theNet by CLOUDFLARE

The future of networking

Flexibility and security with NaaS and SASE

Organizations should modernize their network to remain flexible

Traditional corporate networks were designed for the rigid constraints of physical offices and data centers. For years, companies have relied on solutions like multiprotocol label switching (MPLS) to connect office locations while layering on disparate, complex security tools. Moreover, traditional network connectivity solutions that are not cloud-ready have introduced vendor lock-in and bottlenecks that constrain architecture.

Adding complexity, many organizations have signed multi-year contracts for network services under the assumption that physical offices would always be the default. As the way we work changes, organizations should look to modernize their network sooner rather than later to stay flexible.

A flexible modern network can be identified by three key attributes:

  • Network elasticity. The ability to upgrade or downgrade capacity with ease, so that the organization can respond quickly to changing business needs.

  • Built-in protection. By integrating security into your network infrastructure, you can avoid the pitfalls of layered-on security tools, like security gaps and reduced performance.

  • Cloud-ready. Integrate cloud services into network architecture to avoid application performance bottlenecks.


Creating flexible networks with NaaS and SASE

The two primary technologies organizations use to attain a flexible, modern network are Network-as-a-Service (NaaS) and Secure Access Service Edge (SASE).

When companies adopt a NaaS solution, they rent cloud-delivered networking functions from a provider. This relieves companies of the need to maintain their own network infrastructure and replaces a number of legacy tools like MPLS and virtual private networks (VPNs). Some NaaS solutions include integrated security functions like network firewalls, distributed denial-of-service (DDoS) protection, and more.

Similarly, SASE solutions combine software-defined networking with network security functionality in a consolidated platform. Consuming network security-as-a-service is foundational to SASE. As such, the four security components that are key to SASE solutions are secure web gateways, cloud access security brokers, Zero Trust Network Access, and Firewalls-as-a-Service (FWaaS).

It is worth noting that NaaS and SASE are not mutually exclusive. In fact, some SASE solutions use NaaS technology as their connectivity foundation.


Cultivating network elasticity by moving past MPLS and SD-WAN limitations

Incumbent connectivity methods like MPLS and SD-WANs are barriers to network elasticity. They make it difficult to quickly adapt to changes like accommodating a remote workforce or consolidating offices.

The challenges with MPLS

MPLS WANs are not well-suited for the SaaS and cloud era. Integrating a public cloud service with an MPLS WAN forces an organization to create a hub and spoke network with tunnels to public cloud providers.

This reduces performance because all site traffic is backhauled through a centralized hub. For example, a user in London may see their traffic travel to a hub site in New York when accessing email, even if their email provider has a data center in London.

Moreover, MPLS WAN services lock customers into multiple-year contracts and make it difficult to quickly upgrade or downgrade capacity. These contracts are notoriously costly and introduce delays when adding new sites.

The challenges with SD-WAN

Software-defined (SD) WANs, on the other hand, use WAN options like broadband Internet to help address the cost and rigidity issues of traditional MPLS. However, SD-WANs also have significant limitations.

For one, SD-WANs require companies to configure their own network and layer on security tools and other services, such as load balancers. This means that to deliver security services, SD-WANs are still reliant on hub and spoke architecture and experience performance bottlenecks.

SD-WANs also do not manage end-to-end performance because, unlike private links or networks, they are primarily an edge technology and do not control “the middle mile.” (The middle mile connects the local network to larger, external networks — like the Internet or other network service providers — as opposed to end-users.) Without control of the middle mile, organizations depend on the Internet, which is susceptible to congestion, impacting overall performance.


How NaaS and SASE create network elasticity

Because NaaS and SASE allow organizations to manage their infrastructure with the use of software, they can easily scale capacity up or down without delay.

Additionally, without traffic backhauling, employees experience improved performance when accessing cloud applications, reducing the barriers to productivity.

Embracing built-in protection

Organizations need to secure and enable their workforce from any location around the globe. To do that, a holistic security strategy that eliminates complexity and security gaps is required.

However, many companies rely on several appliance-based security solutions, which introduce rigidity and complexity. For one, using distinct solutions like VPN concentrators, secure web gateways, and network firewalls results in multiple policies and fragmented threat information. This approach is not only expensive but also creates “choke points” that hurt application performance and employee productivity.

While many NaaS solutions offer built-in security functions, SASE solutions are built upon this concept. With security functions built into the network, organizations no longer need to funnel traffic through a series of security appliances. This reduces hops and security inspections and improves application performance.

SASE also reduces operational costs by consolidating the appliance teams that have to manage and update the network. Additionally, security services are always up-to-date with the latest protection, securing your organization against emerging or evolving attack trends. Integrated security services can also share threat intelligence with each other, ensuring holistic protection.


Design cloud-ready networks

According to a recent report, 92% of enterprises have a multi-cloud strategy while 82% have a hybrid cloud strategy. Unfortunately, creating networks that support this architecture is challenging.

While some vendors offer multi-cloud networking options, many do not integrate with traditional WANs. This forces organizations to find complex workarounds to integrate public cloud services into their network architecture. Some cloud providers also make it difficult to connect to other cloud service providers or on-premise infrastructure, constraining architecture and creating vendor lock-in.

Thus, organizations must ensure their network and security architecture is cloud-ready and can connect a variety of cloud-based and on-premise infrastructure. However, because this is an emerging need, new strategies for how to approach this issue will likely appear over the next few years.

Cloud-ready networks and SASE

While many SASE solutions offer connectivity to multiple public cloud services, organizations must pay attention to the underlying platform used to deliver these services. Inadequate network connectivity to public cloud services can force traffic through limited interconnections, creating artificial choke points and reduced performance.

Modern SASE solutions, delivered from a global platform with dense interconnections to all the major public cloud services, can ensure fast, secure connectivity between your applications and end-users.


Roadmap to modernizing your network

While SASE is the ultimate goal, most organizations will not get there overnight. However, there are a few steps organizations can take to begin their journey.

Step 1: Add and secure Internet breakouts

The Internet will continue to be a critical element of network strategies and SaaS vendors will continue to optimize applications to be consumed over the Internet. Adding inexpensive Internet breakouts allows companies to shift some traffic off of legacy WANs that may exist at branch locations. Breaking out SaaS traffic directly to the Internet immediately improves application performance.

Internet breakouts can also be combined with SD-WAN edge technology to intelligently shift traffic between available network options. However, SD-WANs still do not guarantee performance over “the middle mile” and require a hub to interconnect sites and public cloud services. Shifting away from the hub and spoke requires a new security model, with policy enforcement performed at each of the branch devices.

Step 2: Adopt NaaS

NaaS is increasingly available in most data centers and is expanding to office buildings. NaaS offers flexible, programmable network connectivity, with end-to-end performance control. Increasing and reducing capacity and adding sites is easier with NaaS. Additionally, NaaS services can be set up with virtual connections over the Internet, using standards-based technologies such as GRE and IPsec.

NaaS solutions also make it easy to interconnect to public cloud services using direct connections or cross-connects. In the short term, NaaS will improve application performance and, in the long term, it will significantly reduce network costs.

Step 3: Adopt Zero Trust security

Modern Zero Trust solutions work across multiple connectivity options and protect users when working from home or in an office. This will prove invaluable as hybrid work becomes the norm. Zero Trust security not only protects users from threats on the Internet but also prevents the lateral spread of malware commonly seen during ransomware attacks.

Once all sites have been connected via Internet breakouts and/or NaaS, and all application traffic has been migrated to the new network, it is safe to retire a legacy MPLS WAN. It is best to start planning this journey well in advance of a contract term expiring.


Modernize your network

Cloudflare has built an integrated cloud platform to help companies create modern, flexible networks.

Cloudflare Magic WAN replaces traditional WANs with the Cloudflare network and offers a variety of built-in security functions like a network firewall and Zero Trust Network Access (ZTNA). Magic WAN is the connectivity foundation of Cloudflare One, a SASE solution, which combines NaaS functionality with Zero Trust security features into a single, comprehensive platform.

Using these solutions together, companies can modernize their networks by easily scaling capacity up or down, protecting their network with built-in security, and connecting to major public cloud providers and on-premise infrastructure.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Key takeaways

After reading this article you will be able to understand:

  • Why network elasticity positions organizations to better address changing business needs

  • How built-in network security reduces security gaps

  • The importance of designing a cloud-ready network

  • The steps organizations can take to modernize their networks

