Is the centrally orchestrated SD-Branch the successor to SD-WAN for enterprises?

We’ve started to hear a lot about SD-Branch as a natural successor to SD-WAN, which makes sense as the centrally orchestrated model is attractive to many enterprises. However, just as we saw with SD-WAN, the term “SD-Branch” is being adopted by many different vendors and service providers to mean what they want, in the absence of any “official” definition.

What is SD-Branch anyway?

Based on most definitions, SD-Branch means delivering more IT infrastructure to branches under a programmable, centrally orchestrated model. Think of it as “SD-WAN plus” – just as you can create templates or profiles in an SD-WAN network, an entire branch template could be generated that defines how the LAN is configured, what wireless LANs are used, how they integrate with the WAN, and what additional compute-based services need to be deployed at the branch.

Why is this relevant to the enterprise? Five key trends

So as an enterprise, why should you care about SD-Branch and what benefits could it potentially offer? As you’ll see, that varies a lot by industry vertical, but let’s look at five emerging trends that are worth tracking:

SD-WAN is now part of almost every branch office architecture discussion. This doesn’t mean every enterprise is looking at it – many are still locked into multi-year traditional WAN agreements – but it’s hard to find a new WAN proposal where SD-WAN doesn’t play a material role. For the purposes of this discussion, what makes this trend interesting is that most new WAN services will include the deployment of a general-purpose compute device at every branch. Add a virtualization layer and this can become a platform for multiple SD-Branch services.

High-performance virtualized network services are now a reality. Only a few years ago, physical network-related appliances were the default because of performance demands.
Custom ASICs were (and still are) used to meet required throughput levels. However, the momentum is starting to shift. Intel is driving a lot of this change – technologies like AES-NI (and now QAT), DPDK, SR-IOV and others are dramatically increasing the performance available on generic compute devices. This is impacting network throughput itself as well as data encryption. Specialized appliances are increasingly available as software images that can run on generic hardware. A perfect example of this? On-premise firewalls.

IoT is driving the need for distributed compute power. As enterprises in more industry verticals invest more in IoT, we’re seeing a rapid increase in the number of short-range sensors that connect to the LAN or WLAN infrastructure at branches. This could include sensors attached to various machines at a manufacturing plant, climate sensors in the logistics or food service industries, or in-store analytics sensors for retailers. What these sensors have in common is their ability to generate vast amounts of data, enough to overwhelm many branch WAN connections. To address this, we’re seeing a tiered model emerge where some processing of the data is performed close to the sensors, and derived data or metadata is carried over the WAN for further processing. Some have called this “fog computing,” as the processing is occurring close to the ground layer. Again, this is a perfect use case for software-orchestrated compute infrastructure at each branch.

Storage requirements at branches are changing beyond recognition. Many enterprises are moving away from traditional file servers at branches as better options have become available. In some cases this means a cloud-only solution (like Microsoft OneDrive) where the sync functionality resides on each client device.
Other models have gained some popularity, including the ability to provide a virtual (software-based) file server service that looks like a traditional network drive to the end user but uses caching and compression to link back to cloud-based object stores like Amazon S3 or enterprise-managed NAS systems at hub sites. Providing high-performance I/O on a generic compute device can allow more traditional appliances to be replaced.

Centrally orchestrated LANs and WLANs are already gaining market share. Of course, it’s impossible to ignore the LAN side of branch networks. Many enterprises have complex LAN segmentation (production devices, dev/test, IoT, guest Wi-Fi, etc.), and keeping this up to date using traditional manual configs is a huge challenge. Cisco has some interesting solutions – some easy, like the Meraki product range with a friendly end-user interface – and some that require much more configuration and tweaking, like Prime. Many enterprises are already justifying the cost of orchestrating LAN / WLAN environments by demonstrating the benefits it provides in security audits, particularly in industry verticals that are subject to PCI DSS, HIPAA or other data integrity regulations.

The biggest challenges? Management and governance

The technical challenges associated with getting to an SD-Branch vision have largely been overcome. The problem is that they’ve been overcome in silos. An enterprise that wants to adopt each component needs to figure out how to glue it all together. Further complicating this is the internal challenge that many enterprises face – a methodology like SD-Branch can span many functional areas of the enterprise, even outside of IT and into operational technology (OT) teams in the case of many IoT-heavy environments.

What makes this situation a little more hopeful is the API-centric approach adopted in most “software defined” offerings.
In the case of SD-WAN, we see some positive steps being taken to facilitate interoperability – for example, the MEF is leading a major initiative in this space. There are already software packages available that can act as an “orchestrator of orchestrators,” sitting on top of each component and triggering various actions based on a specific workflow. Anuta Networks is a good example of this. However, it is all still very modular, and many enterprises will not have the resources to take on the implementation and management of such a system.

What will happen next?

It’s highly likely that we’ll see more packaged offerings become available that will make SD-Branch more accessible to more enterprises. Consolidation in the SD-WAN space is likely to help – look at where VeloCloud has ended up in VMware’s NSX team, for example. This acquisition gives VMware the ability to address many of the components needed to deliver an SD-Branch offering, including compute, storage, LAN and SD-WAN. Within specific industry verticals, we may see more customized managed service offerings become available that combine the management of the IoT infrastructure with the other branch components.

Overall, this looks like an interesting space for enterprises to be aware of as they look at new branch office infrastructure models.