The diagram below shows what the hybrid data center looks like from a customer's point of view. In this case, most of your assets sit outside the organization's network boundary, consumed as SaaS, IaaS and PaaS, and your currently deployed security solution has lost visibility of infrastructure deployed on the other side of the world. In terms of network visibility, an IaaS model is more flexible than SaaS; a SaaS model, on the other hand, allows no infrastructure visibility behind the cloud application:
![](assets/bad94169-171f-43e4-9cc3-f7c637f22d83.png)
Let's take a look at what the cloud data center network looks like and why, from a customer's point of view, we lose all visibility for SaaS. Most big cloud service providers run a very agile and resilient fat-tree network, which looks similar to the following diagram:
![](assets/40bfcc03-1254-4b2a-8c26-e6768e5c48da.png)
In this cloud design, all networking functions such as firewalls and load balancers have been moved to the server layer by taking advantage of network function virtualization (NFV). This design supports the increasing East-West traffic, whereas the legacy model was based on traditional client-server (North-South) traffic. These servers are also shared resources, and the virtual machines on them are allocated to customers. From one VM to another, the service provider can use either GRE or VXLAN encryption:
![](assets/2d15ec7d-083d-48d5-9071-2fd57aab04d2.png)
In this model, resources can reside anywhere on the server clusters. As a customer, we have no control over which physical resources are used. From the ISP to the L3 Top-of-Rack (ToR) switch, and from one physical server to another, communication is encrypted and controlled by the service provider, so you have no way of looking at the network traffic. IaaS services provide an option to deploy virtual appliances such as a virtual firewall appliance and a virtual TAP. These can provide some visibility, but SaaS is going to be an absolute zero-visibility zone.
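To make the visibility point concrete, here is an added example (not code from the book) that peels VXLAN and GRE tunnel headers off a captured Ethernet frame, the way a virtual TAP consumer must, to recover the tenant VM addresses that a monitor watching only the outer headers would never see. The VTEP and VM addresses, VNI and GRE key are constructed sample values.

```python
"""Peel VXLAN (UDP/4789) or GRE encapsulation off a captured Ethernet frame so the tenant VM
endpoints inside the tunnel become visible. Addresses, VNI and GRE key are constructed samples."""
import struct

VXLAN_PORT = 4789
ETH_IPV4, ETH_BRIDGED = 0x0800, 0x6558   # ethertypes: IPv4, GRE transparent Ethernet bridging

def _ip(b):                                # 4 raw bytes -> dotted quad
    return ".".join(str(x) for x in b)

def _ipv4(buf):                            # -> (src, dst, protocol, header length)
    return _ip(buf[12:16]), _ip(buf[16:20]), buf[9], (buf[0] & 0x0F) * 4

def eth_hdr(ethertype):                    # dummy MACs; only the ethertype matters here
    return b"\x02" * 12 + struct.pack("!H", ethertype)

def ipv4_hdr(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def decapsulate(frame: bytes) -> dict:
    """Outer (hypervisor/VTEP) endpoints, plus tunnel id and inner (VM) endpoints if encapsulated."""
    assert struct.unpack("!H", frame[12:14])[0] == ETH_IPV4, "outer IPv4 expected"
    o_src, o_dst, proto, ihl = _ipv4(frame[14:])
    info = dict(outer_src=o_src, outer_dst=o_dst, encap=None, tunnel_id=None, inner_src=None, inner_dst=None)
    payload, inner = frame[14 + ihl:], b""
    if proto == 17 and struct.unpack("!H", payload[2:4])[0] == VXLAN_PORT:
        vx = payload[8:]                                  # skip the 8-byte UDP header
        if vx[0] & 0x08:                                  # "I" flag: VNI field is valid
            info.update(encap="vxlan", tunnel_id=int.from_bytes(vx[4:7], "big"))
            inner = vx[8:]                                # inner Ethernet frame follows
    elif proto == 47:                                     # GRE: optional C, K, S fields
        gflags, ptype = struct.unpack("!HH", payload[:4])
        off = 4 + (4 if gflags & 0x8000 else 0)           # C bit: checksum + reserved
        key = struct.unpack("!I", payload[off:off + 4])[0] if gflags & 0x2000 else None
        off += (4 if gflags & 0x2000 else 0) + (4 if gflags & 0x1000 else 0)   # K, S bits
        info.update(encap="gre", tunnel_id=key)
        # bridged mode carries a full inner frame; bare IP mode needs a synthetic Ethernet header
        inner = payload[off:] if ptype == ETH_BRIDGED else eth_hdr(ETH_IPV4) + payload[off:] if ptype == ETH_IPV4 else b""
    if inner and struct.unpack("!H", inner[12:14])[0] == ETH_IPV4:
        info["inner_src"], info["inner_dst"], _, _ = _ipv4(inner[14:])
    return info

# Constructed sample: VM 192.168.1.10 -> .20 (TCP) carried between VTEPs 10.0.0.1 -> 10.0.0.2
INNER = eth_hdr(ETH_IPV4) + ipv4_hdr("192.168.1.10", "192.168.1.20", 6, 20) + bytes(20)
VXLAN_FRAME = (eth_hdr(ETH_IPV4) + ipv4_hdr("10.0.0.1", "10.0.0.2", 17, 16 + len(INNER))
               + struct.pack("!HHHH", 49152, VXLAN_PORT, 16 + len(INNER), 0)
               + struct.pack("!B3sI", 0x08, b"\0\0\0", 5001 << 8) + INNER)
GRE_FRAME = (eth_hdr(ETH_IPV4) + ipv4_hdr("10.0.0.1", "10.0.0.2", 47, 8 + len(INNER))
             + struct.pack("!HHI", 0x2000, ETH_BRIDGED, 7001) + INNER)
```

Run `decapsulate(VXLAN_FRAME)` and `decapsulate(GRE_FRAME)`: without the decapsulation step a monitor reports only 10.0.0.1 talking to 10.0.0.2, which is the hypervisor pair, not the tenant VMs.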