The internet is disrupting industries and business models, fundamentally changing the way we live and work in the process. The cloud has also ignited a wave of disruption, which when considered in conjunction with the proliferation of mobile devices, has rendered traditional network and security best practices obsolete.
Indeed, as the workplace of the future moves into view, driven by ever-increasing user demand for flexible access to data and applications — regardless of where they are kept and from which location or device they are accessed — more businesses are embarking on digital transformation initiatives than ever before. According to McKinsey, cloud spending is expected to grow at more than six times the rate of general IT spending through 2020. The emergence of cloud computing as a viable and practical means of delivering apps, servers, desktops, and other core IT components has the potential to change everything for businesses—for the better.
However, these changes also necessitate a change in network architecture. Traditionally, organisations stored their data and applications in a central data centre, and most user traffic was destined for that data centre. Organisations relied on a “hub-and-spoke” architecture whereby remote offices were connected back to the central office (data centre) and all network traffic flowed into and then out of the central office. Today, with companies hosting their data and business applications in the cloud, and users becoming increasingly mobile, the majority of corporate traffic is internet bound. It would be entirely inefficient to channel all of the network traffic to a central office only to send it out to the cloud, then have the response return to the central office before being sent back to the remote office or mobile device.
Networks: A brief history
Back in the nineties, branch offices were connected to the central office hub via dedicated connections such as frame relay circuits. With the frame relay model, the remote office had no means of reaching networks outside of the central office. This approach provided the central office complete control in monitoring, securing, and managing communications.
On the flip side, frame relay limited how far from the central office the remote office could be located and introduced significant latency into the communication. It also represented a single point of failure: if the spoke connection went down, the remote location was left stranded. The cost of implementing and maintaining this infrastructure was substantial. Between the cost of the solution, the single point of failure, and the development of new technologies, direct point-to-point connections such as frame relay have been superseded in most organisations.
With the advent of the internet and public networks, frame relay gave way to Multiprotocol Label Switching (MPLS). MPLS allowed for much “smarter” network management and gave remote offices the ability to communicate with others outside of the central office. MPLS could be used to leverage frame relay as well as other protocols to deliver point-to-point connectivity across a variety of networks. It was much more flexible, redundant, and scalable than single point-to-point protocols.
However, while providing many benefits, MPLS was not any cheaper than single frame relay, ATM, or any number of other protocols in use. Perhaps more importantly, the ability of remote offices to communicate without routing through the central office introduced new issues due to lack of control. As a result, ensuring security and compliance with corporate policy across all offices and users became much more complex.
Another innovation addressing the remote office connectivity dilemma was VPN technology. An IPsec VPN allowed the remote office to have direct internet access while being able to “tunnel” to the central office when required, by creating an encrypted point-to-point connection over the public internet. VPN was less costly than MPLS and far less complicated. However, it posed quality-of-service challenges and required more network horsepower for encryption. Moreover, like MPLS, it gave the remote office the opportunity to connect to the outside world without routing through the central office, thereby introducing security and oversight concerns.
The hub-and-spoke model is broken
As branch and satellite offices become more distant, and more and more employees use mobile devices to access corporate data from outside the office, backhauling to the central office via MPLS, VPN, or direct connectivity has become too burdensome and expensive. Latency is a real obstacle to doing business at today’s high velocity. And a poor user experience just encourages employees to circumvent corporate procedures.
As mobility and cloud technologies become the norm, network architecture must effectively support remote and mobile users without compromising on performance or security. The rapid transition has left CIOs and CISOs with the unenviable task of enabling their organisation to embrace all the new opportunities while retaining control of security and reducing costs. As a result, we’re seeing the traditional hub-and-spoke model give way to a direct-to-cloud approach, whereby networks enable users to access the internet and cloud applications from anywhere, anytime, using any device, while ensuring security and compliance with corporate policies and providing IT administrators complete visibility and control over user traffic.
Networks were designed to connect users to apps in the data centre, and perimeters were then built around networks to keep those users and apps safe from the outside. But with apps moving to the cloud, and users connecting from everywhere, the perimeter is long gone. It is therefore time to decouple security from the network and use policies that are enforced wherever apps reside and wherever users connect. Put simply, as applications move to the cloud, security needs to move there as well. After all, the internet has become the new corporate network, and if you don’t own and can’t control the network, how can you secure it?
- - - - - - - - - - - - - - - - - - - - - - -
Yogi Chandiramani is Technical Director for Zscaler EMEA