It’s not news that organizations are increasingly turning to public, private and hybrid clouds to run their businesses. Over the past few years, we’ve seen adoption skyrocket. 95% of respondents to RightScale’s 6th annual “2017 State of the Cloud” survey indicated they are now using the cloud. In its “2016 State of the Market: Enterprise Cloud” report, Verizon found that 87 percent of organizations are using cloud-based tools to run mission-critical workloads.

This growth shows no signs of slowing. Gartner predicts the worldwide public cloud services market will grow 18 percent this year, from $209.2 billion in 2016 to $246.8 billion at the end of 2017. This is echoed in Intel’s recent report, “Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security,” which found that 80% of all IT budgets will be committed to cloud solutions within 15 months.

The cloud’s elasticity, scale and efficiency are becoming indispensable to the modern enterprise. 69 percent of enterprises touted the cloud’s usefulness in helping them revolutionize business processes. But for all the good the cloud enables, it can also introduce risks that, if left unmitigated, can inflict both short- and long-term damage on the business. Just look at the crippling effects of the recent WannaCry, exPetr and Google Docs attacks.

Effectively securing cloud deployments, however, is easier said than done – 49% of businesses are delaying cloud deployment due to a cybersecurity skills gap. So, how can organizations build out a secure cloud? We have developed an architecture – what we like to call the full stack private cloud – that enables all the benefits of the cloud, with all the security of a private environment. It’s based on the thousands of hours our engineers have spent working with partners to identify and close the security gaps in the cloud deployments of hundreds of end customers.

Figure 1. Full Stack Private Cloud Architecture
Virtualized infrastructure is the core of this architecture.

At the core of this architecture is the virtualized infrastructure. In our stack, we use Nutanix, which creates a hyperconverged infrastructure that includes native security services to protect against both internal and external attacks. If you wanted to, you could virtualize the entire environment (everything within the dotted square line, including Rubrik) and run it directly on a multi-node Nutanix cluster. Note that the Acropolis hypervisor makes virtual machine creation and management extremely easy.

At the perimeter, we have the Palo Alto Networks Security Platform. Its Next-Generation Firewall, along with other components of the Platform such as Panorama, can be deployed virtually in public, private and hybrid clouds (on a multitude of private cloud hypervisors). It offers a lot of power, providing up to 9 Gbps of threat prevention throughput, and in many cases can be used to replace existing perimeter routers/switches and fully segment the network, so we have control over data no matter where it flows.

Sitting in front of our web presence is Imperva, which adds another layer of protection for our important web servers and services. It enables us to control inbound connections to the web server and protect against distributed denial of service (DDoS) attacks, which often use web traffic to wreak havoc. We can also use Imperva’s database access management to control the backend databases that are being run in the environment. Instances can be clustered to increase capacity and handle more workload, so we can scale to meet the growing demands of our web traffic.

We use Infoblox for DNS, DHCP and IP address management (IPAM) in the virtual environment. This allows us to control and protect all our other servers, for example by providing IP address management for our Windows desktops and servers, and to segregate our virtual architecture so we can better manage traffic flow and contain threats. Via a ‘grid’, in which you can place virtual devices and key network segments, you can easily manage an extremely dynamic environment. Infoblox also provides a lot of actionable intelligence on the flow of traffic, which can ease the move from private to hybrid clouds.

Rubrik is deployed to provide backup and disaster recovery (DR). This helps us ensure that, in the event of a catastrophe (cyberattack or natural disaster), our business can continue to operate without disruption. We can have a virtual or physical appliance running in our data center and replicating to Microsoft Azure, Amazon Web Services, or another DR site. If our entire virtual architecture goes down, Rubrik can reboot everything directly and have it back up and running at the DR site in a matter of moments.

One thing to note is that there is a lot of flexibility in this architecture. The key behind all of it is that every solution within the stack is easy to use and 100 percent scalable, so it can accommodate a deployment that is as small or as large as you need. Together, they create an environment that you can lock down to allow only what you want, giving you a secure, private cloud that you can confidently use to run your business.

If you would like to see this environment in action, please reach out to us at