Partnering to Deliver an Automated Secure Access Service Edge

Silver Peak and Netskope partner to provide scalable, secure branch, HQ and direct-to-net connectivity, with advanced data and threat protection for application users

As enterprises accelerate the migration of applications to the cloud, changing traffic patterns are driving the need to transform wide area network (WAN) and security architectures. When applications were hosted in enterprise data centers, traffic from branch locations was backhauled to the data center over MPLS circuits, with the entire stack of security services enforced at data center egress points, requiring only rudimentary security services at the branch.

In today’s modern cloud-first enterprise, applications are hosted everywhere: the data center, in public and private clouds, or delivered by myriad Software-as-a-Service (SaaS) providers. Users access applications from anywhere, from any device and across diverse WAN transports, including broadband internet, further complicating the security model and the IT challenge. The dissolving enterprise security perimeter expands the attack surface, significantly increasing the need for advanced data and threat protection services to mitigate exposure to threats.

While enterprises could deploy next-generation firewalls at every branch, that model is too costly to deploy and too complex to manage. To address the security and cost challenges, centrally orchestrated cloud-hosted security services, such as those available from Netskope, have emerged and continue to experience rapid adoption. The Netskope cloud-delivered security service, complemented by the application-aware, business-driven Silver Peak Unity EdgeConnect™ SD-WAN edge platform, provides a powerful secure access service edge (SASE) solution that protects the enterprise from threats and delivers the highest application performance and user experience while keeping costs in check.

Key Benefits of the Silver Peak and Netskope Integrated Solution:

  • Unencumbered safe connectivity to web and cloud applications: Cloud-delivered SaaS solutions provide optimized application and data delivery for any user and location.
  • Security without compromising performance: Global cloud infrastructure provides real-time, inline security defenses at scale, including Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), Zero Trust Network Access (ZTNA), and more.
  • Automated orchestration: Centralized policy definitions and true zero-touch provisioning accelerate deployments of new branch locations and applications and enable faster assimilation of mergers and acquisitions.
  • Simplified management: Netskope console enables security operations while Silver Peak Unity Orchestrator™ enables network operations for branch connectivity.
  • Secure Access Service Edge (SASE): Enables a SASE architecture, based on integrated best-of-breed SD-WAN and cloud-delivered security services.

Application Migration to the Cloud Compels WAN and Security Transformation

For many enterprises, migrating applications to the cloud presents a number of challenges. End-user application experience is impacted by latency, and thus, cloud-hosted applications perform better when the end-user connects directly over the internet from the branch site. The traditional approach of backhauling all application traffic through an enterprise data center via an expensive MPLS connection only adds to the latency, degrading application performance and end user quality of experience. Adoption of local internet breakout to cloud-hosted (IaaS) and SaaS applications directly from branch locations not only optimizes available bandwidth but also reduces any latency that can negatively impact performance and user productivity.

The cloud-first paradigm calls for new methods to secure access to hundreds or even thousands of cloud applications. Traditionally, when applications were hosted within the enterprise data center, guarding the enterprise against the unsafe internet was relatively straightforward with the deployment of expensive next-generation firewalls. But to deliver a high quality of experience for cloud-hosted applications, enterprises need a high-performance, secure network, built on a highly available foundation that can support local internet breakout from the branch reliably while protecting the business from threats. An advanced SD-WAN solution enables enterprises to intelligently break out cloud-destined traffic locally from branch sites over the internet. Additionally, the ability to support micro-segmentation and granular policy enforcement provides enterprises with the ability to secure their WAN, adhere to compliance mandates and defend against breaches. And with the comprehensive cloud-delivered security service from Netskope, the end user is protected when accessing cloud applications from remote branch locations. Together, Silver Peak and Netskope deliver a SASE architecture that uniquely addresses the evolving business needs faced by today's cloud-first enterprises.

Secure WAN Access with Silver Peak and Netskope

Cloud-hosted security services, such as Netskope, have emerged to provide a superior security alternative for cloud-first enterprises. Centrally managed cloud-delivered security services deliver protection for all users, supported by consistent policies and policy enforcement across hundreds or even thousands of sites - without buying, deploying or managing any physical security appliances.

Silver Peak First-packet iQ™ application classification technology automatically identifies more than 10,000 SaaS applications and 300 million web domains on the first packet, enabling granular traffic steering and security policy enforcement. For instance, a business-driven security policy may include:

  • Send data center-hosted application traffic back to headquarters across MPLS
  • Send trusted SaaS traffic, like UCaaS, directly to the SaaS provider across the internet
  • Send all other internet-destined traffic such as Box, Salesforce and web browsing to the Netskope cloud-delivered security service for security inspection prior to handing off to the providers’ cloud

Ensuring SaaS performance over the internet is far more complicated than it is for conventional applications that run over MPLS or a private network. The challenge is that even if IT managers can identify the SaaS application, they may be unable to improve its performance since network performance is critical to SaaS, and the internet does not provide the same level of SLAs as MPLS services. Silver Peak provides a number of advanced features that optimize SaaS application performance over the internet including:

  • Cloud Intelligence
  • Efficient DNS query resolution
  • Intelligent Internet Breakout
  • Intelligent Cloud Breakout
  • O365 integration
  • Support for custom-defined applications

Scalable, Comprehensive Business Connectivity and Security

The Silver Peak Unity EdgeConnect SD-WAN edge platform streamlines WAN edge infrastructure at branch locations. The EdgeConnect platform provides optimal networking services by delivering high-performance, reliable access to public cloud services, private data centers, and SaaS-based enterprise applications for branch offices, headquarters and users. Integration with the Netskope Security Cloud provides complementary security services including a next-generation SWG, an advanced CASB, both with API-enabled and inline protections, as well as comprehensive data and threat protection for users, applications and data on any device and location. These security services are all managed from a single console with unified policy controls and intuitive reports and dashboards for SaaS, IaaS, and web environments. The integrated Silver Peak and Netskope solution delivers the promise of the SASE architecture: a thin branch WAN edge with comprehensive cloud-delivered security and management.

Figure 1: First-packet iQ application identification and classification enables granular traffic steering to enforce application-specific QoS and security policies

The EdgeConnect SD-WAN edge platform supports physical and virtual appliances that deliver consistent, highly available application performance, even for latency-sensitive applications such as voice and video. EdgeConnect appliances connect to build an SD-WAN fabric and communicate via secure IPSec tunnels to one another as well as to the Netskope Security Cloud.

Branch offices connect to the enterprise data center to access on-prem data center hosted applications and route to the Netskope NewEdge network infrastructure (a global network infrastructure that enables Netskope Security Cloud to deliver real-time security without the traditional security and performance trade-off) when accessing cloud applications and services. Similarly, headquarters-based application traffic traverses the SD-WAN fabric for branch access and is routed through the NewEdge network infrastructure when accessing cloud apps. EdgeConnect continuously monitors the entire SD-WAN fabric and underlying WAN transport services and automatically adapts to changing conditions to deliver optimal application performance, even when network changes, congestion or impairments occur.

From the Silver Peak Orchestrator, IT can configure tunnels from each enterprise branch site location to the NewEdge network infrastructure, where the Netskope cloud-delivered security service applies granular security controls and advanced data and threat protection. IT centrally defines the business-driven policies that dictate how applications are delivered across the SD-WAN fabric from Orchestrator. From a single pane of glass, IT can quickly define quality of service (QoS) policies, failover prioritization and service chaining to third-party network and security services, such as the Netskope Security Cloud. Orchestrator also provides historical and real-time dashboards displaying a wealth of metrics for network health, application performance, network performance, WAN transport service performance and more.

Figure 2: Silver Peak Unity EdgeConnect SD-WAN integration with Netskope Security Cloud

Remote users outside of the Silver Peak SD-WAN fabric connect directly to the Netskope Security Cloud via encrypted SSL/TLS communications, whereby the aforementioned security controls are applied. Remote workers using corporate or managed devices are assigned the lightweight Netskope Client, which provides several key functions: it steers all traffic to the Netskope Security Cloud, it delivers consistent notifications to end users for coaching and guidance purposes when users violate a policy, and it can provide the identity of the user with no additional setup needed by the customer. Remote workers in branch offices or those using their own personal or unmanaged devices, such as in organizations supporting Bring Your Own Device (BYOD), would be directed to the Netskope Security Cloud via its reverse proxy functionality, where subsequent security controls would be applied. The reverse proxy is also used in situations where the client device is not using the Netskope Client.

Together, Silver Peak and Netskope streamline the integration of optimized SD-WAN capabilities with cloud-native security functions. Silver Peak and Netskope fulfill and support the Gartner Secure Access Service Edge (SASE) design philosophy, in which cloud-managed network services (e.g. SD-WAN, routing, segmentation, stateful zone-based firewall and WAN optimization) are combined with cloud-native, converged single-pass security controls (e.g. CASB, SWG, DLP, ZTNA) to offer organizations a highly scalable, fast and secure environment that protects users and data no matter where they are.

About Netskope

The Netskope Security Cloud provides unrivaled visibility and real-time data and threat protection when accessing cloud services, websites, and private apps from anywhere, on any device. Only Netskope understands the cloud and takes a data-centric approach that empowers security teams with the right balance of protection and speed they need to secure their digital transformation journey. Reimagine your perimeter with Netskope. For more information, visit