This article originally appeared on LinkedIn.
No longer do employees work within the confines of an office, or for that matter, a corporate network. Those employees use applications hosted outside of the data center, access them from outside of the office, and do most of their work outside the view of traditional monitoring tools. The new way of work is cloud- and mobile-first, and relying on a “hub-and-spoke” branch-office-to-data-center network architecture and a “castle-and-moat” security perimeter is no longer tenable for IT organizations.
Secure Access Service Edge (SASE) architecture defines the future of network and security at the edge, and extols a thin-branch/heavy-cloud architecture that leverages security functions in the cloud. SASE architecture moves security from the network to the end user, and defines it through policies based on identity and context. The tenets of SASE guarantee depth, performance, and scale for enterprise networks that need agility, performance, and security.
As enterprises start their SASE transformation journey and embrace cloud deployments, mobile connections, and work-from-anywhere users, they will discover that traditional monitoring tools are inadequate. Trying to detect, troubleshoot, and diagnose performance problems using traditional data center-centric monitoring stacks introduces visibility gaps. Instrumentation—the ability to gather network, application, or system data—is a big challenge when apps sit in the cloud and users sit outside the network perimeter. With the internet as the corporate network and the cloud as the data center, legacy monitoring tools cannot see what they cannot instrument.
Legacy monitoring can’t see through the fog
Traditional monitoring falls into three categories:
- IT Infrastructure Monitoring (ITIM). ITIM tools focus on polling to understand the health and availability of network and system infrastructure elements.
- Application Performance Monitoring (APM). APM tools focus on the use of agents on hosts, to ingest and analyze deep cross-tier code-level traces.
- Network Performance Monitoring (NPM). NPM tools use appliances or software collectors to collect network packet or flow information.
When it comes to measuring a cloud- and mobility-centric world, each of the three monitoring tool sets experiences instrumentation challenges. For example:
- ITIM tools cannot poll systems in a SaaS provider’s data center.
- APM tools cannot put agents on those same hosts that are hosted by a SaaS provider.
- NPM tools cannot analyze traffic if it is encrypted or if the traffic doesn’t go through a central aggregation point (such as a data center).
Moving to a SASE architecture forces IT teams to rethink their security focus—away from a security perimeter and on to policies that see user identity and context. Similarly, it forces IT teams to rethink their monitoring perimeter—away from monitoring the data center, application host, or the network connection—to monitoring the end user. Gartner defines this approach as Digital Experience Monitoring (DEM). DEM is a set of monitoring techniques that provides instrumentation from the user to the application irrespective of the network used to connect the two—wherever the user sits and wherever the application is hosted. To be clear, DEM tools don’t replace traditional monitoring tools, but they do fill the visibility gaps created as cloud applications accessed by mobile users continue to gain favor.
Digital Experience Monitoring is part of SASE transformation
DEM tools leverage a combination of real user monitoring, synthetic transaction monitoring, network path monitoring, and endpoint device monitoring to understand the end user experience. Lightweight agents on the end user’s device enable instrumentation for these measurements. When evaluating DEM solutions, it is important to consider which mix of these techniques fills the visibility gaps left by existing tools.
But choosing a good DEM solution is more than just filling in “gaps” in visibility. Instead of checking off a list of features, enterprise CIOs and CISOs must consider strategic context, and evaluate how a DEM is going to integrate with the company’s overarching transformation journey. Enterprises must verify that their DEM solution...
- ...has a deep understanding of the end user’s identity and context. Most DEM solutions have only a basic understanding of the end user based upon an IP address. DEM solutions that understand an end user’s office location, physical location, department, and other contextual information provide much more useful context in monitoring workflows. Tools can integrate with an identity provider like Okta or Azure AD to capture contextual user identity data.
- ...has an integrated and multi-purpose agent. A DEM tool should do more than just monitor. Enterprises suffering from “agent-fatigue” should consider DEM solutions that are integrated parts of a SASE vendor’s network security architecture, with a lightweight agent that provides monitoring and advanced threat protection and zero trust network access.
- ...provides visibility to both network and security teams. Improving user experience is a shared goal among network and security teams, yet both teams tend to operate independently. DEM solutions that provide a common dashboard to both teams improve efficiency in triaging and diagnosing performance issues.
- ...is an extension of the Secure Access Service Edge. DEM tools should leverage a light-branch, heavy-cloud model. They should use lightweight agents on the endpoint to collect data, and employ a highly-scalable, cloud-based ingestion and analytics engine to derive both performance and security insights from the data.
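The following is an added example, not code from the article or from any DEM vendor, showing why the identity context described above matters in a triage workflow: synthetic-transaction results reported by endpoint agents are joined with directory attributes, and a degradation is then attributed to a single user, a whole office, or the application itself. The directory records, user names, app names and timings are all constructed for the illustration.

```python
# Constructed sample directory, standing in for context pulled from an identity
# provider (the article mentions Okta or Azure AD; these records are invented).
DIRECTORY = {
    "alice": {"office": "Denver", "dept": "finance"},
    "bob":   {"office": "Denver", "dept": "sales"},
    "carol": {"office": "London", "dept": "finance"},
    "dave":  {"office": "London", "dept": "sales"},
}

# Constructed synthetic-transaction results reported by endpoint agents: one HTTP
# probe per user per app, with time-to-first-byte in milliseconds.
REPORTS = [
    {"user": "alice", "app": "crm",   "ttfb_ms": 900},
    {"user": "bob",   "app": "crm",   "ttfb_ms": 120},
    {"user": "carol", "app": "crm",   "ttfb_ms": 140},
    {"user": "dave",  "app": "crm",   "ttfb_ms": 110},
    {"user": "alice", "app": "mail",  "ttfb_ms": 1200},
    {"user": "bob",   "app": "mail",  "ttfb_ms": 950},
    {"user": "carol", "app": "mail",  "ttfb_ms": 130},
    {"user": "dave",  "app": "mail",  "ttfb_ms": 125},
    {"user": "alice", "app": "video", "ttfb_ms": 2000},
    {"user": "bob",   "app": "video", "ttfb_ms": 1800},
    {"user": "carol", "app": "video", "ttfb_ms": 2200},
    {"user": "dave",  "app": "video", "ttfb_ms": 1900},
]

def enrich(reports, directory):
    """Join each agent report with identity-provider context (office, department)."""
    unknown = {"office": "unknown", "dept": "unknown"}
    return [{**r, **directory.get(r["user"], unknown)} for r in reports]

def localize(samples, app, metric="ttfb_ms", threshold_ms=500):
    """Attribute a degradation of `app` to the narrowest context that explains it.
    Returns (scope, detail); scope is 'none', 'application', 'office' or 'user'."""
    app_samples = [s for s in samples if s["app"] == app]
    slow_users = {s["user"] for s in app_samples if s[metric] > threshold_ms}
    if not slow_users:
        return "none", None
    offices = {s["office"] for s in app_samples}
    # An office counts as affected only when every probe from it is slow; a single
    # slow user in an otherwise healthy office points at that device or last mile.
    affected = {o for o in offices
                if all(s["user"] in slow_users for s in app_samples if s["office"] == o)}
    if affected == offices:
        return "application", app          # every site sees it: the app or its provider
    if affected:
        return "office", sorted(affected)  # whole sites: local network or egress path
    return "user", sorted(slow_users)
```

Without the directory join, the same reports would show only four source IP addresses, and the office-level pattern in the `mail` case would not be visible.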
SASE and Digital Experience Monitoring make for a great user experience
Enterprises must have visibility into all the traffic connecting to all the assets in their distributed network. Traditional monitoring relies heavily on branch-to-data-center models that use perimeter-based security, neither of which adapts well to internet-based networks, cloud-based applications, and work-from-anywhere users. The new SASE model is designed to adapt to the new network and security paradigm. In the same way, digital experience monitoring adapts to the new ways of work to deliver a better visibility model.
DEM solutions fill in the visibility gaps that traditional monitoring tools overlook, and allow for both network teams and security teams to leverage the same data in order to optimize end user experience.
Zscaler, a leading SASE network security vendor, has recently introduced its own DEM solution called Zscaler Digital Experience (ZDX) that is closely tied to its cloud security platform. More information can be found on Zscaler’s website.