How to Securely Access Customer Networks With BYOC

As the need to manage data privacy, sovereignty, control, and cost grows, more Bring Your Own Cloud (BYOC) use cases will emerge.

Chad Tindel, Field CTO and VP of Worldwide Solution Architecture, ngrok., Field CTO and VP of Worldwide Solution Architecture

March 7, 2024

5 Min Read
How to Securely Access Customer Networks With BYOC
(Credit: Panther Media GmbH / Alamy Stock Photo)

To be successful, many SaaS solutions require access to their customers’ data. Consider a company like Databricks, which more than half of the Fortune 500 uses to process, analyze, and monetize data sets. To accomplish this, Databricks must connect to their customers’ cloud accounts to process and store data. And they have to do it with security and scale in mind.

However, sending data to vendors for processing poses various challenges. The explosion in volume and complexity of data makes this approach impractical, often incurring significant expenses for data processing and transfer for egress from the client’s cloud, ingress to the vendor’s cloud, or both. And perhaps most importantly, the loss of control creates concerns about data privacy, sovereignty, and security.

Enter BYOC

To address these challenges, a new architecture has emerged called Bring Your Own Cloud (BYOC). BYOC means that the data plane portion of the SaaS vendor’s software stack is deployed into their customers’ environment to store, process, and analyze customer data. The control plane consists of all the backend services and computational resources required to configure and manage data sets in the vendor’s network, and it runs in the SaaS vendor’s cloud environment while connecting to the BYOC data plane that runs in the customer’s network via APIs. BYOC software solves privacy, sovereignty, and cost issues, but SaaS vendors face many hurdles connecting to it in customer networks.

Challenges of getting customer network access to BYOC

Getting network access to the data plane deployed in a customer's environment can be a complex and time-consuming process. Vendors often grapple with VPNs, VPC peering, PrivateLink, and firewall configurations, which require extensive security reviews and approvals from multiple stakeholders, including the customer’s NetOps and SecOps teams. Each customer’s environment is unique, requiring bespoke network configurations, which prevents rapid scaling across accounts. This means that end users don’t experience quick time to value, resulting in poor onboarding experiences, general dissatisfaction early on in an engagement, and even churn.

In addition, the idea of granting vendors cloud access may give some enterprises pause. In 2022, cloud exploitation cases alone grew by 95%, which CrowdStrike Intelligence credits to threat actors using valid cloud accounts and public-facing applications to gain initial access. Companies can implement best practices to address these challenges to ensure network security and provide quick time to value.

Best practices for accessing customer networks with BYOC

Hassle-free connectivity is critical for implementing BYOC. Customers should not need to change any network configurations or enable inbound ports, site-to-site VPNs, VPC peering, or PrivateLink to give vendors access to the BYOC data plane in their network.

While it’s the job of both the vendors and the customers to ensure that their networks are secure, access to BYOC targets should be clearly defined with authentication policies. Customers should ensure that any vendor using BYOC supports policies for mutual TLS (mTLS), IP restrictions, OAuth, SAML, Open ID Connect (OIDC), and JWT authentication. For vendors, it’s important that only authorized traffic from their customers' environments can enter their network.

The future of BYOC

As the volume of data continues to grow, so does the need to access, process, and store it securely and cost-effectively. While dozens of use cases require vendors to securely access customer data, here are the top three that will leverage BYOC first:

  • Data insights and analytics. Companies like Databricks leverage BYOC to process, analyze, and monetize data sets in customers’ clouds. To eliminate data transfer costs and maintain data control for compliance reasons, more customers will require data analytics companies to offer BYOC.

  • Training large language models and artificial intelligence (AI). The next generation of AI companies are training their models on customer-held data sets. Transferring training data out of customer networks is a nonstarter because it risks data security and sovereignty, is expensive, and is slow. BYOC lets companies run AI software in customer networks where the data lives to train models on proprietary information without it ever leaving their cloud.

  • SaaS-based vulnerability management. To provide real-time vulnerability management, SaaS vendors must connect to customers' networks to scan, discover, and continuously monitor assets. They should also implement robust security measures to safeguard sensitive information and comply with organizational policies and regulations, as provided by BYOC.

As the need to manage data privacy, sovereignty, control, and cost grows, more use cases will emerge. As they do, customers will be more tactical about what data leaves their environments and who gets access to it. BYOC solutions with comprehensive security and authentication policies are the best way for vendors to get secure access to networks they don’t control while protecting themselves and their customers.

Chad Tindel is Field CTO and VP of Worldwide Solution Architecture at ngrok.

Related articles:

About the Author(s)

Chad Tindel, Field CTO and VP of Worldwide Solution Architecture, ngrok.

Field CTO and VP of Worldwide Solution Architecture, ngrok

Chad Tindel is the field CTO and VP of worldwide solution architecture at ngrok, the unified ingress platform for developers. He is a seasoned solution architect who has spent his career at leading companies, including Amazon, Elastic, MongoDB, and RedHat. Chad's expertise is multifaceted, encompassing customer engagement and technical pre-sales, with a strong foundation in operating systems, including notable contributions to the Linux kernel bonding driver. He has also played a key role in high-availability solutions, as evidenced by his architectural work on HP's Serviceguard product. Renowned for his technical acumen and unwavering dedication to innovation in the tech industry, Chad specializes in many domains, including cloud computing, high availability distributed computing, application security, NoSQL databases, storage, analytics, and big data. Connect with Chad on LinkedIn and tune into his podcast, Can I get the software in blue?

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights