Author: Gary Dudbridge
Copyright Gary Dudbridge 2019
In my first two blog posts, we defined Secure Access Service Edge (SASE) as the convergence of networking and security into a single service that protects the IT end user wherever they are located, while letting the enterprise use circuits that need not be dedicated or private, with the resulting cost savings.
In this blog entry, we will look more at the security considerations as an organization looks to kick off their SASE journey.
Many of the conversations we are having today about SASE focus on the underlying hardware and software. Xalient's view is that SASE is not a single-vendor product but a set of best-in-class solutions, integrated via APIs, that can evolve over time with a focus on reducing the attack surface while still allowing secure access to the public internet.
Zero Trust Network Access (ZTNA) – At the heart of the SASE model lies ZTNA. ZTNA is an evolution away from the legacy VPN architecture, in which a user who had authenticated and established a VPN tunnel could then traverse the enterprise network largely unchallenged. Put simply, employees were trusted and outsiders were not. As the population needing access grew to include developers, contractors, interns and others, that model no longer provided adequate controls to protect the organization and its intellectual property against insider threats. Zero trust grants no implicit trust to anyone, employee or not: each user is given access only to the specific applications they have been explicitly authorized for, and every request is authenticated and authorized against policy.
Ideally, a ZTNA deployment rests on three identity capabilities: Identity and Access Management (IAM, sometimes written IdAM), Privileged Access Management (PAM) and Identity Governance.
ZTNA solutions make it easy to onboard new employees and contractors and grant them access only to the applications they need to do their job. When that employee changes roles, ZTNA lets their application access evolve with the new role instead of simply layering new software licensing costs on top of what was provisioned when they joined. And when the employee leaves, it gives the enterprise a clean way to remove their access. The public cloud providers are a good example. When an employee needs to spin up infrastructure, they are typically granted access to AWS, GCP or Azure through their corporate domain identity. If the enterprise does not revoke that access when the employee leaves, they can continue to create resources with their old domain credentials, leaving the enterprise exposed from a security perspective and on the hook for the cost of those resources. ZTNA gives the enterprise the controls to disable that access promptly when the employee departs; tying cloud entitlements to the federated identity, rather than to long-lived cloud-native keys, is what makes a single revocation effective.
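As an added example (not Xalient's or any vendor's code) of the joiner/mover/leaver control described above, the script below reconciles the cloud entitlements actually granted against the HR/IdP roster and each role's approved entitlements. It flags orphaned access still held by leavers, excess access left over from a role change, entitlements nobody has used for months, and gaps where a role has not yet been provisioned. The roster, the role-to-entitlement map and the entitlement names (aws:dev-deploy and so on) are constructed sample data; in practice they would be pulled from the HR system or IdP and from each cloud provider's IAM API.

```python
"""Joiner/mover/leaver reconciliation of cloud entitlements against the HR/IdP roster.

Added example, not Xalient's or any vendor's code. All data below is constructed:
a real deployment would pull the roster from the IdP/HR system and the granted
entitlements from each cloud provider's IAM API.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed mapping: which cloud entitlements each role is approved to hold.
ROLE_ENTITLEMENTS = {
    "developer": {"aws:dev-deploy", "gcp:dev-viewer"},
    "sre": {"aws:dev-deploy", "aws:prod-admin"},
    "contractor": {"gcp:dev-viewer"},
}


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    status: str  # "active" or "left"


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    last_used: date


@dataclass
class Findings:
    orphaned: set = field(default_factory=set)  # grant whose owner has left (or never existed)
    excess: set = field(default_factory=set)    # grant not justified by the owner's current role
    stale: set = field(default_factory=set)     # grant unused for longer than max_idle_days
    missing: set = field(default_factory=set)   # entitlement the role needs but is not granted


def reconcile(roster, grants, today, max_idle_days=90):
    """Compare granted entitlements with what the roster says each active user should hold."""
    active = {p.user: p for p in roster if p.status == "active"}
    held = {}
    findings = Findings()
    for g in grants:
        held.setdefault(g.user, set()).add(g.entitlement)
        owner = active.get(g.user)
        if owner is None:
            # Leaver (or unknown account) still holding cloud access: revoke first.
            findings.orphaned.add((g.user, g.entitlement))
            continue
        if g.entitlement not in ROLE_ENTITLEMENTS.get(owner.role, set()):
            # Mover who kept access from a previous role.
            findings.excess.add((g.user, g.entitlement))
        if (today - g.last_used).days > max_idle_days:
            findings.stale.add((g.user, g.entitlement))
    for user, person in active.items():
        approved = ROLE_ENTITLEMENTS.get(person.role, set())
        for ent in approved - held.get(user, set()):
            # Joiner or mover who has not yet been provisioned for the current role.
            findings.missing.add((user, ent))
    return findings


def demo():
    """Run the reconciliation over constructed sample data."""
    today = date(2020, 6, 1)
    roster = [
        Person("alice", "developer", "active"),
        Person("bob", "sre", "active"),
        Person("carol", "developer", "left"),      # leaver
        Person("dave", "contractor", "active"),
        Person("erin", "sre", "active"),           # mover: used to be a developer
    ]
    grants = [
        Grant("alice", "aws:dev-deploy", date(2020, 5, 27)),
        Grant("alice", "gcp:dev-viewer", date(2019, 11, 1)),   # unused for months
        Grant("bob", "aws:prod-admin", date(2020, 5, 31)),
        Grant("bob", "aws:dev-deploy", date(2020, 5, 29)),
        Grant("carol", "aws:dev-deploy", date(2020, 5, 30)),   # still used after leaving
        Grant("dave", "aws:prod-admin", date(2020, 5, 22)),    # contractor holding prod admin
        Grant("erin", "aws:prod-admin", date(2020, 5, 28)),
        Grant("erin", "gcp:dev-viewer", date(2020, 5, 20)),    # left over from developer role
    ]
    return reconcile(roster, grants, today)


if __name__ == "__main__":
    f = demo()
    for name in ("orphaned", "excess", "stale", "missing"):
        print(f"{name}: {sorted(getattr(f, name))}")
```

Orphaned grants are the ones to act on first, since the leaver can still create billable resources with them; excess and stale grants are the least-privilege clean-up that a role change or a 90-day review should trigger.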
Things to consider around ZTNA: can the underlying vendor support both on-premise and cloud-based applications? How many API integrations already exist, so that onboarding an application is a check-the-box activity rather than a large development effort?
Next-Generation Firewalls (NGFWs) – One of SASE's main premises is that end users should reach SaaS and cloud-based applications over the internet directly from the edge, rather than having that traffic backhauled over a private, dedicated network to an enterprise datacenter. For applications like Microsoft 365 or Salesforce, breaking out to the internet at the edge avoids the latency and cost of the backhaul. But how do you protect that end user when historically there may not even have been a firewall at the edge? Many SD-WAN vendors embed an NGFW in their physical or virtual appliances; others provide only a stateful firewall. A stateful firewall tracks connections but does not perform application identification, intrusion prevention or TLS inspection, which is what the NGFW adds. Where only a stateful firewall exists at the edge, it makes sense to steer internet-bound traffic through a cloud-based NGFW before it reaches the internet.
Cloud Access Security Broker (CASB) – A CASB is a security policy enforcement point, deployed on premises or in the cloud, placed between cloud service consumers and the public cloud service provider so that enterprise security policies are applied as cloud resources are accessed. In effect it lets an enterprise enforce its policies on any interaction with public cloud services and so reduce its threat surface. The right CASB will also ingest firewall and proxy logs to discover which cloud applications are actually in use, sanctioned or not. CASB allows an enterprise to enforce security, compliance and governance policies for cloud applications.
Secure Web Gateway (SWG) – A SWG protects an enterprise's end users from web-based threats and enforces the enterprise's acceptable use policies. Instead of the end user reaching a website directly, traffic is steered through the SWG, which performs URL inspection and filtering, malicious content inspection, web access control and other security policies before passing it on. SWGs allow an enterprise to block access to inappropriate websites, enforce security policies, and help protect data from unauthorized access.
As you can see, there are many things to consider from a security perspective as you begin the network transformation journey. Reducing the threat landscape is paramount as Cloud First strategies continue to evolve. The good news is that many solutions exist today that greatly reduce the attack surface for both premise-based and public cloud applications. No single vendor covers all of it yet, but with the right partners and the API integrations that already exist, you can greatly enhance your security posture, grant employees the application access they need to do their jobs, and provide secure network access using the tools described above. The right partner can help bring SASE-as-a-Service to life.
Xalient was ‘born in the cloud’ where rapid deployment and remote management of new software-defined networks, cloud-driven security, access and communication solutions are the norm. We’re independent of solution providers and carriers, so our clients have choice and we offer tailored, not standard solutions.
The COVID-19 pandemic took the world by surprise, no question. Just a few months ago, most organisations could not have imagined closing their operations down completely, switching their manufacturing from cars and designer clothes to respirators and face masks, or asking entire workforces to work remotely.
As organisations wrestled with drastically changing circumstances, many digital transformation programs were put on hold while a whole set of new and unprecedented challenges were tackled.
Nowhere has the pressure been felt more than within IT departments, with CIOs centre stage, tasked with making remote working happen as fast as possible so that their organisations could continue to function. The corporate network has never been under as much pressure as in recent months, when secure and reliable access to company resources has been absolutely critical to allow people to keep doing their jobs. Remote working brought with it the need for urgent and secure access to both cloud and datacentre resources, and to new video-based collaboration apps such as Skype, Teams and Zoom, all expected to operate seamlessly, at the quality we expect from our TVs, and all putting massive pressure on corporate networks and, importantly, on network security.
Many organisations reacted quickly, rolling out VPNs at scale, sourcing new collaboration and communication tools, and adding bandwidth to cope with new, exceptional levels of demand. At the same time steps were taken, from patching through to training, to ensure that organisations, their corporate assets and their employees, were not going to suddenly be at increased risk of cyber-attack. CIOs and their IT teams rose to the challenge and put in place many and varied measures to tackle this immediate crisis.
Post-COVID-19, time for long-term actions?
But what now? How do organisations get their technology transformations back on track in the new and different world that will undoubtedly emerge post-pandemic? Many of the solutions put in quickly may last, but for most organisations, they represent short-term fixes or sticking plasters that addressed the urgent, short-term need. Policies were often circumvented and security procedures less robust than usual as new solutions were put in place – all vital in the quest for speed and the even bigger need to keep organisations operating.
Priorities for businesses, and therefore for IT, are likely to be different now as we emerge. Boards are going to demand an even sharper focus on business continuity, security, and more than anything, will want cast-iron assurances that their organisations are well equipped, with the right technology solutions now in place for the long term, properly prepared for any similar crisis should it happen. And that in itself is now a much higher and more believable risk than any of us might have imagined just six months ago.
Time for Accelerated Transformation
We believe that for most organisations the aftermath of the COVID-19 crisis will represent an opportunity to re-start and then accelerate digital transformation, starting with networks. Applications were for most, already shifting to the cloud of course and that strategy certainly helped as remote working became the norm. But much more can and must be done at the network level to reduce corporate risk and meet this heightened demand for future preparedness.
Forward-thinking CIOs should take this opportunity to accelerate their transformation plans – and ensure that the right foundations for the future are put in place – by designing new, cloud-centred networks that are both flexible and secure, ready to adapt to any future circumstance. In the same way you wouldn’t build a house on a bed of sand, you wouldn’t build a business today on an outdated MPLS network, with security designed for traditional corporate locations and a datacentre world; you’d want the most flexible and secure network possible, designed for the cloud and adaptable for the future.
Software-Defined Solutions and Zero-Trust
By flexible we mean software-defined – dynamic and elastic, able to manage both huge volumes of data whilst maintaining high quality, able to cope with spikes in demand, with zero-touch provisioning, global consistency and full resilience. And by secure, we mean not only securing applications and business systems, regardless of where they reside, but also securing access to those systems. We firmly believe in the concept of zero-trust, a model that meets today’s need for trusted access from anywhere and any device regardless of location, with identity at its core – trusting no-one unless authenticated by policy-based access rules.
At Xalient we are experts in software-defined network and zero-trust security technologies which, when converged and delivered as a single cloud service, are increasingly known together as SASE (Secure Access Service Edge). We design, deliver and manage complete solutions that enable enterprises to operate in an agile, efficient and secure manner, ensuring, more important now than ever, that they are fully prepared for the demands and uncertainties of a 'post-COVID-19' world.
We work with large and complex organisations including major global brands. With our help, many of these innovative businesses are already reaping the benefits of our partnership and expertise. And that’s exactly why they were so well prepared when the pandemic hit: with the right software-defined network foundations and a zero-trust security posture firmly in place, they were able to meet the recent challenges, specifically those of safe, remote working at scale, rapidly and effectively.
We believe that the majority of organisations have passed the "react" phase of the COVID-19 challenge. Now, as they take time to reflect, reassess and plan for the longer term, we can help CIOs, CISOs and their teams. Our portfolio of solutions, ranging from SD-WAN to identity management, cloud security and unified communications, is perfectly suited to address many of the longer-term challenges they will be facing at this crucial time.
We bring expertise and experience of helping large and complex organisations, such as Kellogg’s, Keurig Dr Pepper, DWF, Govia Thameslink Rail and WSP, transform their networks and move to zero-trust; we also have very recent examples of how we’ve helped clients overcome specific challenges that have arisen as a result of the pandemic.
The time to act is now
Never has the time been more right than now to start rethinking those traditional network approaches that were designed for a datacentre rather than a cloud-centric world, to ensure reliable and resilient global connectivity, ultimate network flexibility and zero-trust security for your organisation.
Xalient is the trusted, independent, partner that can help you.
Security, performance, transformation: Solving the legal conundrum with a software-defined SASE foundation for the future
No law firm worth its salt is going to risk its reputation by failing to protect confidential and client information from the risk of a cyber-attack. To limit that risk, the temptation may be to keep your IT and networking infrastructure locked down, but that approach tends to be incompatible with the way law firms operate today, and is certainly not aligned with the post-Covid shift to long-term remote working and paperless offices.
Although protecting your firm and its information is a top priority, you’re doubtless trying to balance that requirement against an array of competing imperatives, such as rapid global expansion, rising M&A activity, mobile working and the digital transformation of your business, which inevitably involves an accelerating shift towards cloud-based apps and services.
If your current infrastructure is holding you back from achieving those aims — because of insufficient bandwidth, lack of flexibility, or out-of-date approaches to security — it’s clearly time for a rethink. If you’ve put in a series of fast fixes in recent months, VPN roll-outs for example, now is the time to rethink whether they’re suitable for the long haul.
Is your infrastructure fit for the future?
To assess whether your existing networking and security infrastructure is right for your firm now, and ready to support it into the future, ask yourself a few key questions:
If the answers to those questions don’t fill you with confidence, you could do what other law firms are doing: consider an alternative, coherent and cloud-based approach to networking, security and identity.
What’s the best way forward?
The best way forward resides at the intersection of three key technology areas: software-defined networking, cloud security and identity management. In mid-2019 Gartner coined the term 'Secure Access Service Edge', or SASE, for the convergence of wide-area networking and cloud-delivered security at the edge, reflecting the importance of these technologies as organisations accelerate their cloud journeys. Skilfully designed around your firm's operations and business priorities, this combination can accelerate your digital transformation agenda while delivering the agility you need to grow and the security capabilities you need for effective protection against attacks and threats.
Software-defined networking: underpinning transformation
Compared with the traditional MPLS WANs that have served many firms well over the past decade or so, a software-defined WAN (SD-WAN) offers many benefits that help to accelerate transformation, including:
Zero Trust: reduce cyber risk and simplify compliance
Traditional security models assume that everything inside your firm’s network can be trusted. But the sophistication of modern attacks and insider threats means this is no longer the case. For a security posture that’s fit for a cloud-enabled firm, consider a cloud-based, software-defined approach to managing your security perimeter.
The software-defined perimeter (SDP) goes beyond perimeter protection by supporting the zero-trust approach of ‘never trust, always verify’ — but without the cost and complexity of multiple firewalls, and without compromising the user experience. In addition, it integrates seamlessly with SD-WAN, protecting your firm all the way from your sites to the public internet.
In addition to SDP, law firms are embedding security information and event management (SIEM) solutions into their overall network security approach. By centralising log collection and automatically correlating events into alerts, a SIEM lets you spend less effort on spotting threats and more on remediating them. As well as helping you reduce the impact of any attack, the audit trail a SIEM retains helps you meet relevant industry and audit requirements.
Identity and access management: access made easy and secure
As your firm migrates towards the cloud, lawyers will increasingly expect secure, straightforward access to apps and information from any device or location. New starters need access to be productive quickly; equally, access for leavers needs to be promptly revoked to reduce the potential for fraud or data loss. Your challenge is to protect identities both within and beyond the firewall.
A cloud-based identity and access management system will help you do this efficiently and effectively by taking each employee’s unique identity as its foundation. Your firm will also benefit from:
Enhance security, accelerate transformation
With SD-WAN connecting your locations and providing dynamic bandwidth, cloud security simplifying secure app access via the internet, and identity management ensuring that individuals accessing apps are authorised to do so, your firm can confidently pursue its digital transformation, safe in the knowledge that its information — and therefore its reputation — are protected.
Because these solutions are designed for the cloud, they bring the benefits of flexibility, affordability, performance, speed and remote operation. In addition, they can work with your existing infrastructure in hybrid or full cloud scenarios. So rapid post-merger integration and cross-firm case collaboration are simplified, and the billability of your lawyers is maximised. And as all three technologies work together, they can be integrated into a seamless solution designed around your firm’s needs and ambitions.
Ready for the future? To find out more, or to request an exploratory meeting, call +44 (0)207 096 3100.
In the first part of my blog series, I provided some background on what Secure Access Service Edge (SASE) is – effectively, IT leadership teams are looking to provide their clients (IT end users) with ultimate mobility to work from home, coffee shops or a traditional office environment and to do so in a completely secure fashion. This has accelerated the melding of the traditional Network and Security teams into a single entity.
In this blog entry, I will look more into the traditional elements to consider, from a network perspective, as an organisation adopts SASE.
The majority of organisations I speak to day-to-day are looking to transform their traditional, expensive, dedicated network infrastructure into a blended model. Many have already adopted a Cloud-First strategy in which end users access cloud-based applications directly from wherever they are, rather than all traffic being transported across a traditional hub-and-spoke MPLS architecture to reach the internet. Applications like O365, Salesforce.com and Oracle Cloud can be accessed by the end user at the edge.
This allows IT organisations to “right-size” their expensive MPLS networks and eliminate the latency introduced to the end user by backhauling that traffic across the country/globe.
When going through a network transformation, it is imperative to understand the applications that are paramount to the end user’s success. For those organisations that are still heavily voice dependent – choosing an underlying SD-WAN partner with dynamic path selection, path conditioning and WAN acceleration capabilities is extremely important. We have seen this need accentuated now more than ever with the recent COVID-19 pandemic. Organisations are requiring their employees to work from home and tools like Skype for Business and Teams meetings are now more than ever the norm. Choosing the underpinning technology to support these requirements is paramount for an IT organisation.
It is also important to consider; does the technology have inherent next generation firewall (NGFW) capabilities? And can an IT organisation’s policies be easily applied to the SD-WAN environment, via a central orchestration management interface that provides full visibility into the network?
Lastly, it is important to consider scale. Many SD-WAN technologies are adequate, and certainly less costly, for small deployments; how much scalability matters depends on the number of locations in the transformation. Once the number grows beyond 10-15 locations, the underlying SD-WAN technology needs to be able to scale, and it is here, in that scalability or the lack of it, that a network transformation typically fails. In particular, the SD-WAN infrastructure must be able to support the number of tunnels a branch mesh requires, which grows roughly with the square of the site count.
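To make the scaling point concrete, here is an added example (not Xalient's or any vendor's code) that counts the overlay tunnels each edge device must terminate under a full mesh versus a hub-and-spoke design. It assumes the common SD-WAN behaviour of building one tunnel for every (local transport, remote transport) pair between two peered sites; the per-device tunnel limits passed to fits() are assumed values, so check your vendor's data sheet for its real tunnel model and limits.

```python
"""Overlay tunnel counts for SD-WAN topologies.

Added example, not Xalient's or any vendor's code. Assumes one tunnel per
(local transport, remote transport) pair between peered sites; device tunnel
limits are assumed inputs, not vendor figures.
"""


def full_mesh(sites, links_per_site):
    """Every site peers with every other site."""
    per_pair = links_per_site ** 2            # e.g. 2 transports each side -> 4 tunnels
    per_site = (sites - 1) * per_pair         # tunnels each edge device terminates
    total = sites * (sites - 1) // 2 * per_pair
    return {"per_site": per_site, "per_hub": per_site, "total": total}


def hub_and_spoke(sites, links_per_site, hubs=1):
    """Spokes peer only with the hub(s); hubs also full-mesh with each other."""
    per_pair = links_per_site ** 2
    spokes = sites - hubs
    per_spoke = hubs * per_pair
    per_hub = (spokes + hubs - 1) * per_pair
    total = hubs * spokes * per_pair + hubs * (hubs - 1) // 2 * per_pair
    return {"per_site": per_spoke, "per_hub": per_hub, "total": total}


def fits(plan, device_limit, hub_limit=None):
    """True if the busiest spoke and the busiest hub stay within their (assumed) tunnel limits."""
    hub_limit = device_limit if hub_limit is None else hub_limit
    return plan["per_site"] <= device_limit and plan["per_hub"] <= hub_limit


if __name__ == "__main__":
    for n in (12, 15, 50, 200):
        print(n, "sites, full mesh:", full_mesh(n, 2), "| 2 hubs:", hub_and_spoke(n, 2, hubs=2))
```

At 50 dual-homed sites a full mesh means 196 tunnels on every branch box, while two hubs reduce each spoke to 8 and concentrate the load where larger appliances sit; that is the trade-off to size before the site count, not after.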
One of the most elementary considerations in a SASE enabled environment is the ability to leverage the most prevalent and often least expensive network links at the edge where an IT organisation’s clients reside.
Partnering with a traditional network carrier runs counter to the basic SD-WAN premise: using whatever network links (broadband, ADSL, DIA, 4G, 5G) the local cable company, LEC or wireless carrier provides is what gives the ultimate flexibility. Choosing a traditional carrier to provide that flexibility can result in the carrier, looking to minimise write-downs of its existing revenue, offering solutions that do not always meet the end client's requirements. By maintaining a carrier-agnostic approach, an IT organisation can meet the bandwidth requirements of its users at the edge with SLA-backed network links at a fraction of the cost of a traditional MPLS network.
Typically, I have found that application performance for the end user improves significantly provided you are using the right SD-WAN technology over these less expensive network links.
Many prospects or clients are looking to outsource their network transformations. This ranges from SD-WAN management, SD-WAN and carrier management via letter of authorisation, or a fully managed environment that includes carrier selection and management in addition to the SD-WAN.
It is important for an IT organisation to look for a partner that understands its business drivers, applications and existing capabilities, and can use them to help define the managed service. That partner should understand the different underlying technologies as well, and be able to marry the two to achieve the desired outcomes. Be clear about the business drivers, how much involvement your IT staff want to retain, and whether your preferred partner can support the way you currently run the business (for example, ITSM integration).
Finally, I would recommend choosing an SD-WAN managed service provider who has a proven track record with global deployments, to meet any future international growth requirements.
In the next blog entry, I will look at the Security elements that when combined with the network elements above, provide a robust SASE environment that provides a Secure experience for your IT end users over a “right-sized” network infrastructure.
Many in IT are familiar with Software-Defined – Wide Area Networks (SD-WAN) or have significant investments in digital transformation. Originally coined by Gartner, SASE: Secure Access Service Edge is the simplification and convergence of wide area networking and security. Delivering both as a cloud service directly to where the end user resides, rather than bringing that traffic back and centralising everything at a corporate data centre level.
It is the convergence of Network and Security groups that is driving this newfound SASE requirement. SASE is driven by the need for mobility and flexibility for the end user, but it must equally secure the legacy hub-and-spoke architecture of a traditional MPLS network. Enabling the end user at the edge also improves application performance: the user reaches the nearest point of presence for the application, so latency is minimised compared with a traditional, centralised MPLS network, where all traffic is brought back to a single point (often across the globe) before it goes out to the internet.
With many enterprises embracing Cloud-First solutions (SaaS applications, hyperscale infrastructure, Office365 etc.), there is no need to route traffic back to the corporate datacenter over expensive, traditional MPLS networks. Instead, enterprises want end users to access the internet directly at the edge to reach those applications, reserving the more expensive network circuits for internal, self-managed applications. This means many clients can "right-size" their MPLS environments and, in many cases, replace expensive dedicated circuits with much less expensive broadband or internet circuits. But how do you ensure that those edge locations and end users are secure?
Cloud-based next generation firewalls (NGFW), or inexpensive but feature-rich NGFWs embedded in the SD-WAN appliances, can offer the same level of enterprise security as traditional premise-based firewall technologies. Identity and access management, Zero Trust, Cloud Access Security Broker (CASB) and Software-Defined Perimeter are additional security solutions that can be layered onto those edge circuits and end user devices to ensure that enterprises maintain a strong security posture. These technologies are cloud-based and scale easily, an important consideration for companies heavily involved in mergers and acquisitions or with dynamic application requirements.
SASE is a new acronym to many. As digital transformation and secure SD-WAN network transformations continue, IT's network and security teams will converge. Expect SASE to become an industry-accepted acronym.
In the next two blog articles, I will look more at the intricacies of the network and then the elements around Security in greater detail.
Dave McGrail, Principal Consultant, Xalient
One of the compelling reasons to switch from an MPLS network to a Software-Defined WAN (SD-WAN) is the affordability of access circuits. Internet access circuits are typically more cost effective, allowing some organisations to achieve notable savings, to increase performance by making more effective use of bandwidth, and to improve business continuity.
SD-WAN is also a game-changer for digital transformation and an enabler for using cloud services.
It changes the way you deliver internet breakout to your organisation. With a conventional WAN, internet breakout is typically centralised at a hub site, where a traditionally-monolithic security stack protects the organisation against cyber threats.
In contrast, SD-WAN can provide local internet breakout for each branch site. Users can enjoy a greatly improved experience when accessing cloud services, with none of the latency associated with backhauling to the hub.
Consequently, you cannot count on the centralised security stack for protection. You need to secure each local internet breakout point.
Historically, that would have demanded investment in security appliances at every site. For many organisations, especially those with large numbers of branch sites, this is not an economical option, nor does it scale with the increasing uptake of cloud services and web traffic.
Fortunately, there’s an alternative way to secure local internet breakout at the branch: shift to cloud-based security.
Advanced Cloud Security solutions tend to be those that were purpose-built as cloud platforms, rather than adapted from on-premises offerings. They leverage elastic scalability and benefit from utility-based consumption models that do away with capital investment.
Compared with onsite firewalls and security appliances, Cloud Security also offers additional benefits:
With a predominantly desk-based workforce, access to resources was typically controlled based on IP address or LAN segment. However, as mobility increasingly becomes the norm — especially with BYOD — this approach is no longer sufficient.
The protection provided by on-premise security doesn’t extend beyond the enterprise perimeter. Cloud Security solutions, however, deliver security policy where access to resources can be driven by not only network location, but also a user’s identity and device posture.
The policy follows the user, and provides protection that’s appropriate to the environment they’re in:
• Logging on from the office means less rigorous challenges for access and inspection.
• Logging on from a coffee shop means more access challenges (eg Multi-factor authentication) and more restricted access to sensitive data.
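The two bullets above are one policy evaluated against different context. As an added example (not Xalient's or any vendor's policy engine), the code below makes that decision explicit: entitlement and device posture are checked first, then the challenge is tuned to where the user is and how sensitive the application is. The application sensitivity labels, group names and posture signals are constructed; a real deployment takes them from the IdP, the MDM/EDR agent and the broker's own network detection.

```python
"""Context-aware access decision: the policy follows the user.

Added example, not Xalient's or any vendor's policy engine. Application
labels, group names and posture signals below are constructed.
"""
from dataclasses import dataclass

# Constructed classification of applications and the group entitled to each.
APPS = {
    "wiki": {"sensitivity": "low", "group": "staff"},
    "hr-portal": {"sensitivity": "high", "group": "hr"},
}


@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset          # groups asserted by the IdP
    network: str               # "corporate" (trusted office) or "internet"
    device_managed: bool       # enrolled in MDM
    device_compliant: bool     # posture: encrypted, patched, EDR running (assumed signals)
    mfa_satisfied: bool        # strong second factor completed in this session


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    step_up_mfa: bool = False  # prompt for MFA, then re-evaluate
    inspect: bool = False      # route the session through full content inspection


def evaluate(ctx: Context, app: str) -> Decision:
    """Order matters: entitlement and device checks first, then context-dependent challenges."""
    spec = APPS[app]
    if spec["group"] not in ctx.groups:
        return Decision(False, "not entitled to application")
    if spec["sensitivity"] == "high" and not ctx.device_managed:
        return Decision(False, "sensitive data requires a managed device")
    if not ctx.device_compliant:
        return Decision(False, "device posture out of compliance")
    off_network = ctx.network != "corporate"
    # Network location only relaxes the challenge for low-sensitivity apps; it never
    # replaces identity, and high-sensitivity apps always require MFA.
    needs_mfa = off_network or spec["sensitivity"] == "high"
    if needs_mfa and not ctx.mfa_satisfied:
        return Decision(False, "multi-factor authentication required", step_up_mfa=True)
    # Off-network sessions get full inspection; on-network low-sensitivity traffic does not.
    return Decision(True, "policy satisfied", inspect=off_network)


if __name__ == "__main__":
    staff = frozenset({"staff", "hr"})
    print("office/wiki :", evaluate(Context("ann", staff, "corporate", True, True, False), "wiki"))
    print("cafe/wiki   :", evaluate(Context("ann", staff, "internet", True, True, False), "wiki"))
    print("cafe/hr     :", evaluate(Context("ann", staff, "internet", True, True, True), "hr-portal"))
    print("byod/hr     :", evaluate(Context("ann", staff, "internet", False, False, True), "hr-portal"))
```

Treating the corporate network as a mild relaxation rather than a grant of trust is the zero-trust point: the office address lowers friction for a low-sensitivity application, but identity, device posture and MFA still gate the sensitive one wherever the user sits.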
Cloud Security solutions can also offer secure alternatives to traditional VPN-based remote access. Access is governed by a 'cloud broker' that mediates connectivity between the end user's device and the corporate resource. Both the device and the resource side make only outbound connections to the broker, which tunnels traffic between them, so the resource is never exposed to inbound connections from the internet.
On top of that, sophisticated Cloud Security solutions are starting to use AI and machine learning to protect organisations against zero-day threats.
Organisations adopting SD-WAN often begin their transformation with a gradual switch to internet access circuits, typically as their MPLS circuits contracts expire. But here’s the thing: as soon as you implement the first internet access circuit at one of your sites, your organisation’s security posture changes. The site is no longer reaching cloud resources via the central hub and security stack, but via local internet breakout.
Our recommendations are:
1. Think bigger picture – Plan for both network and security transformation as part of the process. Consider what other projects could be delivered through the adoption of SD-WAN and Cloud Security – eg UC and other cloud-migration initiatives.
2. Consider making security the starting point of your SD-WAN journey. Shift your security stack to the cloud and nail down identity and access management.
With Cloud Security and a solid Identity and Access Management platform/strategy, and the confidence that your organisation is protected by a robust and scalable security platform, you should be able to capitalise on all the benefits of SD-WAN — including reduced connectivity and cloud costs, higher quality collaboration and improved network performance/visibility.
According to IDC, over the 5-year period from 2017, it’s forecast that SD-WAN sales will grow at a 69% CAGR, hitting upwards of $8.05 billion in 2021. A third of all enterprises will be renegotiating contracts for WAN services within the next 3 years as existing agreements come up for renewal. Unsurprisingly, SD-WAN is now a key consideration amongst these decisions.
As the industry matures, two distinct SD-WAN delivery models have emerged: “managed overlay” offerings, that are deliberately disaggregated from the underlying transport, and more recently, “carrier-based” offerings. Within these two groups there are further important distinctions, but the crucial difference between the two is the ownership of the transport: is the SD-WAN service provider invested in the transport, or not?
These traditional telco companies have held the high ground with MPLS networks for a long time, with most large corporates locked into multi-year contracts. As MPLS loses favour and SD-WAN becomes the de-facto cloud solution for enterprise networking, carriers, albeit rather late to the party, are now offering SD-WAN and Hybrid WAN managed services too. And, not surprisingly, given the high levels of interest and adoption of SD-WAN, they are keen to hang on to their customers. Most have bought or designed their own SD-WAN products, so will typically offer one, or at best two, alternative technologies.
These companies, like Xalient, are the new kids on the block that have disrupted the marketplace and emerged to challenge traditional carriers – with the distinct advantage of being independent, ‘born in the cloud’ so with no legacy to worry about, no need to cannibalise existing contracts, and often with experience of successful SD-WAN deployments ahead of many of the traditional players.
A recent Gartner US-based survey showed that SD-WAN early adopters (of which the US has a much higher number than Europe to date) found that getting SD-WAN services from their traditional carrier didn’t actually deliver the highest returns – only 30 percent of respondents said they preferred SD-WAN delivery through a carrier or network service provider. So why is this?
The answer lies in the very essence of SD-WAN technology. It’s designed to meet the ever-increasing demands for bandwidth, the reducing reliance on private networks and associated increase in the use of the public internet, and to provide that connectivity at the best rate, wherever in the world it’s needed. It provides the ability to aggregate links from diverse carriers into a single WAN. This gives more choice than ever in how you can provision connectivity into a branch as well as paving the way to connectivity that is both redundant/resilient and affordable, in more locations, faster than ever before.
That means for a global enterprise it’s possible to have over 20 or so carriers at any one time, dynamically selected to match your organisation’s footprint and business demands. An MSP can select the best carrier based on cost, performance and outages and dynamically select which route to choose to get you from one point to another – without your knowledge or involvement. They manage this for you, taking out any complexity, manage migration from old to new contracts, and can take on management of existing MPLS contracts as many companies won’t want to move lock, stock and barrel to SD-WAN in one go. Transport savings can be made – something carriers are less incentivised to want perhaps? Transport, now disaggregated, becomes a commodity. A single carrier-based service can offer its own transport of course, and in a single seamless service, but you may find your carrier relies on resellers, for example, to supplement its network as it’s unlikely to have suitable high-grade connectivity in every location worldwide.
Well, it depends. If you’re a single country operation, with sites that match readily with local carriers, and have no plans to move outside of that territory, then transport may not be a consideration. It may be that you still want the other advantages SD-WAN delivers. If this is the case, can a ‘managed overlay’ partner, like Xalient, add value through its independence?
The answer is yes, it can. They can help you navigate the whole transformation journey, utilising deep knowledge of the solutions on offer and of the carriers’ marketplace, and guide you through the entire design, product and carrier selection, POCs, contracts, implementation and, finally, management of your new solution. Their independence sets these providers apart and enables them to build a customised global network solution and deployment path that’s right for each customer.
For global enterprises, the situation is fundamentally different. In our view, buying a global network service from a carrier, even a “modern” hybrid network with SD-WAN, if it’s attached to a commitment to buy private bandwidth or utilise a single carrier, will have its pitfalls. Primarily, enterprises need less private bandwidth than ever, yet demand more overall bandwidth than ever – being tied to a single traditional global carrier severely limits options. Where private bandwidth is needed, there are better ways to buy it.
The bandwidth market is increasingly dynamic. Using in-country broadband products allows the enterprise to tap into the constant price reductions and bandwidth increases that are available with these offerings. As new technology offerings become available (5G mobile for example) these can simply be swapped out of the underlay without impacting the network design.
So, if you’re a dispersed, global enterprise then the “managed overlay” provider route is compelling; allowing you to fully realise the benefits of SD-WAN whilst letting you still use private connectivity where it’s needed by leveraging carrier independent services. If you’re an in-country local organisation, all the benefits, other than those relating to multi-carrier transport, remain and are equally compelling.
Ultimately, having the ability to choose the best SD-WAN vendor to meet requirements, without being restricted by the carrier’s offering will offer all companies the best commercial and technological advantage.
One of the greatest challenges facing large multi-site organisations in the construction and engineering sectors, when it comes to implementing new locations, is the lead time it takes to get a site up and running and connected to the corporate network. Add to this the challenges of providing enterprise-grade connectivity to enable access to data-heavy and cloud-based applications. Waiting weeks or even months for a fixed-line connection has, in the past, brought unwanted delays and ultimately additional project cost.
The answer to these challenges now lies in the clever application of SD-WAN technology – and it’s already transforming business performance in the construction and engineering services industries, unlocking what we’ve seen until now as unrealisable productivity and cost gains. When integrated with 4G, it negates the costs of using expensive MPLS leased line services, adds a whole new level of security to your network and, through a managed service, can offer a whole new level of actionable, real-time performance monitoring.
If these challenges are facing your organisation, then the time is right for you to look seriously at SD-WAN technology – when it’s skilfully deployed and managed, it really is a game changer.
At Xalient, where we specialise in managed SD-WAN services, we’re seeing clients’ businesses benefit significantly and fast – delays and frustrations are gone, full access to video and voice can happen regardless of location, corporate cloud-based apps can be accessed readily direct to site and costs of MPLS lines removed. And, most importantly for this sector, new sites can be commissioned and decommissioned in just hours rather than the typical weeks and months that our clients had previously experienced.
Read on to learn more about the feature-rich technology below or contact Xalient to hear how you can reap the SD-WAN benefits for your company.
Path Conditioning: Provides private-line-like performance over the public Internet. Includes techniques to overcome the adverse effects of dropped and out-of-order packets that are common with broadband Internet and MPLS connections to improve application performance.
Tunnel Bonding: Configured from two or more physical WAN transport services, bonded tunnels form a single logical overlay connection, aggregating the performance of all underlying links. If a link fails, the remaining transport links continue to carry all traffic avoiding application interruption.
Dynamic Path Control (DPC): Real-time traffic steering is applied over the 4G connection according to company-defined policies that express business intent. In the event of an outage or brownout, DPC automatically switches over to a secondary connection.
QoS Policies: As per traditional routers and WAN architectures, all of the usual queueing techniques are available to ensure traffic is prioritised in an appropriate manner.
Virtual WAN Overlays: The SD-WAN solution is built upon an application-specific virtual WAN overlay model. Multiple overlays may be defined to abstract the underlying physical transport services from the virtual overlays, each supporting different QoS, transport, and failover characteristics. Applications are mapped to different overlays based upon business intent. Virtual WAN overlays may also be deployed to extend micro-segmentation of specific application traffic from the data center across the WAN to help maintain security compliance mandates.
WAN Hardening: Each WAN overlay is secured edge-to-edge via 256-bit AES encrypted tunnels. No unauthorized outside traffic can enter the branch. With the option to deploy the solution directly onto the Internet, WAN hardening secures branch offices without the appliance sprawl and operating costs of deploying and managing dedicated firewalls.
Application Visibility and Control: The SD-WAN device identifies applications on the first packet to deliver SaaS and trusted web application traffic directly to the Internet while directing unknown or suspicious traffic to the data center firewall or IDS/IPS. First-packet application identification is especially important when branches are deployed behind Network Address Translation (NAT); the correct path must be selected based on the first packet to avoid session interruption.
Internet Breakout: Intelligently steer trusted Internet-bound application traffic from the branch directly to the Internet, eliminating inefficient backhaul of all HTTP traffic to the data center. First-packet application identification directs other applications and unknown traffic to corporate security firewall and IDS/IPS services.
Stateful Firewall: An extension of WAN hardening, the stateful firewall integrated with the SD-WAN device ensures no unauthorized outside traffic can enter the branch, while branch-initiated sessions are allowed, enabling secure Internet Breakout.
Routing: The solution supports standard Layer 2 and Layer 3 open networking protocols such as VLAN (802.1Q), LAG (802.3ad), IPv4 and IPv6 forwarding, GRE, IPsec, VRRP, WCCP, PBR, BGP (version 4).
Cloud Intelligence: Real-time updates on the best performing path to reach hundreds of Software-as-a-Service (SaaS) applications, ensuring users connect to those applications in the fastest, most intelligent way available.
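The Stateful Firewall and Internet Breakout behaviour described above, written out as an added nftables ruleset for a Linux branch edge so the policy can be read line by line; this is an illustration, not the vendor's product configuration. The interface names lan0, wan0 and sdwan0 and the trusted-SaaS address ranges are assumptions, and a destination-address set stands in for the appliance's first-packet application identification.

```nft
#!/usr/sbin/nft -f
# Added illustration: branch-edge stateful firewall with local internet breakout.
# Assumed interfaces: lan0 (branch LAN), wan0 (broadband underlay),
# sdwan0 (encrypted overlay tunnel to the data centre). Not vendor configuration.
flush ruleset

table inet branch_edge {
    # Constructed placeholder list of trusted SaaS destinations that may
    # break out locally; everything else is sent over the overlay tunnel.
    set trusted_saas {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }   # documentation ranges
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to branch-initiated sessions are allowed back in (stateful).
        ct state established,related accept

        # Packets that belong to no known session are discarded.
        ct state invalid drop

        # Trusted SaaS traffic breaks out directly to the internet.
        iifname "lan0" oifname "wan0" ip daddr @trusted_saas ct state new accept

        # Unknown or untrusted traffic travels over the overlay to the DC firewall/IDS.
        iifname "lan0" oifname "sdwan0" ct state new accept

        # Any other LAN attempt to reach the internet directly is logged and dropped,
        # so nothing bypasses the data-centre security stack.
        iifname "lan0" oifname "wan0" log prefix "branch-breakout-denied " drop

        # Unsolicited inbound from the internet never reaches the branch
        # (logged here; the chain policy drops it).
        iifname "wan0" log prefix "branch-inbound-denied " drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Locally broken-out sessions are masqueraded behind the WAN address.
        oifname "wan0" masquerade
    }
}
```

Loading it with `nft -f` on a test host and watching the two log prefixes shows directly which flows broke out locally, which were backhauled, and which were refused.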
Sherry Vaswani, Chief Executive Officer and founder of Xalient recently shared her top 5 tips for success to female entrepreneurs at a WeConnect event.
I started my first business, Worldstone, in 1994, not long after graduating. 17 years later we sold it to a major telecoms player. I learned so much during that journey – about myself, business, leadership – that I couldn’t wait to do it all again when, 3 years ago, I founded Xalient Group, a provider of network services to a fast-growing global customer base.
So what were the most important lessons? Here’s my top 5:
And, once you’ve built your business, use your knowledge and experience to mentor and advise other female entrepreneurs. Giving back in this way is so rewarding and you’ll never stop learning and growing.