Planes and clouds
The control plane, data plane, and management plane are terms that come from the on-premises networking world, to explain in very simple terms how IP Packets move from A to Z. In the world of the cloud, the traditional network becomes amorphous: the cloud vendors perform these network functions as part of their cloud fabric. One would think they’re no longer relevant.
That’s not the case, unfortunately, and IT professionals working with the cloud need to understand how the concept of planes evolves in the cloud ecosystem, especially as they share certain aspects of security with the cloud vendors (the much-discussed Shared Security Model to which all major cloud providers adhere).
In the old, on-premises days, planes were fairly straightforward:
- Data plane — all the functions and processes that forward packets/frames from one interface to another
- Control plane — all the functions and processes that determine which path to use (such as LDP, Routing protocols, etc.)
- Management plane — all the functions you use to control and monitor devices.
And IT would typically include firewalls as part of the management plane to provide a perimeter of security, since data in motion was the only real security issue.
How planes change in the cloud
What changes in the cloud? Pretty much everything. First, while the vendors manage key aspects of the data plane and control plane, the cloud itself makes these suddenly porous. For example, data can be passed from one cloud service to another. A classic case would be using artificial intelligence (AI) to mine customer relationship (CRM) data. This “mining” is occurring outside your network, in the cloud, between two services over which you don’t have a lot of control. How do you secure data and ensure only certain users access it, and only certain services can interact with it — and finally, how you treat the new data which is created.
Companies don’t migrate to the cloud for cheaper storage — in fact, some like Tim Crawford (“CIO in the Know” podcast host) suggest that companies’ own data storage may be ¼ the cost of storing data in the cloud. So if the cloud isn’t the ultimate repository, it often acts as a media server as data is manipulated, accessed, and moved in and out of the cloud. Suddenly, the control plane becomes a lot more interesting, as this is where policies and workflows can be designated to work in hybrid or even multi-cloud scenarios — it’s no longer just about the routing path.
So back to our on-premises scenario: Firewalls in the NextGen era quickly adapted to include control plane functionality (i.e., workflows, policy management, etc.) and some have adapted to the cloud era (CloudGen) to provide the same functionality in the cloud. But ….
Workflow visibility can be limited in the cloud, cloud services have their own way of convoluting well-architected controls, and how can you ensure this control is applied — and tracked — across multiple workloads, VPCs, even different clouds?
The answer is, you need a different solution. And there are several different categories of these solutions. In our next blog, we’ll start by looking at the original solution, Cloud Workload Protection Programs.