Making systems talk to each other is one of the most challenging parts of any software implementation. Despite many advances in technology, it can still be very time consuming to map field by field to enable communication between systems. Advances in API standards are making it easier, but there's a burning question for many people when it comes to integrating systems in the cloud: how do SaaS business platforms communicate securely with your private network?
And we're not talking about the actual nuts and bolts of mapping field 123 to field ABC (again, that can be a challenge, although it is a problem that PorterLogic can solve). Assuming you can systematically send data from one solution to another, how do you securely transmit that data? In a world where data breaches are all too common, what techniques can your company employ to stop hackers from stealing in-transit data? Continue reading to find out.
There are multiple strategies that technology providers employ to ensure security when it comes to data integration between cloud services and on-premise networks. These strategies are often utilized together based on specific business conditions and requirements.
Just about every company has a VPN, or virtual private network. Most professionals have connected to a VPN, but very few actually understand what is happening under the hood.
A VPN essentially performs two major tasks: it encrypts the data traveling to and from your computer so that it stays private, and it allows external devices to reach internal services over a protected, encrypted channel.
Take a look at the diagram below:
When you connect to a VPN from an external computer, the data between your computer and the VPN server is encrypted and inaccessible to anyone potentially watching your network traffic (hackers, governments, etc.).
The VPN server is the only part of the network exposed to external traffic. In other words, all of your other business applications are hidden from the public internet and only accessible on your private network (sometimes called an intranet). Because the VPN server sits within your internal network, it is able to access internal resources, but only allows authenticated traffic from the outside to continue into the internal network.
Furthermore, as mentioned before, once you connect to a VPN, all of the traffic between your computer and the VPN server is encrypted. Once the data hits the VPN server, it is decrypted and passed on to the appropriate resource within your company's network.
So what does all this have to do with integrating cloud applications?
Typically when employing a VPN-based strategy, cloud services are accessed on your company's domains, which are available only to your internal network. Despite being in the cloud, the resources are still only visible after users connect to your VPN (or when accessed directly from your corporate network, like the wifi in your warehouses). In this way, data is kept secure because all traffic is first authenticated by the VPN, but your users can still access your cloud-based apps from anywhere. Additionally, the data traveling from personal computers is safe because it is encrypted until it hits your internal network.
A DMZ server or bastion server conceptually serves a similar purpose as a VPN server, but accomplishes security in a few different ways. A DMZ or bastion server sits within your company's internal network, but is also accessible to the wider internet (similar to a VPN server). It is typically one of the only parts of your internal network accessible from the outside.
Because you have control over this bastion server, you can employ a number of strategies to clean and secure traffic before allowing it into the rest of the internal network. For example, you can use a firewall to allow only traffic from certain IP addresses to continue, or you can even employ MAC address filtering to only let traffic from certain computers through. Contrast this with exposing your internal services directly to the public internet, which would mean those services would each have to employ their own firewall or other security measures, which increases the surface area for potential attacks.
DMZs are useful when you need to allow traffic to access internal resources from anywhere, but for whatever reason it is infeasible to require VPN authentication prior to access. While DMZs are often used for two systems talking to each other, a tangible example of this could be an appointment scheduling portal for your carriers. You want your carriers to be able to access your portal from their computers, but you don't want to issue VPN certificates to all of your carriers. By simply whitelisting your carriers' networks in your bastion server's firewall, you can securely allow traffic from your carriers' networks to access your portal.
An even more secure way to achieve this result would be to employ MAC address filtering. A MAC address is a unique identifier assigned to every network-connected device, typically assigned by the manufacturer of the device. Using a MAC address, you can identify traffic from individual machines when it hits your DMZ. By filtering out traffic and only allowing access from trusted machines, you can keep your internal resources secure from external threats.
In addition to access control strategies, companies can also take advantage of various network configurations to aid in their security practices.
Virtually all consumer apps communicate using the public internet, for the sheer fact that consumer services need to be accessible from anywhere. In contrast, business systems need to be tightly controlled to avoid loss of data. However, with proper configuration, the public internet can be a safe way to transmit business data.
For example, you can employ a VPN server to only allow authenticated users access into your internal network. Your cloud services can then still sit outside of your network (i.e. in your vendor's private network), but your vendor's network can be configured to only allow access from your company's network (i.e. from your company's IP address).
In this way, traffic between your internal network and your vendor's systems can still utilize the public internet for communication, but only traffic that has been pre-authenticated and allowed into your internal network can access your vendor's systems. Furthermore, traffic can be encrypted before it leaves your internal network for an additional layer of security.
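Both the bastion firewall described above (allow only certain source IP addresses through to the carrier portal) and the vendor-side configuration just described (the vendor allows only your company's IP address) come down to the same check: compare the source address of each connection against an allowlist of networks and default to deny. The script below is an added example, not PorterLogic's code or any vendor's configuration; the CIDR ranges, carrier names, log line format and port list are constructed placeholders (the IPs are from the reserved documentation ranges). It evaluates sample connection-log lines against the allowlist and renders the same policy as an nftables ruleset.

```python
import ipaddress
import re

# Constructed allowlist of carrier networks (placeholder CIDRs, not real carriers).
ALLOWED_SOURCE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),    # "Carrier A" office range
    ipaddress.ip_network("198.51.100.16/28"),  # "Carrier B" NAT egress block
]

# Only the portal's HTTPS port is reachable through the bastion.
ALLOWED_DEST_PORTS = {443}


def is_allowed(src_ip: str, dst_port: int) -> bool:
    """Return True when a connection attempt may pass the bastion."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed address: default deny
    if dst_port not in ALLOWED_DEST_PORTS:
        return False
    return any(addr in net for net in ALLOWED_SOURCE_NETWORKS)


# Constructed log format: "src=IP dport=PORT"
LOG_LINE = re.compile(r"src=(?P<src>\S+)\s+dport=(?P<dport>\d+)")


def evaluate_log(lines):
    """Classify each log line as ACCEPT or DROP according to the allowlist."""
    decisions = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            decisions.append((line, "DROP"))  # unparseable line: deny
            continue
        verdict = "ACCEPT" if is_allowed(m["src"], int(m["dport"])) else "DROP"
        decisions.append((m["src"], verdict))
    return decisions


def render_nftables(table="bastion"):
    """Render the same policy as an nftables ruleset (default-deny inbound)."""
    rules = [
        f"table inet {table} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for net in ALLOWED_SOURCE_NETWORKS:
        for port in sorted(ALLOWED_DEST_PORTS):
            rules.append(f"    ip saddr {net} tcp dport {port} accept")
    rules += ["  }", "}"]
    return "\n".join(rules)


# Constructed sample of bastion connection attempts.
SAMPLE_LOG = [
    "src=203.0.113.77 dport=443",   # Carrier A, HTTPS: accept
    "src=203.0.113.77 dport=22",    # Carrier A, SSH: drop (port not exposed)
    "src=198.51.100.20 dport=443",  # Carrier B: accept
    "src=198.51.100.99 dport=443",  # outside Carrier B's /28: drop
    "src=192.0.2.5 dport=443",      # unknown network: drop
    "src=not-an-ip dport=443",      # garbage: drop
]

if __name__ == "__main__":
    for src, verdict in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:6} {src}")
    print(render_nftables())
```

Two design points worth noting. First, an IP allowlist identifies a network, not a person or a machine: anyone behind Carrier A's egress address is accepted, so the portal itself still needs authentication. Second, a MAC address is a link-layer property that is replaced at every router hop, so a bastion reached over the internet only ever sees the MAC of the adjacent router; MAC filtering distinguishes individual machines only on a directly attached segment such as the DMZ itself or a warehouse LAN, which is why the firewall rule above keys on the source IP.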
For companies that want even more protection and security, and especially for companies that operate in data-sensitive industries (think pharmaceutical, healthcare, etc.), it can be necessary to avoid the public internet altogether.
Dark fiber networks have risen to meet those needs. While the name "dark fiber" sounds intense and futuristic, it's not as sinister as it sounds. When large network providers (e.g. Comcast, AT&T, etc.) are laying network fiber, they often lay much more than they actually need. Because installing fiber network cables is so costly, it is more cost effective for these companies to lay sometimes three to five times the cable that current demand requires, in order to future proof their networks.
This practice has led to extra capacity in the fiber networks not currently being used by public internet connections. Service providers have emerged that allow companies to lease this extra fiber capacity, giving them a private, direct network line between their locations. While this is not a feasible strategy for supporting lots of disparate connections (e.g. for remote employees), dark fiber networks can be used to securely connect companies' locations (e.g. your warehouses to your central office).
In this way, computers and services in multiple locations can securely communicate without your data ever actually traveling through the public internet. Your company's data remains within your internal network at all times.
Additionally, a dark fiber strategy can be combined with VPNs, DMZs, and other encryption technologies to securely connect your networks with off-premise cloud-based SaaS applications.
There are positive and negative aspects to any approach to security. In reality, the right strategy for your company is heavily dependent on your individual needs. Most companies will need to employ a combination of techniques in order to achieve the optimal security setup. For example, using both a VPN for user access and a DMZ for system access can allow for seamless communication with minimal latency and maximum security. Your company really needs an expert to analyze your specific integration needs before recommending the best strategies.
Keep in mind, all of these strategies are for naught without a focus on security with your people. Humans are often considered the weakest point in any network, and companies can see untold benefits by employing security training for their associates. You can find more information in our post You Should Be Pen Testing Your Network.
We employ industry best practices in all of our implementations, but we are also very open to working with your internal IT teams and external security consultants to achieve the safest setup for your company's unique requirements.
There are many strategies your company can employ to take advantage of cloud-based solutions and integrate those services with your internal resources, while still maintaining a safe and secure environment. To stay competitive, companies need to take advantage of modern SaaS technologies, but with security in mind (especially when it comes to in-transit data) in order to avoid external threats.
Want to stay informed? Subscribe to PorterLogic’s newsletter, and you’ll get bimonthly analysis and rundowns of the supply chain’s latest trends and challenges in your inbox.