Security inhibits digital transformation

There are challenges associated with appliance-based security and the security gaps it struggles to address, says Stuart Hardy, director at Accelerate, Zscaler’s partner for Africa.

Johannesburg, 27 Jan 2020

The world has changed…

The new objective is digital transformation: how companies leverage cloud and the network to lower costs, improve user experience and drive simplicity.

The benefits are clear. Business application deployment is a process that can take either several months (ordering hardware, shipping, racking, loading the OS, deploying applications) or just a couple of hours if opting for a service through IaaS and PaaS, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform. Companies are nimbler, more focused and more cost-efficient with cloud application delivery.


Network transformation was developed to embrace the new world of cloud by leveraging the Internet as opposed to expensive MPLS, which historically was built to access applications located within your network. Transformative companies like Aryaka and VeloCloud built their SD-WAN networks with cloud as the centre point, which removes the need to backhaul to a DC, improves SaaS performance and reduces MPLS costs. Companies can now deploy new sites in days as opposed to months, and reduce their network costs by 50% while improving the user experience.

But the gains from application and network transformation are undone when companies fail to transform their security. The legacy castle-and-moat architecture, used by customers for the last two decades, is still in play today and breaks the benefits and design of cloud and SD-WAN, because all traffic has to be backhauled to the on-site centralised gateway before security processes can be applied. Why then are companies so slow to transform their security?

Cloud security allows organisations to decentralise and uplift security processes to the cloud, removing the need for on-premises security appliances in favour of security everywhere, in exactly the same way you would move an application from your DC to AWS or Azure.

However, unlike AWS and Azure, cloud security automatically distributes your security to hundreds of enforcement locations around the world, ensuring low latency regardless of where your branch or user is.

“This shift is key as digital business and edge computing have inverted access requirements, with more users, devices, applications, services and data located outside of an enterprise than inside” – Gartner Secure Access Service Edge (SASE).

The question is why companies continue to maintain their security services within the DC when the applications, users and data are increasingly outside the trusted network.

Castle-and-moat security architectures remain the most common design for large organisations, even when considering SD-WAN, due to the complexity and cost of decentralising a comprehensive security stack. But with a growing mobile workforce, threats easily find their way back to the corporate network by targeting users and resources that no longer sit in the trusted WAN.

Network IT is grappling with the reality that 1 000 mobile users in real terms means 1 000 Internet break-out points into the corporate network. Addressing this requires a fundamental change in security architecture, from the DC to the endpoint. Today's security needs to follow the user regardless of location, device or network, without impacting the end-user's experience.

To deal with this new reality, organisations are attempting to force the user and the SD-WAN branch to trombone through the DC, where security resides, before going out to the Internet. While this works in theory, it does not scale, and it adds latency, removing the performance gains expected from application and network transformation.

Gartner's SASE model advocates that security will have to shift from the network to the endpoint. As a result, security processing will have to shift into the cloud – the same location where you will find your users and your applications.

Today, a true cloud security offering like Zscaler provides a mature and comprehensive security capability that can replace an organisation's complete DC security footprint. Its key differentiator from castle-and-moat security is its ability to adapt seamlessly to your application and network strategy all the way down to the user, without affecting the performance of the network or the user's machine.

Imagine a world where your user leaves the corporate network, and the traffic leaving their machine destined for the Internet is automatically forwarded to cloud security services, where all the processes you had in the DC are applied. All this without affecting the performance of the endpoint, which is only responsible for routing. That's cloud security.

A very sad statistic in the SD-WAN market is that 70% of large companies with hundreds of distributed sites are using SD-WAN to backhaul all branch traffic to the DC (including O365). The main reason is that security sits in the DC, as it is too expensive and complex to decentralise. That means a branch in Cape Town has to route back to the Johannesburg DC to reach an application. The same application would be 40ms faster if it was reached over direct Internet break-out. Backhauling also doubles the cost of Internet.

Cloud security, as outlined in Gartner's SASE model or the emerging Zero Trust model, is designed to overcome these challenges.

If the myths around 5G bandwidth performance are to be believed, companies should be concerned that their DC and security stack will become the inevitable bottleneck for their branches and users. In fact, individual users on mobile 5G could have more bandwidth available to them than whole organisations have through a centralised Internet break-out at the DC.

To leverage this opportunity and get lightning-fast access to applications that sit in private and public cloud, you need to avoid backhauling at all costs.

Cloud security carries the same inevitability that cloud application delivery now does: both are an unavoidable future.

By the time customers have moved all their applications to the cloud, it will become increasingly apparent that their entire reasoning for building a WAN has collapsed. WANs were built to connect branches to applications that sat in the network, as they still do today in almost all cases. But when there are no more applications in the network, the WAN will have lost its function.

All that will remain is a security framework that will help customers and partners determine which users have the authority to connect to which applications.

For more information, contact Stuart Hardy or go to www.acceleratesp.co.za
