Anticipating Scale and Security

At HPE Aruba’s annual user conference, Aruba announced that it would integrate Silver Peak’s flagship EdgeConnect with a number of Aruba products. “This would make it all easier to consume as one, and as software,” said Rolf Muralt, HPE Aruba’s Senior Director of Product Management at Silver Peak’s business.

The first important element was integration with Aruba’s ClearPass Policy Manager to improve visibility and segmentation, and deliver a consistent identity-based policy framework across the entire Aruba portfolio.

Rolf explained, “This means EdgeConnect would not just be aware of applications, but it would understand a whole lot more information, for example who the users are, what devices were used, their roles, and so on.”

This information, or context, used to serve mainly so that network policy could assure quality of experience for users, but increasingly there is a security objective as well.

“The integration will allow organisations better understanding, for example, of an Office 365 user at a certain location and how to provide the user a better experience, based on whether they are an employee or a third-party contractor,” Rolf explained.

He added that an integration like this would also detect whether a rogue device, for instance a surveillance camera, was running compromised code and exhibiting strange behaviour like trying to access files on Office 365.

It is important to be able to take the necessary measures that mitigate the risk associated with a surveillance camera trying to access documents.

The integration would be able to detect this potential intrusion because policy can now provide a consistent and automated definition of roles that can be enforced network-wide, from the user’s device, through the LAN, and across the WAN, and that policy would not permit a connection between a surveillance camera and software productivity tools.

Emphasising Zero Trust

Integrating EdgeConnect with a network access controller (NAC) like ClearPass via APIs was initially driven by the objective of enhancing security.

Rolf also wanted to highlight the importance of APIs to make ‘bigger’ solutions work and be automated.

“If you think about the way enterprises have traditionally secured IoT devices, like a camera, or a point-of-sale (POS) cash register, or an HVAC (heating, ventilation, air conditioning) system, what typically happens is a VLAN, or virtual local area network, is created to keep IoT traffic separate.

“But it was not segmenting within the IoT traffic. It was not keeping the HVAC traffic separate from the POS traffic, for example.”

The Target data breach of 2013 comes to mind, and Rolf commented, “There’s really no reason that the HVAC network would ever need to be able to connect to the cash registers, because those two things don’t talk to each other. So the only reason it was possible was just because networking admins lacked the fine-grained way of keeping the traffic separate.”

EdgeConnect’s integration with ClearPass enables Zero Trust capability. Within Aruba, this capability is known as Dynamic Segmentation, whereby the default setting is not to allow ‘things’ on the network to communicate with one another.

Combining role and security intelligence with this advanced dynamic segmentation can eliminate the complexity in implementing VLANs for every user and device, simplifying network administration and management.

If two devices, like the HVAC system and a camera, do communicate, it would be because they have been given purposeful and explicit permission to do so.

“If we could set up a matrix, there would be more Reds than permitted Greens,” Rolf said.

“You can make the network more secure, because unless you’ve explicitly allowed two entities to talk to each other, they will be denied. That’s really the zero trust element to it all.”
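The contrast described above, shared-VLAN segmentation versus a default-deny role matrix, as an added Python example; it is not from the article or from Aruba, and it does not represent ClearPass or EdgeConnect configuration. The device names, VLANs, roles and permitted pairs are constructed for illustration.

```python
from collections import deque

# Constructed inventory: device name -> (VLAN, role). All names are illustrative.
DEVICES = {
    "hvac-1":   ("iot", "hvac"),
    "camera-1": ("iot", "camera"),
    "pos-1":    ("iot", "pos"),
    "pos-2":    ("iot", "pos"),
    "pay-gw":   ("server", "payment-gateway"),
    "nvr-1":    ("server", "video-recorder"),
}

# Role matrix: only the listed (source role, destination role) pairs are
# "green"; every pair that is absent is denied by default.
ROLE_ALLOW = {
    ("pos", "payment-gateway"),
    ("camera", "video-recorder"),
}

def vlan_permits(src, dst):
    """VLAN-only model: anything inside the same VLAN may talk."""
    return DEVICES[src][0] == DEVICES[dst][0]

def role_permits(src, dst):
    """Default-deny model: permitted only if the role pair is listed."""
    return (DEVICES[src][1], DEVICES[dst][1]) in ROLE_ALLOW

def reachable(start, permits):
    """Devices reachable from `start` by hopping through permitted flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in DEVICES:
            if nxt not in seen and permits(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def matrix_counts():
    """(green, red) cell counts over all ordered role pairs, same-role included."""
    roles = {role for _, role in DEVICES.values()}
    green = sum((a, b) in ROLE_ALLOW for a in roles for b in roles)
    return green, len(roles) ** 2 - green

if __name__ == "__main__":
    print("VLAN-only from hvac-1 :", sorted(reachable("hvac-1", vlan_permits)))
    print("Role-based from hvac-1:", sorted(reachable("hvac-1", role_permits)))
    print("green/red cells       :", matrix_counts())
```
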

Rolf added that there were a lot of customers who were really interested in being able to use the combination of EdgeConnect and Aruba ClearPass to get better visibility and better security.

Orchestrating best-of-breeds

Another capability that customers have been asking for is an Intrusion Detection System (IDS). In response, Aruba announced they would unify IDS and IPS (Intrusion Prevention System) capabilities across all their products.

The announcement of Service Orchestration capability also caused quite a stir during the Atmosphere conference. “Once again, this is about security, and really being able to allow best-of-breed solutions by partnering with the best cloud firewall companies out there,” said Rolf.

Aruba’s cloud-delivered security services partners include Zscaler, CheckPoint, Prisma Access and Netskope, providing enterprises the freedom of choice and flexibility for multi-vendor integrations without compromising networking or security capabilities as they shift toward a Zero Trust and SASE architecture.

Scaling up

Rolf shared how HPE and Aruba’s general strategy is for more products to be consumed as a service.

“Traditionally, that meant having a high touch services organisation – maybe go set up networks for customers and manage them for the customer. That is still part of the picture.”

But he also shared observations of hyperscalers and what they do. “With APIs, we can manage a lot of these networks for the customer.”

This aligns with HPE Aruba’s recognition of the potential an SD-WAN company like Silver Peak offers.

“It’s not only a new market segment being offered. SD-WAN within infrastructure was one of the first markets to start to sell product-as-a-subscription.

“Not to mention, from Day One we have had centralised orchestration. This means being able to manage a very distributed set of appliances, and also managing it all as ONE logical entity.”

Being able to do this with a set of business-intent policy is a very key element, and here once again we see the power of APIs to enable bigger ‘systems’ to work and take on an element of automation.

Rolf also shared additional elements that were not really talked about at the conference. “These are more related to performance and scale increases.

“Now as part of Aruba, we are seeing larger customers come to the table, so we are ensuring we can run thousands of appliances as part of one orchestration, and as part of one logical Software-Defined fabric.

“So, we have been pushing a little bit of performance enhancements, to drive this requirement of scale,” Rolf concluded.