S&P Global was in a transition to a 100% cloud strategy. With the help of Cilium, S&P Global was able to break down the silos between networking and developer teams. As a result, S&P Global could run its Kubernetes ecosystem securely and reliably in a multi-cloud environment. Listen to Guru Ramamoorthy telling the story at the eBPF Summit, or read the summary here.
eBPF, a road to invisible network
S&P Global's Network Transformation Journey at eBPF Summit by Guru Ramamoorthy
Company Profile
Decision-makers need transparency and clarity to make decisions in a rapidly evolving economic landscape. S&P Global supports decision-makers by combining data, technology, and expertise to unlock expansive insights across markets and industries.
As a large, multi-billion dollar company focused on financial information and analytics, their developers need to be able to deploy applications anywhere, in any cloud ecosystem.
Journey to Cloud
S&P Global initiated its cloud journey in 2018, moving from being predominantly on-premises to a cloud-first approach, ultimately becoming a 100% cloud company. As part of this, S&P Global migrated its infrastructure to public cloud providers like AWS, Azure, and Alibaba and incorporated SaaS and PaaS solutions into the mix, creating a large ecosystem of cloud services.
They took a sequential approach to migrating the large number of apps to the cloud:
- 2018-2021: Lift-and-shift applications into a single cloud provider, enabling seamless onboarding experience into multi-cloud, to drive strategy and cost reduction
- 2021-2022: Cost reduction through automation, optimization, and adoption of multi-cloud, modern & cloud native Kubernetes architecture
- 2022: A large merger multiplied the number of data centers and applications, rinse & repeat of previous approach to fast track the journey to the cloud for new assets. At the same time, applications already in the cloud began migrating into the Kubernetes architecture
What are the challenges of cloud-native, multi-cloud networking?
The lift-and-shift approach led to a swift app migration to the cloud but without the true benefits of cloud-native architecture, such as scale, agility, and cost savings.
Cost savings will come when apps are run as cloud native, as containers, in Kubernetes.
To address the growing costs, S&P Global moved to the next stage of its cloud-native journey: containerization. They wanted services to be simpler, faster, and lightweight. This journey led them to Kubernetes. However, using Kubernetes still brought challenges, for example, in high-level, multi-cloud network use cases.
When customers access apps hosted in two different clouds, an additional service provider is still needed to load-balance the access. Also, the application has to talk to other apps and services. This can be other applications hosted in the data center itself, in other software-defined data centers, or a SaaS, as indicated in the graphics below on the left side. In addition, the application needs to communicate with the infrastructure services like monitoring, logging, observability spaces, and so on, as the graphics below indicate on the right side.
Vendor-specific CNIs of the public cloud providers cannot fulfill these requirements. Instead, it is necessary to have a data plane in Kubernetes, allowing applications to communicate seamlessly with the on-prem, cloud, SaaS, and downstream systems alike. The data plane makes the experience smooth and reliable for app owners. The app developers should not have to re-think or re-do how they connect their applications to the data center, infrastructure services, etc.
Specifically, the following challenges were identified that a common data plane across the cloud providers needed to address:
- Exhaustion of IP addresses
- No standard CNI for multi-cloud use cases
- Lack of network observability up to Layer 7
- Increased application latency due to sidecars
- Lack of granular network security policies
- Limited high availability capability
- Limited encryption capability
- Lack of multi-cluster capability
How to break the barriers between app developers and network engineers?
To better address these challenges, S&P Global increased the collaboration and communication between the app dev and the networking teams. The networking teams were swiftly able to help the app dev teams with capabilities such as multi-cloud service connectivity, high availability, and scale. By breaking the silos between these two teams, S&P Global was able to evaluate better how to run their Kubernetes ecosystem securely and reliably in a multi-cloud environment.
It is like mythbusters: the myth is that app teams can function independently in a Kubernetes world. The truth is that there needs to be an increased collaboration between both the application and the networking teams to run reliable, secure, and scalable apps in a multi-cloud environment. Myth, busted.
The teams’ research for a CNI in the cloud native space led them to the Linux kernel, which led them to eBPF, a revolutionary technology that provides advanced controls and insights. S&P Global’s research included feedback from their peers in the industry, like other financial companies of similar size and scale. This helped them understand how those companies solve comparable challenges with confidential data in the same regulatory environment. At the same time, S&P Global looked at large internet-scale companies with similar requirements regarding speed and scale of data transmission. In those discussions, others spoke highly about the benefits eBPF would provide.
What Advanced Network Capabilities does Isovalent Enterprise for Cilium offer?
S&P Global found Isovalent to be a great partner that could deliver Isovalent Enterprise for Cilium as an eBPF-powered Kubernetes data plane, combined with enterprise-level support and expertise.
Isovalent partnered with us, and we were able to deploy a frictionless network experience and provide a consistent ability for our developers to deploy applications anywhere in any cloud ecosystem.
Isovalent Enterprise for Cilium addressed the Kubernetes networking challenges mentioned above:
| Problem Statement | Solved using Cilium CNI |
| --- | --- |
| Exhaustion of IP addresses | Leveraged built-in VXLAN technology to overcome IP address exhaustion |
| Lack of network observability up to Layer 7 | Leveraged the well-integrated Hubble UI capability to deliver visibility up to Layer 7 |
| Increased application latency due to sidecars | Not using a sidecar at pod level improved latency and enables better performance for apps in the pod |
| Lack of granular network security policies | Ability to enforce identity-based (labels), DNS-aware (FQDN), API-aware (URL path), and data protocol (Layer 4, TCP/UDP) aware controls using eBPF |
| Limited high availability capability | Leveraged cluster mesh to design apps for a global service or shared service use case |
| Limited encryption capability | Ability to enforce encryption between the worker nodes or clusters using built-in transparent encryption (IPsec) |
| Lack of multi-cluster capability | Leveraged cluster mesh to address multi-cloud / multi-cluster use cases |
Value for S&P Global
For S&P Global, Cilium simplified and standardized the underlying networking service of Kubernetes, providing consistency and reliability across clouds as they continue to scale.
This results in a frictionless network experience and provides S&P Global’s developers a consistent ability to deploy an application in AWS, Azure, or Google – anywhere, in any cloud ecosystem. The developers don’t have to deal with mundane networking tasks. Instead, they can focus their efforts on application enrichment and business-critical impact.
Today at S&P Global we have made the underlying networking service of Kubernetes simplified, standardized, seamless, consistent, and more reliable across the cloud. The experience of the developers is now focused on improving their application, putting their efforts into the application enrichment and development.
Onward, in their cloud-native journey
Isovalent will continue to support S&P Global in its multi-year cloud native journey as it sees an increasing need for a multi-cloud CNI. Isovalent Enterprise for Cilium will enable the business units to grow by providing the connectivity, observability, and security required for a multi-cloud environment.
For future projects, S&P Global has already identified the need to implement further levels of defense in depth. S&P Global is actively looking at using Isovalent Enterprise for Cilium to enforce micro-segmentation in the Kubernetes world.
Roland Wolters is Head of Technical Marketing at Isovalent where he and his team are responsible for communicating the technical value of eBPF, Cilium, and Isovalent Cilium Enterprise to customers, prospects, and partners. His areas of expertise include security, automation, and open source. He is a keen driver of agile processes and would be lost without his Kanban boards. Outside of work, he is usually most remembered for trying to frantically keep up with his rambunctious young triplets.