Historically, and to this day, the Wide Area Network (WAN) has been all about physical locations. Branches, remote offices, retail stores, hospitals, and manufacturing sites all needed to be connected to a central location – the data-center.
The process of deploying connectivity to all locations and ensuring service levels and proper response times has not evolved much either. Customers have had to choose between 2 basic connectivity models: MPLS or VPN tunnels over the internet.
These models have distinct pros and cons.
With MPLS, a service provider delivers SLA-backed end-to-end connectivity from all locations to the data-center. The provider controlled the last mile (the connection from each location to the provider) and the middle mile (the provider’s backbone). Internet-based WANs, on the other hand, have no “master”. The WAN is formed by establishing encrypted VPN tunnels between distributed firewalls. The availability, capacity and latency are subject to the internet’s network behavior at any given point in time and the service levels of the ISPs that provide Internet access. It’s a best-effort system, and it still works for many organizations.
What is common to both architectures is the fundamental design assumption that the organization owns and controls both sides of each connection, and there is a uniform approach to adding new locations.
The cloud is challenging this assumption. When I refer to the “cloud”, I mean two distinct elements:
- Public cloud infrastructure (also known as Infrastructure as a Service (IaaS)). Platforms such as Amazon AWS, Microsoft Azure, Google Cloud and IBM SoftLayer are all providing on-demand compute and storage services. These extend existing on-premise data-centers.
- Public cloud application (Software as a Service (SaaS)). These are packaged applications, like Salesforce.com or Office 365, that require no direct management of the end customer.
The way to connect a cloud data-center to the corporate network isn’t as straightforward as connecting yet another physical location. MPLS providers need to establish special links from their backbones to the cloud providers. Enterprises need to consider using free basic firewalls from the cloud provider (and fragment their security and connectivity architecture), or deploy virtual firewalls from their vendors of choice (which has cost and performance implications). SD-WAN solutions, designed for physical branches, are starting to offer hardware and virtual appliance for the cloud.
While cloud data-centers have several connectivity options, optimizing connectivity and enforcing security for SaaS is even trickier. There is no way to control both ends of the links (nothing can be installed within the SaaS provider datacenter). Connectivity can’t be optimized with appliance-based solutions, and security must be enforced with a standalone offering (like a Cloud Access Service Broker (CASB)) or by forcing traffic through the main data-center firewalls.
The first option fragments security policy and introduces management overhead for IT security. The latter option goes against the ease of access and dynamic nature of cloud apps. Instead of just going to the applications, users must be forced through a choke-point, often a physical firewall, to make sure they comply with corporate access policies. This creates multiple challenges, including increased latency for remote users.
Ofir Agasi is Director of Product Marketing at Cato Networks with over 12 years of network security expertise in systems engineering, product management, and research and development. Prior to Cato Networks, Ofir was a product manager at Check Point Software Technologies, where he led mobile security, cloud security, remote access and data protection product lines. Ofir holds a B.Sc. degree in Communication Systems Engineering.