Office 365 doesn’t work well in a traditional hub-and-spoke corporate network. There. I said it. If enterprises don’t transform legacy networks to accommodate Office 365, their end users will force them to. (Full disclosure: Zscaler is a Microsoft partner.)
Gartner predicts that cloud software revenues will grow more than 17% in 2019. Driving that market surge is end-user demand for SaaS applications, a market category that, according to Gartner, will reach $85 billion in revenues this year. At Zscaler, we have seen Office 365 traffic grow from 2% to over 20% of overall internet bandwidth consumption in enterprises. The previous champion of bandwidth consumption, YouTube, now accounts for nearly 12% of internet usage. The internet is becoming the new corporate network for running mission-critical business applications.
Traditional hub-and-spoke corporate networks were never designed for mobile and cloud-first enterprises. These architectures rely on centralized gateways to connect the internal “trusted” network with the external “untrusted” network (the internet). This worked well when users were on the internal network and applications were hosted within the enterprise. Branch offices were connected to headquarters over expensive MPLS backhaul links. Network security was deployed at the HQ gateway in the form of security appliances like firewalls and proxies that inspected traffic moving between the trusted and untrusted network boundary.
Fast-forward to today. Workforces are mobile and applications are moving to SaaS or cloud. Imagine employees sitting in a Los Angeles branch office for a business headquartered in New York. There is a traditional hub-and-spoke network with an internet gateway at HQ. The business has adopted Office 365. Instead of getting the fast, nimble experience that modern SaaS applications like Office 365 promise, branch-office users get latency and slow performance, as transactions get routed coast to coast to access the internet via New York. Internet-bound traffic volume explodes and so do MPLS costs. SaaS application providers implement agile changes, and IT struggles to keep up with managed gateways and must upgrade appliances running out of juice due to increased traffic.
The fundamental problem here is that a modern SaaS application, designed to be located as close to the user as possible, is bottlenecked by a traditional network that isn’t.
A better network architecture alternative is to give branch offices and remote employees access to the internet and SaaS directly and not via convoluted paths. It’s a common-sense approach, but it leads to tough questions: How do you protect it? How do you secure a network you don’t control or manage anymore? How can branch offices and remote employees get the same level of security everywhere while enjoying the benefits of local access?
In this new world, you need to rethink security. You need an approach that is network, device and cloud agnostic. In the same way Office 365 delivers applications as a service, security should be delivered as a cloud service. In this new architecture, users connect securely to applications using the best possible network. The center of gravity of the application and the security stack that sits between the user and destinations moves to the user. Protecting users and delivering awesome user experience become the primary objectives for IT instead of trying to protect the network and inconveniencing users with a castle and moat at HQ.
So how do you transform your network to a direct-to-cloud model? Here are five steps:
1. Revisit MPLS and WAN strategy: Office 365 traffic should travel the shortest path. Is your MPLS forcing unnecessary traffic-backhauling that causes network latency and jitter? That results in degraded performance, especially for latency-sensitive applications like Skype or bandwidth-heavy functions like file-sharing. How many internet egress locations do you have? Microsoft offers dozens of “front-door” locations worldwide. Are your global users able to access all of them?
2. Consider SD-WAN: Software-defined WAN simplifies remote connectivity and efficiently connects your branches to the internet and HQ. Businesses that move to a direct-to-cloud network can cut WAN costs. This can result in millions of dollars in annual savings for a large distributed enterprise. Significant capital expenses can be eliminated by not having to frequently upgrade gateway appliances to deal with increasing traffic. Operational costs associated with managing those on-premise appliances are also drastically reduced.
3. Simplify proxies and firewalls: SaaS applications constantly update their service IPs, URLs and port requirements. Office 365 in a traditional hub-and-spoke network environment requires IT to continuously react and update firewall and proxy configurations. That’s costly, error-prone and tedious. Consider automating and simplifying firewall and proxy settings across your organization. A good cloud security gateway can automatically manage this with one-click policies that securely connect a user to a desired application. In addition, it can provide centralized visibility and control over who accesses which applications.
4. Use identity as your perimeter: The internet is your new corporate network. Identity should be your new perimeter. Consider moving to a modern single sign-on (SSO) identity management system. Leveraging standards such as SAML will allow you to integrate business-critical SaaS applications with your corporate directory. Modern identity providers also support sophisticated conditional-access-based authentication that can enable user access based on device, location, security posture and other attributes.
5. Decouple applications from the network: Internal IT applications generally require users to be on the corporate network. Conversely, modern SaaS applications are network agnostic. Consider software-defined perimeter-based modern access systems that securely connect users to internal applications based on policy. Decoupling internal applications from the network they run on vastly simplifies network complexity and reduces your attack surface. It will also make your internal applications agile, giving you the flexibility to lift and shift them from on-premise to cloud.
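As an added illustration of step 3 (example code, not from Zscaler or the original article): a small Python script that turns an endpoint feed into firewall/proxy rules, diffs them against the allowlist currently deployed, and separates the categories that should egress directly at the branch from those that stay behind the inspecting proxy. The feed layout follows the field names of Microsoft's public Office 365 endpoint web service, but every entry, prefix and hostname below is constructed, not real data.

```python
import ipaddress
import json

# Constructed sample feed. It mirrors the field layout of Microsoft's Office 365
# endpoint web service (serviceArea, category, urls, ips, tcpPorts, udpPorts),
# but every prefix and hostname here is documentation/test space, not real data.
SAMPLE_FEED = json.loads("""[
 {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
  "urls": ["outlook.office.com"], "ips": ["203.0.113.0/24", "2001:db8:1::/48"],
  "tcpPorts": "443"},
 {"id": 2, "serviceArea": "Skype", "category": "Optimize", "required": true,
  "ips": ["198.51.100.0/25"], "udpPorts": "3478,3479"},
 {"id": 3, "serviceArea": "Common", "category": "Default", "required": false,
  "urls": ["*.cdn.example"], "tcpPorts": "80,443"}
]""")

def _ports(spec):
    """'80,443' -> [80, 443]; an absent field means no rules for that protocol."""
    return [int(p) for p in spec.split(",")] if spec else []

def expand_rules(feed):
    """Flatten a feed into hashable (category, proto, destination, port) rules.
    IP prefixes are normalised so that differently written equal networks compare
    equal; a malformed prefix raises instead of silently becoming an allow rule."""
    rules = set()
    for entry in feed:
        dests = [str(ipaddress.ip_network(ip, strict=False)) for ip in entry.get("ips", [])]
        dests += entry.get("urls", [])
        for proto, key in (("tcp", "tcpPorts"), ("udp", "udpPorts")):
            for port in _ports(entry.get(key)):
                for dest in dests:
                    rules.add((entry["category"], proto, dest, port))
    return rules

def diff_rules(current, desired):
    """Return (to_add, to_remove) so the deployed allowlist matches `desired`."""
    return desired - current, current - desired

def split_by_path(rules):
    """Optimize/Allow endpoints egress directly from the branch; everything else
    (the 'Default' category) stays behind the inspecting proxy."""
    direct = {r for r in rules if r[0] in ("Optimize", "Allow")}
    return direct, rules - direct

if __name__ == "__main__":
    desired = expand_rules(SAMPLE_FEED)
    stale = {("Optimize", "tcp", "192.0.2.0/24", 443)}  # constructed: a retired prefix
    add, remove = diff_rules(stale | {r for r in desired if r[3] == 443}, desired)
    print(f"add {len(add)} rule(s), remove {len(remove)} rule(s)")
```

Running the diff on every feed change, rather than editing appliance configuration by hand, is what keeps the allowlist from drifting as Microsoft retires and adds prefixes.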
If you’re planning on transforming your network to a direct-to-cloud model, Office 365 can be the catalyst to make that change happen.