
Aruba EdgeConnect and Zscaler: Making SASE Work for You

By Derek Granath, Senior Director, Product and Technical Marketing

WAN and security transformation power a secure access service edge that maximizes the return on cloud investments.

As part of their digital transformation strategy, many enterprises are actively migrating applications to public cloud infrastructure and software-as-a-service offerings. Enterprise IT objectives and expected benefits of cloud migration include:

  • Increased agility
  • Higher application performance and availability
  • Improved application accessibility for users
  • Reduced data center footprint
  • Lower costs

Unfortunately, the transformational promise of the cloud often falls short of meeting these expectations. Why? Because traffic patterns have changed. They have changed not only due to the migration of apps to the cloud, but also in response to today’s work-from-anywhere world. Users now access applications from anywhere, from any device and across diverse WAN transports including residential broadband. IT has quickly come to realize that making incremental investments in their legacy routers and firewalls didn’t yield the desired outcomes. Traffic bound for the internet was still backhauled to the corporate data center, adding unnecessary latency and negatively impacting application performance. What’s required is a complete transformation of the wide area network, and this transformation has fueled the biggest evolution of the WAN in two decades: the software-defined wide area network or SD-WAN.

The combination of workers accessing business applications from home and remote locations (e.g. airports, coffee shops), along with the explosive growth of IoT devices is rendering the traditional enterprise security perimeter ineffective. Today’s cloud-first enterprise must arm workers with a security service solution that follows them wherever they go. As we’ve already seen, continuing to use a hub-and-spoke architecture, backhauling internet-bound traffic to the data center for advanced security inspection, results in a sub-optimal user experience. What’s needed is a complete transformation of security infrastructure, and this has driven the rapid adoption of modern cloud-delivered security services.

WAN Transformation + Security Transformation = Digital Transformation

Only by transforming both the WAN edge and security architectures can the full promise of the cloud be realized. In a report published in November 2019, Gartner proposed a new model called the secure access service edge, SASE for short. The model describes the integration of core WAN edge capabilities such as SD-WAN, routing and WAN optimization at the branch locations with a comprehensive array of cloud-delivered security services such as secure web gateway (SWG), firewall-as-a-service (FWaaS), cloud access security broker (CASB), zero trust network access (ZTNA) and more. A key design principle of SASE is the transformation from complex hardware-laden branches to thin branches with cloud-native security services. The promises of the SASE model are many:

  • Improved user experience through better application performance, achieved by breaking out cloud traffic locally over the internet from the branch
  • Operational efficiency by simplifying branch WAN infrastructure and through centralized orchestration of application, network and security policies
  • Reduced risk with consistent, always-up-to-date, business-driven security policy enforcement
  • Increased business agility by significantly reducing the time to bring new sites and applications online or to update application and security policies

But simply adopting any SD-WAN solution and cloud security offering is not enough to maximize the return on cloud investments described earlier. While those individual solutions might deliver on the application performance, availability and accessibility promises and enable shrinking the data center, that approach falls short of delivering increased business agility and lower costs. And it won’t address consistent security policy enforcement across all users, locations and devices to mitigate risk to the enterprise. What’s needed is fully automated orchestration of the WAN edge network functions and cloud-delivered security services. This is a 1 + 1 = 3 benefit for IT and the enterprise.

Aruba and Zscaler Automate Orchestration of Cloud-delivered Security

In 2019, Aruba and Zscaler launched an API-based integration for the Aruba EdgeConnect SD-WAN platform that fully automates the configuration of cloud-delivered security from a centralized orchestration point. From Aruba Orchestrator, IT can define and apply security policies to hundreds of sites in just a few minutes. Not only does the automation save significant time for IT, it also provides more consistent security policy enforcement by virtually eliminating human errors during the configuration process.

Fast forward to May 2020: Aruba and Zscaler introduced an enhancement that provides even finer granularity of application, user and device control. The new enhancement allows exceptions to general security policies to be enforced for sub-locations, or segments, within a branch. This is more easily understood with an example. ACME, Inc. might define the following set of policies:

  1. Enterprise traffic requires SSL inspection
  2. IoT devices accessing the network require SSL inspection but not user authentication, and
  3. Guest Wi-Fi access should not have SSL inspection enabled due to privacy concerns

With the new enhancement, SSL inspection will be enforced for all enterprise, cloud and IoT traffic, but not for traffic traversing the Guest Wi-Fi VLAN. Again, using Aruba Orchestrator, IT defines the policy exceptions for sub-locations and pushes them to all sites in a matter of minutes. Because each exception is keyed to a segment, the guest exemption is only as strong as the access control that places a device into that VLAN: any device that lands on the guest segment escapes inspection, so the VLAN assignment itself needs to be trustworthy.

Aruba and Zscaler have also introduced a new capability that improves the responsiveness of the network and the security service when a degradation or failure is detected. With this enhancement, each EdgeConnect appliance continuously monitors the end-to-end health of branch connectivity to the Zscaler service. The health check covers every element of the path, including the underlay network links, the IPsec tunnel and the Zscaler service itself. This comprehensive health check enables fully automated failover to secondary facilities when connectivity problems arise anywhere along the path from the branch office to the Zscaler security service. The point of checking end to end is that a tunnel can be up while the service behind it is not answering; a check that stops at the tunnel would keep steering traffic into a black hole.
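To make the difference between a tunnel-level check and an end-to-end check concrete, here is an added example (not EdgeConnect or Zscaler code) that evaluates constructed probe results for a primary and a secondary path and decides when to fail over. The probe fields, the 250 ms RTT ceiling, the three-strikes threshold and the path names are all assumptions for the example.

```python
# Added example: end-to-end path health and failover selection.
# Constructed probe data; not EdgeConnect or Zscaler code. The probe fields,
# RTT limit, failure threshold and path names are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class PathProbe:
    name: str           # e.g. "primary" / "secondary" service node
    underlay_up: bool   # WAN link carrying the tunnel is up and passing traffic
    tunnel_up: bool     # IPsec SA established, keepalives answered
    service_ok: bool    # probe sent through the tunnel got the expected answer
    rtt_ms: float       # measured round-trip time of that service probe

def tunnel_only_healthy(p: PathProbe) -> bool:
    """What a check that stops at the tunnel would conclude."""
    return p.underlay_up and p.tunnel_up

def path_healthy(p: PathProbe, max_rtt_ms: float = 250.0) -> bool:
    """End-to-end: every layer must pass, and a slow service counts as degraded."""
    return (p.underlay_up and p.tunnel_up and p.service_ok
            and p.rtt_ms <= max_rtt_ms)

def select_path(probes: List[PathProbe], current: Optional[str],
                max_rtt_ms: float = 250.0) -> Optional[str]:
    """Stay on the current path while it is healthy (no flapping); otherwise
    take the first healthy path in priority order; None means nothing usable."""
    healthy = [p.name for p in probes if path_healthy(p, max_rtt_ms)]
    if current in healthy:
        return current
    return healthy[0] if healthy else None

class FailoverMonitor:
    """Dampened failover: a path is abandoned only after `fail_threshold`
    consecutive failed end-to-end probes, so one lost probe does not move
    traffic. There is no automatic fail-back in this sketch; the active path
    is kept until it fails in turn."""
    def __init__(self, priority: List[str], fail_threshold: int = 3,
                 max_rtt_ms: float = 250.0):
        self.priority = priority
        self.fail_threshold = fail_threshold
        self.max_rtt_ms = max_rtt_ms
        self.active = priority[0]
        self.failures: Dict[str, int] = {n: 0 for n in priority}

    def observe(self, probes: List[PathProbe]) -> str:
        by_name = {p.name: p for p in probes}
        for name in self.priority:
            p = by_name.get(name)
            if p is not None and path_healthy(p, self.max_rtt_ms):
                self.failures[name] = 0
            else:
                self.failures[name] += 1   # missing probe counts as a failure
        if self.failures[self.active] >= self.fail_threshold:
            for name in self.priority:
                if self.failures[name] == 0:
                    self.active = name
                    break
        return self.active

# Constructed scenario: the primary tunnel is up but the service behind it
# is not answering; the secondary is fully healthy.
PRIMARY_BROKEN = PathProbe("primary", True, True, False, 40.0)
SECONDARY_OK = PathProbe("secondary", True, True, True, 65.0)

def demo() -> List[str]:
    """Three monitoring rounds against the constructed scenario."""
    mon = FailoverMonitor(["primary", "secondary"], fail_threshold=3)
    return [mon.observe([PRIMARY_BROKEN, SECONDARY_OK]) for _ in range(3)]

if __name__ == "__main__":
    print("tunnel-only view of primary:", tunnel_only_healthy(PRIMARY_BROKEN))
    print("end-to-end view of primary:", path_healthy(PRIMARY_BROKEN))
    print("active path per round:", demo())
```

In the constructed scenario the tunnel-only check reports the primary as healthy and would never fail over, while the end-to-end check moves traffic to the secondary after the third consecutive failed service probe.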

Aruba and Zscaler Collaborative Support

In addition to the new product innovations, Aruba and Zscaler have established a formal collaborative support process (CSP) to expedite direct engagement between the respective support organizations. The objective of the CSP is to accelerate effective resolution of any issues that might arise with the joint solution. Customers can initiate a support case with either company at any time, and both support teams have the ability to escalate directly to one another. This removes the burden from the customer and provides the fastest path to root cause identification and issue resolution.

Industry-leading WAN and Security

Together, the Aruba and Zscaler automated orchestration provides seamless WAN edge and cloud-delivered security integration, all managed from a central management system, Aruba Orchestrator (formerly Silver Peak Unity Orchestrator). Enterprises looking to adopt a SASE infrastructure require a “no compromise” WAN edge and security transformation strategy to realize a multiplier effect from their existing and ongoing cloud investments.

This blog was originally published by Silver Peak, which was acquired by Aruba, a Hewlett Packard Enterprise Company.