Infrastructure Optimization for a Virtual World
By Alexis Pomierski & Gary Doria, Senior Technology Advisors, John Alexander Consulting
With the shift to a largely remote workforce, organizations have opportunities that, if thoughtfully architected, can yield both faster application delivery and cost savings. Beyond the familiar savings from reducing physical office space and overhead, supporting a remote workforce brings a new set of challenges: IT groups must redesign their data transport routes to serve a distributed workforce and reinvest in securing that transport.
In this article, we will segment the approach into two categories: infrastructure optimization and securing applications via the new “edge.”
Infrastructure optimization requires IT professionals to understand which applications matter most to the organization and how to deliver them to end users faster. Common critical applications include, but are not limited to, Citrix, Oracle, Microsoft Teams, telephony and corporate CRM. These applications may reside on premises-based servers, in the customer's own cloud or in a third-party cloud.
As more companies forgo physical office space, access requirements for applications shift even though demand on them does not. Traditionally, access was concentrated in one location, requiring large, dual internet circuits and physical infrastructure at the office edge. In a remote environment, access must serve a geographically dispersed user base over home internet connections of uncertain quality. Connecting each user to a traditional WAN is prohibitively expensive, so other accelerants must be deployed.
After you identify critical applications and understand the demand on them, re-architecture begins. Tools for this include:
- Express routes: a private connection from a customer's WAN to a public cloud provider's edge. ExpressRoute is Microsoft Azure's name for this service; the equivalents from other providers (for example AWS Direct Connect and Google Cloud Interconnect) are often loosely referred to by the same term.
- PoP-to-PoP private transport with public egress nodes: replacing traditional MPLS, many carriers now carry some or all of a customer's traffic over their private core backbone to reduce latency, with internet egress at the carrier's points of presence.
- License virtualization: depending on the vendor, premises-based licensing and access to the application can now be purchased and supported through the vendor's hosted cloud.
- Reallocation of bandwidth: when demand no longer lands at headquarters it does not disappear; bandwidth must be provisioned at the landing zone where the application now resides.
- SD-WAN: a software-defined wide area network uses policy-based path selection and application-aware routing to accelerate applications; it can be deployed on a firewall, on an edge device or in the cloud.
- SASE: secure access service edge converges SD-WAN and network security point solutions into a unified, cloud-native service.
Gartner introduced SASE as a category that combines enterprise networking and security access points in one service. This simplification lets organizations protect any edge, including multi-cloud landing zones and end users alike, and is the first step toward protecting data in a new "edge" environment.
Securing Your Corporate Edge
Corporations are moving application processing, industrial devices, IoT and on-premises data centers to natively integrated colocation facilities with on-ramps to multiple hyperscalers, or to their own private or public hybrid cloud. This is done to increase access, secure transport and reduce latency. Securing these disparate edges presents new challenges to security professionals.
Historically, an IT professional held a siloed role focused on either networking or security. Today's professionals must bridge the gap between the two with a deep understanding of cloud-based solutions. The same applies to the security products themselves.
Securing a large, centralized edge with devices that each support only one function is now inefficient and costly. It also requires constant management and patching to keep pace with threats that continually reinvent themselves.
The following tools improve unified security access policies, reduce complexity and improve performance:
- WAF: a web application firewall inspects HTTP(S) traffic to web applications and blocks common web attacks such as injection and cross-site scripting; cloud-delivered WAFs are typically always-on and fully managed.
- DDoS mitigation: absorbs and filters distributed denial-of-service attacks against websites, applications and entire networks while keeping legitimate traffic flowing.
- Next-generation firewalls: combine a traditional firewall with additional filtering functions, such as application-aware control via in-line deep packet inspection and intrusion prevention.
- Secure access control: verifies that users are who they claim to be (authentication) and that they have only the access to company data they are entitled to (authorization).
- CDN: a content delivery network reduces load on origin servers by caching static content close to users and can continue serving that cached content even when the origin is offline.
- DLP: data loss prevention software detects potential data breaches and exfiltration by monitoring sensitive data in use, in motion and at rest, and blocking transmissions that violate policy. The terms "data loss" and "data leak" are related and often used interchangeably.
- IDS/IPS: an intrusion detection system detects and alerts on threatening traffic and malware; an intrusion prevention system sits in-line and blocks it.
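To make the DLP entry concrete, here is an added example (not code from the original article or from any product it names) of the kind of check a DLP gateway runs on data in motion: it scans outbound text for card numbers, validated with the Luhn checksum so that arbitrary 16-digit order numbers are not flagged, and for SSN-shaped values, then returns an allow/block verdict together with a redacted copy suitable for logging. The sample messages, the patterns and the policy (block on any finding) are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# single spaces or hyphens, and not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in its canonical dashed form (constructed pattern for this example).
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed outbound messages; none of these values belong to a real person.
SAMPLE_OUTBOUND = [
    "Shipping order 1234567890123456 to the warehouse tomorrow.",
    "Customer card on file: 4111 1111 1111 1111, exp 12/29",
    "Applicant SSN 123-45-6789 attached for payroll setup",
    "Meeting moved to 10:30, dial-in unchanged",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, as plain digit strings."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Verdict:
    action: str                                   # "allow" or "block"
    findings: list[str] = field(default_factory=list)
    redacted: str = ""                            # safe form for the DLP log


def _mask_pan(m: re.Match) -> str:
    """Replace a Luhn-valid candidate with a masked token; leave other digit runs alone."""
    digits = re.sub(r"\D", "", m.group())
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return "[PAN ****" + digits[-4:] + "]"
    return m.group()


def inspect_outbound(text: str) -> Verdict:
    """Decide whether an outbound message may leave the edge.

    Policy (constructed for the example): any Luhn-valid PAN or SSN-shaped
    value blocks the message. Findings carry only the last four digits so the
    log itself does not become a second copy of the sensitive data.
    """
    findings = [f"pan:{p[-4:]}" for p in find_pans(text)]
    findings += [f"ssn:{m.group()[-4:]}" for m in SSN_PATTERN.finditer(text)]
    redacted = PAN_CANDIDATE.sub(_mask_pan, text)
    redacted = SSN_PATTERN.sub("[SSN ***-**-****]", redacted)
    action = "block" if findings else "allow"
    return Verdict(action=action, findings=findings, redacted=redacted)


def run_samples() -> list[Verdict]:
    """Inspect every constructed sample message and return the verdicts."""
    return [inspect_outbound(msg) for msg in SAMPLE_OUTBOUND]


if __name__ == "__main__":
    for verdict in run_samples():
        print(f"{verdict.action:5}  {verdict.findings}  {verdict.redacted}")
```

The Luhn check is what separates a real DLP rule from a naive "16 digits" pattern: the first sample message carries a 16-digit order number that fails the checksum and is allowed through, while the card number in the second message is blocked and logged as `[PAN ****1111]`. A production deployment would add further detectors and tie the verdict into the proxy or mail gateway, but the shape of the decision is the same.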
Securing these multiple edges is costly if security is not designed in from the start rather than bolted on afterwards. Multifunction technology requires careful orchestration in which your current infrastructure and hosting strategies work in concert.
If you are interested in learning more about auditing your organization's current infrastructure and re-architecting your environment with an application-driven topology, contact us at email@example.com.