Transforming a legacy network through digital transformation
In a recent keynote speech, GE's CTO Chris Drumgoole outlines the transformation of a corporate giant's network from traditional and sluggish to limber and cloud-enhanced.
GE CTO Chris Drumgoole described how his company recently replaced its legacy network with a combination of SD-WAN and cloud-based security to implement its digital transformation. Drumgoole relayed the story at cloud network and security vendor ZScaler’s first user event, ZenithLive, in Las Vegas this week.
GE is one of the oldest, largest and most recognizable brands in the world. The 125-year-old company currently has over 425,000 employees in over 4,000 locations in 180 countries and its network is massive and continues to grow in both size and complexity. Despite continued investment, this legacy network has gotten more difficult to secure and manage. During his keynote, Drumgoole showed a map of the network, which it looked more like the picture of the Milky Way than it did a business network.
(Editor's note: Drumgoole's presentation was made prior to GE's decision to spin off its healthcare and oilfield services businesses as the company resizes its operations.)
He also talked about how, despite accelerating spending in security technology, GE was falling behind threat actors. Clearly, something had to change. Drumgoole summed up his opinion best with the slide that read: "If you can't secure your network, can't afford your network, can't scale your network and don't trust your network," then why have it? It's a sentiment I hear all the time from IT leaders. The problem is a business is so reliant on its legacy network, it can't just dump it. Or can it?
What about a BOT
Well, that's exactly what GE did. The company embarked on a project called BOT, which is an acronym for Branch Office Transformation. BOT's two key components are an SD-WAN (Drumgoole did not mention the vendor) and cloud security services provided by Zscaler.
GE's legacy network was very typical. It had a well-defined perimeter. The assumption was that anything inside that wall was good and anything outside was bad. This setup worked a decade ago but as more data and applications have moved to the cloud, traffic flows in and out of the enterprise waste bandwidth, compromise security and add to complexity. Not to mention that remote workers must use cumbersome VPN clients that are slow and inconsistent.
BOT simplifies the network because it starts with the assumption there is no company network built on expensive MPLS circuits and routers. Instead, each office is connected to broadband services using a low-cost SD-WAN appliance. In fact, Drumgoole joked that the cost of the SD-WAN box was about what one year of maintenance on the routers was. At that low price point, there is no reason to purchase hardware maintenance. If one fails, toss it out and buy a new one.
All branch traffic going to and from the branch is directed to Zscaler, which provides a wide range of security services including firewalls, rate limiting, cloud access security brokers, sandboxing and more. One myth in IT today is security infrastructure must live on the physical premises, but it works just fine one hop away in the cloud. Zscaler directs the traffic to where it needs to go. Zscaler has relationships with most of the major cloud providers so its customers, like GE, are assured of secure, private access to SaaS providers like Box, Office365 and Amazon Web Services. This is much more secure than sending the cloud traffic unsecured over the internet.
The only function the branch SD-WAN appliance needs to do is connect to Zscaler with a secure tunnel. All of the access, network services and security are then done in the cloud. From an IT perspective, this significantly cuts down on the amount of time spent fiddling with CLI, creating VLANs, firewall rules and so on. Drumgoole mentioned that the rule set associated with setting up an SD-WAN was very simple; instead of managing thousands of firewall rules, GE now manages six.
Application performance is also greatly improved. Drumgoole said the company was able to "trade in $5,000 1 MB circuits for $500 10 MB circuits." These probably aren't exact numbers, but I do believe the orders of magnitude are correct as business-grade broadband is in the hundreds while long-range MPLS circuits can cost thousands per month. Overall, the company will realize a savings of $30 million annually, with a jump of 35% in capacity and an 80% reduction in latency. This last point is achieved because traffic is no longer hairpinning and tromboning all over the place like the hub-and-spoke design of legacy networks.
Users now access company resources the same way--whether they are in the office, in a coffee shop, working from home or on an airplane. For remote workers, Zscaler uses a lightweight, almost invisible, application that first connects users into its cloud. If corporate resources are needed, it directs them via the closest connection. This is in stark contrast to traditional VPNs where an open tunnel is created between the remote worker and the company and then routed out to the cloud -- a waste of bandwidth and needless routing.
Drumgoole had one point of caution for IT leaders, CIOs and other agents of change in their organizations. He said he was genuinely shocked at the level of resistance from many of the network professionals whose jobs were threatened. If one's job is to run a network and the network goes away, so will the job. Network evolution is coming, however, and network engineers have to focus on developing new skills. They can’t do this if they’re spending all of their time running the network day to day. My advice to network professionals is to embrace change and be a leader in your company. This will set up the next act of your career instead of worrying about whether it will go away. If a company as large as GE can dump its network, almost any business can.