
Gartner verizon zscaler hybrid newsletter may 2014


“Is your network Cloud Ready ?” With the advent of the Cloud, Enterprise Network is changing significantly. Discover the European Analysis commissioned by #Verizon and #Zscaler featuring #Gartner research which examines this major IT transformation

Published in: Technology, Business

Is Your Network Cloud-Ready? A European Perspective

Featuring research from Gartner

Contents
Enterprise Computing Has Changed, So Why Hasn’t Network Design?
From the Gartner Files: Four Steps to Optimize Your Network for IaaS
About Verizon Enterprise Solutions and Zscaler

This paper, commissioned by Verizon and Zscaler, examines how networks are evolving in Europe, focusing on the factors that are driving companies to consider moving more of their traffic over the internet. This work would not have been possible without the contribution of four European Senior Consultants: Ivan Rogissart, Peter Franken, and Alistair Neil from Verizon, and Charles Milton from Zscaler.
Enterprise Computing Has Changed, So Why Hasn’t Network Design?

Enterprise computing isn’t what it used to be. Ask any team of executives if they can imagine running their enterprise system the same way they did ten, even five years ago, and they will likely laugh. Computing has changed and so has the way business interacts with and uses technology. Mobile access is more important than ever. Along with mobile, the need for users to access enterprise systems from anywhere, at any time, on any device has become integral to companies of all sizes. Yet, for many businesses, network design has not kept up with the pace of change. This has led many industry leaders to begin to re-evaluate and re-think the way they approach network design. This newsletter details innovative responses to those changes and cutting-edge practices businesses can implement to safeguard themselves, while also capitalizing on the opportunities of an ever more mobile, cloud-based, and interconnected marketplace.

Way Back When: Previous Network Designs

Compared to technologies like radio or TV, computing is relatively young. Thus, it may seem unnecessarily dramatic to speak of corporate network designs as being archaic or outdated. But with the rapid speed of technological change, it’s fair to say that many enterprise network designs are antiquated and ill-equipped to deal with the contemporary business climate. Traditional network designs were predicated on a hub-and-spoke model, with the central office as the hub and the branch offices emanating from that. In this model, wide area networks (WANs) generally connected to the Internet through a company’s main office. That network was protected by hardware, often housed in the central office. This setup, based on the assumption that the bulk of traffic flowed to and from the central office, permitted a business to exert tight security over employees’ Internet use and made it possible to centralize data protection.
Branch offices would connect to the main office through dedicated multiprotocol label switching (MPLS) lines that directed all traffic, regardless of location, through this central hub to ensure uniform security across the business. Access to the public Internet was also funneled through the central office. This model had a number of upsides, foremost among them that businesses were able to achieve a high level of security and protection. However, this type of network design is a poor fit for a world in which employees want to use their own (often multiple) devices to access enterprise systems, want to do so from anywhere in the world, and expect to have low latency and consistent quality of access wherever they might be.

Additionally, the core assumption of that network model is no longer true: the applications housed at the central office are consuming an ever-diminishing share of network traffic. Companies are increasingly turning to SaaS and cloud computing to achieve cost savings and greater agility and to reduce the footprint of their IT infrastructure. Cloud services are projected to grow by over 18% through 2017 (Gartner “Is MPLS Dead?”, Andrew Lerner and Neil Rickard, June 2013). The result is that many companies are now seeking a network design solution that offers the security of the traditional model, with the flexibility, speed and lower costs of public Internet providers and the cloud.

With a safe path to SaaS provided by Zscaler, an international construction company in Great Britain was able to ensure high performance for SaaS regardless of users’ location.

“We’ve gone from a world where de facto standards of technology for most of our corporate clients have been private networks, typically using technologies such as point to point or MPLS. Increasingly, however, customers are questioning the validity of utilizing private networks,” says Alistair Neil, EMEA Security Senior Consultant Manager of Verizon.

Our Brave New World

There is a new reality for which any successful network design must account. Hybrid WAN architectures offer many unique benefits of MPLS networking that ensure performance and security while also offering the flexibility of the public cloud. This reality has a number of key aspects, covered below.

Localization. In many cases, accessing the Internet locally makes more sense than having to route through an office that may be hundreds if not thousands of miles away from the user. There are myriad reasons for this. Regulations differ from country to country, and security must be compliant. Latency becomes a significant problem when Internet traffic must flow through distant hubs. Usability is another very important factor. As Charles Milton, Service Provider Director EMEA of Zscaler said, “User perception isn’t just about latency. It’s also about localization of content. Imagine for a moment that you work for a German company. But, you are based in London, and the Internet breakout for your network is in Germany. Every time you go to a weather website, you will see German weather, and if you go to you will get Problems like this can obviously annoy users and impede effectiveness, but most importantly bad localization can put critical content off limits. As just one example, an employee in France cannot access French government websites if they are seen to be accessing the internet from outside France.

SaaS is driving change. Unquestionably, the cloud has arrived. Businesses of all scales have recognized the opportunity of operating in the cloud and are becoming increasingly comfortable with migrating major operations there. SaaS applications, like Office 365, Google Apps, and are all drivers of this cloud adoption.
SaaS is projected to grow at 18.5% through 2017 (Gartner “Is MPLS Dead?”, Andrew Lerner and Neil Rickard, June 2013). Corporate apps were designed for WANs, but corporate interest in the cloud is intensifying. Companies experience significant benefits with the cloud, which include cost savings and no longer having to run hardware. More importantly, the cloud is an easy and efficient way for the employees of global corporations to collaborate harmoniously and in real time. Even when businesses have security and safety concerns about putting sensitive information in the cloud, adoption of SaaS apps continues to increase. Cloud providers hosting SaaS applications are expanding their presence around the world, so accessing these datacenters directly via the Internet makes much more sense than backhauling traffic through central offices using MPLS.

According to Ivan Rogissart, Head of Solution and Sales Engineering France for Verizon, “SaaS providers are doing more and more geographical expansion and are adding Internet data centers around the world where they host applications in the cloud environment. Therefore, you’re closer to these providers by using direct connections to the Internet for SaaS.”

A French retail brand initiated a move to SaaS applications including Salesforce and Office 365. With the increased traffic from SaaS, as all workers rely on the Internet for day to day tasks, the company’s connectivity to the Internet was becoming as critical as its MPLS connectivity. The company deployed a hybrid WAN networking solution from Verizon, enabling local breakout Internet connections around the world, protected using the Zscaler cloud proxy solution.

Consistent performance. With high-speed Internet available almost everywhere, users are less and less tolerant of dealing with uneven performance and online accessibility. It’s just not realistic to imagine that a company’s entire business will be in the same office.
They want the same experience whether they’re in the office or not, and whether they’re logging in from an iPad, laptop or mobile phone. Enterprise systems have to respond to these demands while also preserving the security and internal coherence found in traditional MPLS-based networks. Consistent performance is even more critical as more and more daily work moves to the cloud.

“If you move some of those critical applications to the cloud, you can’t have a bad user experience or the local business units will find alternatives,” says Milton. “Most users are accustomed to the fast broadband they have at home. They are not prepared to tolerate a lesser experience in the office, especially when they are trying to use applications that are critical to their job. So that is driving change in the network architecture.”

According to Gartner analysts Andrew Lerner and Neil Rickard, “Network architects should revise WAN architectures to improve performance for external cloud applications and resources. In most cases, hybrid WAN architectures will provide the best blend of performance and availability” (Gartner “Is MPLS Dead?”, Andrew Lerner and Neil Rickard, June 2013).
A global manufacturing company headquartered in the UK deployed Zscaler to replace a proliferation of web security technologies. The deployment introduced a consolidated web access policy and reporting framework, which, along with a consistently good user experience, has led to increased user satisfaction.

Network performance. In both personal and professional spheres, users are accustomed to direct connections to the Internet and the high speed and reliability this provides. By relying on the hub-and-spoke model for all Internet connectivity, users can experience high latency and poor performance. This problem can become especially pronounced when a network becomes overly stretched out. Call this phenomenon tromboning. It occurs when a traditional WAN is broad geographically, with many branch offices and remote users, yet everything is still being funneled through a central location, negatively impacting latency and reliability. This type of bottleneck frustrates users and impedes performance.

A multinational Dutch retailer was facing the challenge of how to allow Internet browsing at two offices, one in Amsterdam and one in Asia. The delays inherent in its MPLS system were dragging down performance. The company adopted a proxy service housed in the cloud, improving performance and allowing high-speed Internet browsing regardless of user location.

Consumer connectedness. More than ever, businesses want as much information on their customers as possible and want to connect with consumers in meaningful ways. This poses challenges for the traditional model, in which, with a centralized gateway, there is a static security perimeter protecting all of the business’s online interactions. This static perimeter is too restrictive for a world in which social media and mobile phones are crucial elements to driving and meeting consumer demands. Businesses have to be able to protect themselves, without bogging down customer experience.
A major manufacturer runs key manufacturing, supply chain, and financial elements of its business on SAP, delivered across a predictable global MPLS infrastructure. Since the manufacturer represents a confluence of numerous consumer brands, global marketing is a critical function of its business, which in turn requires more low-cost bandwidth to support Internet marketing, client research, and partner collaboration. These requirements drove the successful adoption of integrated cloud security for the manufacturer’s global WAN.

Cost. Attempting to use a traditional WAN to meet these new realities can be not only challenging from the technical side: it can also be overwhelmingly expensive. Businesses can try to address the barriers by adopting numerous direct connections, but to use the appliance-based architecture in this way is prohibitively costly. According to Gartner, monthly service costs for consumer-grade Internet services are generally 20-40% lower than the cost of traditional MPLS (Gartner “Is MPLS Dead?”, Andrew Lerner and Neil Rickard, June 2013).

A major UK retailer with an increasingly globalized footprint, dynamic requirements to follow the market, and customer centricity at the core of its business successfully combined a hybrid global WAN, secure Internet hubs, and localized Internet breakout. This network model provides secure, reliable, predictable communications for core global applications, with the flexibility and cost-efficiency of local, cloud-secured Internet access at the branch level.

A New Type of Networking Is Emerging in Europe

Where there are problems, there are solutions— and opportunities. Businesses and Internet and security providers have not been sitting idly on their hands. In Europe particularly there are pioneering new network designs to meet today’s challenges.
“The bandwidth required between the enterprise’s data center and the cloud center can be highly variable and difficult to predict, as workloads move back and forth between data centers and cloud centers. As a result, enterprises should ensure they have high-capacity access lines and, if available, ‘bandwidth on demand’ services, allowing them to adjust capacity at short notice.” (Gartner “Four Steps to Optimize Your Network for IaaS,” Neil Rickard and Andrew Lerner, December 2013)
Getting Connected, Directly

For any network redesign to be successful, the network must be optimized to incorporate elements of traditional MPLS WAN architecture with the ability to support cloud-based services. Services have evolved to provide greater customization for businesses and a wider range of options. One of the most effective methods, both from an economic and a usability perspective, was introduced first in Europe but is spreading across all geographic borders. This new design allows branch offices to direct connect to the Internet for nonsensitive operations and SaaS apps, rather than having to go through the central chokepoint of traditional systems. It also pushes noncritical, time-sensitive operations into the cloud to improve multilocation collaboration. A company’s most confidential or operationally essential information can still be located in the central office and accessed via an MPLS hub to protect against data leakage. Crucially, this design does not inherently have to sacrifice security if companies use an effective cloud security provider. It all depends on who is providing the services and how the network is designed. According to Gartner, by employing WAN optimization, a business can reduce latency anywhere from 30% to 70%, as well as reducing bandwidth by similar margins (Gartner “Four Steps to Optimize Your Network for IaaS,” Neil Rickard and Andrew Lerner, December 2013).

A major utility in the Netherlands adopted the Verizon-Zscaler solution to move a small number of its services to the cloud. The utility was risk averse and wanted to retain many of the benefits of MPLS control, but still experienced cost savings and improved employee collaboration by adopting a hybrid network.
Verizon and Zscaler: An Established Partnership Designed for the Future

With the direct connect model, to ensure that any network operates at the highest capacity, Internet connectivity, reliability, and security must be complementary ingredients rather than oil and vinegar. For the past three years, industry leaders Verizon and Zscaler have worked together to support this new network design. The match is as logical as it is strategic: Zscaler provides rigorous cloud-based security while Verizon provides the support services, network design, and optimization features required of any high-functioning network. As Alistair says, “Our offering is about enabling agility for clients. It’s about using the best technologies for the purpose, hybrid technologies, whether in the cloud, whether on premise, whether traditional private or public networks, to deliver the right kind of solutions for sophisticated business requirements.” Vital to this partnership is the flexibility of the solutions Verizon and Zscaler can create and tailor for individual businesses. Use of the public Internet can be optimized in many ways because there’s no one-size-fits-all solution for an entire global economy.

A major European beverage company deployed Zscaler to replace its existing appliance-based web security solution. The project enabled a transition to a more distributed Internet access architecture, important for many business units operating in emerging economies.

The Verizon-Zscaler team allows a company to make the best decisions about where to position certain types of information. It’s critical to remember that this is not a death knell for MPLS. MPLS will still have its place, but companies have to decide where and how to use it, juggling the increased security provided with the competing needs of immediacy, latency, mobile accessibility, and cost.
Gartner supports this, projecting 4% annual growth for MPLS through 2017 (Gartner “Is MPLS Dead?”, Andrew Lerner and Neil Rickard, June 2013). But with Verizon-Zscaler, companies develop guidelines and internal regulations to direct traffic based on its content. A company’s most sensitive information can still be housed within the static perimeter of a data center. But for less critical data, or consumer information, Zscaler can set up protection that makes the cloud and public Internet secure. And this can all be done without any hardware for the company to purchase, as well as with dedicated customer service not available through SaaS alone.

“Due to the performance, feature and security requirements for most branches, enhanced MPLS and hybrid solutions will emerge as the most common approaches.” (Gartner “Is MPLS Dead?”, Andrew Lerner and Neil Rickard, June 2013)

Verizon-Zscaler Recommendations

Based on extensive work in and observation of the changes underway in networking in Europe, here is some actionable advice.

Seek single responsibility. Having one point of contact for network infrastructure and security makes life considerably easier, particularly as new use cases and business initiatives emerge. This is true of the Verizon-Zscaler partnership. Though businesses receive the best of Internet and support services from Verizon and cloud security from Zscaler, they only have to interact with a single vendor. There’s no question of who to call or contact for support, regardless of the nature of the problem. Verizon-Zscaler will diagnose the problem, whether it’s a connection or protection issue, and then fix it, saving executives and IT departments countless hours going back and forth between vendors that each place responsibility on someone else. This is especially critical in this era when almost all business depends upon the functionality and availability of fast Internet connectivity. Businesses just can’t afford to have their networks down for any amount of time.

Look for a full spectrum of solutions. Zscaler’s offering of protections is as comprehensive as it is valuable. When a business contracts with Verizon-Zscaler, it is entering into an agreement that can meet all of its needs, both present and future. Zscaler offers protections that include HTTP scans, SSL scanning, data loss protection (DLP), and advanced threat protection (ATP). A business may not require all of these services initially or at any one time, but Zscaler can provide them as needed, allowing the company to change its range of services as its security needs evolve over time. It is even possible to use the Zscaler Enforcement Node appliance locally if a cloud-based approach is not appropriate for legal or proxy reasons, according to Peter Franken, Manager Security Engineers at Verizon.

Move from capex to opex. Cloud-based security solutions reduce hardware costs and maintenance onus for a company and since they are services, shift the costs from capital expenses to operating expenses. Hardware was a large expense associated with security when networks were designed to backhaul all traffic through central points.

Overcome geographic limitations. Because Zscaler is cloud-based, it easily handles geographic scalability, regardless of business size, location, or size of the workforce.
Its scalability allows companies to constantly right-size their relationship with Zscaler—like Goldilocks, never having too much or too little, while also having the added assurance that they can add services whenever they need to.

Cut costs. Every company wants to improve its bottom line and cut costs. Moving some traffic from private MPLS circuits to the cloud and the public Internet can achieve this. Verizon and Zscaler allow businesses to have a high level of performance for information safe enough to travel on the public Internet, which can lead to significant savings. As Gartner points out in a 2013 report, WAN prices continue to decrease, with a decline of 10% or more annually in countries with competitive telecom markets (Gartner “Is MPLS Dead?”, Andrew Lerner and Neil Rickard, June 2013).

Look to move fast. By migrating some operations to the cloud, businesses can realize greater speed and scalability with application deployment and new product development. Customers and employees no longer have to be beholden to MPLS circuits that can slow the speed of business. SaaS can be quickly adopted with security assured.

A major international European financial institution was trying to improve efficiency on a huge WAN that was proxy-based and proving to be incredibly costly. With the protection provided by Zscaler and the Internet reliability of Verizon, this financial institution was able to dramatically improve performance and offer localized content.
Support mobility. Any device, anywhere, anytime. It’s what customers and employees are demanding and it’s what Verizon-Zscaler provides. Employees can work where and when is most convenient for them, while companies have the certainty that granting mobile device access isn’t resulting in a loss of protection.

“The concept of the enterprise has changed,” explains Alistair. “We moved from a very defined perimeter of the enterprise to something much more expanded. You’ve got more and more people who are traveling, working on the train, at the airport, working from home all or part of the day, meeting with customers and working from customer offices, working with partners and so on. The nature of the business has changed and there are no more boundaries delineating the perimeter of the enterprise. You don’t need only to think about the security inside the corporation, but also to consider all the remote users, the people equipped with smartphones, with tablets, and also those doing more traditional remote access on a PC.”

Find faster protection. Unlike traditional centralized hardware solutions, Zscaler has the flexibility to provide up-to-the-second security protection. Zscaler adapts to threats as they arise, without the need for new hardware or software downloads.

Look for distributed enforcement with centralized control. “What a large multinational wants is to maintain centralized policy and reporting control,” said Milton. “Distributed enforcement enables small branches to break out to the Internet using the most efficient type of connection available to them, and do it securely.” Zscaler allows a business to have a uniform security protocol, with consistent regulations, protocol, and accessibility controls, regardless of where the user is located. Zscaler also enables companies to comply with all local regulatory compliance restrictions, adjusting compliance restrictions appropriately for the user’s location.
An executive can thus set a companywide policy that’s adaptable to local conditions.

Get centralized reporting. Zscaler is foremost a security solution, but it also provides companies with powerful analytical tools and reporting, all housed in one central location. Businesses can learn more about how and when customers and employees are using their network and thus make targeted adjustments based on this information. Look for a product whose logs can be fed into existing systems for analytics, says Franken. “Customization can be done to take security feeds and integrate them into existing management systems.”

What Is Right For Your Business?

Whenever a company embarks on the process of rethinking and restructuring its network design, it needs to take a number of factors into consideration to make sure its solution covers all aspects of the enterprise. Gartner analysts Andrew Lerner and Neil Rickard recommend that enterprises first analyze their own needs and then find a WAN solution that is “based on the features, availability and performance requirements of the business” (Gartner “Is MPLS Dead?”, Andrew Lerner and Neil Rickard, June 2013). With a solution like Verizon-Zscaler, companies have a partner to help them think through these challenges, such as the following:

Increased support at the endpoints. More locations mean more endpoints to support. Each branch location can have public Internet access, and with this, there’s a loss of centralized control from both security and connectivity perspectives. Any platform must provide continuous support, like Verizon-Zscaler, to protect against any loss of Internet connectivity.

The public Internet becomes more critical. The reliability of the public Internet connection in each branch and for each user becomes paramount in this new reality. Any downtime can significantly impact customers’ and employees’ impressions of the business. Verizon is well-equipped to provide maximum reliability.
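The two design points made above, in "Getting Connected, Directly" (branches break out locally for nonsensitive operations and SaaS, while confidential and operationally essential traffic stays on the MPLS hub) and in "Look for distributed enforcement with centralized control" (one companywide policy, adjusted to the user's location), can be modelled in a few dozen lines. The Python below is an added illustration written for this page; it is not code from Verizon, Zscaler or Gartner and says nothing about how their products are implemented. Every network, domain, category, country rule and the internal DNS suffix `.corp.example` is a constructed placeholder, and the rule that a country override may only tighten the global baseline is a design assumption of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy; a real deployment would load this from the
# central policy console. Every value here is an illustrative placeholder.
HQ_COUNTRY = "DE"   # where MPLS-backhauled traffic exits to the Internet
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
INTERNAL_SUFFIX = ".corp.example"   # hypothetical internal DNS suffix
SAAS_DOMAINS = {"outlook.office365.com", "login.salesforce.com", "docs.google.com"}
GLOBAL_BLOCKED_CATEGORIES = {"malware", "phishing"}
# Per-country overrides; by design they may only tighten the global baseline.
COUNTRY_OVERRIDES = {
    "FR": {"blocked_categories": {"gambling"}},   # constructed local rule
    "CN": {"breakout_allowed": False},            # constructed: backhaul everything
}


@dataclass(frozen=True)
class Flow:
    country: str              # where the user or branch is located
    dst_host: str             # destination hostname or IP literal
    dst_port: int
    data_class: str           # "public", "internal" or "confidential"
    category: str = "general" # URL category as labelled by the proxy


@dataclass(frozen=True)
class Decision:
    path: str                 # "mpls", "breakout" or "blocked"
    inspected: bool           # whether the cloud security proxy sees the traffic
    egress_country: str       # where Internet sites see the user coming from
    reason: str


def is_internal(host: str) -> bool:
    """True for destinations that live inside the private WAN."""
    try:
        addr = ip_address(host)
    except ValueError:                 # not an IP literal: judge by DNS suffix
        return host.endswith(INTERNAL_SUFFIX)
    return any(addr in net for net in INTERNAL_NETWORKS)


def effective_policy(country: str) -> dict:
    """Merge the global baseline with the country override; overrides only restrict."""
    override = COUNTRY_OVERRIDES.get(country, {})
    return {
        "breakout_allowed": override.get("breakout_allowed", True),
        "blocked_categories": GLOBAL_BLOCKED_CATEGORIES | override.get("blocked_categories", set()),
    }


def steer(flow: Flow) -> Decision:
    """Central policy, evaluated at the branch: choose path and inspection for one flow."""
    policy = effective_policy(flow.country)
    if is_internal(flow.dst_host):      # egress country is moot for private destinations
        return Decision("mpls", False, HQ_COUNTRY, "internal destination stays on the private WAN")
    if flow.data_class == "confidential":
        return Decision("mpls", False, HQ_COUNTRY, "confidential data never leaves the private WAN")
    if flow.category in policy["blocked_categories"]:
        return Decision("blocked", True, flow.country, f"category '{flow.category}' blocked by policy")
    if not policy["breakout_allowed"]:
        return Decision("mpls", True, HQ_COUNTRY, "local breakout disabled here; backhauled via MPLS, then inspected")
    if flow.dst_host in SAAS_DOMAINS:
        return Decision("breakout", True, flow.country, "sanctioned SaaS via local breakout and cloud proxy")
    return Decision("breakout", True, flow.country, "general web via local breakout and cloud proxy")


if __name__ == "__main__":
    # Constructed sample flows from three branches.
    samples = [
        Flow("GB", "10.1.2.3", 443, "internal"),
        Flow("GB", "docs.google.com", 443, "public"),
        Flow("GB", "www.bbc.co.uk", 443, "public"),
        Flow("FR", "bet.example", 443, "public", category="gambling"),
        Flow("CN", "docs.google.com", 443, "public"),
    ]
    for f in samples:
        d = steer(f)
        print(f"{f.country} -> {f.dst_host:22} {d.path:8} inspected={d.inspected} egress={d.egress_country}  {d.reason}")
```

The `egress_country` field is what makes the localization argument concrete: the London user reaching `www.bbc.co.uk` through local breakout is seen as coming from GB, whereas the same request backhauled over MPLS would appear to come from the German headquarters. The ordering of the checks in `steer` is deliberate: destination and data classification are decided before any country override is consulted, so a local rule can never move confidential traffic off the private WAN.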
Says Franken, Verizon’s background enables the company to “give guarantees on part of our backbone, which means that we really ensure availability and quality of service on the global Internet.”

MPLS is not obsolete. Again, it is critical to keep in mind that even in this new reality, MPLS remains vital for critical applications. The most integral systems for a business must still run through MPLS. For instance, at a clothing manufacturing plant, a connection to the central office network remains essential, as does access to applications that require the guaranteed high performance and high reliability that MPLS provides.

New Wave Adopters

The type of network design solution offered by Verizon-Zscaler is gaining traction across industries and business sectors. While rates of adoption and needs differ by industry, international corporations are especially keen to implement hybrid network solutions to satisfy the demands of their diverse and geographically scattered workforces.

“…closer analysis reveals that while Internet VPNs and Ethernet services will play a greater role in the enterprise WAN over the next two to four years, it will largely be as part of a hybrid network, blended with MPLS service to ensure delivery of the performance, availability, and feature functionality that businesses desire.” (Gartner “Is MPLS Dead?”, Andrew Lerner and Neil Rickard, June 2013)
Who Is Driving Adoption?

Motivations for adoption differ by industry. There is no single reason hybrid networks are increasingly popular across sectors. For instance, in the finance sector, companies want improved performance and ever better security in the cloud. So much of their operations are dependent on the reliability of high-speed connections. With milliseconds making a difference of millions, hybrid networks are a logical solution.

The retail and manufacturing sectors are lead adopters, in large part because they have so many branches and individual use cases as part of their enterprises. It makes sense for these industries to migrate noncritical operations to the cloud whenever possible to lower costs and improve performance. Manufacturing plants, warehouses, and distribution centers are often in remote and far-flung locations where MPLS connectivity is more expensive than in large cities. The ability to securely support activities such as email and web surfing using local broadband connections such as DSL means that mission-critical activities requiring MPLS can be supported by the same low-bandwidth connections currently in use.

Retailers are transforming their businesses with new applications such as mobile point of sales. Tablet deployment within stores and warehouses is growing along with Internet application usage. On top of this, more and more retail stores are offering their customers Guest WiFi hotspots. Retail stores’ Internet usage is therefore increasing in a way that the typical MPLS store connection cannot support cost-effectively. Adoption of hybrid networking is seen as the most appropriate answer for these stores, which are often located in well-connected cities that offer high-speed broadband connectivity (such as FiOS in the US, cable, and other broadband offerings).

Conclusion

Numerous trends are transforming business. Mobility enables us to do business from anywhere. The use of cloud services and software is on the rise.
Increasingly, multinational corporations are finding that they need a hybrid network infrastructure that uses MPLS where the business case justifies it but allows as much traffic as possible to traverse the public Internet, accompanied by leading edge cloud-based security. Decisions about the corporate network require a trusted advisor and partner that can help organizations take a hard look at their current infrastructure, their business requirements, and the array of options available to help them continue to offer their users a responsive, localized, productive experience, from any device, anywhere, any time, securely.

Source: Verizon & Zscaler EMEA Experts
Four Steps to Optimize Your Network for IaaS

The performance of IaaS-based applications is highly dependent on the networks used to support them. Enterprise networking and architecture staff must undertake specific activities to optimize performance and ensure consistent delivery of application networking services.

Key Challenges
• Differences in network services (such as routing, security and application delivery) between internal data centers and IaaS environments can cause issues when migrating applications between these environments.
• There are a broad range of enterprise use cases for IaaS, leading to a wide range of networking requirements that can only be met via a portfolio of vendor and architectural approaches.
• The performance of applications running in an IaaS cloud is highly dependent on connectivity to the enterprise, and the default connectivity may not be “good enough.”

Recommendations
Application and networking teams:
• Collaborate to quantify specific use cases and requirements.
• Ensure network consistency, for applications that may need to be moved between internal and IaaS deployments, with a portable suite of virtualized networking products.
• Maximize the back-end network performance between the enterprise’s data centers and the IaaS data centers.
• Optimize the front-end network between the users and the IaaS service to maximize the end-user experience.

Introduction
Many organizations are adopting infrastructure as a service (IaaS) for the promise of increased agility and elasticity, improved fault tolerance, and reduced capital expenditure. This is evidenced by:
• Gartner projects IaaS investments to continue to grow significantly (37.3% CAGR) through 2017.
• Gartner clients have searched for IaaS at a higher rate (7,112) than WAN (4,074) (note: search results include synonyms as well).
• Inquiry volume regarding IaaS from Gartner clients has increased 26% during the past 12 months, as compared with the prior 12 months.
• According to a PC Connection survey* of more than 500 organizations, 48% are investigating IaaS for public cloud services. Networking Is Often Overlooked In most organizations, the selection and initial deployment of workloads to an IaaS provider is typically led by development, architecture or line-of-business teams, versus traditional infrastructure or networking teams. In fact, nearly 80% of Gartner’s 3,400-plus client inquiries into IaaS over the past 24 months have been initiated by teams other than the IT infrastructure team. This can create gaps in performance, security or consistency, as infrastructure teams are typically well-versed in these aspects while other teams, such as architecture or application teams, are more focused on developing applications in a timely fashion. The teams selecting and procuring IaaS services often have basic networking knowledge and are looking to IaaS primarily for increased infrastructure agility. In many instances, infrastructure and networking teams are pulled in after the IaaS decision is made. Key Networking Considerations When considering IaaS from a provider, there are several networking challenges that must be addressed, including performance, security and maintaining the appropriate degree of homogeneity with internal data center network services. When designing IaaS environments, organizations are faced with a microcosm of their internal network decisions, including IP addressing, VPN, firewall, application delivery and load balancing. From the Gartner Files: *
While many cloud providers offer basic networking services, organizations must determine if these “vanilla” services are good enough for their specific use cases and requirements. For example:
• Most IaaS providers offer only basic load-balancing services versus a full suite of application delivery services.
• Several IaaS providers offer limited VPN capability in terms of the number of tunnels that can be configured and/or the encryption strength that can be used.
• Default IaaS connectivity is via the public Internet, which has no end-to-end SLA or capability to provide elevated levels of quality of service.

Enterprise networking teams need to act to ensure that their IaaS deployments are supported by appropriate network architectures, or risk poorly performing IaaS-based applications and a lack of consistency between the internal and IaaS networking environments, which can be a major obstacle to enabling application mobility in a hybrid cloud model.

Analysis

Application and Networking Teams Must Collaborate to Quantify Specific Use Cases and Requirements

Since IaaS initiatives are often being led by noninfrastructure personnel, infrastructure teams should press for a cross-functional effort to ensure appropriate performance, availability and consistency with existing data center services. These teams must collaborate to identify the following:
• Existing and proposed workloads and use cases delivered via IaaS. This includes identifying existing IaaS providers.
• The associated performance and availability requirements of workloads. Performance should be focused on application response time, as measured from the end-user perspective.
• Where the workloads will ultimately reside (that is, will they remain in the cloud or “return” to traditional corporate data centers?).
• The appropriate degree of homogeneity or consistency required with existing network services, including VPN, firewall, intrusion detection system (IDS)/intrusion prevention system (IPS), WAN optimization controller (WOC), application delivery controller (ADC), Web application firewall (WAF) and data loss prevention (DLP).

The networking team can then develop a cloud networking architecture that accommodates these requirements. Typical mainstream IaaS workloads can be categorized as cloud-native applications, e-business hosting, general business applications, enterprise applications, test/development/QA and batch computing (see Note 1). These workloads often have dramatically different requirements, as illustrated in Table 1.

Table 1. Typical Networking Needs of Different IaaS Workloads

Workload                        Performance Need   Availability Need
Cloud-Native Applications       High               Moderate
E-Business Hosting              High               High
General Business Applications   High               Moderate
Enterprise Applications         High               High
Test, Development and QA        Good Enough        Good Enough
Batch Computing                 High               Moderate
Disaster Recovery               High               High

Source: Gartner (December 2013)

Organizations should inventory their specific workloads and applications on a per-IaaS-provider basis, and identify specific performance and availability requirements for each. This will provide the basis to ensure performance and availability requirements are met from the networking perspective. Organizations must identify where these workloads are ultimately destined to be run: in the IaaS cloud permanently, versus “coming back” to traditional data centers for the production phase after test and development in IaaS. Based on these requirements, the enterprise’s networking teams need to determine the degree of consistency required with existing network services. For example, many organizations have remarked to Gartner that they have difficulty in bringing test/development workloads “back” to private data centers for production, due to security or ADC configuration mismatches between the IaaS provider and corporate IT services. Similarly, organizations that utilize their IaaS provider for disaster recovery will likely want to maintain a high degree of consistency between their existing network services and what resides in the IaaS provider’s network, to simplify business continuity activities. Once these criteria have been determined, testing of the network performance and functionality should be factored into the vendor selection and adoption process.

Ensure Network Consistency, for Applications That May Need to Be Moved Between Internal and IaaS Deployments, With a Portable Suite of Virtualized Networking Products

Enterprises frequently develop and test applications in an IaaS environment with the intention of moving the application to their own data center for the production phase. However, Gartner clients report that in many cases they face issues when they attempt to move the application back in-house, because they have used the networking functionality embedded in the IaaS service, such as routing, firewalling and load balancing, which operates differently in their internal environments. When they attempt to move the application in-house, they are unable to easily replicate these configurations on their own networking platforms. The cost and time required to re-engineer and test the changes are unacceptable. As a result, the application is often kept in the IaaS environment for production deployment, despite the high usage costs this incurs.
A similar issue can occur when trying to move an in-house application to an IaaS environment, where differences in replicating the networking environment can restrict the enterprise’s ability to move applications and/or deliver equivalent outcomes when they do so. The networking functionality provided as part of IaaS offerings is often very limited compared with that found on enterprise platforms. For example, IPsec VPNs may be limited to 128-bit encryption versus the 256-bit or more possible on enterprise platforms (in practice, which IKE versions, cipher suites and Diffie-Hellman groups the provider supports, and whether they can be pinned to the enterprise standard, matter more than the nominal key length). Basic load balancing is often supported, but not the content acceleration needed to boost performance for remote users. Even when the functionality is adequate, it can be challenging to replicate a configuration between internal and IaaS-provided platforms, such as developing an equivalent set of firewall rules in both environments.

To address this issue, and ensure consistent networking functionality between internal and IaaS environments, the networking team needs to develop a portable suite of networking products. This requires using virtual machine versions of the networking devices the enterprise uses internally, such as:
• Routers
• WOCs
• ADCs
• Firewalls

Or using cloud-based services, which can be applied equally to internal or IaaS environments, such as:
• Secure Web gateway as a service
• WOC as a service

Most vendors of enterprise networking equipment now have virtual machine editions of their appliances. However, the enterprise’s networking team needs to do more than simply confirm the availability of a virtual edition of their products. It needs to:
• Put in place the commercial arrangements to acquire the virtual editions of these products.
• Determine the necessary maintenance and management services to support them. (If devices, such as routers and WOCs, are provided as part of a managed network service, enterprises will need to work with their managed network service provider to determine how these devices will be deployed and supported.)
• Gain hands-on experience with these products and/or cloud services, determine how they should be configured and combined in an IaaS environment, and test these configurations.
• Determine the IaaS resources that these products will need to deliver different levels of performance and resilience.

The objective should be to have a preconfigured suite of virtual networking products and services, with a known IaaS footprint, fully tested and ready to be deployed on demand whenever IaaS is used. Network architects should require that this suite of capabilities is used whenever the organization uses IaaS, rather than the functionality embedded in the IaaS service. Any incremental cost arising from this approach will be more than offset by the reduced time and effort required to re-engineer the applications and networks later. Enterprises should also make the availability of virtual versions of networking products a requirement for future network equipment sourcing decisions, for products such as ADCs, WOCs, routers and network security. Enterprises should make the availability of their preferred networking products one of their selection criteria when choosing IaaS providers.

Maximize the Back-End Network Performance Between the Enterprise’s Data Centers and the IaaS Data Centers

Most enterprises’ applications are intertwined with other applications and systems within the enterprise. For example, an e-commerce website will link to back-end payment systems, customer databases and stock control systems. These back-end connections, between the IaaS-hosted application and in-house systems, typically require low latency and substantial bandwidth to ensure optimal performance. In instances where an enterprise is using multiple IaaS centers, there may be a need for back-end traffic between the different IaaS providers’ centers. Finally, in the case of dynamic use of IaaS services, such as “cloudbursting,” additional capacity may be needed when the application images need to be moved to and from the IaaS environment.

Connectivity Is Paramount

Minimizing the physical distance between the enterprise’s data centers and the IaaS provider’s centers will not only reduce latency, but also typically reduce networking costs, and should be included as one of the decision-making criteria when selecting IaaS providers.
However, when IaaS services are being used as part of a disaster recovery solution there may be a minimum separation requirement between the enterprise’s and the IaaS provider’s locations. For test and development environments, high-capacity Internet services will normally be adequate. When production workloads are being run in the IaaS environment, high-bandwidth, low-latency services, such as wavelength or Ethernet services, should be preferred, although higher-capacity (1 Gbps and 10 Gbps) MPLS services may be suitable when available. For business-critical production applications, these links will need fully diversely routed access lines and diverse backbone routing. The good news is that both the enterprise’s data center and the cloud provider’s center will typically already have diversified access in place. If virtualized workloads are to be moved between the enterprise data center and the IaaS environment (for example, long-distance vMotion), then Layer 2 (Ethernet) adjacency and virtual LAN (VLAN) extension between the enterprise’s data center and the IaaS environment will be required, making MPLS services and Internet VPN connectivity less attractive. The bandwidth required between the enterprise’s data center and the cloud center can be highly variable and difficult to predict, as workloads move back and forth between data centers and cloud centers. As a result, enterprises should ensure they have high-capacity access lines and, if available, “bandwidth on demand” services, allowing them to adjust capacity at short notice. In the longer term, software-defined networking (SDN) should allow even greater flexibility to adjust capacity, although understanding the cost implications of such volume/capacity-related charges is vital to avoid unexpectedly high costs.

Where IaaS providers do not allow direct connectivity to their data centers, enterprises will need to establish connections to the providers’ “direct connect” locations, which will often be at hub sites (for example, Equinix), where access to multiple cloud and network providers will be possible.

WAN Optimization

Where latency between an enterprise’s data center and the cloud center is high (typically greater than 10 ms round-trip delay), and/or bandwidth is expensive, it may also be beneficial to deploy WAN optimization to reduce bandwidth and mitigate the impact of latency. Vendors such as Silver Peak and Riverbed offer high-capacity WAN optimization, support application and data center protocols, and are available embedded in leading IaaS offerings. WOC solutions typically reduce the impact of latency significantly (30% to 70%), as well as reduce bandwidth (35% to 70%), but can cost several hundred thousand dollars for a multigigabit configuration.

IP Addressing

Enterprises will need to consider how IP addressing is managed between their own data centers and the IaaS service. The IaaS vendor may provide its own IP addresses for the virtual machines, or may allow the enterprise to use its own public or private IP addresses and isolate the virtual machines in one or more VLANs. Depending on what addressing capabilities the IaaS provider offers, enterprises may need to provide network address translation between the IaaS environment and their data centers, and/or may need tunneling between the IaaS service and their own data centers. A virtual router capable of supporting complex routing tasks is therefore highly desirable.

Optimize the Front-End Network Between the Users and the IaaS Service to Maximize the End-User Experience

IaaS is often used to support external (Internet or extranet) user-facing applications. IaaS providers typically have good Internet connectivity readily available. However, for intranet applications, where good performance is often vital, there are a number of connectivity options, and for all applications, network-level services can be used to enhance security, ease of use and performance.

Connectivity Options for Intranet Users

There are several connectivity options to deliver IaaS-hosted production applications to intranet users, with different cost and performance trade-offs:
• Connecting the IaaS service directly to the enterprise’s WAN provider’s backbone – A growing number of MPLS providers are extending their services into IaaS-hosting centers, or “direct connect” locations, which are connected to the IaaS center. This allows the enterprise to add the IaaS center as a location on their WAN, as if it was another of their data centers (for example, Verizon with Equinix, or AT&T with IBM and CSC). Since the provider’s edge router is in the IaaS data center, access costs should be almost zero, resilience inherent and provisioning lead times low.
• Adding the IaaS services’ centers as “sites” on the enterprise WAN – If the enterprise’s MPLS provider does not have a point of presence (POP) in the IaaS provider’s data center, it is still possible for the enterprise to arrange for a router, WAN optimizer and any other required devices to be provisioned, either as physical devices in colocation space in the same data center, or as virtual machines running on the IaaS service and connected over an access line to the enterprise WAN. This approach will have longer lead times and higher costs than direct WAN backbone connectivity, as access lines will need to be installed from the WAN provider’s POPs to the IaaS centers.
• Routing user traffic back to the enterprise data center over the back-end connectivity – This can be reasonably effective provided it does not add significant latency to the end-to-end path, or result in single points of failure. Quality of service (QoS) will be needed on shared links to ensure front-end and back-end traffic cannot interfere with each other.
• Accessing the intranet application over the Internet – If the enterprise allows local Internet breakout at its branch locations, then users can access their own organization’s IaaS-based applications over the public Internet. Security will need to be addressed with IPsec or SSL/TLS tunnels. Performance will usually be lower than with direct WAN connectivity, and the reliability of Internet access at the branch may need to be improved.

Each of these options will have different reliability, performance and cost characteristics, which will depend on the specific circumstances. (For example, does the enterprise have local Internet breakout at all sites? Does the enterprise’s MPLS provider offer direct connectivity to the IaaS provider?)
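The IP Addressing discussion above leaves the decision (NAT, renumbering or plain routing over a tunnel) to the enterprise. The check below is an added example, not code from the Gartner text or from Verizon or Zscaler: it takes a constructed enterprise address plan and a proposed cloud block, detects overlaps with the standard library, and returns either the tunnel routes for the non-overlapping case or a renumbering target plus a 1:1 NAT rule for the overlapping one. The prefixes, the `tunnel0` interface name and the NAT rule syntax are assumptions for illustration only.

```python
"""Pre-flight IP addressing check for joining an IaaS block to the enterprise network.

Added example, not from the Gartner/Verizon/Zscaler text. Prefixes and the
route/NAT syntax below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the enterprise's RFC 1918 plan (assumed, not from the page).
ENTERPRISE_PREFIXES: List[str] = ["10.0.0.0/12", "10.32.0.0/16", "192.168.100.0/24"]


def overlaps(cloud_cidr: str, enterprise: List[str]) -> List[str]:
    """Enterprise prefixes that collide with the proposed cloud block."""
    cloud = ipaddress.ip_network(cloud_cidr, strict=True)
    return [p for p in enterprise if cloud.overlaps(ipaddress.ip_network(p))]


def free_block(enterprise: List[str], prefix_len: int, within: str = "10.0.0.0/8") -> str:
    """First block of the requested size inside `within` that collides with nothing."""
    used = [ipaddress.ip_network(p) for p in enterprise]
    for candidate in ipaddress.ip_network(within).subnets(new_prefix=prefix_len):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    raise ValueError(f"no free /{prefix_len} inside {within}")


def plan(cloud_cidr: str, enterprise: List[str]) -> Dict:
    """Decide how the cloud block can be attached to the enterprise data centers."""
    conflicts = overlaps(cloud_cidr, enterprise)
    if not conflicts:
        # No collision: treat the cloud block as one more site and route it over the
        # tunnel (or the MPLS "direct connect" circuit) without translation.
        return {
            "mode": "route",
            "cloud_cidr": cloud_cidr,
            "tunnel_routes": [f"route {p} via tunnel0" for p in enterprise],
        }
    # Collision: renumber the cloud side while it is still cheap to do so, or hide
    # it behind 1:1 NAT so that the data centers see a non-conflicting block.
    alt = free_block(enterprise, ipaddress.ip_network(cloud_cidr).prefixlen)
    return {
        "mode": "nat-or-renumber",
        "cloud_cidr": cloud_cidr,
        "conflicts": conflicts,
        "renumber_to": alt,
        # 1:1 (static) NAT keeps routing symmetric and avoids port exhaustion.
        "nat_rule": f"static-nat inside {cloud_cidr} outside {alt}",
    }


if __name__ == "__main__":
    for candidate in ("10.20.0.0/16", "10.5.0.0/16"):
        print(candidate, "->", plan(candidate, ENTERPRISE_PREFIXES))
```

Run it before the provider allocates the block: a collision found at this stage costs a renumbering of an empty VPC, while one found after workloads are deployed forces the NAT path, which every firewall rule and log source on both sides then has to account for.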
In many cases, the IaaS location will be farther away from the enterprise’s branch sites than their own data centers, resulting in higher latency between the user and the application and potential performance degradation. This will strengthen the case for deploying WAN optimization on the enterprise’s WAN, to reduce bandwidth and offset the impact of latency on application performance. WAN optimization can also reduce the need to run multiple instances of an IaaS-based application in different geographies to ensure adequate performance. Physical WOC appliances in the enterprise’s branches and data centers can be complemented by virtual WOCs in the IaaS center, cloud-based WAN optimization services or even public content delivery network (CDN) services.

Network Services for Internet and Intranet Users

In addition to connectivity, there are several other networking aspects that still need to be addressed in order to deliver a consistent and optimized application experience to the end user, while minimizing support efforts and risk.
These network services will typically be required regardless of whether the application users are internal or external. These include:
• Performance optimization using ADC functionality
• Integration with the IP-addressing and DNS services used by the enterprise
• Ensuring consistency with firewall measures, including application firewalling
• Enabling transport security features, such as SSL and IPsec VPNs

The enterprise’s networking teams should determine how each of these networking functions will be delivered for the IaaS-based applications, and ideally ensure the same standards, resilience and management processes (for example, how encryption keys are managed and who can administer firewall rules) are employed as are used for comparable internally hosted applications.

Note 1. Typical IaaS Use Cases

Cloud-native applications. These are applications specifically architected to run in a cloud IaaS environment, using cloud transaction processing (TP) principles.

E-business hosting. These are e-marketing sites, e-commerce sites, SaaS applications, and similar modern websites and Web-based applications. They are usually Internet-facing. They are designed to scale out and are resilient to infrastructure failure, but they might not use cloud TP principles.

General business applications. These are the kinds of general-purpose workloads typically found in the internal data centers of most traditional businesses; the application users are usually located within the business. Many such workloads are small, and they are often not designed to scale out. They are usually architected with the assumption that the underlying infrastructure is reliable, but they are not necessarily mission-critical. Examples include intranet sites, collaboration applications such as Microsoft SharePoint, and many business process applications.

Enterprise applications. These are general-purpose workloads that are mission-critical, and they may be complex, performance-sensitive or contain highly sensitive data; they are typical of a modest percentage of the workloads found in the internal data centers of most traditional businesses. They are usually not designed to scale out, and the workloads may demand large VM sizes. They are architected with the assumption that the underlying infrastructure is reliable and high-performance.

Test, development and quality assurance. These workloads are related to the development and testing of applications. They are assumed not to require high availability or high performance.

Batch computing. These workloads include high-performance computing (HPC), big data analytics and other workloads that require large amounts of capacity on demand. They do not require high availability, but may require high performance.

Source: Gartner Research, G00259040, Neil Rickard, Andrew Lerner, 20 December 2013
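The portable-suite section (an equivalent set of firewall rules in both environments) and the Network Services list (consistency with firewall measures, and control over who can administer firewall rules) both reduce to one engineering task: keep a single source of truth for the policy, generate each environment’s rule set from it, and check the deployed rule sets back against it so that ad hoc console changes on the IaaS side show up as drift. The script below is an added example, not code from the Gartner text or from Verizon or Zscaler. The policy schema, the iptables-style rendering for the internal platform and the security-group-style rendering for the cloud side are assumptions chosen for illustration; the sample policy and addresses are constructed.

```python
"""Firewall policy kept consistent between the internal data centre and an IaaS tenancy.

Added example, not from the Gartner/Verizon/Zscaler text. The policy format and
both rendering targets are assumptions for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Canonical rule: (action, proto, src_cidr, dst_cidr, dst_port)
Rule = Tuple[str, str, str, str, int]

# Constructed sample policy for an IaaS-hosted web tier; addresses are assumptions.
POLICY: List[Dict] = [
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0",    "dst": "10.20.0.0/24", "port": 443},
    {"action": "allow", "proto": "tcp", "src": "10.0.0.0/8",   "dst": "10.20.0.0/24", "port": 22},
    {"action": "allow", "proto": "tcp", "src": "10.20.0.0/24", "dst": "10.1.5.0/24",  "port": 5432},
]


def canonical(policy: List[Dict]) -> Set[Rule]:
    """Normalise the source policy: host bits stripped, lower case, order ignored."""
    out: Set[Rule] = set()
    for r in policy:
        src = str(ipaddress.ip_network(r["src"], strict=False))
        dst = str(ipaddress.ip_network(r["dst"], strict=False))
        out.add((r["action"].lower(), r["proto"].lower(), src, dst, int(r["port"])))
    return out


def render_iptables(policy: List[Dict]) -> List[str]:
    """Internal target: default-drop FORWARD chain with one rule per policy entry."""
    lines = ["-P FORWARD DROP"]
    for r in policy:
        target = "ACCEPT" if r["action"] == "allow" else "DROP"
        lines.append(f"-A FORWARD -p {r['proto']} -s {r['src']} -d {r['dst']} "
                     f"--dport {r['port']} -j {target}")
    return lines


def render_security_group(policy: List[Dict]) -> List[Dict]:
    """IaaS target: allow-list entries only. The cloud side has an implicit deny,
    so explicit deny rules cannot be expressed there and are dropped here."""
    return [{"IpProtocol": r["proto"], "FromPort": r["port"], "ToPort": r["port"],
             "CidrIp": r["src"], "Target": r["dst"]}
            for r in policy if r["action"] == "allow"]


_IPT = re.compile(r"-A FORWARD -p (\S+) -s (\S+) -d (\S+) --dport (\d+) -j (ACCEPT|DROP)$")


def parse_iptables(lines: List[str]) -> Set[Rule]:
    """Read back the deployed internal rule set (the shape `iptables -S FORWARD` prints)."""
    out: Set[Rule] = set()
    for line in lines:
        m = _IPT.match(line)
        if m:
            proto, src, dst, port, target = m.groups()
            out.add(("allow" if target == "ACCEPT" else "deny", proto, src, dst, int(port)))
    return out


def parse_security_group(entries: List[Dict]) -> Set[Rule]:
    """Read back the deployed cloud allow list."""
    return {("allow", e["IpProtocol"], e["CidrIp"], e["Target"], int(e["FromPort"]))
            for e in entries}


def drift(expected: Set[Rule], deployed: Set[Rule]) -> Dict[str, Set[Rule]]:
    """Rules missing from, or unexpectedly present in, a deployed environment."""
    return {"missing": expected - deployed, "unexpected": deployed - expected}


if __name__ == "__main__":
    want = canonical(POLICY)
    ipt = render_iptables(POLICY)
    sg = render_security_group(POLICY)
    # Simulate an operator adding an ad hoc RDP rule in the cloud console only.
    sg.append({"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
               "CidrIp": "0.0.0.0/0", "Target": "10.20.0.0/24"})
    print("internal:", drift(want, parse_iptables(ipt)))
    print("cloud:   ", drift(want, parse_security_group(sg)))
```

Two points the comparison surfaces that a side-by-side reading of two consoles would not: the security-group target cannot express a deny rule, so any explicit deny in the source policy reports as “missing” on the cloud side and has to be enforced some other way (or the policy rewritten as pure allow-list); and the drift check only has value if the console is not the source of truth, which is the access-control question the Network Services paragraph raises about who may administer firewall rules.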
About Verizon Enterprise Solutions and Zscaler

Is Your Network Cloud-Ready? A European Perspective is published by Verizon Enterprise Solutions and Zscaler. Editorial content supplied by Verizon Enterprise Solutions and Zscaler is independent of Gartner analysis. All Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients. © 2014 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Verizon Enterprise Solutions and Zscaler’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website, http://

About Verizon Enterprise Solutions

Verizon Enterprise Solutions provides intelligent networks, cloud, mobility, managed security and machine-to-machine (M2M) solutions to the world’s most successful companies. With industry-specific solutions and a full range of global wholesale offerings, Verizon Enterprise Solutions helps open new opportunities around the world for innovation, investment and business transformation. Visit verizonenterprise.com or the Verizon Enterprise Solutions News Center to learn more.

About Zscaler

Zscaler is transforming enterprise security with the world’s largest Security Cloud built from the ground up to safely enable users doing business beyond the corporate network. Zscaler’s Security Cloud processes over 12 billion transactions a day with near-zero latency to instantly secure over 12 million users in 180 countries, with no hardware or software required. More than 4,500 global enterprises are using Zscaler today to simplify their IT operations, consolidate point security products, and securely enable their business for mobility, cloud and social media. Visit us at