This post originally ran on LinkedIn.
Microsoft’s cloud-based application suite (Microsoft 365 or M365) provides all the regular apps for productivity such as Exchange, Word, PowerPoint, and Excel, and also includes online collaboration tools such as Skype for Business, Teams, SharePoint web-portal, and OneDrive. Microsoft 365 makes enterprise-wide licensing easier for CIOs to manage, and it solved the frequent and ongoing licensing issues that invariably cropped up during Microsoft license audits—mitigating these pitfalls justified the cost of the SaaS platform.
Seems like a great solution. Except . . .
No one mentioned bandwidth
Large enterprises traditionally have a central headquarters supported by branch offices. In legacy networking environments, all those locations connect to a single corporate network and link to a central private data center. The network architecture is a “hub-and-spoke” model that routes all data back into the data center via expensive MPLS backhaul links.
This all worked fine when desktop apps all lived on-premises (or on-device). Microsoft 365 lives in the cloud, and its enterprise adoption creates a surge in cloud-bound data traffic that requires a huge amount of bandwidth. In a legacy hub-and-spoke environment, data traffic flows from the branch offices to the data center over MPLS networks, then outbound through the data center security stack to Microsoft clouds hosting M365. It then has to double back through the inbound security stack back into the data center, then back out to branch offices. This multi-hop, multi-security-check route introduces huge amounts of latency and ruins M365 performance.
Remote workers send data on an even more convoluted journey: their M365 traffic originates from a VPN client and flows into and out of the data center via a linear stack of appliances including load balancer, distributed-denial-of-service (DDoS) security, firewall, VPN concentrator, intrusion prevention system (IPS), SSL decryption, data loss prevention (DLP), and/or advanced threat protection (ATP). Again, the latency inherent in the traffic route means that M365 performance decreases (often to the point of unusability).
This complex and extended linear-processing path can introduce latency that affects application performance. (Picture a single tollbooth on an eight-lane highway. At rush hour.) At any point in this chain, some glitch can occur that can obstruct throughput. Every IT team member has a story of getting roused out of sleep in the dead of night by a frustrated CEO who can’t VPN into the company network.
Now, no one is using the expensive M365 solution.
Agile DevOps requires constant communication
IT departments are turning to DevOps practices to increase the pace of application development to match ever-changing business needs and priorities. They’re hiring new people with new skills (Scrum masters, application architects, Agile developers, UI/UX resources, etc.) and building new cross-functional teams. IT is implementing new business functions and new technologies such as chatbot integration, robotic process automation (RPA), artificial intelligence, and machine learning. These integrations require engagement with outside startups, vendors, and contractors while planning multiple PoCs. It’s busy, multifaceted, and everybody must effectively communicate.
Adopting DevOps means constant enterprise IT collaboration. It involves cross-functional teams that include outside resources such as startups and consultants. This is a perfect use case for Microsoft 365 collaboration tools like Teams, SharePoint, and OneDrive. But Microsoft 365 performance—and in particular, M365 collaboration-tool performance—deteriorates with extended data travel (e.g., corporate-network backhauling coupled with destination-based security processing). This travel dramatically impacts user experience, leading some users to consider bypassing security to improve connectivity. (Many a CISO has blocked direct Microsoft 365 connections for that reason.)
A faster, more secure solution
Microsoft 365 generates more data traffic and consumes more bandwidth than its desktop counterpart application suite. If the corporate network and security stacks aren’t provisioned to handle it, performance degrades and users cannot use the tools.
SaaS applications are moving out to the cloud, but network and security appliances remain rooted in the data center. It’s an untenable model. It’s time to replace hub-and-spoke networks with direct internet connectivity, and move security appliance stacks out of the data center and distribute them at the edge of the cloud.
Zscaler Internet Access (ZIA) is a globally distributed, multitenant, cloud security solution that hosts enterprise security policies and allows users to connect to SaaS applications via direct internet connections, no matter where users or their devices are located. ZIA provides a one-click Microsoft 365 setup that handles the complex and ever-expanding set of IPs and domains used by Microsoft. Zscaler has a peering arrangement with the Microsoft 365 cloud in multiple data centers worldwide. Security is delivered inline, close to each user, eliminating backhauling and optimizing Microsoft 365 connectivity.
- A better Microsoft 365 user experience: Zscaler connects directly to the Microsoft cloud. In this way, Zscaler secures data traffic for all Microsoft 365 apps, including bandwidth-intensive collaboration tools like Skype. Optimized data connectivity means a better user experience with no latency and fewer “drops.” Users stay connected with the full suite of Microsoft 365 tools.
- Significant reduction in WAN costs: Internet traffic goes directly to the Microsoft 365 cloud, with no backhauling through the corporate network for remote access. This significantly cuts backhaul traffic costs and allows for Microsoft 365 traffic to move over broadband links. Sunsetting costly MPLS networks can reduce overall enterprise traffic and WAN infrastructure costs.
- Centralized security policy management: ZIA manages M365 access policies centrally, and pushes out changes to any point on the network. This helps reduce IT workloads related to IP and DNS changes across a host of security appliances.
- Microsoft 365 usage visibility: ZIA offers monitoring and logging of all Microsoft 365 activity across the enterprise (which can often help showcase platform benefits to management).
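To make concrete what "handling the ever-expanding set of IPs and domains" and "IP and DNS changes across a host of security appliances" involve, here is an added example (not Zscaler's or Microsoft's code). It takes entries shaped like Microsoft's published Microsoft 365 endpoint feed (the JSON served at endpoints.office.com), marks the Optimize and Allow categories for direct egress following Microsoft's published category guidance, answers whether a given destination may leave directly at the branch, and diffs two feed versions to produce the change set that would otherwise be pushed to every appliance by hand. The feed entries, prefixes (TEST-NET ranges) and hostnames are constructed placeholders, not real Microsoft values.

```python
"""Classify and diff Microsoft 365 endpoint feed entries (added example)."""
import ipaddress

# Constructed sample in the shape of Microsoft's endpoint feed
# (https://endpoints.office.com/endpoints/worldwide). Prefixes and
# hostnames are placeholders, not real Microsoft ranges.
FEED_V1 = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.example"], "ips": ["203.0.113.0/24"], "tcpPorts": "443"},
    {"id": 2, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["198.51.100.0/25"], "udpPorts": "3478,3479"},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.cdn.example"], "tcpPorts": "80,443"},
]
# A later feed version: one SharePoint entry was added (the "ever-expanding" case).
FEED_V2 = FEED_V1 + [
    {"id": 4, "serviceArea": "SharePoint", "category": "Allow", "required": True,
     "urls": ["*.sharepoint.example"], "ips": ["198.51.100.128/25"],
     "tcpPorts": "443"},
]

def route_action(entry):
    """Map the feed category to a treatment: Optimize and Allow egress
    directly at the branch; Default rides the normal inspected path."""
    cat = entry.get("category")
    if cat == "Optimize":
        return "direct-bypass"
    if cat == "Allow":
        return "direct-inspect-light"
    return "default-path"

def direct_prefixes(feed):
    """Collect validated IP prefixes that qualify for direct egress."""
    nets = set()
    for e in feed:
        if route_action(e) == "default-path":
            continue
        for cidr in e.get("ips", []):
            nets.add(ipaddress.ip_network(cidr, strict=True))  # rejects host bits
    return sorted(nets, key=lambda n: (n.version, int(n.network_address)))

def egress_for(dst_ip, feed):
    """True if a flow to dst_ip may leave directly rather than be backhauled."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in n for n in direct_prefixes(feed))

def feed_delta(old, new):
    """(added, removed) IPs/URLs between two feed versions: the change set
    an operator must push to every appliance that enforces the policy."""
    def flatten(feed):
        return {(kind, v, e["category"]) for e in feed
                for kind in ("ips", "urls") for v in e.get(kind, [])}
    a, b = flatten(old), flatten(new)
    return sorted(b - a), sorted(a - b)
```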
Zscaler gets Microsoft 365 applications (and users) working
SaaS offerings such as Microsoft 365 help remote workers collaborate. But legacy network and security architectures were never designed for cloud applications: network latency impacts Microsoft 365 user experience, and hardware-based security cannot easily scale to meet Microsoft 365 bandwidth demands. Zscaler optimizes Microsoft 365 performance with direct peering, and secures direct-to-cloud connectivity with no impact on user experience. This, in turn, adds value to any Microsoft 365 deployment and provides ample evidence for CIOs to justify their Microsoft 365 investments.