In almost every industry, the business lifecycle has shortened and accelerated to help companies gain or sustain a competitive advantage. The expectation is that information technologies will enable that transformation, giving users superb experiences, reducing organizational costs, and shortening the time to market.
Fundamental to these transformation efforts is being able to easily reflect business requirements in our networks. Widespread industry efforts have been underway to tie network traffic operations to business operations. At its recent user conference, AT&T said it will bring context-aware networking to its 5G services. Cisco has long advocated intent-based networking.
Traditional Routing Isn’t Enough
All approaches recognize that traditional routing is insufficient for today’s business needs. The way we think about routing traffic has little to do with how we build our organizational processes. Traffic is routed and prioritized based on physical network information — namely IP address ranges — not higher levels of abstraction, such as applications, users, or groups. As such, traditional routing does not differentiate between application requirements. And unless they sit in separate address ranges, executives, sales, engineering, marketing, and temporary workers are all treated the same by traditional networks.
Yes, to an extent we’ve been able to get around these issues. But those efforts only serve to increase network complexity and with mounting complexity comes the increased rigidity and maintenance costs all too often associated with enterprise networks. All of which makes aligning the network to the business particularly challenging.
Routing Must Reflect Business Context
SD-WAN took a step toward bringing the network closer to the business with application-aware routing. With SD-WAN, we’re able to calculate routes and prioritize traffic by application type. It’s application awareness that allows us to treat voice-over-IP (VoIP) differently than file transfers, for example. But even with application awareness we’re left ignorant of the users behind the application. We might route VoIP differently from file transfer but we can’t route business-critical calls, such as sales calls to high-value customers, any differently than internal calls.
Identity awareness evolves routing by connecting packet flows to the associated users and resources. With identity awareness, traffic is routed based on the source and destination identity, namely a username or group affiliation, such as a department or category (“executives”). Identity awareness abstracts networking policies from the physical network, making reflecting business context in the network easy.
To deliver identity-aware routing, SD-WAN must
- Build or use an existing identity repository;
- Use a policy engine that can consume identity information;
- Label packet flows with the appropriate identity information.
Adding a proprietary identity repository to the IT landscape complicates SD-WAN deployment. By contrast, integrating with an enterprise’s existing authoritative user source, such as Active Directory (AD), minimizes adoption friction. In this way, when a user authenticates against AD, the SD-WAN immediately identifies the person and relevant policies.
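The three requirements above, worked through as an added example that is not from the article or from any vendor's product: a constructed directory stands in for the AD group lookup, a constructed session table stands in for the AD logon events that bind a user to a source IP, and a small ordered policy table consumes group and application to choose a priority and last-mile path. A host with no authenticated user falls through to the default rows, so an unauthenticated claim of identity buys no priority, and rebinding a shared machine to a new user changes its routing without touching any subnet.

```python
# Constructed identity repository: username -> group (stands in for an AD lookup).
DIRECTORY = {
    "ceo": "executives",
    "alice.sales": "sales",
    "bob.support": "support",
}

# Constructed session table: authenticated user currently bound to a source IP.
# Assumed to be fed by AD logon events rather than by anything the host claims.
SESSIONS = {
    "10.1.1.10": "ceo",
    "10.1.1.20": "alice.sales",
    "10.1.1.30": "bob.support",
}

# Application classification by destination port (constructed, deliberately small).
APPS = {5060: "voip", 443: "web", 22: "file-transfer"}

# Ordered policy table: (group, application, priority, preferred path).
# None is a wildcard, the first matching row wins, and the last row is the default.
POLICY = [
    ("executives", "voip", 1, "mpls"),
    ("sales", "voip", 2, "mpls"),
    (None, "voip", 3, "broadband"),
    (None, "file-transfer", 5, "broadband"),
    (None, None, 4, "broadband"),
]


def logon(src_ip, user):
    """Record an authenticated logon, e.g. a new rep sitting down at a shared PC."""
    SESSIONS[src_ip] = user


def identify(src_ip):
    """Resolve a source IP to (user, group); unknown hosts get no identity at all."""
    user = SESSIONS.get(src_ip)
    return user, DIRECTORY.get(user)


def route(src_ip, dst_port):
    """Return the routing decision for one flow from its identity and application."""
    user, group = identify(src_ip)
    app = APPS.get(dst_port)
    for rule_group, rule_app, priority, path in POLICY:
        if rule_group in (None, group) and rule_app in (None, app):
            return {"user": user, "group": group, "app": app,
                    "priority": priority, "path": path}
    raise RuntimeError("policy table has no default row")
```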
Identity for Routing not Just Security
Identity awareness has long been part of networking. Many security tools restrict resource access based on identity. Identity-aware routing is different. It changes how SD-WAN prioritizes traffic, selects last mile services, and calculates the optimum path.
With identity awareness, high-priority voice calls can be given preferred access to the last mile over low-priority calls, for example. Regulatory compliance can be easily met by restricting application usage of certain users to specific networks regardless of a user’s device or location.
Identity awareness allows IT to align routing to a function or role. The CEO’s quarterly video conference can be routed along a more optimum path than other video calls. And where users share a computer, such as customer support reps in a call center, identity-aware routing allows IT to treat reps differently — something that would be impossible when forwarding packets based solely on sub-network or application.
Identity awareness also means routing is independent of a user’s device. Employees connecting to the network from their corporate notebooks or personal smartphones will continue to receive the same experience regardless. Identity awareness eliminates the need to instantiate separate routing policies for different devices, making network management easier.
By tying traffic back to a user or group identity, IT organizations can easily see exactly how business units consume the networking resource, regardless of whether users are in or outside of the office, connecting to resources on the WAN, in the cloud, or on the internet.
Routing for the Digital Business
As organizations look to reduce costs by streamlining IT, identity awareness represents the logical evolution of routing. It’s simpler to use than working with subnets and IP addresses, and it abstracts the policy from the underlying network. Combining all three types of awareness — identity, applications, and location — with routing makes for an easier, more agile SD-WAN, one that’s in line with today’s digital business.