How does a cloud-first strategy impact your campus network design and operations?
I’m currently helping a client migrate their campus networks to a new platform. As a Saleforce.com solution provider, they are all in on the public cloud. All collaboration is SaaS-based, including telephone services. The project forces me to re-think all I know about traditional campus and wide-area networking. Couple that with Gelstalt IT hosting me at a Network Field Day Exclusive (NFDx) at 128-Technology, and I come away with some new areas to ponder going into VMworld 2019.
The traditional view of campus computing comprised of a bunch of Active Directory-managed Windows clients, some telephony, and a local virtualization cluster. There’s a hard shell around this traditional design. The edge of the campus may include a multi-function router edge device that terminated dedicated circuits or VPN access back to the data center. Somewhere on that campus may be a server closest hosting a small virtualization cluster providing file, print, security, and desktop system management workloads. All of these workloads were in support of a data center-centric design.
IT infrastructure managers understand this model well. Except for guest Wifi, only managed devices ever connected to the production network (at least in theory). The production devices had controlled access to the data center resources. If connectivity proved constrained, network managers had knobs they could turn such as increasing bandwidth, quality of service (QoS), and WAN acceleration to improve the end-user experience. In hindsight, troubleshooting connectivity was relatively simple. All services existed in only a few locations. By today’s standard, isolating performance issues seems simple. Cloud-first services change all of these elements of the traditional campus network.
Bring Your Own Device
It starts with the bring your own device movement (BYOD) of the cloud. I can walk into the local electronics store and pick up a PC or Tablet and become productive in less than ½ hour. That’s the beauty of cloud-based services. There are no fat client apps that I must wait for my IT team to approve and install. My data exists in a cloud SaaS provider, so I don’t worry about restoring my working datasets. I only needed a reasonably fast broadband connection.
For a knowledge shop with only a few employees and contractors, this works exceptionally well. However, at scale, we run into challenges. Remember the traditional view; we had a hard shall around the campus. Part of that hard shell is device management and control. If a non-approved device connects to the network, the local security features of the campus will prevent these devices from connecting to protect data back at the data center.
When I worked for VMware, they used their EUC suite to make this a possibility. I could do all of my VMware related work from any laptop or tablet I owned. The only friction was the two-factor authentication required to get onto network hosted solutions. If I choose to use my VMware issued machine, I could ditch the two-factor. I remain impressed with the end-user experience.
VMware is on one side of the maturity spectrum that most companies haven’t reached yet. Also, I’m not privy to the details of how VMware handled proper campus locations that housed hundreds or thousands of employees. Most companies I encounter still want to maintain that hard shell for concentrated workforces.
Maintaining a Hard Shell
If you aren’t going to use a EUC product from the likes of VMware and Citrix, you must ask yourself, where does your security posture start? Do you want to control data stored on physical machines? Or, is just leveraging two-factor authentication ensuring the identity of the person accessing the data via a browser enough security?
Depending on your answer to this very fundamental question will determine if BYOD is even a realistic approach. You may still need those VM’s running security, authentication (AD), and management software if you take an OS up approach. If you choose to leverage browser only applications, you can focus security at the application layer.
How do you want the campus to connect to cloud-hosted collaboration services? Do you want all connectivity going through a VPN to your data center or point-of-presence and some firewall controlling connectivity to the cloud? Or do you want each campus to access the cloud-based resources directly? What capabilities do you want to have to control access, troubleshoot connectivity, and management point-to-point VPN’s for inter-campus traffic for voice and video collaboration? Is VPN even the right technology approach if all that traffic is encrypted?
After answering these questions, you begin to look at solutions from companies like 128-Technology versus traditional WAN products. 128-Technology takes the approach that SD-WAN services are part of a general routing platform. In our cloud-first use case, the 128-Technology solution collapses the connectivity, SD-WAN, and network security capabilities into a single white box solution. They have the luxury of being built from the ground up in the age of cloud-first. It’s worth it to look at the video series from the NFDx event.
A migration from a data center-centric design to a cloud-only design doesn’t stop at the data center. There are repercussions down to the campus and individual end-user. A non-trivial amount of thought and preparation must be made to consider your security posture and user experience. Before you initiate a full-on migration to the cloud, thoroughly assess your compass end-user compute need.
Don’t forget to subscribe to the CTO Advisor Newletter