The corporate network, once a great enabler of business productivity, is rapidly becoming an obstacle. This leaves CIOs with no choice but to make a strategic withdrawal away from defending global, integrated corporate networks and towards smaller, more defensible and relevant perimeters. There is no other way forward.
The Corporate Network Meets Modern IT
The cloud is the tipping point. IT architects have discovered that, as they move to SaaS accounts such as Office 365 and lift-and-shift workloads to Cloud Data Centers, their extensive global corporate network is rapidly becoming a fancy, expensive guest network. Increasingly, as packets spill out of user devices onto the corporate network, the vast majority are destined to traverse the Internet. And much of the traffic that remains on the internal network is for relatively mundane operations.
This realization is a smack upside the head to those who have assumed that the life of owning and operating a corporate network is one of continual refresh to newer and enhanced networking and security products, constant upgrades, and network budgets of hundreds of millions of dollars per year. All that money just to give office-based workers a path to cloud-based e-mail? To the lunch menu server?
The Strategic Withdrawal
The traditional network is no longer an efficient, complete, or effective environment on which to deliver the availability, agility and security requirements of the modern enterprise. In reaction to this, many corporations are re-forming their network architecture and investment strategy around the concept of “concentric circles” of application delivery and data access.
In the core circle are the applications that drive the business, deliver differentiation, and determine the brand. In the next concentric circle are apps that are needed for workflow efficiency but are either vanilla in nature or relatively benign in terms of the impact of a security breach. The outermost circle contains only the networking functions required for guest access and for communication over networks not owned and controlled by the enterprise, such as the Internet and networks within Cloud Data Centers.
Often, the inner circle represents only 10-20% of the applications run in a traditional enterprise, with roughly the same percentage of users authorized to access them. Maintaining a high-cost, high-function global network for that 10-20% of the overall usage is extremely inefficient.
So how are enterprises addressing that inefficiency? It is not as if you can physically divide the network into two separate networks for the 20% and the 80%. This is not a physical view of the world but a virtual one. The apps in either concentric circle may be delivered internally, moved to Cloud Data Centers, or outsourced to SaaS. The authorized users are spread out all over the place and constantly moving.
The idea of creating physically segmented access networks and data centers is implausible, as is the sister idea of doing the same thing at the network layer using VLANs, subnetting, firewall rules, and ACLs.
A Strategic Withdrawal… to Higher Ground
What many enterprises are realizing is that the role of the corporate network has been reduced to getting packets from point A to point B as reliably and cost-effectively as possible. Often, point B is a transfer point to another network, like the Internet. The network has become a simple utility. It does not make sense to spend a lot of time and money on enhanced and expensive functions in this utility.
It does make sense for enterprises to concentrate their money, time, and expertise on ensuring the security, availability, and performance of their core applications. This leads to a careful retreat from ongoing investment in traditional packet-defined architectures toward an architecture that defines and controls connectivity at higher layers (L4-L7).
This new architecture can hide high-value apps from untrusted users and devices that share common networks, and allow access only on an application-by-application basis once trust is established. The result: a set of dynamic “communities of interest” centered on each core application, communicating securely over the network (or multiple networks) yet invisible to all other users, devices, and adversaries on the same network. This is sometimes called “Zero Trust” networking.
An L4-L7 based architecture can deliver this value whether applications are delivered from an internal data center, a Cloud Data Center, or a SaaS account. By operating above the network layer, it enables all kinds of hybrid and migration strategies.
This model, in which connectivity is defined and controlled independently of the underlying network, allows corporations to focus their security talent and spending only on the subset of the infrastructure that delivers the core applications. The network becomes a simpler underlying utility. Who cares if someone gets on the network if they cannot do anything except access the Internet? No NGFW, no NAC, no network encryption, no IDS/IPS, no rush to deploy security patches, incident response focused just on the 20%, and so on. The cost savings are huge, while at the same time security improves tremendously for the things that really matter.
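To make the concentric-circles model concrete, here is an added example (not code from the original post or any product) of a per-application, default-deny policy decision in which the requester's network location is deliberately never consulted. The application names, groups and tiers are constructed for illustration; "core" apps require an authorized identity on an attested device, "workflow" apps require any authenticated identity, and the "guest" tier (Internet egress) is open to anyone on the network.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, List

# Constructed tiers mirroring the post's three circles (hypothetical app names).
APP_TIER = {
    "payments-ledger": "core",
    "crm": "core",
    "wiki": "workflow",
    "lunch-menu": "workflow",
    "internet": "guest",
}
# Per-application authorized groups for the core circle (constructed).
CORE_AUTHZ = {"payments-ledger": {"finance"}, "crm": {"sales", "finance"}}


@dataclass(frozen=True)
class Request:
    app: str
    user: Optional[str]                  # None = no authenticated identity
    groups: FrozenSet[str] = frozenset()
    device_attested: bool = False
    source_network: str = "corporate"    # present on purpose: the policy ignores it


def decide(req: Request) -> Tuple[bool, str]:
    """Default-deny, application-by-application decision.

    Being on the corporate network grants nothing beyond the guest tier;
    access to inner circles depends only on identity and device trust.
    """
    tier = APP_TIER.get(req.app)
    if tier is None:
        return False, "unknown application: default deny"
    if tier == "guest":
        return True, "outer circle: reachable by anyone on the network"
    if req.user is None:
        return False, f"{tier} app requires an authenticated identity"
    if tier == "workflow":
        return True, "middle circle: any authenticated user"
    # Core circle: an attested device AND membership in an authorized group.
    if not req.device_attested:
        return False, "core app requires an attested device"
    if not (req.groups & CORE_AUTHZ.get(req.app, set())):
        return False, "identity not authorized for this core application"
    return True, "core circle: trust established for this application"


def visible_apps(user, groups=frozenset(), attested=False, network="corporate") -> List[str]:
    """The apps this principal can reach; everything else stays hidden from it."""
    return sorted(a for a in APP_TIER
                  if decide(Request(a, user, frozenset(groups), attested, network))[0])
```

Running `visible_apps(None)` shows that an unauthenticated device on the corporate LAN sees only `internet`, while the same finance user on guest Wi-Fi and on the LAN gets an identical answer, which is the point of defining access above the network layer.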
I’ve spoken with execs at some of the world’s largest corporations who are under increasing cost, availability and security scrutiny. They are moving from a network-centric strategy for availability and performance, to an application-centric strategy with the goal of decreasing costs by 75% while increasing protection for the applications that really matter.
Stay tuned as we talk about these game changers…
Read more: Segmentation: Where to Begin