
Planes and clouds
The control plane, data plane, and management plane are terms that come from the on-premises networking world; they explain, in very simple terms, how IP packets move from A to Z. In the cloud, the traditional network becomes amorphous: the cloud vendors perform these network functions as part of their cloud fabric. One would think the planes are no longer relevant.
That’s not the case, unfortunately, and IT professionals working with the cloud need to understand how the concept of planes evolves in the cloud ecosystem, especially as they share certain aspects of security with the cloud vendors (the much-discussed Shared Security Model to which all major cloud providers adhere).
In the old, on-premises days, planes were fairly straightforward:
- Data plane — all the functions and processes that forward packets/frames from one interface to another
- Control plane — all the functions and processes that determine which path to use (such as LDP, routing protocols, etc.)
- Management plane — all the functions you use to configure, control, and monitor devices
IT would typically include firewalls as part of the management plane to provide a security perimeter, since data in motion was the only real security issue.
How planes change in the cloud
What changes in the cloud? Pretty much everything. First, while the vendors manage key aspects of the data plane and control plane, the cloud itself makes these planes suddenly porous. For example, data can be passed from one cloud service to another. A classic case would be using artificial intelligence (AI) to mine customer relationship management (CRM) data. This “mining” occurs outside your network, in the cloud, between two services over which you don’t have a lot of control. How do you secure the data and ensure that only certain users can access it and only certain services can interact with it? And finally, how do you treat the new data that is created?
Companies don’t migrate to the cloud for cheaper storage — in fact, some like Tim Crawford (“CIO in the Know” podcast host) suggest that companies’ own data storage may be ¼ the cost of storing data in the cloud. So if the cloud isn’t the ultimate repository, it often acts as a media server as data is manipulated, accessed, and moved in and out of the cloud. Suddenly, the control plane becomes a lot more interesting, as this is where policies and workflows can be designated to work in hybrid or even multi-cloud scenarios — it’s no longer just about the routing path.
So back to our on-premises scenario: firewalls in the NextGen era quickly adapted to include control plane functionality (i.e., workflows, policy management, etc.), and some have adapted to the cloud era (CloudGen) to provide the same functionality in the cloud. But…
Workflow visibility can be limited in the cloud, cloud services have their own ways of convoluting well-architected controls, and how can you ensure this control is applied — and tracked — across multiple workloads, VPCs, and even different clouds?
The answer is that you need a different solution, and there are several categories of such solutions. In our next blog, we’ll start by looking at the original one, Cloud Workload Protection Programs.