Is there an unsecured wireless network near you?
When digital transformation is the goal, network renovation isn’t good enough
Thursday, 25 November 2021 19:30

Paid Feature Networks are supposed to make the world smaller. But in many ways, the traditional MPLS-based enterprise network created a galaxy of atomised, walled-off worlds.

This was fine when the applications and data most users needed for their day-to-day work lived inside their organisation’s network – as indeed were all, or nearly all, of the users. If that meant that staff working from home (or just in a smaller, branch office), were stuck with broadband and a VPN, well so be it.

But cloud-based services and applications are a fundamental part of the “digital transformation” that most organisations are today under pressure to achieve. Even before the pandemic, the vast majority of network traffic was terminating outside enterprise networks, typically inside the data centres of Microsoft, AWS, Salesforce and all the other cloud infrastructure and SaaS providers. The pandemic simply confirmed the central role of cloud-based services for collaboration and productivity apps.

This seems unlikely to change, with large numbers of corporate workers still working from home. Many have no intention of returning to the office.

How does traditional network architecture support this new, evolving, ever-transforming world? Not very well, unfortunately.

Those digital services that organisations and users want to consume “don't exist inside the traditional network … between a secure router, a data centre and maybe a firewall,” as Chris Fallon, product manager at UK managed services and cloud provider iomart, explains. “The user and their identity and potentially the data that they transfer goes out to the services over the internet.”

However, the robust, secure corporate network is not the secure, unassailable perimeter that its designers planned. Furthermore it may act as a rigid, inflexible bottleneck, especially now that Remote workers are the centre of gravity of many organisations moving towards hybrid working. Furthermore, the shortcomings of VPN are suddenly looming much larger, both in terms of connectivity and in terms of security.

From iomart’s point of view, one answer to these problems is SD-WAN, or software-defined wide area networking.

A traditional WAN usually connects a single high performance Ethernet circuit to a business site. But SD-WAN is different. It might be delivered in a physical device, but it’s simply software that dictates how your physical circuits are used, organising all of your data traffic into the right lanes. Low priority traffic - like YouTube - uses slower, less expensive circuits, while important traffic such as voice, CRM and Microsoft 365 use a less congested, speedy circuit.

SD-WAN can be mapped to your specific users’ needs. And it can easily evolve with your business needs as they change. This capability means you are never forced to conform to a vision set from when the network was originally designed and deployed.

SD-WAN as a concept has been around for a while but the initial wave tended to focus on extending the connectivity of a traditional MPLS network, adding some intelligence and orchestration. Or, as Fallon describes it, “network renovation - they would be connectivity solutions with maybe a basic firewall capability built into the device.”

Transformation, not renovation

iomart’s managed SD-WAN offering does focus on intelligent connectivity. For example, MPLS can be reserved for “critical apps” and the internet for lower priority traffic. Traditional networks can do something similar, but SD-WAN knows the parameters for a good user experience, monitors these targets, and moves application-specific traffic when necessary. Fallon adds that when it comes to broadband, “I think it’s better than most people give it credit for today.”

The security we have built into SD-WAN protects essentially all of the other aspects of the network

But even if your broadband isn't the best, SD-WAN can bolster your connection while keeping you secure. SD-WAN uses multiple internet links with forward error correction (FEC) to deliver similar or better performance than MPLS. The result is: “SD-WAN delivers the ability to get to those applications and services over the internet with some assurance the end user will get an appropriate level of quality.”

But connecting to those cloud services is only part of the story. Doing so securely is, arguably, all of it. SD-WAN is a foundational requirement for any strategy that might consider itself SASE-aligned. So let’s just assume the organisation as a whole is working on SASE and zero trust principles.

“The security we have built into SD-WAN protects essentially all of the other aspects of the network, including the journey through the different points of presence and ultimately, anything that goes out to and comes back from the internet once a user gets there,” Fallon says.

iomart’s offering is built on Barracuda’s technology, which also underpins the SASE-aligned secure connectivity portfolio of products, zero trust and firewall managed services.

“For SD-WAN, that service is actually deployed natively on a firewall appliance. So rather than running security on connectivity appliances, we do it the other way around,” Fallon explains. “We have a next generation firewall, and on that device, we run all of the network security capabilities, but we also terminate all of our customers' connections onto those devices.”

The device could be something that can go to a home worker, with two broadband connections, and if necessary, 4G/5G as a backup circuit. “And then we'll deploy SD-WAN, by connecting that appliance to the rest of the sites that are within the customer's network. So it's all connected and terminated to that firewall.”

In other use cases, he adds, there doesn’t have to be anything at all on the customer premises. “We can also deploy this firewall in the cloud…. we can do that as a private virtual appliance in a data centre, or we can deploy it in Azure, for example.”

Combining networking and security into one box means fewer boxes to fail. Running the service in the cloud means no boxes to fail. Either option means less power, less cooling, and fewer management headaches than traditional enterprise networking approaches.

Providing all of this as a single managed service, on a common platform, reduces the potential points of failure, the potential for feature dilution, and the chance that capabilities might not “translate” across the entire network.

No more second class

Organisations can now ensure a consistent, secure connectivity experience for their users, wherever they might be. This means workers in remote offices, or working at home, are no longer stuck in second-class citizen status, and the attack surface they may present is radically reduced.

When the question is ‘Do you have a hybrid working strategy?’ The answer will almost always be ‘No, but we are hybrid working’

This levelling up between remote and on-prem users informs iomart’s entire conversation with customers around SD-WAN and how the technology can enable digital transformation:

The rapid connectivity delivered by SD-WAN is arguably more secure than MPLS which does security through isolation rather than encryption. SD-WAN improves technical agility by allowing changes like bandwidth increases or traffic prioritisation to be made on the “overlay” or “orchestration layer”, leaving the rigid underlay to keep doing its job of passing data.

SD-WAN improves operational agility by moving users closer to the applications and services they need to get their job done, and removing the data centre or local hub from that journey.

“The primary thing iomart wants to know is what is it a business wants to achieve. So if businesses want to achieve ihybrid and remote working, then they will need some element of SD-WAN,” says Fallon.

Indeed one of the first questions is to establish the customer’s approach to hybrid working, he explains. “When the question is ‘Do you have a hybrid working strategy?’ The answer will almost always be ‘No, but we are hybrid working’.”

When scoping customer requirements, iomart works hard to establish how the business really operates, and designs the SD-WAN overlays accordingly,

“You can't separate the parts of your business and distinguish them if everything is literally just running over the internet. You do have places, you have rules that your business must follow. You have people that can do certain things on your network, and you have different locations that speak to each other. And different locations have different requirements,” Fallon says.

But this process also provides the starting point for considering a large set of questions about long term transformation requirements. For example, if the customer is using web-based services - perhaps application platforms such as Salesforce or simply web-based data protection services - this might prompt them to consider the removal of the data centre as part of transit. This in turn then might prompt the question of removing it altogether.

And if we’re really talking transformation, SD-WAN is likely to be supplemented by 5G before long, Fallon notes. “5G is going to put real confidence behind the move to not only internet-based service, but mobile-based service. It’s a robust alternative that provides access to the internet.”

But wherever the digital transformation conversation heads, security has to be considered along with connectivity throughout.

As Fallon says, “Security is no longer this thing that sits in a corner, it’s applied to everything you do. Every piece of IT you consume should have a security consideration.”

Sponsored by iomart.

Source: https://bit.ly/3CLvJvn