To be successful, many SaaS solutions require access to their customers’ data. Consider a company like Databricks, which more than half of the Fortune 500 uses to process, analyze, and monetize data sets. To accomplish this, Databricks must connect to their customers’ cloud accounts to process and store data. And they have to do it with security and scale in mind.
However, sending data to vendors for processing poses various challenges. The explosion in volume and complexity of data makes this approach impractical, often incurring significant expenses for data processing and transfer for egress from the client’s cloud, ingress to the vendor’s cloud, or both. And perhaps most importantly, the loss of control creates concerns about data privacy, sovereignty, and security.
To address these challenges, a new architecture has emerged called Bring Your Own Cloud (BYOC). BYOC means that the data plane portion of the SaaS vendor’s software stack is deployed into their customers’ environment to store, process, and analyze customer data. The control plane consists of all the backend services and computational resources required to configure and manage data sets in the vendor’s network, and it runs in the SaaS vendor’s cloud environment while connecting to the BYOC data plane that runs in the customer’s network via APIs. BYOC software solves privacy, sovereignty, and cost issues, but SaaS vendors face many hurdles connecting to it in customer networks.
Getting network access to the data plane deployed in a customer's environment can be a complex and time-consuming process. Vendors often grapple with VPNs, VPC peering, PrivateLink, and firewall configurations, which require extensive security reviews and approvals from multiple stakeholders, including the customer’s NetOps and SecOps teams. Each customer’s environment is unique, requiring bespoke network configurations, which prevents rapid scaling across accounts. This means that end users don’t experience quick time to value, resulting in poor onboarding experiences, general dissatisfaction early on in an engagement, and even churn.
In addition, the idea of granting vendors cloud access may give some enterprises pause. In 2022, cloud exploitation cases alone grew by 95%, which CrowdStrike Intelligence credits to threat actors using valid cloud accounts and public-facing applications to gain initial access. Companies can implement best practices to address these challenges to ensure network security and provide quick time to value.
Hassle-free connectivity is critical for implementing BYOC. Customers should not need to change any network configurations or enable inbound ports, site-to-site VPNs, VPC peering, or PrivateLink to give vendors access to the BYOC data plane in their network.
While it’s the job of both the vendors and the customers to ensure that their networks are secure, access to BYOC targets should be clearly defined with authentication policies. Customers should ensure that any vendor using BYOC supports policies for mutual TLS (mTLS), IP restrictions, OAuth, SAML, Open ID Connect (OIDC), and JWT authentication. For vendors, it’s important that only authorized traffic from their customers' environments can enter their network.
As the volume of data continues to grow, so does the need to access, process, and store it securely and cost-effectively. While dozens of use cases require vendors to securely access customer data, here are the top three that will leverage BYOC first:
As the need to manage data privacy, sovereignty, control, and cost grows, more use cases will emerge. As they do, customers will be more tactical about what data leaves their environments and who gets access to it. BYOC solutions with comprehensive security and authentication policies are the best way for vendors to get secure access to networks they don’t control while protecting themselves and their customers.
Chad Tindel is Field CTO and VP of Worldwide Solution Architecture at ngrok.
Related articles:
With many enterprises new to NaaS, service providers can differentiate themselves from competitors by prioritizing superior customer service and experiences.
Unlocking the full potential of telecom in the SaaS era relies on comprehensive strategies and a constant commitment to evolving security practices.
Eliminating complexity by standardizing with a platform approach is the way to put the brakes on the complexity cycle.
