The Branch of One: Designing Your Network for the WFH Era

For decades, the campus, branch, office, and store formed the business center of the organization. Working from anywhere is challenging that paradigm. Is the home becoming a branch of one, and what does the future hold for the traditional branch, the work home for the many?

Network architects are used to building networking and security capabilities into and around physical locations: branches and datacenters. This location-centric design comes at a significant cost and complexity. It requires premium connectivity options such as MPLS, high availability and traffic shaping (QoS) through SD-WAN appliances, and securing Internet traffic with datacenter backhauling, edge firewalls, and security as a service.

However, network dynamics have changed with the emergence of cloud computing, public cloud applications, and the mobile workforce. Users and applications migrated away from corporate locations, making infrastructure investments in these locations less applicable, thus requiring new designs and new capabilities. The recent pandemic accelerated migration, creating a hybrid work model that required a fluid transition between the home and the office based on public health constraints.

In their research paper, “2021 Roadmap for SASE Convergence,” Gartner analysts Neil Macdonald, Nat Smith, Lawrence Orans, and Joe Skorupa highlight the paradigm shift from an IT architecture focused on the place of work to one that focuses on the person doing the work and the work that needs to be done. In the simplest terms, Gartner views the user as a branch of one, and the branch as merely a collection of users. But, catchy phrases aside, how do you make this transition from a branch-centric to a user-centric architecture?

This is where SASE comes in. It is the SASE architecture that enables this transition, as it is built upon four core principles: convergence, cloud-native, globally distributed, and support for all edges. Let’s examine how they enable the migration from branch-centric to user-centric design:

• Convergence: To deliver secure and optimized access to users, we need a wide range of networking and security capabilities available to support them including routing, traffic shaping, resilient connectivity, strong access controls, threat prevention, and data protection. Traditionally these were delivered via multiple products that were difficult to deploy and maintain. Convergence reduces the number of moving parts to, ideally, a single tight package the processes all end–user traffic, regardless of location, according to corporate policies and across all the required capabilities
• Cloud-native: A converged solution can be architected to operate in multiple places. It can reside in the branch or the datacenter, and it can live inside a cloud service. Being cloud-native, that is “built as a cloud service,” places the converged set of capabilities in the middle of all traffic regardless of source or destination. This isn’t true for edge appliances that deliver converged capabilities at a given physical location. While this is a workable solution, it cements the location-centric design pitfalls that requires traffic to specifically reach a certain location, adding unnecessary latency, instead of delivering the required capabilities as close as possible to the location of the user.
• Global: A cloud-native architecture is easier to distribute globally to achieve resiliency and scalability. It places the converged set of capabilities near users (in and out of the office). Cloud service density, that is the number of Points of Presence (PoPs) comprising the service, determines the latency users will experience accessing their applications. Using a global cloud-service built on PoPs has extensible reach that can address emerging business requirement such as geographical expansion and M&A. The alternative is much more costly and complex and involve setting up new co-locations, standardizing the networking and security stack, and figuring out global connectivity options. All this work is unnecessary when a SASE cloud service provider.
• All edges: By taking a cloud-first approach and allowing locations, users, clouds, and application to “plug” into the cloud service, optimal and secure access service can be delivered to all users regardless of where they work from, and to any application, regardless of where it is deployed. An architecture that supports all edges, is driven by identity, and enforces that same policy on all traffic associated with specific users or groups. This is a significant departure from the 5-tupple network design, and it is needed to abstract the user from the location of work to support a hybrid work model.

Gartner couldn’t have predicted COVID-19, but the SASE architecture it outlined enables the agility and resiliency that are essential for businesses today. Yes, it involves a re-architecture of how we do networking and security and requires that we rethink many old axioms and even the way we build and organize our networking and security teams. The payback, however, is an infrastructure platform that can truly support the digital business, and whatever comes next.