Optimising access for the remote workforce, that needs to conduct business from anywhere

Controlling and securing access to business applications in physical or cloud datacenters, or to public cloud applications, such as Office 365.

Remote users need regional or global access to applications hosted in datacenters. Traditionally, they accessed applications by running VPN clients on their remote devices and connected to VPN concentrators or datacenter firewalls. When remote users entered the network through remote locations, they would have to traverse the MPLS or Internet VPN to the servers in the datacenter.

Since VPN access is done entirely over the public Internet, users are exposed to erratic Internet routing with its significant latency and packet loss. These factors can severely degrade the application experience, frustrating users and hampering their productivity.

Furthermore, once authenticated, traditional VPN solutions enable users to access a whole network. This means that hackers may be one password away from getting an unrestricted foothold on the network.

While similar in concept to physical datacenters, cloud datacenters pose new networking and security challenges for fixed and mobile users. Legacy WAN architectures that backhauled traffic to a physical datacenter, need to incorporate the datacenter’s split into physical and cloud datacenter(s), sometimes hundreds of miles apart. None of the obvious solutions are sufficient.

Continuing to forward the traffic from the physical datacenter and then onto the cloud datacenter leaves datacenter-bound and mobile user traffic subject to the erratic routing of the Internet while adding latency due to the “trombone effect.”

Cloud interconnect services, such as DirectConnect for Amazon Web Services (AWS) and ExpressRoute for Microsoft Azure, provide direct connections from physical datacenter to the cloud. But remote users remain subject to Internet performance while site- and user-traffic are subject to tromboning.

Allowing remote users direct access to the cloud is equally ineffective. It eliminates tromboning, but leaves users subject to Internet performance. In addition, direct access bypasses the corporate network security stack, requiring the deployment of new cloud-based security solutions.

Accessing cloud applications (SaaS) introduces even more nuances. Cloud apps are outside of IT control so WAN optimisation capabilities cannot be extended into the application provider’s datacenter. Yet users need to access cloud application instances. Take an SFDC instance located within a specific region. All users, regardless of location, must access that instance and face the same connectivity challenges as they would if accessing the company’s datacenter.

Network security is even harder to implement. Traditional network security relies on a “line of sight” into the traffic to inspect and secure it. But as with direct mobile access to cloud datacenters, direct mobile-to-cloud access bypasses the corporate network security stack. Companies again face a tough choice: either force backhauling of mobile Internet traffic to the datacenter, which adds latency and degrades the user experience, or increase costs by deploying a cloud-based security point solution — such as a SWG or CASB — to intercept and inspect all mobile traffic to the cloud.