Separating WAN from Remote Access No Longer Makes Sense for FDMG
For years, enterprises connected locations via wide area networks (WANs), and remote users via concentrators and other remote access technologies. Keeping networking and remote access separate might have made sense when offices were the rule, and mobility was the exception, but in today’s mobile world, such distinctions only complicate mundane IT tasks. Just ask Jerry Cyrus.
As the technical team leader and information security officer at FDMG, Cyrus knew all too well the complexities and costs of separate remote access and networking solutions. FDMG had physical locations as well as many journalists working in the field. Separate security policies were required for fixed and mobile users; user provisioning was also cumbersome.
And then there were the cost and scaling limitations of MPLS and, for that matter, remote access concentrators. MPLS bandwidth is notoriously expensive, particularly for multimedia companies such as FDMG, where stories involve video and other large data formats.
As for remote access, Cyrus was generally pleased with the concentrator’s functioning but tired of the concurrent-user problem. “We would have 50 concurrent users, and once you wanted to add that 51st, you were stuck,” he says.
Cyrus could have upgraded the concentrator, but that would have impacted the business.
“We’d have had to take down the concentrator for about two hours, which wouldn’t have sat well with journalists filing breaking stories from the field,” he says. “Two hours is a lifetime for them. In the past, many drove to one of our offices just to work — not a very good way to experience IT.”
Instead, Cyrus realized that solving both WAN and remote access problems would reduce costs and a whole lot more. “By consolidating security management, we could give users a better mobile experience and simplify firewall and security system operations.”
FDMG Evaluates Cato Cloud
Cyrus considered replacing MPLS with an Internet-based, site-to-site VPN. That would have lowered his bandwidth costs, but it would also have been a “big head-breaker,” he says. “In some cases, we’d have to upgrade concentrator hardware; in others, we’d have to set up new firewalls, configure the necessary tunnels, and deal with a lot more headaches.”
Cyrus had heard how Cato Cloud converges security services, SD-WAN, and mobile access onto an affordable MPLS alternative. With Cato Cloud, he could connect and secure his entire enterprise — offices, mobile users, and cloud resources — with one seamless network.
“After doing some research, I knew Cato Cloud would fit right in,” he says.
But Cyrus had to deal with internal concerns about working with a new company. “At first, people were a bit scared of moving forward with Cato Cloud,” he says. “They were familiar with vendors, such as Palo Alto and Cisco. Cato was new to them. After several conversations with Cato and showing the product, people became much more comfortable.”
Cato’s ability to be rolled out incrementally also helped Cyrus address those concerns. He started small, proving viability by adding a Cato Socket, Cato’s zero-touch SD-WAN appliance, in the Amsterdam hub and connecting a few users with Cato’s mobile VPN client. Both the Socket and the mobile client automatically connect to the closest Cato point of presence (PoP), where the Cato software secures, optimizes, and dynamically directs traffic to the Internet or the optimum path across the Cato Cloud network.
Having validated datacenter access, Cyrus connected an internal AWS site to check Cato Cloud’s connectivity. Once successful, he began converting production sites to Cato. Branch offices with more than ten users received a Cato Socket; freelancers and other external users were equipped with Cato’s mobile client.
FDMG Converges Security, Mobile Access, and MPLS with Cato Cloud
With Cato, site installation has been fast and easy. “Cato gives me ‘no-hassle setup.’ I connect the Socket, and we’re online and secured,” he says. “I don’t have to configure firewalls, establish dozens of security rules, or anything.”
Moving sites has also become trivial. “I’m going to be moving one office to another floor, and the only thing I need to ask is if there’s an Internet connection. If so, we’ll be up and running instantly.”
The newfound agility has not gone unnoticed. “Somebody asked me how long it would take to move the team to a new office. When I told him about ten minutes, he was shocked.”
As for performance, Cyrus says users haven’t missed a beat. “Cato Cloud’s latency, packet loss, and uptime have been basically the same as MPLS — but, of course, much less expensive and more flexible,” he says. “If I want to scale up, it’s easy with Cato. With MPLS, I would need to make all sorts of arrangements.”
That’s not to say there have been no hiccups. “Any new technique encounters some configuration issues, and Cato was no different. Early on in the deployment, Cato upgraded one of our Sockets without our knowing. They resolved the problem quickly, and since then I haven’t had an issue.”
In fact, Cato support has been one of the biggest eye-openers for Cyrus. “Cato is not your typical provider,” he says. “The product is flexible, and support is good. If we have modifications and questions, Cato support is always eager to listen and either adjust or recommend a solution to the problem.”
Cato Improves Mobile User Experience and More
Cost savings might have initially driven FDMG’s WAN transformation, but it’s the operational benefits of increased usability and agility that became particularly compelling. “In the early days, users had to open a browser and navigate to our portal, log in, and only then launch an application to get a VPN connection up and running as if they were in the office,” Cyrus says. “There were so many steps, which not only frustrated users but meant more helpdesk calls for support.”
With Cato, Cyrus sets the policies determining the applications and resources available to users and user groups. Mobile users join the Cato network directly, not a separate remote access solution, making network access much cleaner.
“Now users just push the slider on their mobile device, and they’re authenticated right into the network.”
Visibility and ease of security operations have also improved. “Not only do we have greater insight into who’s logging into which application across our network, but our security toolset has become much easier to use,” says Cyrus.
“We decide which users can connect to which resource without having to configure different firewall rules.”
FDMG’s Bottom Line: It’s More than Just the Bottom Line
FDMG’s initial goal was to reduce WAN costs, and Cato certainly did that. “We’re spending about 10 percent less with Cato than with MPLS,” says Cyrus. “Our savings are even greater if we factor in the licensing, installation, and management costs associated with the VPN concentrator.”
But more than just costs, Cyrus has gained value. “With Cato Cloud, I increased bandwidth, replaced two things with one solution, improved user experience, maintained performance and uptime, and made IT more agile. That’s what I call a huge win.”