A Cloud-First Strategy—Cloud Security & SD-WAN
Cloud security + SaaS performance, agility and control
Imagine a global engineering services company based in Europe with 200 locations requiring cloud connectivity and security.
It’s essential that its business model be consistently replicated everywhere, and employees—mobile and remote—work together reliably and effortlessly. Legacy solutions for networking and security in over 200 locations no longer make sense in a cloud-paced world. They’re rigid and cumbersome to maintain and cannot cost-effectively access, accelerate or secure apps and data when workers are constantly “on the road” or in remote locations.
The goal of going datacenter-less, or deciding to adopt a cloud-first strategy, is no longer an unusual choice. According to Gartner’s “Predicts 2017: Cloud Computing Enters Its Second Decade,” by 2020 anything other than a cloud-only strategy for new IT initiatives will require justification for 30% of organizations.
These cloud-first businesses need a novel, extremely easy way to embrace and connect to cloud and SaaS applications in a secure fashion. When businesses choose cloud-enabled networks and SD-WAN, a cloud-delivered security architecture, in many cases, is also the best possible choice. What businesses need then is a unified networking fabric and orchestrated services, including security. They must move away from device-centric technologies and their taxing CLI-coding. They require network-wide and automated systems that can deliver the rapid change management needed by those far-flung workers.
In the global economy today, 60-90% of all traffic is destined for the Internet, a network the business does not control. Digital transformation is driving cloud adoption, and the era of hybrid IT is being transformed and, in many cases, rapidly outmoded. Cloud-first strategies are fast becoming cloud-only IT.
What did the global engineering company decide to do with its legacy networking? This company decided to become a cloud-first business with Riverbed SteelConnect for SD-WAN and Zscaler for direct and secure access to the Internet and SaaS.
What does it mean to be cloud-first?
To be cloud-first, you are ready to move or are already moving your apps and data across the Internet, which has become your networking backbone, rather than across MPLS networks. Online app services like GoogleApps, Box or O365 Online are now pervasive in your environment, and connectivity to Amazon Web Services and other clouds is a must for users. And cloud is not just an application strategy; it now includes app delivery, networking and security.
Riverbed SD-WAN: The perfect fit for a cloud-first strategy
Riverbed SteelConnect is a cloud networking solution that delivers the agility you need to be a cloud-first business.
It provides a unified connectivity fabric that spans your wireless and wired LAN, WAN and cloud—all managed through a central cloud console with a cloud-centric workflow that allows you to easily set policies and orchestrate services based on your business needs. The solution is full featured with integrated WAN Optimization for application latency and integrated, industry-leading, end-to-end network and application visibility.
SteelConnect SD-WAN empowers a cloud-first strategy. SteelConnect helps your business to:
- Offload MPLS to the Internet with an automated IPsec tunnel to save bandwidth costs and achieve total control and visibility over the SD-WAN
- Use local or regional Internet breakouts to maximize SaaS security and secure the user experience
- Mitigate latency and lack of control through cloud-based optimization and visibility
- Enable local or regional direct access to IaaS to optimize user experience
- Enable LAN to WAN to cloud unified network segmentation
- Align your network to DevOps and other business initiatives
With SteelConnect SD-WAN, businesses have different ways of handling SaaS traffic and security:
- Treat SaaS traffic like any other Internet traffic and direct it to one or more centralized or regionalized Internet breakouts. There the traffic is inspected using the company’s standardized security chain before being delivered to the Internet
- Use local Internet breakouts, where the Internet traffic on a given site exits directly to the Internet. There the traffic is inspected using either the standard security chain replicated on site or a simplified security chain that blocks all inbound traffic and focuses on outbound traffic
- Add to local breakouts the ability to use cloud-based security solutions, such as that of our partner Zscaler
The Zscaler cloud security platform was purpose-built as a multi-tenant architecture and is designed for performance and scale, with a focus on maintaining user privacy. Zscaler provides security as a cloud service, with cloud sandboxing, cloud firewall, data loss prevention (DLP), and more. There are no on-premises security appliances, which eliminates the IT cost of maintaining appliances at the edge. You simply need to redirect Internet-bound traffic to Zscaler to instantly secure branches and remote locations. Located between users and the Internet, Zscaler inspects every byte of traffic, even if it’s encrypted or compressed, and users are secure wherever they connect.
When you combine Riverbed SteelConnect and Zscaler, the resulting architecture simplifies the branch by eliminating the complexity of traditional routing operations and security appliances. In addition to WAN optimization and integrated visibility, SteelConnect provides easy traffic steering and network path control, application and user identification, centralized policy management, local network services such as DNS and DHCP, and a perimeter firewall with VPN and NAT capabilities.
Thus, with SteelConnect at the branch, outbound traffic can flow across the best available network, including low-cost Internet connections. You can also direct traffic flow on an application-by-application basis. By establishing a secure IPsec tunnel between Zscaler and SteelConnect, you can route Internet-bound traffic to Zscaler to inspect, secure and protect your data.
With a “Single-Z-Click” within SteelConnect Manager, you can easily discover and connect to Zscaler’s robust security offering, including:
- Threat prevention: Malware Detection, Sandbox, Content Scrubbing
- Access control: Next Gen Firewall, URL/DNS Filtering, Bandwidth control
- Inline data protection: Data Loss Prevention (DLP), Cloud Access Security Broker (CASB)
- Acceptable use policy enforcement, other InfoSec Compliance Requirements
SteelConnect makes cloud security easy
Most importantly, for easy access to Zscaler’s cloud-delivered security, SteelConnect provides a dedicated secure Internet breakout capability for Zscaler that abstracts away the complexity of connecting to the cloud security service.
- This capability first automates the association between sites and Zscaler data centers. Hundreds of branches can be configured to connect to Zscaler’s distributed footprint in just a few clicks. SteelConnect measures latency when the tunnels between sites and Zscaler data centers are set up and dynamically selects the optimal association for each site. The solution also supports an HA setup in which an automated failover is performed in case of failure.
- The connection between SteelConnect and the Zscaler data center uses IPsec directly from the SteelConnect gateway. In that approach the SteelConnect gateway often acts as the perimeter next-generation firewall: it blocks all inbound traffic and tunnels outbound traffic toward the Zscaler data center. Such a setup is an extremely streamlined, yet state-of-the-art, implementation of branch security.
- The SteelConnect–Zscaler integration is compatible with SteelConnect’s business-intent policies, which makes per-application security easier to implement. Business policies based on Layer 7 rules using SteelConnect First Packet DPI can be set in the intuitive management console to decide which traffic must go to Zscaler and which traffic is either backhauled or sent directly to the Internet.
One of SteelConnect’s unique differentiators is the combination of First Packet Deep Packet Inspection (DPI), gateway-based IPSec service chaining and end-to-end, user-based network segmentation—for handling SaaS application security and Internet routing.
Today, per-application selection of Internet-bound traffic can be done only with ACLs (rather than classic DPI techniques) that rely on lists of IP addresses associated with selected SaaS or Internet applications. Classic DPI techniques do not work here, because at least 3 packets of a given flow are required to dynamically recognize the Internet application behind the flow, and it is not possible to wait 3 packets and then “take back” an Internet-bound flow from its default initial path. While ACLs are preferable for this reason, they also limit the ability to manage Internet-bound traffic at a granular level.
SteelConnect solves this challenge with its First Packet DPI technology, which uses smart DNS querying and caching. Internet-bound applications are identified from the very first packet, and Layer 7 policies can be applied to decide where each application should go: backhauled to a central breakout, directed to cloud security, or directed locally. SteelConnect also provides end-to-end, user-based network segmentation, enabling secure identification of users and things, the ability to segregate traffic into secured segments by application and user criteria, and consistent segmentation policies across LAN/WLAN, WAN and cloud.
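The first-packet steering idea above can be modeled in a few dozen lines: the gateway records the DNS answers it sees (name, address, TTL), maps the destination address of a new flow’s first packet back to a name, classifies that name into an application, and looks the application up in a business-intent policy to choose a path. The example below is added here for illustration and is not Riverbed or Zscaler code; the cache layout, the application labels, the path names (“direct”, “backhaul”, “cloud-security”), the static ACL prefix list and all addresses (RFC 5737 documentation ranges) are constructed assumptions. It also shows the two failure modes a defender cares about: an address the cache has never seen, and a cached entry whose TTL has expired, both of which fall back to the inspected path rather than to a direct breakout.

```python
"""Toy model of DNS-cache-driven first-packet application steering.

Added example, not vendor code. All names, policies and addresses are
constructed for illustration.
"""
import ipaddress
import time

# Constructed DNS answers observed by the gateway: (name, address, TTL seconds)
SAMPLE_DNS_ANSWERS = [
    ("outlook.office365.example", "192.0.2.10", 300),
    ("app.box.example", "198.51.100.70", 300),
    ("news.unknown.example", "203.0.113.20", 60),
]

# Constructed mapping from DNS name suffix to application label
APP_BY_SUFFIX = {
    "office365.example": "Office 365",
    "box.example": "Box",
}

# Constructed business-intent policy: application -> path.
# Anything not matched goes to DEFAULT_PATH, i.e. through cloud inspection,
# so an unclassified flow is never sent out of a local breakout uninspected.
POLICY = {
    "Office 365": "direct",
    "Box": "cloud-security",
}
DEFAULT_PATH = "cloud-security"

# Constructed static ACL of the kind the text contrasts with First Packet DPI:
# only addresses already on the list can be steered per application.
ACL_PREFIXES = {
    "Office 365": [ipaddress.ip_network("192.0.2.0/28")],
}


class DnsCache:
    """Reverse cache: resolved address -> (name, expiry time)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable for deterministic tests
        self._by_ip = {}

    def learn(self, name, address, ttl):
        key = ipaddress.ip_address(address)
        self._by_ip[key] = (name.lower().rstrip("."), self._clock() + ttl)

    def lookup(self, address):
        """Return the cached name for an address, or None if unknown/expired."""
        key = ipaddress.ip_address(address)
        entry = self._by_ip.get(key)
        if entry is None:
            return None
        name, expires_at = entry
        if self._clock() > expires_at:
            del self._by_ip[key]     # stale answer: treat as unknown
            return None
        return name


def classify(name):
    """Map a DNS name to an application label by longest matching suffix."""
    if name is None:
        return None
    labels = name.split(".")
    for i in range(len(labels)):
        app = APP_BY_SUFFIX.get(".".join(labels[i:]))
        if app is not None:
            return app
    return None


def steer_first_packet(cache, dst_address, policy=POLICY, default=DEFAULT_PATH):
    """Decide (application, path) for a flow from its first packet only."""
    app = classify(cache.lookup(dst_address))
    path = policy.get(app, default) if app is not None else default
    return app, path


def steer_by_acl(dst_address, default=DEFAULT_PATH):
    """Static-ACL alternative: per-app steering works only for listed prefixes."""
    ip = ipaddress.ip_address(dst_address)
    for app, prefixes in ACL_PREFIXES.items():
        if any(ip in net for net in prefixes):
            return app, POLICY.get(app, default)
    return None, default


def build_cache(answers=SAMPLE_DNS_ANSWERS, clock=time.monotonic):
    cache = DnsCache(clock)
    for name, address, ttl in answers:
        cache.learn(name, address, ttl)
    return cache


if __name__ == "__main__":
    cache = build_cache()
    for _, address, _ in SAMPLE_DNS_ANSWERS:
        print(address, steer_first_packet(cache, address), steer_by_acl(address))
```

The `steer_by_acl` branch exists only to make the text’s point concrete: the Box address is steered correctly by the DNS-derived classification but falls through to the default path under the static ACL, because no one maintained a prefix for it. Choosing the inspected path as the default is the conservative choice; a deployment that prefers local breakout for unknown traffic would set `DEFAULT_PATH` accordingly and accept the corresponding loss of inspection.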
Cloud-first business + cloud-first architecture
A cloud-first business requires a cloud-first architecture: cloud-based software-defined networking, single-click cloud connectivity, and cloud-delivered, direct-to-the-Internet security that protects your data and business from the end user straight to the cloud.
The combined solution from Riverbed and Zscaler can help drive your business strategy today by enabling you to:
- Securely transform to a cloud-first enterprise
- Increase IT agility and responsiveness
- Simplify branch operations and reduce costs
- Provide fast, secure user experiences
- Enforce security policies that follow users, no matter where they connect
Riverbed SteelConnect with integrated Zscaler security and end-to-end visibility is a complete SD-WAN solution for securely connecting users and businesses to the applications they need, wherever those applications reside: on a remote LAN/WLAN, in a data center, or in the cloud.