15 November 2022

How to set-up a closed user group

Many day-to-day operations of all kinds of organizations depend on data, and often these resources are outside the organization’s core network. For example, they could be in a public cloud or shared with partners, and accessed via the Internet. In this case, the organization has no control over the path taken by the data as routing decisions are taken autonomously by different networks. In addition, the data is exposed to multiple hacking vectors such as IP hijacking and DDoS attacks.

Enter closed user groups

With regards to network security, interconnection with important partners, suppliers, customers, and clouds should always take the form of a direct connection. One way of doing this is to group multiple partners together in a closed user group (CUG) – a service tailored specifically for this purpose, where an owner can define the rules for data sharing, data protection, and data routing, and verify compliance with then, and invite the required parties that it needs to exchange data with to become CUG members. The CUG should be established on an interconnection platform that is as resilient and distributed as possible.

So how to get started? Here are four steps you should think about when it comes to choosing your interconnection service provider for your CUG, and setting it up.

How to set up a closed user group

Step 1: Choose location

There are several elements that can influence the choice of an interconnection provider or an Internet Exchange for a CUG. These elements need to work in balance to get the most out of the ecosystem your company is building:

  • The shortest paths for the data to travel: The speed that data can travel is limited to the speed of light, meaning that if the data needs to travel too far, then a lag – the latency – becomes perceptible. Therefore, it is best is to choose a location that sits in between the locations of the majority of the critical stakeholders in the CUG, so that all of them can enjoy low-latency connections.
  • Jurisdiction: The CUG must be set up in accordance with local and regional law, meaning that sensitive data should be exchanged on an interconnection platform within the given jurisdiction, ensuring that the pathways that the data travels along do not cross the boundaries of this region.
  • Neutrality: Neutrality means that there is a wide diversity of not only networks, but also data centers, to partner with in order to connect to the platform. This makes it much easier for the participants of the CUG to find appropriate connectivity partners to transport the data. You also want to stay flexible and be able to change providers according to changing strategic business needs, and avoid vendor and provider lock-in.

Step 2: Choose connectivity partners

To connect to the CUG, the owner will need to engage the services of a telecom carrier. This carrier, for example the company’s Internet Service Provider, will offer connectivity from the location of the company (e.g. the headquarters, the on-premise data center, or the colocation data center where the data is stored) to the chosen platform. The same goes for each of the participants of the CUG – but this does not need to be the same carrier for all: each player can choose their own connectivity partner, depending on existing relationships and geographical coverage.

Large interconnection service providers can simplify this process by functioning as a one-stop shop for the connectivity needs of the CUG owner and the participants. They offer an extensive partner program to enable connectivity in many geographical locations and the CUG owner simply specifies the partners they want to connect with and the rules of the CUG. The interconnection provider can take care not only of connecting the owner to the CUG, but also, if required, managing the network and auditing and connecting each member to the CUG.

Step 3: Control access to data

This is a step which the owner of the CUG should take care of internally in collaboration with the individual CUG participants. This requires AAA (authorization, authentication and accounting) and decisions regarding which databases and APIs can be accessed by the other participants. Authentication should be dealt with internally, and products like firewalls can be used to ensure this kind of control.

On the network level, the interconnection service provider can ensure that only specific protocols are allowed, according to the needs and specifications of the CUG owner. For instance, the owner can establish a policy that only allows HTTPS traffic and disallows HTTP traffic, thus enforcing a greater level of security.

Step 4: Take it into operation

A CUG can be implemented in just a few weeks – days even, depending on the ISPs and carriers required. Ideally, the owner should start by setting up and testing a CUG in parallel to their existing systems. There is no need to dispose of the current system until everything is running effectively and resiliently. After testing, operations can be migrated over to the CUG with minimal impact on systems. To make the implementation even smoother, some interconnection providers offer a one-stop-shop approach to setting up a CUG, allowing you to outsource many of the tasks.

Once set up, a closed user group can be run with all necessary support in terms of security and operations. The interconnection provider can work together with CUG participants to set up their network connectivity, and also ensure that the security policy is implemented, and audit the participants for compliance. Many providers also offer additional simplification through APIs and portals, allowing fully automated scaling of the CUG bandwidth as necessary, at the press of a button.