customers' environments can enter their network.
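As an added illustration of the authentication policies described above (example code written for this article, not ngrok's or any vendor's implementation), here is a minimal policy check a BYOC data plane could run on each control-plane API call: it enforces an IP restriction, requires a trusted mTLS client identity, and verifies an HS256 JWT's signature, issuer, audience, and expiry. All CIDRs, hostnames, secrets, and claim values are constructed for the demo; a production data plane would use a PKI-issued client certificate and asymmetric token keys rather than a shared HMAC secret.

```python
import base64, hmac, hashlib, json, ipaddress
from dataclasses import dataclass

@dataclass
class AccessPolicy:
    allowed_cidrs: list        # IP restriction: the vendor control plane's egress ranges
    allowed_cert_sans: set     # mTLS: identities the client certificate may carry
    jwt_secret: bytes          # HS256 key shared with the control plane (constructed)
    jwt_issuer: str
    jwt_audience: str

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, secret: bytes) -> str:
    # Mint an HS256 token as the control plane would present it (demo helper).
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    h, p = enc({"alg": "HS256", "typ": "JWT"}), enc(claims)
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()

def verify_jwt(token: str, policy: AccessPolicy, now: float):
    """Verify signature, issuer, audience and expiry. Returns the claims or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":   # pin the algorithm; never honour 'none' or a swapped alg
            return None
        expected = hmac.new(policy.jwt_secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:                     # malformed base64, JSON, or token shape
        return None
    if claims.get("iss") != policy.jwt_issuer or claims.get("aud") != policy.jwt_audience:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

def authorize_request(policy: AccessPolicy, src_ip: str, peer_cert_sans, bearer_token: str, now: float):
    """Apply IP restriction, mTLS identity and JWT checks in order; returns (allowed, reason)."""
    if not any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(c) for c in policy.allowed_cidrs):
        return False, "source IP outside allowed ranges"
    if not policy.allowed_cert_sans & set(peer_cert_sans):
        return False, "client certificate identity not trusted"
    claims = verify_jwt(bearer_token, policy, now)
    if claims is None:
        return False, "bearer token rejected"
    return True, f"authorized subject {claims.get('sub')}"
```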
The future of BYOC
As the volume of data continues to grow, so does the need to access, process, and store it securely and cost-effectively. While dozens of use cases require vendors to securely access customer data, here are the top three that will leverage BYOC first:
Data insights and analytics. Companies like Databricks leverage BYOC to process, analyze, and monetize data sets in customers’ clouds. To eliminate data transfer costs and maintain data control for compliance reasons, more customers will require data analytics companies to offer BYOC.
Training large language models and artificial intelligence (AI). The next generation of AI companies is training its models on customer-held data sets. Transferring training data out of customer networks is a nonstarter because it risks data security and sovereignty, is expensive, and is slow. BYOC lets companies run AI software in customer networks where the data lives, training models on proprietary information without it ever leaving the customer’s cloud.
SaaS-based vulnerability management. To provide real-time vulnerability management, SaaS vendors must connect to customers' networks to scan, discover, and continuously monitor assets. They should also implement robust security measures to safeguard sensitive information and comply with organizational policies and regulations; deploying the scanning data plane via BYOC supports this by keeping that work inside the customer’s environment.
As the need to manage data privacy, sovereignty, control, and cost grows, more use cases will emerge. As they do, customers will be more tactical about what data leaves their environments and who gets access to it. BYOC solutions with comprehensive security and authentication policies are the best way for vendors to get secure access to networks they don’t control while protecting themselves and their customers.
Chad Tindel is Field CTO and VP of Worldwide Solution Architecture at ngrok.