
What does SD-Branch mean for security, storage and IoT?

Feb 27, 2018 (6 mins)

Is the centrally orchestrated SD-Branch the successor to SD-WAN for enterprises?


We’ve started to hear a lot about SD-Branch as a natural successor to SD-WAN, which makes sense as the centrally-orchestrated model is attractive to many enterprises. However, just as we saw with SD-WAN, the term “SD-Branch” is being adopted by many different vendors and service providers to mean what they want, in the absence of any “official” definition.

What is SD-Branch anyway?

Based on most definitions, SD-Branch means delivering more IT infrastructure to branches under a programmable, centrally orchestrated model. Think of it as “SD-WAN plus” – just as you can create templates or profiles in an SD-WAN network, an entire branch template could be generated that defines how the LAN is configured, what wireless LANs are used, how they integrate with the WAN, and what additional compute-based services need to be deployed at the branch.

So as an enterprise, why should you care about SD-Branch and what benefits could it potentially offer? As you’ll see, that varies a lot by industry vertical, but let’s look at five emerging trends that are worth tracking:

  1. SD-WAN is now part of almost every branch office architecture discussion. This doesn’t mean every enterprise is looking at it – many are still locked into multi-year traditional WAN agreements – but it’s hard to find a new WAN proposal where SD-WAN doesn’t play a material role. For the purposes of this discussion, what makes this trend interesting is that most new WAN services will include the deployment of a general-purpose compute device at every branch. Add a virtualization layer and this can become a platform for multiple SD-Branch services.
  2. High-performance virtualized network services are now a reality. Only a few years ago, physical network-related appliances were the default because of performance demands. Custom ASICs were (and still are) used to meet required throughput levels. However, the momentum is starting to shift. Intel is driving a lot of this change – technologies like AES-NI (and now QAT), DPDK, SR-IOV and others are dramatically increasing the performance available on generic compute devices. This is impacting network throughput itself as well as data encryption. Specialized appliances are increasingly available as software images that can run on generic hardware. A perfect example of this? On-premise firewalls.
  3. IoT is driving the need for distributed compute power. As enterprises in more industry verticals invest more in IoT, we’re seeing a rapid increase in the number of short-range sensors that connect to the LAN or WLAN infrastructure at branches. This could include sensors attached to various machines at a manufacturing plant, climate sensors in the logistics or food service industries, or in-store analytics sensors for retailers. What these sensors have in common is their ability to generate vast amounts of data, enough to overwhelm many branch WAN connections. To address this, we’re seeing a tiered model emerge where some processing of the data is performed close to the sensors, and derived data or metadata is carried over the WAN for further processing. Some have called this “fog computing,” as the processing is occurring close to the ground layer. Again, this is a perfect use case for software-orchestrated compute infrastructure at each branch.
  4. Storage requirements at branches are changing beyond recognition. Many enterprises are moving away from traditional file servers at branches as better options have become available. In some cases this means a cloud-only solution (like Microsoft OneDrive) where the sync functionality resides on each client device. Other models have gained some popularity, including a virtual (software-based) file server service that looks like a traditional network drive to the end user but uses caching and compression to link back to cloud-based object stores like Amazon S3 or enterprise-managed NAS systems at hub sites. Providing high-performance I/O on a generic compute device can allow more traditional appliances to be replaced.
  5. Centrally-orchestrated LAN and WLANs are already gaining market share. Of course, it’s impossible to ignore the LAN side of branch networks. Many enterprises have complex LAN segmentation – production devices, dev/test, IoT, guest Wi-Fi, etc. – and keeping this up to date using traditional manual configs is a huge challenge. Cisco has some interesting solutions – some easy, like the Meraki product range with a friendly end-user interface – and some that require much more configuration and tweaking, like Prime. Many enterprises are already justifying the cost of orchestrating LAN / WLAN environments by demonstrating the benefits it provides in security audits, particularly in industry verticals that are subject to PCI DSS, HIPAA or other data integrity regulations.
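As an added example that is not part of the original article, here is one way the branch template described in the definition above and the LAN segmentation from trend 5 could be checked centrally before a profile is pushed to sites; the template layout, the segment names and the check_template() function are assumptions, not any vendor's format.

```python
"""Constructed SD-Branch template plus a pre-deployment segmentation check.
Added example, not code from the article or any vendor: the template keys,
segment names and check_template() are assumptions used to show how a
centrally generated branch profile can be validated before it is pushed."""

# Constructed branch profile: LAN segments with VLAN/WLAN mapping and a
# trust zone, the inter-segment flows the orchestrator may permit, the WAN
# integration settings and the compute-based services to deploy on site.
BRANCH_TEMPLATE = {
    "segments": {
        "production": {"vlan": 10, "wlan": "corp-secure", "zone": "trusted"},
        "devtest":    {"vlan": 20, "wlan": None,          "zone": "untrusted"},
        "iot":        {"vlan": 30, "wlan": "iot-psk",     "zone": "untrusted"},
        "guest":      {"vlan": 40, "wlan": "guest-open",  "zone": "untrusted"},
    },
    "allow": [("production", "iot"), ("iot", "guest")],  # (source, destination)
    "wan": {"sdwan_overlay": True, "encrypt": True},
    "edge_services": ["firewall", "file-cache"],
}


def check_template(template):
    """Return a list of policy findings; an empty list means the template passes."""
    findings = []
    segs = template["segments"]
    trusted = {name for name, seg in segs.items() if seg["zone"] == "trusted"}
    for src, dst in template["allow"]:
        if src not in segs or dst not in segs:
            findings.append(f"unknown segment in flow {src}->{dst}")
            continue
        # Untrusted segments (IoT, guest, dev/test) must not initiate to production.
        if src not in trusted and dst in trusted:
            findings.append(f"untrusted {src} may reach trusted {dst}")
        # Guest Wi-Fi stays isolated from every other segment, in both directions.
        if "guest" in (src, dst):
            findings.append(f"guest segment is not isolated ({src}->{dst})")
    # Duplicate VLAN ids would silently merge two segments into one broadcast domain.
    vlans = [seg["vlan"] for seg in segs.values()]
    if len(vlans) != len(set(vlans)):
        findings.append("duplicate VLAN id across segments")
    # The WAN overlay must be encrypted and a firewall service must be deployed.
    if not template["wan"].get("encrypt"):
        findings.append("WAN overlay is not encrypted")
    if "firewall" not in template["edge_services"]:
        findings.append("no firewall service in template")
    return findings
```

Run against the constructed template, the check flags the iot->guest flow; removing it from "allow" yields an empty findings list, which is the gate an orchestrator would require before rolling the profile out.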

The biggest challenges? Management and governance

The technical challenges associated with getting to an SD-Branch vision have largely been overcome. The problem is that they’ve been overcome in silos. An enterprise that wants to adopt each component needs to figure out how to glue it all together. Further complicating this is the internal challenge that many enterprises face – a methodology like SD-Branch can span many functional areas of the enterprise, even outside of IT and into operational technology (OT) teams in the case of many IoT-heavy environments.

What makes this situation a little more hopeful is the API-centric approach adopted in most “software defined” offerings. In the case of SD-WAN, we see some positive steps being taken to facilitate interoperability – for example, the MEF is leading a major initiative in this space. There are already software packages available that can act as an “orchestrator of orchestrators,” sitting on top of each component and triggering various actions based on a specific workflow. Anuta Networks is a good example of this. However, it is all still very modular, and many enterprises will not have the resources to take on the implementation and management of such a system.

What will happen next?

It’s highly likely that we’ll see more packaged offerings become available that will make SD-Branch more accessible to more enterprises. Consolidation in the SD-WAN space is likely to help – look at where VeloCloud has ended up in VMware’s NSX team, for example. This acquisition gives VMware the ability to address many of the components needed to deliver an SD-Branch offering, including compute, storage, LAN and SD-WAN. Within specific industry verticals, we may see more customized managed service offerings become available that combine the management of the IoT infrastructure with the other branch components. Overall, this looks like an interesting space for enterprises to be aware of as they look at new branch office infrastructure models.


Ciaran Roche is the co-founder and CTO of Coevolve. Ciaran has worked in a range of technology leadership roles in Europe and the US. He started his career in the networking industry working in London, UK for Virtual Access, one of the first 'software-defined' networking companies before that phrase even existed. The company built a range of edge routers and a central orchestrator platform for configuration management. Ciaran was responsible for managing trials and demonstrations for customers and prospects all across Europe and North America.

In 2002 Ciaran joined Vanco, the pioneer of the Virtual Network Operator model, just as IP-based networks were starting to take over from legacy Frame Relay / ATM / X.25 on a large scale. With a strong background in Internet and MPLS technology, Ciaran developed the technical solutions for some of Vanco's largest new customers including a 1,200 site network for Avis Europe, a large VPN solution for British Airways and complex solutions for Siemens and SGS. Ciaran moved to the US in 2005, and led projects for major clients including Ernst & Young (now EY), Pfizer and Wyeth.

In 2012, Ciaran joined Pace Harmon, a boutique management consulting firm specializing in IT strategy and transformation projects for major global businesses. Ciaran led a number of significant projects for large clients including Molson Coors, Capital One Bank, CSC and several of the largest technology and media companies in the world.

As the CTO of Coevolve, Ciaran brings over 15 years of experience that spans many technologies and geographies. Ciaran has presented to, and worked with major enterprise CIOs and CFOs to deliver effective, high quality networking and cloud-based solutions. Ciaran is based in Chicago, Illinois.

The opinions expressed in this blog are those of Ciaran Roche and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.