Transforming branch office connectivity and security

If your company leaders have made the decision to adopt a cloud-first strategy, the first thing you should do is applaud them. They’re taking a major step forward, embracing a future that promises better productivity, agility, and competitiveness.

The second thing you should do is look at approaches for making the strategy a success. You want to enable great cloud app performance and a frictionless user experience. And, of course, you need a strong security strategy to protect your organization from global threats that are growing in frequency and sophistication.

But not everyone achieves these goals right out of the gate. Many Zscaler customers have told us that early attempts to implement a cloud-first strategy often produced sluggish application performance—especially those cloud apps requiring multiple persistent connections such as Microsoft Office 365. As for security and access controls, going cloud-first can result in countless headaches as you try to maintain legacy network and security architectures.

A cloud-first strategy represents a sea change, and the legacy architectures with centralized controls on which we’ve relied for decades cannot adapt. Backhauling traffic from your branch offices made sense when most traffic was bound for the data center. But most traffic now is heading for the cloud and open internet, and backhauling all that traffic over MPLS is expensive and inefficient—and users hate it.

You need to flip the security model when you go to the cloud. The old approach used centralized internet gateways at headquarters and a select number of regional hubs. The new way is to provide breakouts at all locations, and to provide secure, direct-to-cloud connectivity from branch offices. Direct connections bring about faster performance for cloud apps, simplify network infrastructure, reduce costs, and deliver a better user experience.

The secret to the success of your cloud-first initiative is in the deployment. Here are five strategies to help your organization successfully deploy and secure direct-to-cloud connections.

1. Move security closer to users. To optimize performance and the user experience, your data centers and egress points must be close to branch users in all geographies, and directly peered with your critical applications to provide fast connections and simplify compliance. Such proximity is best achieved with a global security cloud.  

2. Insist on identical security for all. The legacy approach to local breakouts typically deploys stacks of appliances performing various security services at each branch. But, replicating the gateway security stack at each location is prohibitively expensive. These functions may be deployed as virtual instances, but they still have capacity limitations. And, you still have performance issues when adding new security features or inspecting SSL. The alternative of deploying smaller next generation firewalls or UTM devices at branch locations leaves you with security gaps that are equally undesirable.

A cloud-first approach requires identical protection across all locations that can best be achieved with an integrated global platform that inspects all ports and protocols. The platform must automatically deliver the entire security stack: sandbox, firewall, advanced threat protection, and more—all as a cloud-based service.

3. Inspect all traffic with a proxy-based architecture. A cloud-first architecture must be proxy based to enable full inline inspection of traffic. For example, security services for monitoring and filtering traffic use packet analysis to identify unauthorized or malicious content. Encryption adds a layer of complexity that requires a proxy for traffic analysis. According to recent reports from Google, 91 percent of traffic across Google is encrypted, so SSL/TLS inspection is no longer simply an option. Your proxy solution must natively inspect SSL/TLS-encrypted traffic, at scale, without degrading performance.

4. Recognize the need for elastic scalability. The notion of elasticity is a critical element for cloud apps. It means infrastructure required to support your bandwidth-hungry applications automatically handles increases in network traffic without added costs or complexity. By using a multi-tenant security platform that scales elastically, your organization can take advantage of direct-to-internet breakouts without complex capacity planning or fear of maxing out appliances. Your users can rely on fast and access to cloud applications, while you can rely on consistent security and performance—regardless of traffic volume.

5. Demand real-time policy management and visibility. While the cloud has brought major benefits, one area many organizations struggle with is getting visibility into applications and the networks upon which they reside. It’s one thing to buy a solution that does this for infrastructure you own. But with cloud, it’s impossible for legacy tools to get much (if any) visibility into activity occurring in applications on networks you don’t own that could be occurring anywhere in the world.

Be sure your cloud-first solution for branch connectivity doesn’t force you to piece together fragmented logs, or use separate subscriptions or management platforms. Your solution should simplify IT operations, not complicate them. For true control, your solution must provide real-time policy creation, deployment, and visibility by user, application, and location.

A cloud-first strategy will bring many benefits to your organization no matter where employees are accessing resources. By enabling a direct-to-cloud approach for branch offices, with comprehensive cloud-delivered security, you can successfully secure your branch traffic and ensure that users will have fast access to cloud apps while you simplify your IT infrastructure and optimize costs. As planned.