Let Your Identity Lead the Path – Identity in SD-WAN

By Phil Edholm
18 Jul 2018

Cato Networks announced today the addition of identity as an element in the contextual policy and operation of an SD-WAN. The concept is relatively simple: let identity, and the contextual data associated with it, be an input to the policy decision process of the SD-WAN. The implications, however, are significant for how SD-WANs can manage communications, especially real-time communications.

With identity, the policy mechanisms that the Cato SD-WAN cloud uses to decide how to manage packet priority, routing, discards, etc. can now include rules driven by the user name, department, business unit, or other identity-related affiliations. Cato Networks accomplishes identity correlation by integrating with Microsoft Active Directory (AD).

According to Dave Greenfield, secure networking evangelist at Cato, "Cato dynamically correlates Microsoft Active Directory (AD) data, across distributed AD repositories, and real-time AD login events to associate a unique identity with every packet flow. Organizational context, such as groups and business units, is derived from the AD hierarchy." As networks migrate from one-size-fits-all packet handling to the per-flow customization that SD-WAN offers, identity is a multi-faceted new factor that can be used to enhance the packet management process.

The examples of how identity can be used for SD-WAN flow delivery management are broad. For example, real-time traffic for sales people might be prioritized higher than other real-time traffic, so a salesperson starting a video call with a client might receive a better-quality service than is available to a non-sales employee. All contact center agents can be given a higher-priority policy, regardless of location or device, even if they happen to be sitting on a subnet shared with other types of employees. In this way, the relative business value of the communications event can be linked to the service levels and determinism it receives.

Another example is emergency communications in large systems. For many years, government agencies have defined requirements that give precedence to specific traffic types when an emergency pushes demand beyond capacity (for example, in military systems during a crisis, or for certain first responders during a response situation). In the past, these mechanisms were focused on sharing limited resources (trunks, recording, etc.). With VoIP, the limitation is often the network itself, including bandwidth. With identity-based SD-WAN policies, identity can be used to ensure that in times of emergency or capacity shortage the right individuals or groups get the service needed for operational continuity.

This packet flow management based on individual business parameters can also apply during times of capacity challenges. One key capability of an SD-WAN is to rapidly redirect traffic flows around network route failures. If the remaining routes do not have the aggregate capacity needed, the policy structure allocates the available capacity based on the policies in place. But real-time phone calls are not always the highest priority.  

A good example of this was a large retail bank that had both terrestrial and wireless paths to its branches. After extended discussion, the decision was made to block voice traffic from the wireless backup during an outage on the primary path, to avoid impacting data traffic from bank tellers. (The most important factor in a bank branch's success is not having people stand in line.) With identity, the decision about which real-time VoIP flows are admitted to the redundancy path can now include the identity of the caller. So the bank manager may get precedence during the failure, since his call may be critical and the local access trunks may be limited or unavailable. Of course, the identity information can be combined with a full range of other information, such as where the flow is going.

Another example is when some traffic is generally considered more valuable than real-time traffic, but some real-time traffic is the most valuable of all. For example, in many financial institutions the highest-priority traffic is actual financial transactions, not voice calls. The time from when a transaction is sent to when it is received and completed is an open float period, during which exchange rates or other conditions can change and alter the value of the transaction. So expediting those packets may be the highest priority. However, real-time conversations that are themselves transactions, or the CEO talking to the largest shareholder, may be more important still. Using the identity of the users, clients, and partners to decide how that traffic should be prioritized can ensure that the needs of both the business and its most demanding clients are met.

The final value is the ability to define policy based on the user, not the endpoint device. This works in two ways. First, a salesperson can get the "enhanced" service regardless of the device she is on: desk phone, conference phone, mobile, etc. Second, for a shared device, the policy can now be tied to the user, so two contact center agents can be treated differently even though they use the same device at different times. The agent working with high-value clients may get higher priority, more bandwidth, and better determinism than the other agent using the same desk but working with general clients. The service level of the network can be tied to the identity and service needs of the actual agent and their profile.

Identity factors can also be used to drive physical routing paths for privacy and legal-discovery reasons across geopolitical boundaries. Many countries and companies have adopted policies that constrain where data is stored and the geographic path a data flow may take. For example, many non-U.S. companies limit storing data in U.S. locations that are subject to U.S. subpoena. Similarly, certain data is prohibited from flowing through certain areas because it could be captured in transit. Identity can be a key policy factor in which routes may be used. For example, if the policy is to prohibit paths through a specific country or region, identity allows that policy to be applied only to the individuals or groups whose communications are of concern, rather than to all traffic. In some cases this may produce more circuitous routes, but it enhances security in certain environments.

In addition to using policies to manage and operate the actual network, including identity among the defined data factors enables identity to be part of the analytics and reporting of the SD-WAN. In Cato's case, the company has extensive analytics, and those can connect users to their IP flows. For example, video chat bandwidth can be attributed to an employee's usage without having to correlate call logs with device- or IP address-based flows. By using local network identity data, flows handled by third-party providers, such as cloud video collaboration, can be linked to the actual user consuming the bandwidth, and to where and when. Including identity data in the analytic framework enables user-based analysis in new ways that can enhance the delivery and stability of real-time services.
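The pieces described above (correlating AD logon events with IP flows, resolving a shared desk to the agent currently signed in, group-driven priority, the bank's failover rule for voice, the geographic path restriction, and per-user bandwidth reporting) fit together in a small policy engine. The following is an added example written for this page; it is not Cato's code and says nothing about how Cato implements the feature. Every name in it is an assumption made for illustration: the group names (Sales, CC-VIP, CC-Agents, Finance-Trading, Legal, Branch-Managers, Tellers), the path names and region tags, the SESSION_TTL, and the sample logon events and flow records, all of which are constructed.

```python
"""Toy identity-aware SD-WAN policy engine (added example, not Cato's code).

Assumed, not from the article: AD logon events carry user, group tuple,
source IP and epoch timestamp; flow records carry src/dst IP, an application
label and a byte count; group, path and region names are invented.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Logon:
    ts: int          # epoch seconds of the AD logon event
    ip: str          # workstation address seen in the logon event
    user: str
    groups: tuple    # organisational context derived from the AD hierarchy


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    dst_ip: str
    app: str         # "voip", "video", "trading", "web", ...
    nbytes: int


@dataclass(frozen=True)
class Decision:
    user: str
    priority: int        # 0 = served first when capacity is short
    paths: frozenset     # paths this flow may be placed on
    action: str          # "forward" or "drop"


# Constructed sample logon events. 10.0.1.20 is a shared contact-center desk:
# alice signs on at t=1000, bob takes over the same desk at t=5000.
LOGONS = [
    Logon(1000, "10.0.1.10", "carol", ("Sales", "Staff")),
    Logon(1000, "10.0.1.20", "alice", ("CC-Agents", "CC-VIP", "Staff")),
    Logon(5000, "10.0.1.20", "bob",   ("CC-Agents", "Staff")),
    Logon(1200, "10.0.2.5",  "dave",  ("Finance-Trading", "Staff")),
    Logon(1300, "10.0.3.7",  "erin",  ("Legal", "Staff")),
    Logon(1400, "10.0.4.9",  "frank", ("Branch-Managers", "Staff")),
    Logon(1400, "10.0.4.10", "gina",  ("Tellers", "Staff")),
]
SESSION_TTL = 8 * 3600   # assumed: a logon no longer identifies the IP after 8h

_BY_IP = defaultdict(list)
for _l in sorted(LOGONS, key=lambda l: l.ts):
    _BY_IP[_l.ip].append(_l)


def identify(ip, ts):
    """Logon in force on `ip` at time `ts`, or None.

    The latest logon at or before `ts` wins, so a shared desk resolves to
    whoever is signed in at that moment; logons older than SESSION_TTL are
    ignored rather than guessed at."""
    best = None
    for logon in _BY_IP.get(ip, ()):
        if logon.ts <= ts < logon.ts + SESSION_TTL:
            best = logon
    return best


REALTIME = {"voip", "video"}
PATHS = {"mpls-eu": "EU", "wireless-eu": "EU", "internet-us": "US"}  # path -> transit region
PRIMARY = "mpls-eu"


def decide(flow, available=frozenset(PATHS)):
    """Map a flow to a priority class and the set of paths it may use.

    `available` is the set of paths currently up; leaving PRIMARY out of it
    models the bank outage scenario from the article."""
    logon = identify(flow.src_ip, flow.ts)
    groups = set(logon.groups) if logon else set()
    user = logon.user if logon else "unknown"

    # Priority: financial transactions first, then real-time traffic of the
    # groups the business values most, then other real-time, then bulk.
    if flow.app == "trading" and "Finance-Trading" in groups:
        prio = 0
    elif flow.app in REALTIME and groups & {"Sales", "CC-VIP", "Branch-Managers"}:
        prio = 1
    elif flow.app in REALTIME and "CC-Agents" in groups:
        prio = 2
    elif flow.app in REALTIME:
        prio = 3
    else:
        prio = 4

    paths = set(available)
    # Geographic restriction keyed on identity: Legal never transits the US.
    if "Legal" in groups:
        paths -= {p for p, region in PATHS.items() if region == "US"}
    # Bank rule: with the primary down, keep the backup for teller data;
    # only branch managers may place voice on it.
    if PRIMARY not in available and flow.app == "voip" and "Branch-Managers" not in groups:
        paths = set()
    return Decision(user, prio, frozenset(paths), "forward" if paths else "drop")


def bytes_by_user(flows):
    """Per-user bandwidth, resolved from logon events rather than by hand-joining
    call logs against IP addresses."""
    totals = defaultdict(int)
    for f in flows:
        logon = identify(f.src_ip, f.ts)
        totals[logon.user if logon else "unknown"] += f.nbytes
    return dict(totals)


if __name__ == "__main__":
    samples = [
        Flow(2000, "10.0.1.20", "203.0.113.5", "voip", 4000),   # alice on the shared desk
        Flow(6000, "10.0.1.20", "203.0.113.5", "voip", 4000),   # bob on the same desk
        Flow(2000, "10.0.3.7", "203.0.113.9", "web", 50000),    # erin (Legal)
    ]
    for f in samples:
        print(f.src_ip, decide(f))
    print(bytes_by_user(samples))
```

The shared-desk case is the one worth checking first: the same source IP yields a different user, and therefore a different priority, depending on the flow timestamp. The SESSION_TTL guard matters operationally; without it a stale logon would keep granting a departed user's privileges to whoever inherits the address.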

With the granularity of identity, SD-WAN policies can now include a new range of information and actions. These can be used to optimize SD-WAN performance and services to the users and the actual business needs, allowing organizations to define optimization or response policies that include individual or group identities. With this, the contextual policy of both parties to a communication can be considered when defining the treatment of that flow relative to other flows on the network. This brings a new, personal meaning to the phrase "Can YOU hear ME now?"

