Employees often complain about latency issues when accessing cloud applications after launching Office 365, and companies are experiencing skyrocketing WAN costs. The much-touted advantages of the cloud of more efficiency, agility and cost savings seem to vanish into thin air. Often, the root cause is an oversight during the planning phase, writes Marc Lueck, EMEA CISO at Zscaler, where not enough consideration is given to the impact Office 365 can have on the security and network infrastructure.”
Fifteen years ago, the Internet was used by most companies as a search engine, a digital encyclopaedia and a telephone directory. Less than 10 per cent of traffic was Internet-centric and the rest was on the internal corporate network. The cloud has turned traffic into the opposite: applications are migrating out of the enterprise network, and today more than 70 per cent of traffic is connected to cloud-hosted applications. However, security and network infrastructures were not adapted to fit this changed traffic.
Marc Lueck, EMEA CISO at Zscaler
Office 365 in particular provides a number of special requirements for high-performance operation, which companies must consider in the planning phase.
As this is the cloud variant of the popular program collection, the data streams are shifting out of the company network, increasing network utilisation often by a factor of five. Therefore, high-performance Internet access is mission-critical for the user experience.
Office 365 Networking: Break Out Internet Locally?
Microsoft recommends local Internet transitions as an essential part of the introduction in the Office 365 Implementation Design Guide to transport the data streams to and from the cloud without going to and from the user.
In a traditional hub-and-spoke network architecture there is no provision for breaking out directly from any location to the Internet because traditionally, Internet egress had to be secured by a stack of equipment resident in the corporate office. But this is precisely the problem that prevents high-performance access.
The simplest solution, and the one recommended by Microsoft, is to break out Internet locally at each location, providing the shortest route to the Microsoft data centres possible. This method ensures low latency access. However, this also creates a problem; security requirements must also be taken into account at each location, as that Internet traffic needs to continually be secured.
Content from our partners
Three Security Concepts to Safeguard Local Breakouts
If a company follows Microsoft’s recommendation and implements local Internet access at all sites, the next step is to rethink the security infrastructure.
If companies rely on hardware appliances for IT security in every branch office, as they have done before, they’re opting for a cost and administration-intensive approach. There’s also the bother of manual on-site maintenance to consider. Because Microsoft changes its IP addresses up to 250 times a year due to the rapid growth in the number of Office 365 data centres, firewalls typically require a high administrative overhead. Moreover, this approach only scales with great effort across all locally connected locations. In particular, hardware firewalls are not designed to support the application of parallel connections. The permanent traffic and SSL inspection required for security reasons can only be realised with high costs.
Alternatively, companies can virtually map IT security. When choosing a cloud service provider, the number of data centres provided must be taken into account. This should roughly match the number of branch offices so that bundling traffic over virtualised firewalls does not become a bottleneck. If a company has 100 offices or more, redirecting traffic through a few data centres to the provider would slow down traffic again and wipe out the speed benefits of local breakouts at each site.
In a cloud-based security approach, the security checkpoint is offered with all the functionalities that were present in the old stack of boxes at each site – Next Generation Firewall, SSL inspection, Sandboxing, DLP, URL filtering in the cloud, and anti-malware. This is a relief for IT administrators, as load balancing becomes unnecessary, and management is done centrally. Security from the cloud makes all updates available without manual interaction and the security policies follow the employee regardless of location and device used. This also helps cover the growing demands on IT security, as a cloud security service provides scalability for high-performance scanning of SSL-encrypted traffic.
In addition, the challenge of Microsoft’s regular IP address updates can be mitigated by the one click deployment of a cloud security stack. A cloud solution automatically delivers these rule updates for the Next Generation Firewall in real time. The many parallel requests are scheduled and rebuilt on a proxy in the cloud. A one-click deployment feature speeds up the management process and, once again, takes some burden off the IT department. It also ensures the permanent accessibility of Office 365.
Boosting Performance when Accessing Office 365
In addition to the local Internet breakouts and cloud security concepts, companies can influence the required performance by considering further criteria. Greater access speeds are provided by resolving DNS requests locally. Traditionally, the site uses the data centre at headquarters to ask which Microsoft data centre and Microsoft servers to use. To mitigate the resulting latency, it is beneficial to answer the DNS request at the local data centre of the cloud provider.
In consequence, companies should appreciate the fact that the telecommunications provider operates direct peering with Microsoft. This means that the service of the cloud provider routes directly to the Microsoft servers. This avoids a detour that increases latency and increases the performance of an Internet-based application. A separate TCP / IP stack of the provider also provides for a further boost in performance, as this can optimise the session handling. These three criteria accelerate Office 365 traffic without the need for an additional WAN Optimiser.
Don’t Forget Bandwidth Management and Trouble Shooting
Bandwidth management also contributes to user satisfaction when Office 365 is given priority over other bandwidth-intensive applications. Such a solution must be able to dynamically prioritise Office 365 data in Layer 7, at the application level. When the network is heavily used, Office 365 also takes top priority over all other applications. On the other hand, with a low load, the priority decreases and other programs gain access to the Internet at the highest possible speed.
Last but not least, smooth operation of Office 365 always goes hand in hand with extensive but simple troubleshooting. To maintain the security and operation of mission-critical applications, you need real-time logs and concise dashboards of network utilisation and firewalls. This is the only way to ensure the smooth roll-out of Office 365 as well as further continuous operation right from the start.
The easiest way for organisations to successfully address the many challenges of moving to Office 365 is to redesign the network architecture: local Internet transitions and IT security from the cloud. Only this modern approach of an Internet-facing, yet centralised IT architecture brings the required performance and usability that a bandwidth-intensive public cloud application like Office 365 needs. It’s the key to ensuring employees and businesses enjoy all the benefits of cloud-based applications.
