Automatically Defined Perimeter (Cope, Erl)
How can a perimeter be protected that is dynamic and extends from on-premise to multi-vendor cloud resources?
ProblemIn cloud architecture, IT boundaries are dynamic and can scale into multiple clouds from on-premise resources, which creates challenges when establishing and securing perimeters.
SolutionA system is established that provides protected communications between consumers and providers whereby each provider either accepts or rejects communications based on privileges securely granted automatically by a perimeter controller.
ApplicationCloud consumers authenticate to an automatically defined perimeter (ADP) controller which, if they are authorized, notifies the appropriate cloud provider services to respond to the authenticated consumer’s requests. Otherwise, protected providers do not respond to any communications.
Compound PatternsBurst In, Burst Out to Private Cloud, Burst Out to Public Cloud, Cloud Authentication, Elastic Environment, Infrastructure-as-a-Service (IaaS), Isolated Trust Boundary, Multitenant Environment, Platform-as-a-Service (PaaS), Private Cloud, Public Cloud, Resilient Environment, Resource Workload Management, Secure Burst Out to Private Cloud/Public Cloud, Software-as-a-Service (SaaS)
ADP cloud services can either be: cloud consumers requesting a single service, multiple services, or a service orchestration (A), cloud providers that initially only respond only to the ADP controller and then only to cloud consumers that have been authorized by the ADP controller (B), access managed by requests to ADP controllers which rely on the organization’s IAM (C).
The participating cloud resources authenticate to the ADP and register with it when they are initially brought online.