Earlier this year, Citrix launched a new cloud-delivered Secure Internet Access (SIA) service, which protects users and infrastructure from threats coming from internet and SaaS app access. Citrix SIA has become a key component of Citrix’s solution for Secure Access Service Edge (SASE), a technology that enables the convergence of wide area networking (WAN) and cloud-delivered security services.
While there are many SASE and SD-WAN vendors, Citrix’s approach is to integrate the network and security products with its other products, such as application and desktop virtualization. This enables Citrix to deliver on the business agility that SASE architectures promise but often do not deliver because they’re siloed from the applications. To get an idea of how these integrations work, I asked Citrix for a customer example.
The one Citrix shared with me is a very well-known American investment firm with over 450 employees that needed a better way of protecting internet-facing user devices and servers. The firm, which manages more than $40 billion in assets, was looking to replace its existing cloud-delivered security solution due to the high cost and its inability to work well with static IP addresses. The firm wanted to use its own static IPs, but its existing solution couldn’t provide specific types of IP addresses because they were mixed in with other customers.
“They needed to make sure that their access control lists (ACLs) were connected to any SaaS-based apps that they had and with a roaming IP it causes a lot of problems. They were basically playing the cat and mouse game as the IP was changing,” explained Greg Cobb, SD-WAN solutions specialist at Citrix.
The firm deployed SIA with Citrix software-defined WAN (SD-WAN), including LTE and Wi-Fi enabled appliances. Using the solution, the firm was able to have dedicated IP addresses for connectivity with upstream cloud services. Since customer data in the Citrix SIA PoPs is kept private between customers, the firm’s traffic has a clean path all the way through. SIA also gives customers greater control over traffic flow between geographic regions – an important feature for customers looking for GDPR compliance.
The SD-WAN component provides the firm with application awareness and gives users optimal performance wherever they may be located. Citrix SD-WAN adds to this optimization by decrypting HDX traffic, which Citrix uses to optimize virtual apps and desktops used by remote workers for zero trust network access (ZTNA). For those that are unaware of HDX, that’s Citrix’s “High Definition eXperience” built on its independent computing architecture (ICA) protocol, which it has been using for over two decades to virtualize applications. The integration with SD-WAN lets the investment firm see the traffic, analyze it, understand it, and manage it from one centralized console. Having this kind of control allows the firm to adhere to data protection laws.
When the firm later added extra components, specifically hardware devices for remote workers, setting up a tunnel and connecting to the nearest SIA PoP was a seamless process due to the tight automation between Citrix products. Instead of being connected to a single PoP, the firm has the option with SD-WAN to have a primary and a failover SIA PoP.
The financial firm has a large number of remote traders. Thus, having the failover ability is important if there is a network problem. The firm was previously using broadband MiFi, a portable device that creates a mini wireless broadband hotspot. It wasn’t unusual for traders to experience latency and jitter when they were buying or selling on-the-go. In one instance, the firm had an outage and those who were on the Citrix SD-WAN didn’t suffer any disruptions.
While the firm developed a unified approach to SASE, it also gained the ability to tie app performance to network changes. Having apps run over the best connection with failover is a major benefit cited by other Citrix customers. According to Citrix, almost all customers are explicitly reporting improvement in performance.
“Really it’s about performance,” Cobb added. “Customers get optimum throughput for all their apps, whether they're Citrix or Azure or Office 365. Whatever it may be.”
In addition, the simplicity in operations will continue to be important as well — a single pane of glass across networking and security, with shared analytics and a simpler logistics experience for procurement, implementation, training, technical support and scale. This would likely result in faster deployments and lower total cost of ownership.
The lessons from this case study are ones that all network professionals should learn from. Cloud-delivered security, SD-WAN and SASE are about more than just savings or resiliency. One could achieve those but, if that’s at the expense of app performance, then the project will be deemed a failure. Network evolution must be tightly coupled to apps to ensure app performance remains high.
Citrix is a late entrant into both SASE and SD-WAN, both of which are crowded markets with some big, established vendors. Typically, this would spell doom for newcomers, but Citrix could buck this trend. The company has a long history in application performance and virtual apps and desktops. If it can tie its go-to-market for SASE and SD-WAN to its historical areas of strength, it can build a strong set of customers and eventually become a viable option for customers outside of its install base. This is similar to the approach it took with its application delivery controller, formerly known as NetScaler, where it’s been the #2 vendor for a long period of time.
Zeus Kerravala is the founder and principal analyst with ZK Research. He provides a mix of tactical advice to help his clients in the current business climate and long-term strategic advice. Kerravala provides research and advice to end-user IT and network managers, vendors of IT hardware, software and services and the financial community looking to invest in the companies that he covers. He can be reached at [email protected], and follow him @zkerravala and on YouTube.
Industry Voices are opinion columns written by outside contributors—often industry experts or analysts—who are invited to the conversation by Fierce staff. They do not represent the opinions of Fierce.