As applications move to the cloud and the cloud becomes the new center of gravity, the internet becomes the new corporate network. When this happens, backhauling traffic to the data center no longer makes sense. Traffic should, and eventually will, find a way to take the path of least resistance and go direct-to-cloud, providing a fast and seamless user experience. Backhauling traffic destined for the internet to the enterprise data center is inefficient and expensive. Additionally, requiring remote users to be on the corporate network detracts from their productivity and exposes that network to abusers. The driving principle is to quickly connect any user on any device to any application wherever that user is in the world. All this while protecting the data and the end-user device at all times.
Hub-and-spoke network architecture has served IT for 25+ years
Corporate wide area networks (WANs) were originally deployed to interconnect the local area networks (LANs) in each office and data center. There were many protocols in use on these LANs, from Token Ring to Ethernet or even AppleTalk. As the corporate world moved to Windows for desktops and NT for servers, the standard for corporate networking became the internet TCP/IP protocol stack.
WANs too began to change. They had to interoperate with TCP/IP networks, and MPLS became a way to accomplish this while preserving some of the services and features of other protocols. Over time, these MPLS circuits became almost 100 percent TCP/IP traffic, but the dedicated circuits sold by carriers preserved the reliability and service guarantees that customers demanded—and paid for. The rise of networking vendors like Cisco was linked to the widespread adoption of today’s WAN and TCP/IP protocols.
As critical business resources like Salesforce and Office 365 move to the cloud, the underlying weaknesses in network architectures are exposed. When the data center was the center of the universe, it was logical to invest in wide area network infrastructure that connected the remote office to the data center. This is commonly referred to as a hub-and-spoke architecture.
Traffic moves from remote offices to the nearest hub, a central or regional data center.
These are the three challenges cloud adoption has created for traditional hub-and-spoke architectures:
1. Backhauling traffic ultimately destined for the internet creates a bad user experience. Poor response times of SaaS applications and general internet sites cause users to complain. They get a better experience from home than they do on the corporate network.
2. As more and more traffic is destined for the internet, backhauling costs are skyrocketing. Some applications like Office 365 are bandwidth intensive, and the organization pays to transport that traffic both to and from the hub.
3. Architecting the traffic flows becomes increasingly complex, with routers, switches, and management tools deployed just to maintain usability and a consistent experience.
A useful analogy is airline travel. Frequent travelers are familiar with a hub-and-spoke design. Many airlines force you through three or four hubs. Instead of taking the direct route from one city to another, you take long detours to one of those hubs, where you encounter delays, lost luggage, and lost time: a poor user experience. The hubs—major airports—are upgraded continuously, and passengers are forced through more and more complicated routes as they make their way between gates. At Charles De Gaulle airport, the hub outside Paris that is arguably one of the best examples of such complication, you may find yourself on a short layover rushing to your gate, only to be dumped back into the arrival hall and have to go through security again to catch your next flight. Similar traffic disruptions and complications occur in your hub-and-spoke network architecture.
“Imagine flying from New York to Chicago via Dallas or Houston.”
Jay Chaudhry, CEO and Chairman, Zscaler
Hybrid networking is a logical and low-risk first step
As more and more traffic is destined for the internet, the only way to accommodate this traffic is to move to a hybrid network. For each branch or regional office in a hybrid network:
Internet-bound traffic is routed to the internet or the cloud over a local internet connection which is often broadband; and
Corporate traffic is routed to the data center over the traditional MPLS network.
This helps to save on MPLS bandwidth costs and ensures an optimal user experience.
Incremental path for local internet breakouts
Over time, there is a path to transition from a hybrid network to that envisioned by many of the enterprise IT leaders in this book: direct-to-internet and cloud connectivity for all traffic.
Of course, there is resistance to making too abrupt a move. The idea is appealing because MPLS circuit costs are staggering, but what about reliability? Can internet connections be counted on to deliver the always-up connection that MPLS circuits are known to provide? More and more vendors are now offering SLAs for reliability and bandwidth quality of service over the internet.
In most regions, broadband connections are so inexpensive that two or more can be purchased at a fraction of the cost of MPLS circuits; anywhere from one half to one-tenth the cost.
Hub-and-spoke networking over MPLS gives way to local internet breakouts. Cost savings, enhanced user experience, and simplification are the result.
Network transformation does not have to be disruptive. It is nothing like the disruption caused by selecting a new ERP vendor with the cost and delays these projects incur. You can take incremental steps, first moving to a hybrid network then cutting the cord and going internet-only in select locations. It can be a measured transformation.
The concept of a local internet breakout is not new. Many companies are already deploying internet-only branch offices. GE [Chapter 1] and AutoNation [Chapter 4] realized the value of the internet-only branch and embraced it years ago.
SD-WAN simplifies local internet breakouts
Software-defined wide area networks (SD-WANs) can make local internet breakouts easier to manage. They can be easily deployed at hundreds of branch offices. Managed from the cloud, these lightweight appliances use software policies to determine whether traffic should be routed to the internet over local connections—including broadband and cellular networks—or routed back to the corporate data center over private circuits. The days of logging into a remote appliance and issuing command line instructions are coming to an end.
In a world that requires multiple networks for optimal connectivity, it is critical to have a flexible software-based branch network. The branch network must make decisions on which network to use based on the applications and performance requirements rather than by IP addresses and routes. SD-WAN devices excel at integrating switching, routing, and path selection functionality. While they can offer basic security, most enterprises direct traffic from each branch office to a cloud security provider to secure their SD-WAN.
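The hybrid-network rule above (internet-bound traffic out the local broadband or cellular link, corporate traffic over MPLS) and the SD-WAN idea of choosing a path by application and performance requirement rather than by IP address can be written down as a small policy engine. The following Python is an added example, not code from the book or from any SD-WAN or Zscaler product; the application catalogue, link names, SLA thresholds and probe results are all constructed for illustration. It also shows the reliability concern from the "Incremental path" section being handled: when every local breakout link is degraded, internet-bound flows fall back to the MPLS circuit instead of being dropped.

```python
from dataclasses import dataclass


@dataclass
class Link:
    """One WAN link at a branch with the latest probe results (constructed values)."""
    name: str
    kind: str          # "broadband", "cellular" or "mpls"
    up: bool
    latency_ms: float
    loss_pct: float


@dataclass
class Policy:
    """Per-application routing intent plus the SLA the chosen link must meet."""
    app: str
    destination: str   # "internet" (local breakout) or "datacenter" (private circuit)
    max_latency_ms: float
    max_loss_pct: float


# Constructed application catalogue; the SLA numbers are hypothetical.
POLICIES = {
    "office365": Policy("office365", "internet", 150, 1.0),
    "salesforce": Policy("salesforce", "internet", 200, 1.0),
    "erp": Policy("erp", "datacenter", 100, 0.5),
}
# Unknown applications are assumed to be internet-bound with a loose SLA.
DEFAULT_INTERNET_POLICY = Policy("default", "internet", 300, 2.0)

# Cheapest transport first; ties are broken by measured latency.
PREFERENCE = {"broadband": 0, "cellular": 1, "mpls": 2}
INTERNET_KINDS = ("broadband", "cellular")


def classify(app_name):
    """Look the application up by name, never by destination IP."""
    return POLICIES.get(app_name, DEFAULT_INTERNET_POLICY)


def meets_sla(link, policy):
    """A link is usable for a policy only if it is up and inside the SLA bounds."""
    return (link.up
            and link.latency_ms <= policy.max_latency_ms
            and link.loss_pct <= policy.max_loss_pct)


def select_path(app_name, links):
    """Return the name of the link a new flow for app_name should take, or None."""
    policy = classify(app_name)
    if policy.destination == "datacenter":
        candidates = [l for l in links if l.kind == "mpls"]
    else:
        candidates = [l for l in links if l.kind in INTERNET_KINDS]
    healthy = [l for l in candidates if meets_sla(l, policy)]
    if healthy:
        best = min(healthy, key=lambda l: (PREFERENCE[l.kind], l.latency_ms))
        return best.name
    if policy.destination == "internet":
        # Every local breakout link is degraded: backhaul via MPLS rather than drop the flow.
        backhaul = [l for l in links if l.kind == "mpls" and l.up]
        if backhaul:
            return backhaul[0].name
    return None


def demo():
    """Constructed branch with one broadband, one LTE and one MPLS link."""
    links = [
        Link("bb1", "broadband", True, 20, 0.1),
        Link("lte1", "cellular", True, 60, 0.5),
        Link("mpls1", "mpls", True, 40, 0.0),
    ]
    return {app: select_path(app, links) for app in ("office365", "erp", "unknown-saas")}


if __name__ == "__main__":
    print(demo())
```

The decision key is the application and the measured link quality; the destination IP never enters the function, which is what lets the same policy follow a SaaS application when its addresses change.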
Global Network and Security Transformation
Global Head of Infrastructure
Company IT Footprint: Siemens’ IT infrastructure covers 192 countries globally. It serves 360,000 end users—employees—and another approximately 70,000 external contractors. Its server and application landscape encompasses 10,000 applications and around 60,000 servers. In addition to the 450,000 clients and internal/external employees, it manages approximately 200,000 mobile devices.
“The internet will become the new corporate network.”
Frederik Janssen, Global Head of Infrastructure, Siemens
Siemens is one of the largest manufacturers in the world. The company saw a proliferation of mobile endpoints in its environment in addition to having to secure and support its highly distributed and mobile workforce. With over 64% of its traffic per site going to the internet, Siemens had reached a tipping point at which the internet was becoming its new corporate network.
Frederik Janssen, the global head of infrastructure, shares how he led the charge to improve IT systems through cloud transformation for his organization.
In the words of Frederik Janssen:
The Siemens transformation story
I have been working in IT for almost 17 years, ten of those at Siemens. I studied computer science and have held various roles at the company. In the beginning, I was mainly focused on software development, software engineering, software architecture, database systems, database development, and web applications.
The squeaky wheel gets the job
One day, seven years ago, I was in a meeting with our CIO in which we were discussing how our infrastructure was running. He offered me the challenge to take on the responsibility for our infrastructure, and I agreed.
“We knew early on that the cloud was going to revolutionize the way we consumed IT services.”
And that’s when my infrastructure career started. I was always keen on identifying options and investigating how we could really optimize our infrastructure by minimizing manual tasks and thereby eliminating typical errors and failures. Five years ago, our journey included many projects with a lot of different technological topics: we had rollouts of new operating systems, introduced big technological changes, and introduced cloud computing into our manager desks at Siemens.
We knew early on that the cloud was going to revolutionize the way we consumed IT services, and how we developed applications.
Today I have global responsibility for our Center of Expertise for Infrastructure, and I lead a service portfolio along with lifecycle management. That also includes strategy, innovation, and development of new services, including the transition to new services. My team is responsible from cradle to grave—we have responsibility for everything we develop with partners and providers throughout the lifetime of the respective services.
Siemens’ global IT scope
From a sizing perspective, Siemens’ infrastructure covers 192 countries globally. We serve 360,000 end users—employees—and another approximately 70,000 external contractors. Our server and application landscape encompasses 10,000 applications and around 60,000 servers. We are also heavy users of Microsoft servers and Microsoft Windows operating systems.
It wasn’t just cloud computing that was on the horizon for the company, but also consumerization trends. We have seen an explosion of mobile endpoints in our environment. In addition to the 450,000 clients and internal/external employees, we managed 50% of all devices used. That made it about 200,000 devices from a mobile perspective.
We have already been able to significantly consolidate the number of applications we run, so we are now down to around 7,000 corporate applications, and around 500 applications that I would call corporate mission-critical applications.
Storage has been growing 25% annually
Five years ago, we had around three to four petabytes of storage for end users and roughly the same amount for databases. Since then, we have seen a significant increase. We now have growth rates up around 25% annually. That is challenging us to also identify ways to modernize our storage environment. We heavily leverage our network to push data to the cloud and to make sure that we can decommission old storage components and hardware.
The need for an infrastructure overhaul
We realized we needed to evolve our infrastructure to be more efficient—to help us embrace new technological possibilities, minimize costs, and provide us with more flexibility.
We also needed to ensure that our users, managers, IT departments, and application owners had infrastructure in place that would allow them to run their applications at scale and drive greater productivity.
We addressed this infrastructure transformation with a few different approaches, with top management aggressively championing the initiative. You will not get very far if you don’t have a full management buy-in to really transform the environment. As the complexity of infrastructure is typically very much underestimated, especially when it comes to things like network or identity and access management or server architectures, you have to “slice the elephant.” And that’s what we tried to do.
Data location poses a compliance problem
First, we tried to manage the overall image of the cloud. As a German multinational company with cloud computing, it was complicated to drive the transition from the U.S. There were several security concerns on our side, especially when you talk to people from the information security or privacy protection departments. They had their concerns, especially with the Patriot Act and other U.S. government-related actions, potentially leading to certain security or data leakage issues that we were committed to preventing. We also had to have discussions about competitiveness and intellectual property protection—business concerns.
It was time to migrate applications
After we addressed the fundamental changes for moving data, moving applications, and moving infrastructure into the cloud, we had to execute a holistic plan to “slice the elephant.” So, by gaining trust and providing fast results we added benefits to the business. We raised the confidence at Siemens and became more supportive when it came to cloud transformation activities.
As we began to optimize our application landscape, we followed the magic Five R Model from Gartner.
First, we tried to figure out what could be replaced by a new model, in terms of moving it into a SaaS environment and therefore consuming it out of the cloud. We introduced ServiceNow, Salesforce, and Office 365, which we had previously introduced into the company.
Next, we implemented additional validation or evaluation of the applications and decided whether we could just re-host them in terms of moving the application or put them as-is into the cloud environment.
Transforming the network to provide the right connectivity
We realized early on that our traffic pattern, overall, was changing significantly. We had reached a point where 64% of traffic on average, per site, was going to the internet. So, the traffic pattern in itself was very much becoming internet-centric.
We tried to clearly evangelize the story internally by saying that the internet will be the next corporate network. We stressed that over time, keeping that transition in mind, we are going to have more applications in the cloud than we are running in internal data centers or private cloud data centers, which are still connected to our intranet. We are reaching the tipping point now. Most applications in Siemens will be public cloud based, and therefore, totally connected through the internet.
From a capacity management point of view, we are gradually ramping up internet connectivity in parallel or to coexist with our remaining MPLS private networks. We are currently mobilizing a team that is getting our network to the next level of sophistication, which provides us much more flexibility. Ultimately, we will be introducing internet-only connectivity for around 90% of all sites that we are currently supporting. Siemens maintains around 2,200 sites globally in 192 countries.
With our global WAN carriers, we are required to closely manage interaction, so that we know what steps to execute on from a management point of view. We were quite lucky that we had already been consolidating our carrier infrastructure down to two carriers: one for Germany, and one for the rest of the world. That helped us directly steer activity and was one of the key success factors for our wide area network.
Improving application security
The access to applications was extremely important, especially when we could no longer rely on a secure network. We started off with a clear, strategic direction to all application owners that requested that they consider their application in a way that it would already be exposed to the internet today. In other words, protect yourself without relying on the network.
“It is quite a tough challenge to secure a network which you don’t control.”
We introduced single mechanisms that required the user, depending on the confidentiality, to classify an application through multi-factor authentication. We also applied traditional firewall approaches to reduce the number of possible ways to reach the server.
As we were moving applications to the cloud and embracing SaaS offerings, we realized that it is quite a tough challenge to secure a network which you don’t control. We also maintained outbound and inbound traffic at the same time. Therefore we recognized that our perimeter of policy enforcement and network control is going to be changing. It will not only be in our hands. That was also the point in time when we had been looking at solutions in the market to help us to secure connectivity in the cloud.
Introducing cloud-optimized internet access
During this process, we also found that we had to update our service areas. Thus, we came up with COIA, which stands for cloud-optimized internet access, a term we currently use to communicate internally. In the beginning it was quite a transition, but now every user is aware of the term.
Next, we had to create a security aspect. We decided to introduce Zscaler.
We started with a proxy server based on connectivity to the internet with our outsourcing partner and explored ways to optimize it. One of the first steps was to leverage local internet breakouts. We were riding on the lines of our carriers, and we let Zscaler find the most ideal routes to the next big net-based internet gateway.
Finding the right security partner
Eventually, we found ourselves discussing this with several different carriers and screening the market. For a company the size of Siemens, there were only five or six solutions that we could seriously consider. There was also one very new challenger. Our main carrier approached us and was concerned that we hadn’t heard of Zscaler. They brought Zscaler to our attention and explained how Zscaler had quite an interesting solution. They were completely running in the cloud—we would not have to deploy anything in our environment—and they could scale up very, very quickly. Through their cloud security platform with comprehensive functionality, they offered several things that other providers didn’t have.
We knew this was a crucial element in our transition and if we could find a partner who could keep up with the pace we require them to take, then we would be more than happy to embark on that partnership. I think that was the first time we met people from Zscaler, and they were quite different from anyone we had seen before. They approached it completely differently; they were cloud native.
We shared with our carrier and with Zscaler what we wanted to do and what our targets were, and it turned out our strategy was completely in line with what Zscaler was envisioning. We were able to execute against this joint vision and rolled out the service in less than twelve months. Since then, we have been able to set a certain track record for introducing cloud-based solutions and optimizing our network architecture.
Building a cloud-first team
We learned that we needed to have a team in place that was fully committed to using the cloud. My advice to other companies would be to carefully select their internal team and have an eye on those working from the carrier side.
Planning and understanding your application landscape, along with user requirements, is also a crucial factor.
Troubleshooting is much easier now that we don’t have to look at thousands of appliances on the ground. The cloud was a positive change in terms of resiliency and flexibility. It resulted in a very smooth rollout.
Taking on regional issues
You also have to take into consideration embargoed countries or countries with special political or economic circumstances. Just to name a few: Russia, India, China, Iran. These are countries where you, of course, must look a little bit more into the details of how you can drive the change. What can go to the cloud? Where do you have to store it? How do you have to store it? Do you have to have a copy, still, in the country locally? Are there any other legal considerations in each country that you have to respect and follow?
There is plenty to learn, especially when it comes to global deployment. The network is just taking care of the transportation and not the storing of data, especially when it comes to the re-hosting of applications and the storage of data. This is where it can start to become quite a headache.
Improving end-user satisfaction
Our end users are happy with the cloud-optimized internet access as one service, but they are also happy to use evergreen applications, which are updated or enhanced with new features on a monthly or quarterly basis. We do not have the discussions around why is Siemens not using the latest version. I think after some initial growing pains, people are now embracing the change. People are more relaxed about storing data in the cloud.
The first 12 months required some adjustment, but we are now in the phase where people can’t imagine going back to the old world, into the old situation.
Cloud transformation has empowered the organization
We have been giving more power to our different divisions and business units, which is providing a certain level of required separation between the groups.
“The higher performance and greater flexibility is helping our end users, in addition to company management and overarching targets.”
This separation requires individual customizing, which we love in the cloud—typically creating, then spinning off an old tenant. Multi-tenancy is a standard in the cloud and we require our vendors and application service providers to support it. Therefore, we have a much better chance to react to organizational changes, and we can cater to them from an IT perspective.
For Siemens overall, the cloud is helping us on these macro changes. And for the end users, obviously, we are much faster in terms of our ability to adjust infrastructure, apply new policies, control how people are consuming bandwidth, make sure that business-critical applications get the right priority—and we are able to increase the underlying infrastructure to cover any additional load during peaks.
The higher performance and greater flexibility is helping our end users, in addition to company management and overarching targets.
Gaining new freedom and flexibility
The cloud gave us the ultimate freedom to explore small, new ideas that didn’t require a heavy investment in new hardware or infrastructure. And we could do all of it without incurring any commercial risks. The cloud enables us to be more agile by inventing prototypes and including customers in the early stages of development. Our application landscape can now be optimized by using the agility of the cloud in terms of consumption level. We love being more flexible, faster, and able to address business needs as we are going into more prototyping—rapid prototyping—and faster development cycles.
Moving security to the cloud
Everything started when we knew we wanted to optimize how we accessed the internet. We needed a solution that would give us the additional security and protection in the cloud that we were accustomed to on premises. Zscaler Internet Access established distributed policy enforcement points through which all our traffic and regional hubs flowed. We could also use a standard enforcement point to establish and dispatch connectivity for inbound access, which would work with remote connections.
Providing secure access to internal apps
There are certain critical applications that Siemens is not currently considering moving to the cloud due to high sensitivity, such as those that involve financial or internal data. Our next step was to add another level, so that we could run different applications, services, and macro connections through Zscaler Private Access.
We are still in the process of integrating the inbound access with all Siemens’ specific tools or applications and services. Identity and access management was one. Here again, the cloud is helping us to just drive standardization to a certain extent so that we are using market-standard authentication.
In the end, the implementation and integration were straightforward. On the one hand, Zscaler is building its solution based on market standards. On the other, our strategy clearly pivots around market standards, which give us the ability to choose platforms and carriers.
Advice to others embarking on a cloud journey
I would advise other companies to create a bold vision and mission statement and to communicate it internally in a very aggressive way. You need to know exactly what you need to make your cloud journey happen and you need to get everyone fully behind it. And then you would also need to support the first movers. You should pick some lighthouse candidates for transformation.
I want to emphasize how important it is to ensure the close interaction and cooperation with respective departments, especially those that are responsible for cyber security or information security, protection, export control, and all the other critical support functions that have a say in the whole process.
You also need to have some users who are actively supporting the journey and who are bringing in some clear perspective that their life has improved since they began using cloud solutions. And of course, you must have a convincing time-scale calculation ready. That means giving it the right level of priority as you eliminate the high costs while you are handing over responsibility to third parties.
You need to focus on your partners and on retaining and building the partnership. This is why Siemens is calling one of the changing pillars of our overall global IT strategy “collaborative IT.” It’s no longer only up to us as an IT department to run our IT landscape. It’s much more about collaborating with our partners to innovate, to go at a certain pace. We are relying on them, on the one hand, to keep up, and on the other hand, to co-innovate the future service offerings, sharpening them for the future.
Things to avoid
What I would really try to avoid is losing focus. If you lose focus and if you’re not able to train your staff on the platforms you selected, you might get lost in complexity. And if you have some very complex and hard-to-lift applications, they shouldn’t be among the first lighthouse projects.
Careful selection of cloud projects is important, because if you screw up one of the products, it will create a certain noise level that becomes counterproductive. You need to avoid too many negative sentiments from within the organization, which tends to sow doubt about moving data and shifting responsibility into the cloud. These are our main pillars of getting the engine running.
In the future, an important aspect will be managing the landscape of partners, our idea of “collaborative IT.” We also want to develop integration based on market standards between the different cloud solutions. Application services will be a vital component of every corporate IT organization’s task. I would also envision that overall, corporate IT departments would reduce their footprint when it comes to internal staff and spend more time managing office IT-related applications and services, because their cloud consumption is going to be the clearly defined new standard.
At the same time, I do believe that these changes are also fostering collaboration with business units on digitalization. By moving workloads to the cloud, we are freeing up capacity that we can use to work together with the business units on even more sophisticated IT solutions, which will help our BUs to be more efficient and, in the end, more successful in the company.
The cloud will be our main data center going forward. There are some golden nuggets or crown jewels which we would typically not move into the cloud, such as our trust center where we use certificates to identify servers, clients, users, everything. But the number of workloads that still require an old data center presence is very low.
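The instruction to application owners quoted above, to treat every application as if it were already exposed to the internet and to "protect yourself without relying on the network", with multi-factor authentication required according to the application's confidentiality classification, can be contrasted with the older castle-and-moat check it replaces. The Python below is an added example written for this chapter, not Siemens' or Zscaler's code; the classification levels, application names, intranet address range and sample requests are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed application catalogue: application name -> confidentiality classification.
APP_CLASSIFICATION = {
    "careers-site": "public",
    "intranet-wiki": "internal",
    "payroll": "confidential",
}

# Constructed requirements per classification: (must be authenticated, must have MFA).
REQUIREMENTS = {
    "public": (False, False),
    "internal": (True, False),
    "confidential": (True, True),
}

# Constructed intranet range that the legacy check trusts.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Request:
    app: str
    source_ip: str
    user: Optional[str]      # None means the caller has not authenticated
    mfa_verified: bool


def legacy_allow(req):
    """Castle-and-moat decision: anything arriving from the intranet is trusted outright,
    and everything else must present an authenticated user with MFA."""
    addr = ipaddress.ip_address(req.source_ip)
    if any(addr in net for net in CORPORATE_RANGES):
        return True
    return req.user is not None and req.mfa_verified


def zero_trust_allow(req):
    """Network-independent decision: the source address is never consulted, so the
    answer is the same whether the request comes from the intranet or the internet."""
    classification = APP_CLASSIFICATION.get(req.app)
    if classification is None:
        return False                      # unknown application: fail closed
    need_auth, need_mfa = REQUIREMENTS[classification]
    if need_auth and req.user is None:
        return False
    if need_mfa and not req.mfa_verified:
        return False
    return True


def compare(req):
    """Show both decisions side by side for one request."""
    return {"legacy": legacy_allow(req), "zero_trust": zero_trust_allow(req)}


if __name__ == "__main__":
    # Constructed sample: an unauthenticated request to payroll from an intranet address.
    print(compare(Request("payroll", "10.1.2.3", None, False)))
```

The two functions diverge exactly where the chapter says the old model breaks: an unauthenticated request from an intranet address reaches a confidential application under the legacy check but is refused by the network-independent one, while a public application becomes reachable from anywhere without the legacy model's blanket MFA requirement.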
Chapter 3 Takeaways
It is clear that in a cloud and mobile-first world, users should be able to take the most direct path to the applications they need for a business to operate at its best. This necessitates that corporations adopt a “direct-to-cloud” and hybrid network architecture rather than a hub-and-spoke, MPLS-based architecture. As Siemens exemplifies in this chapter, in the new world the cloud is the new data center and the internet the new corporate network.
As the center of gravity of enterprise IT shifts from the data center to the cloud, where mission-critical applications now reside, so must security architectures change. The old world of applications hosted in the data center has given way to a world of applications in public clouds, private clouds, and SaaS.
The hub-and-spoke models that were so prevalent over the last three decades have to give way to the most direct path to these applications, wherever they reside. Local breakouts—connecting remote locations directly to the internet—are a preparatory phase for the future in which every device will connect directly to the internet.
Treat remote offices like remote workers. Connect them directly to the internet. Users will do this no matter what you do, especially when things like LTE and 5G are embedded in their devices natively.
Security based on building a perimeter with firewalls and other traditional security appliances will not be effective. Rather, think about how to securely connect a user to the right application or service.
The network must be transformed. A direct-to-cloud architecture will save money while improving user experience. MPLS will play a reduced role and may be relegated to a position that mainframes have today: legacy.
As the corporate network evolves to direct-to-cloud, legacy castle-and-moat security models built to protect those hubs must also give way to a new architecture—network transformation cannot happen without security transformation. In the next chapter, we will focus on the new security architecture organizations need to build in order to address the new form of corporate network that is not tethered to a single type of physical network and enables a mobile workforce.