Nov 07 2023

Making Sense of the Cloud Connectivity Options Available to Agencies

Size, application and mission needs will dictate whether agencies go with software-defined WAN or security service edge first.

VPNs have long been federal agencies’ default for cloud connectivity, but the balance has shifted toward software-defined WAN (SD-WAN), security service edge (SSE) and secure access service edge (SASE).

How should you choose the right connectivity option? Much will be based on agency factors such as size, application needs and mission objectives.

How to Choose the Right Cloud Connectivity Option

These are the key terms to know: SD-WAN allows enterprises to leverage any combination of transport services; SSE refers to converged network security services delivered from a cloud platform; and SASE is an architecture that delivers converged network and security as a service.

“SD-WAN is at the core of this ecosystem,” says Larry Lunetta, vice president of security solutions marketing for HPE Aruba Networking. “It ensures that users make the right connection and get the right experience, especially for IT resources in the cloud.”


The job of SD-WAN “is to make the infrastructure person’s job easier,” says Hansang Bae, public sector chief technologist at Zscaler. Instead of manually configuring hundreds of routers, “the tenet of SD-WAN is there’s only one brain, only one controller. And that brain dictates to all the routers, ‘You’re going to do this; you’re going to do that.’”

SASE, meanwhile, “is the framework that merges both SD-WAN and SSE together under a single, unified cloud-delivered security platform,” says Craig Hill, distinguished architect in Cisco Systems’ CTO office for U.S. public sector. This includes secure internet, zero-trust architectures, cloud access security brokers, secure web gateways and Firewall as a Service.

Agencies likely will be looking at all these components as part of an integrated whole.

“Some organizations will invest in SD-WAN first, and then add SSE,” Lunetta says. “Some organizations will invest in SSE before they invest in SD-WAN. By definition, SASE requires both.”

It’s Time for Agencies to Revisit Cloud Connectivity

The increasing complexity of cloud deployments should be triggering a re-evaluation of connectivity methods. Today there are workloads in the cloud, on-premises and in colocation facilities.

“In that hybrid cloud environment, connectivity becomes crucial. At any one time, you may be connecting the workloads in any of those places,” Lunetta says. “Making sure those workloads communicate properly is key to success.”

At the same time, a VPN alone won’t meet evolving security needs.

“Some of the biggest hacks that we’ve seen so far came from VPN issues,” Bae says. “You’re connecting your end user to your network, and there is no security other than whether you’ve authenticated. As soon as I connect to a VPN, you have the run of the entire data center, every application, every other server inside my corporate network. I can touch, I can infect, I can scan.”

Fortunately, agencies today have more connectivity options than ever.

“Like any product or offering, solutions, technologies and capabilities continue to evolve with new innovation, including solutions that offer more simplicity, security, with lower OPEX and CAPEX costs,” Hill says.

People periodically refresh their laptops, mobile phones and even automobiles.

“We need to take this same approach with cloud connectivity offerings,” Hill says.

Questions to Ask About Connecting to the Cloud

In evaluating their cloud connectivity options, agencies must consider a range of factors.

First, they need to determine whether a given solution will provide robust connectivity. With the rise of remote and hybrid work models, employees may be in the office, at home or in a coffee shop.

“No matter where they are working, they need to be able to get to the same IT assets, the same applications and the same data,” Lunetta says.

“The first objective is to make access easy, seamless and high-performance,” he adds. “The experience for the end user must be the primary consideration.”

In addition, IT leaders need to look at the level of security available in a given solution.

“You have to protect the organization,” Lunetta says. “The more variety of where workloads run and where access happens, the bigger the attack surface and the more of a concern it is to the security group.”

A simple internet connection likely won’t be enough to fulfill that requirement because your internet service provider (ISP) isn’t in the business of securing your traffic.

“You need a solution that says, ‘I will ensure that these packets that I’m using in this application are never tampered with,’” Bae says. “‘And if someone tampers with these, I’ll immediately disconnect and let you know.’”

The solution should support zero-trust security, the ability to know and manage everything and everyone that’s connected to the network.

“That should be a driving element in evaluating these different strategies,” Lunetta says. “The set of factors to be weighed includes cost, performance, experience and security; it is a fairly sophisticated conversation, but it has to happen.”

Here Are Some Other Options for Connecting to the Cloud

Other methodologies may come into play as agencies look to improve cloud connectivity. VPNs are still an option, but as noted above, security issues mean they can no longer stand alone.

Direct cloud access via the network service providers “offers a private network connection between an agency’s private VPN service and the customer’s cloud provider offering,” Hill says. “This type of service is relevant for those customers already leveraging an IP VPN transport service.”

IT leaders will also want to factor in their ISP’s cloud exchange strategy.

“Cloud exchange is like Grand Central Station; it’s where all the different lines come to meet so users can jump on and jump off and go to different places,” Bae says. “As an infrastructure person, you want to investigate these ISPs to see which exchange they connect with. If you have a predominant presence in the Northeast, you’re not going to use an ISP that has the bulk of its infrastructure on the West Coast.”

Ultimately, any means of connectivity will likely connect back to SD-WAN.

While various means can support data transport, SD-WAN provides “a consistent operational model for the branch router connectivity into the cloud,” Hill says. “Regardless of the underlay, SD-WAN could be leveraged as that overlay into the cloud.”
