A Case Study in SASE – Delivering much cheaper connectivity and enhanced security for a remote workforce

This article takes us down to ground zero – a real customer need that is being addressed by Superloop’s SASE solution. This was a manufacturing customer in acquisition mode with sites in Australia and multiple overseas countries. Superloop is supplying and deploying a complete SASE solution and network connectivity with subsequent ongoing management services.

The Customer Ask

Our customer operated an older, legacy SD-WAN solution with internet circuits into each site. The existing service provider supplies and manages the overlay network with associated capabilities and the underlying carriage links.  

The customer wanted to deploy a new network to meet its updated future state vision for IT services. Along with others, Superloop was tasked to provide a managed network option for consideration. The managed network option should include the provision of CPE (if required), 24x7 monitoring, and a Network Operations Centre for troubleshooting and repairing network issues. This is expected to provide at least:

• WAN network overlay (SD-WAN)
• Secure Web Gateway
• Cloud Access Security Broker (CASB)
• Zero Trust Network Access

The customer stated that the proposed solution must match or exceed existing security controls provided by the current solution and expected the proposed solution to specifically replace the remote access service that authenticates the user and validates the endpoint device. In addition, the proposed solution must replace the existing web access management and filtering of malicious web content.

Additionally, the customer was looking to consider potential value-add capabilities such as Firewall as a Service (FWaaS), Cloud Access Security Broker (CASB), User Experience (UX) monitoring and advanced network instrumentation.

Customer Pain Points

As we regularly consulted with the customer through our qualification and design process, we uncovered several specific pain points that the customer also wanted to be addressed. Every pain point had its own set of drivers:

Pain point

• Complexity of individual branch WAN connectivity and associated management
• Ability to rapidly deploy and support global locations
• High cost associated with MPLS across global locations
• Poor visibility of business applications and application performance
• Declining user experience
• Increased and inconsistent security risks between remote mobile users and Data Centre
• Poor service management experience

Driver(s)

• Multiple WAN links and hardware
• Legacy architecture
• Device sprawl
• Legacy network architecture limits rapid growth
• MPLS technical structure and a non-cloud-based solution
• Current CPE not able to provide visibility of application performance
• Branches trombone trunking to the DC for inspection of traffic and connectivity to services in the cloud or internet

Multiple point solutions include:

• CPE at branches and Head Office providing Security layer 3 and 4; and
• Firewalls in the Data Centre providing NGFW services.
• Support provider knowledge of legacy SD-WAN solution and ability to support it

The Superloop SASE Solution Overview

Leveraging our deep expertise in network connectivity and strong, emerging expertise in designing SASE solutions, Superloop, with the aid of its SASE Vendor partner, developed a comprehensive SASE solution that addressed both the customer’s ask and its pain points. The critical elements of this solution were:

• Our SASE solution is based on technology that leverages a global hyper-scale cloud technology that is infinitely extensible and scalable
• Two (2) data links from diverse carriers connect to a pair of managed SD-WAN appliances at each site which is configured in High Availability (HA) mode
• A virtual SD-WAN appliance in each of three Azure instances globally
• All sites connecting to a cloud-based security layer globally for security capabilities, including Web Filtering, Threat Prevention, Data Loss Prevention (DLP), Sandboxing (Zero Day threats) for traffic to SaaS applications and the Internet and User Experience Management (down to endpoint device level)
• Capability to connect to on-premise applications in a local data centre
• All mobile users connect to the cloud-based security layer globally (replacing the legacy VPN solution), where traffic is inspected before being forwarded to its intended destination

How SASE Addresses the Customer Pain Points

The Superloop SASE solution wasn’t just designed to address the customer’s original ask but also the pain points we uncovered through ongoing consultation with the IT team.  See how the SASE design addressed each pain point:

Pain point x How SASE addressed each pain point

Pain point:
Complexity of individual branch WAN connectivity and associated management

How SASE addressed it:            

• The SASE SD-WAN appliance reduces device numbers in offices by replacing routers and zone-based firewalls.
• Internet (Ethernet) connections are connected directly to the SASE SD-WAN appliance reducing complexity at sites.
• Hardware, management and operational costs are consequently reduced.

Pain point:
Ability to rapidly deploy and support global locations

How SASE addressed it:

• The SASE solution seamlessly and rapidly incorporates additional sites and/or additional links.
• Zero-touch deployment nature of our vendor’s SASE technology ensures rapid deployment.
• New SASE SD-WAN appliances and/ or links activated remotely by Superloop once physically connected.

Pain point:
High cost associated with MPLS across global locations

How SASE addressed it:

• Superloop’s SASE solution uses Internet links with the connectivity managed at the Network layer by both the SASE SD-WAN fabric with security managed by the SASE cloud-based security layers resulting in significantly reduced network connectivity costs for the customer

Pain point:
Poor visibility of business applications and application performance          

How SASE addressed it:

• Our SASE solution enables Superloop to support the customer by providing improved network visibility through the provision of access to the SASE portal (role-based access control) at no additional cost.
• Improved application awareness and analytics as the SASE SD-WAN technology allows the policy, and provides visibility of performance, at Layer 7 (Application Layer).
• The SASE SD-WAN controller responds to changing traffic conditions within the SD-WAN fabric to meet all business application requirements. This leads to increased business application performance which improves the end-user experience. Superloop is enabled to create policies based on the customer’s business intent rather than a series of fragmented networking features.
• Dynamic path selection enabled the choice of the highest performing network and provided visibility into performance and availability for applications and networks.  

Pain point:
Declining user experience    

How SASE addressed it:

• Ensures all remote sites connect to Azure directly via Internet underlay, which improves user experience.
• The Remote VPN users worldwide will connect to a Local Cloud Security node to access services in the Azure cloud. Once the user is connected to the node, the flow is backhauled via the hyper scale cloud to provide low latency and improve end-user experience.
• Included Specific User Experience functionality to provide clear view from user endpoint to destination on a hop-by-hop basis to quickly understand where a decline in user experience is.

Pain point:
Increased and inconsistent security risks between remote mobile users and Data Centre    

How SASE addressed it:

• SASE cloud-based security layer provides generation Firewall features (URL Filtering, VPN, Firewall and Threat prevention) from one platform; no more inconsistency or gaps when using multiple point solution security products.
• The SSE cloud-based security layer delivers the coverage to maintain traffic visibility and the enforcement of security policy. Superloop is able to create policies to control access to, and inspect all traffic, from SaaS applications, the data centre or the hybrid cloud.
• The SASE cloud security layer includes CASB functionality to allow Superloop to apply more granular enforcement of cloud security policies to safely enable the usage and transfer of SaaS-hosted content.

Pain point:
Poor service management experience          

How SASE addressed it:

• Superloop will leverage its service management experience, now coupled with its official SASE Managed Security Services Provider (MSSP) status. This has been achieved through our partnership with our SASE technology vendor that requires a range of staff in Pre-sales, Provisioning and Support to have undertaken relevant SASE vendor training.

Conclusion

Superloop now has a customer with much cheaper network connectivity by deploying a SASE solution. It also delivers consistent and enhanced security across all users (wherever they may be) whilst simultaneously reducing the number of legacy network and security point solutions, the operational complexity that follows such an environment and thus lowering cost.