Drawing a New Map of Enterprise Networking

Earlier this year I got to hear Tim O’Reilly speak at Grand Central Tech as part of their Authors @ GCT lecture series. Mr. O’Reilly is out promoting his new book, “WTF? What’s the Future and Why It’s Up To Us.” One of themes of his book is the process of innovation – how we go about creating technologies that completely change the way that we think, work, and live.

O’Reilly writes about drawing visual maps of the different elements within a company’s business plan, in order to understand how they interrelate with each other, a process that he learned about from a strategic consulting firm called BEAM. He then proceeds to draw such a map for an on-demand transportation company like Uber or Lyft.

There was a particular way that on-demand transportation worked a decade ago – you called a cab company, and a dispatcher announced your location on a radio network, and hopefully one of the cab drivers agreed to pick you up. Over time a particular set of technologies have become available, including the Internet, smart phones, and dispatching algorithms, that have enabled a completely different way of organizing this process. However, the new map for on-demand transportation didn’t draw itself – it was the job of innovators to realize that an opportunity existed to connect each of these ingredients in a new way, and to persuade the public that this new way is, in fact, a better way.

Of course, this got me thinking about what we’re doing at OPAQ Networks. IT organizations have been building enterprise networks in the same way ever since we started connecting businesses to the Internet in the early 1990’s. I usually credit Steven Bellovin and William Cheswick for drawing the original maps of this territory in their book “Firewalls and Internet Security.” This model is often called the “perimeter security model” – “We’ve got a bunch of sensitive computer systems here in our corporate headquarters, so we connected all of our satellite offices into that headquarters and we’ve built a stack of security solutions there to protect everything.”

Over time that model has started to show signs of strain. The sensitive systems that used to collect at headquarters are gone – they’ve moved into the cloud. However, the security stack is still there, and all kinds of traffic is still getting backhauled through headquarters for the sole purpose of sending it through the stack. Despite this approach, attackers are successfully getting inside by infecting end user workstations. Once their malware is running on the other side of the firewall, they have free range over the internal network and can get right to the data they want to steal.

At OPAQ Networks we are building a new map for this territory. First, we’re moving the security stack into the cloud, where the sensitive assets now live. This solves the backhaul problem, because satellite offices and remote VPN users can connect to cloud assets through our network instead of backhauling through a corporate headquarters. OPAQ has a nationwide network of points of presence and more than 200 peering relationships with major service providers that enable us to get traffic to it’s destination as efficiently and reliably as possible. Most small and medium sized enterprises don’t have the means to build this kind of infrastructure for themselves.

Second, we’re introducing software-defined network segmentation, a completely new technology that provides enterprises with unparalleled visibility and control over their internal networks. Using this tool, it’s possible to granularly segment internal networks so that end users only have access to the resources that they need, without having to reconfigure VLANs or wrestle with NAC solutions. Our partners’ midsize customers are able to adopt a better security posture, so that a single endpoint compromise does not imperil their entire business.

We are entering a time when the traditional way of building enterprise networks is being disrupted, and other maps are being drawn. Google’s BeyondCorp is one such map, along with the idea of Zero Trust Networks that was eloquently detailed in a recent O’Reilly publication. These approaches suggest doing away with the VPN and the security stack entirely, placing internal applications directly on the Internet and connecting users to them through authenticating proxy servers.

While I believe the BeyondCorp approach has merit, and there is a great deal that we can learn from it, it’s also very difficult for small and medium sized businesses to adopt. The traditional security stack delivered from the cloud has value, particularly for businesses where consistent patch and configuration management can be a challenge. The VPN has value, because it draws a clear line between the organization’s assets and the outside world. The problem is that these assets are often hosted in the wrong place today, and better segmentation is needed behind them.

This is what we’re doing at OPAQ Networks – we’re drawing a new map for the practice of enterprise networking in the cloud computing era. By leveraging network security-as-a-service, software-define network segmentation, and a modern, global network infrastructure, we’re enabling our customers to build networks that are more efficient, reliable, and secure than they have ever been before.