Introduction
So much has changed in the world of IT over the past two decades. There was a time when almost all of us did our jobs at a place of work where IT resources were provided from an onsite data center. In larger organizations, branch locations were often connected back to headquarters over a private circuit or leased line, accessing IT resources from a centralized data center.
As the 2010s came along, two displacement trends started to accelerate the pace of digital transformation. First, public and private cloud applications began gaining significant traction, displacing locally installed and licensed monolithic apps.
Second, software-defined wide area networking (SD-WAN) emerged, taking advantage of a more robust and performant internet to displace expensive MPLS circuits and complex traditional WAN routing. SD-WAN networks are typically built using lower-cost commodity hardware, are managed via a cloud-hosted GUI instead of CLI, and use site-to-site VPNs over the internet to create virtual private circuits.
Unsurprisingly, SD-WAN took off and rapidly became the de facto means of connecting sites together, and users to their apps and services. Service providers followed the trend, placing more emphasis on selling business-grade direct internet access (DIA) services over which to run mission-critical services.
Challenges with SD-WAN
Extending the network using SD-WAN facilitates connectivity, but in typical deployments, it can create security challenges. Every SD-WAN appliance using the internet for transport must have a public IP address, opening up an attack surface that can be easily discovered. Then, if a breach occurs, it is easier for an attacker to move laterally through the network and between sites. Addressing these risks means deploying traditional network-based security like firewalls, intrusion detection and prevention, malware protection, and so on. What looked like a simpler, more cost-effective solution turned out to retain a lot of the cost and complexity from previous WAN solutions.
Reimagining branch connectivity
Fortunately, the underlying trends that helped SD-WAN gain its foothold also provide for a fresh approach to branch connectivity. Zscaler has spent the past 15 years developing its Zero Trust Exchange platform to securely connect users and workloads to their applications and services, creating session-based encrypted tunnels that can run on top of any network. This approach has made the use of client VPNs redundant, and is perfect for home workers, smaller café style branch offices, or co-working spaces where non-user devices are the concern of the building owner.
Larger branch offices are more likely to be owned or leased by the organization, with a mix of in-house IT resources, as well as reliance on services at other offices, or HQ. They’re also more likely to have devices unable to run the necessary client connector, like servers, printers, and IoT/OT devices.
To meet the needs of branch connectivity without relying on VPNs, Zscaler has developed the Branch Connector, a forwarder for all traffic emanating from, or bound for, branch sites, which eliminates VPNs and provides secure access via the Zscaler Zero Trust Exchange for users, servers, and devices within branch sites.
Benefits
Zero Trust Branch Connectivity delivers three key benefits:
- By eliminating VPNs, the risk of attack surface discovery/exploit and lateral threat movement is removed.
- A direct-to-cloud architecture removes the need to maintain complex legacy routable networks and reduces infrastructure, helping to reduce costs.
- A low barrier for new branch sites, M&A, and B2B. It’s now easier to seamlessly integrate collaborating workforces, reducing time to productivity for organizations bringing people and business applications together.
Deploying Zero Trust Branch Connectivity
The Branch Connector is deployed on-premises as either a lightweight virtual machine or – later in 2023 – a plug-and-play appliance. Its role is to manage all traffic forwarding for the branch location, using any router to relay traffic over the internet to the Zero Trust Exchange. The Branch Connector is managed out-of-band and all security policies are managed from the Zscaler portal. This makes it easy for security and IT admins to not only have the visibility they need into what’s running in the branch, but also ensure that appropriate policies are consistently applied to all users, servers, and devices at branch locations.
Interested in seeing whether Zscaler Zero Trust Branch Connectivity can replace your site-to-site VPN infrastructure? Click here to learn more in the data sheet, and reach out to your Zscaler representative to ask for a demo.
