DeRisking the Enterprise-Everywhere WAN

Digital transformation is accelerating within the enterprise, as businesses seek to improve agility, avoid disruption, and gain competitive advantage. As part of this transformation, enterprises are increasingly leveraging cloud-based applications and services and embracing mobility and a distributed workforce. Bandwidth consumption is dramatically expanding to accommodate SaaS, and the prospect of rising transport costs and suboptimal employee digital experience is creating greater pressure on enterprises to move away from their legacy WAN in favor of one optimized for the cloud.

The WAN Bends to the Shape of the Cloud

Many enterprises are beginning to supplement or replace MPLS with Internet/broadband connectivity and forgo backhauling traffic to a central or regional hub in favor of connecting to SaaS apps directly from branch offices. Meanwhile, enterprises are rearchitecting and moving their workloads to the cloud, creating more agile — but, increasingly, more distributed — applications. The net impact is that enterprise endpoints and critical services are now spread across multiple clouds and multiple service domains. The enterprise workspace is effectively everywhere.

SD-WAN and Cloud: Challenges & Risks

SD-WAN technology is key to enabling enterprises to efficiently operationalize this new complex ecosystem of providers and endpoints connected via multiple transport mechanisms and potentially hundreds of overlays, but it doesn’t shield enterprises from the risks of greater dependence on the Internet and applications outside their direct control.

Operating an enterprise WAN amidst this cloud ecosystem introduces a vast new set of performance, security and continuity risks that most organizations are unprepared to face. In moving to a software-defined, cloud-centric WAN, enterprises will be exposed to:

    • Cloud and SaaS performance complexity — SaaS app performance is subject to many variables including application components and service delivery architectures. For example, does the SaaS provider have an extensive edge, use a CDN provider, have only a few authentication gateways, and is it a customizable platform? All of these factors can influence performance in addition to network connectivity — and service delivery can change at any point over time.
    • Internet unpredictability — The Internet is composed of thousands of networks interconnected by mutual agreement and operating on trust. It’s a best-effort, SLA-free transport subject to security vulnerabilities, suboptimal routing, performance degradation, and outages. (Gartner estimates that over half of all enterprise Office 365 deployments with global scope will encounter significant Internet network performance issues.) Yet most enterprise IT teams don’t have a deep understanding of how the Internet works or how to manage performance across multiple providers, many of whom they have no commercial relationship with.
    • New branch security architecture and impact — Cloud security proxies may be a scalable approach to securing branch offices that break out to the Internet directly, but they introduce a new variable into SaaS application performance. Deploying security for branch offices without understanding how it impacts critical applications could lead to user complaints and lost productivity.
    • Lack of insight & oversight of external dependencies — More aspects of enterprise digital experience are dependent on networks and services beyond the direct control of IT. Ensuring performance across these domains is increasingly challenging, as IT does not have the visibility necessary to isolate problems to a particular cause or provider. When issues come up, mean time to troubleshoot (MTTT) can be nearly infinite. In some cases, the root cause may never be identified.

Traditional Tools Flatline in the Cloud

Enterprise IT has a well-defined monitoring stack that, historically, has enabled it to manage network and internal application performance. Network performance management (NPM) tools such as packet capture and flow analyzers enabled network teams to identify and remediate issues for LAN, core network and site-to-site connectivity. Application performance management (APM) tools using code injection could be used to monitor performance for applications owned by the enterprise.

Unfortunately, these same tools are not usable by IT outside the “four walls” of its data centers and branch offices. If an issue occurs outside of enterprise premises, traditional tools are not able to identify the root cause or responsible party. As cloud and SaaS usage grows, alongside Internet dependence, the relevance of traditional monitoring tools narrows significantly.

Cloud-specific monitoring and SaaS app logs have their place in the new enterprise ecosystem, but even they don’t provide visibility into all of the services that lie between enterprise sites and SaaS/IaaS — all of the ISPs, cloud security gateways, CDNs, and DNS services. Each of these sets of infrastructure is now critical to enterprise digital experience — but they occupy a vast IT blindspot.

Operational Processes Change

Just as IT has traded control for agility, it must now trade its legacy operational model of “find and fix” for something more akin to a governance model. When you own the infrastructure, you have the tools available to find the problem, and you have the management authority to fix it. But in the cloud, this paradigm no longer applies. To successfully operate in the cloud, IT needs to develop a model of “evidence and escalate”: gather evidence of the issue (and the responsible provider) and use it to get a successful escalation. Otherwise, you’re only able to address a small scope of issues, and the vast majority will quickly erode your ability to deliver a good digital experience for the business.

Three Ways to Respond to the New Everywhere-WAN

Digital experience is the primary deliverable of IT, yet delivering a good user experience across a diverse, distributed set of apps and services over potentially hundreds of networks introduces complexity and unpredictable risks. That is why cloud- and Internet-centric WANs must also have cloud- and Internet-centric visibility and processes.

In order to be successful in the cloud and overcome the limitations of an on-prem toolset and “find-and-fix” mindset, IT needs to respond in the following ways:

    1. Develop Internet expertise — The Internet is the x-factor of SaaS and cloud digital experience. Given the enterprise’s new dependence on the Internet, IT teams need to understand the underlying complexities of the Internet, including BGP routing, provider peering, and the role of DNS and CDNs (in addition to the architecture of their critical SaaS apps).
    2. Rethink your management stack — Make room in your stack for solutions that can provide visibility external to your environment, not only at the app level but into the network underlay as it spans the Internet. That may mean that you’ll have to allocate some resources away from on-prem-centric tools, especially as their scope becomes less relevant to overall digital experience.
    3. Adopt a readiness lifecycle — Measuring performance across your critical app and connectivity services will enable you to make clear-eyed choices about your providers and your preparedness for SD-WAN and cloud. Fully understanding your baselines prior to WAN migration will be critical to knowing whether you’re moving digital experience in the right direction.

Delivering Digital Experience Across Domains

Enterprise digital experience is impacted by multiple, external management domains, yet, ultimately, IT still owns the digital experience outcomes. Particularly as enterprises migrate to SD-WAN and increase their dependence on SaaS, IaaS, and the Internet, they need to take proactive steps to reduce and manage their risk exposure. Developing a good understanding of the Internet, rethinking the IT management stack, and adopting a readiness lifecycle will ensure that they can deploy SD-WAN confidently — and truly flourish in the cloud.

 

Author's Bio

Angelique Medina

Director, Product Marketing at ThousandEyes

Angelique has worked in technical marketing roles related to network infrastructure and network visibility for the past ten years, most recently at ThousandEyes, where she works on multi-layer visibility spanning application, DNS, L3, and BGP. She’s particularly focused on performance monitoring for SD-WAN and cloud/SaaS adoption. In 2018, she served as the lead author of the Global DNS Performance Benchmark Report. Prior to joining ThousandEyes, she spent time working on data center networking at Big Switch Networks and visibility switching at VSS Monitoring. You can follow her on Twitter @bitprints.