How Cushman & Wakefield Landed Secure SD-WANwith Aruba and Zscaler

Cushman & Wakefield’s network serves a huge number of users and customers, who need a secure, responsive network that provides the same experience no matter where they connect.

“One of the biggest complaints, when I started at Cushman & Wakefield, was ‘our network is unusable, I’m more productive at a hotel or at a Starbucks or at my house,’” noted Rob Franch, CTO of Cushman & Wakefield. “We really set out to change that.” 

Cushman & Wakefield employees rely on many software as a service (SaaS) offerings like Workday, Salesforce, and Microsoft 365, both in offices and on the go. Franch found that the traditional hub-and-spoke WAN architecture wasn’t meeting the company’s needs—not only for Cushman & Wakefield users and teams but also as the company focused on its growth strategy through mergers and acquisitions (M&A).

“M&A was a big part of our growth strategy,” elaborated Franch. “We made the conscious decision to integrate these companies into our ecosystem from a technology, process, and people perspective on day one.” 

Integrating companies into the Cushman & Wakefield network rather than keeping them separate means bringing technology, software, networks, processes, and people on board as seamlessly and quickly as possible. Rapid onboarding means the whole company can quickly leverage the assets of each new acquisition. Rob found that the current WAN architecture wasn’t suited to handle rapid onboarding. 

Franch and his teams’ search for WAN solutions included an investigation of software-defined wide area networks (SD-WAN). The idea intrigued everyone. In addition to solving Cushman & Wakefield’s networking issues, the right SD-WAN solution would:

• Improve performance for business-critical applications no matter where users accessed them, and make sure that performance was uniform across all sites
• Push ownership of the service to branches to make sure that local issues were resolved locally and quickly
• Simplify the network environment and provide a flexible architecture to support business goals, improve response times, and reduce points of failure
• Improve deployment speed when spinning up new branch offices or integrating new systems and locations from M&A
• Gain visibility into all WAN traffic and usage so that decisions could be made not only for local environments but for the whole network
• Reduce overall costs for the network as it scaled up to meet growth expectations 

In a typical WAN, enterprises use centralized data centers protected by stacks of security appliances. All connections go to the data center over the WAN, through the stack, and back out again, even if those connections are ultimately internet-bound. This doesn’t scale well, especially now that software, infrastructure, and data have moved out of the data center and are hosted in the cloud. 

An SD-WAN is a virtual WAN architecture that allows enterprises to leverage any combination of transport services—including MPLS, LTE, and broadband—to connect users to applications. SD-WANs centralize control functions and intelligently move traffic across a network to increase application performance and improve user experience. This has the additional benefit of reducing IT costs. 

Once the IT teams decided to deploy an SD-WAN, they chose Aruba as their SD-WAN provider. Aruba EdgeConnect SD-WAN edge platform checked all the boxes for Cushman & Wakefield, offering increased application performance, support for the company’s M&A growth strategy, reduced deployment costs, and network-wide traffic visibility. 

“By leveraging the EdgeConnect SD-WAN edge platform, we enable Cushman & Wakefield to collaborate effectively and efficiently between regions to service our multinational customers in a truly global way,” said Chris Butcher, Cushman & Wakefield Platform Architect for Global Networks, Cloud, and Perimeter Security.

With the decision to move to Aruba EdgeConnect, Franch and his security teams also needed to secure connections between users and applications. As part of the SD-WAN architecture, internet traffic from branch offices would go direct instead of through the corporate security stack at headquarters. With over 400 branch offices, the company needed rigorous security and policy enforcement for company-wide protection without the headaches and expense of on-premises firewall appliances. 

Since Aruba EdgeConnect was the chosen solution, it made sense to go with cloud-based security, so the company could further its move toward cloud agility and simplicity. Besides air-tight security, the security teams sought a solution that easily integrated with the Aruba EdgeConnect SD-WAN deployment.

Cushman & Wakefield selected the Zscaler Internet Access (ZIA) service. ZIA examines internet-destined traffic across all ports and protocols, including SSL-encrypted traffic. It also enables policies to follow users, regardless of location or device, providing security for Cushman & Wakefield’s over 50,000 staff members around the globe. It also seamlessly works with the company’s Aruba EdgeConnect deployment.

Zscaler Internet Access also allows Cushman & Wakefield to control bandwidth for critical applications. It was essential that IT teams could prioritize business-critical applications such as Microsoft 365 and Salesforce over less important traffic such as YouTube, live-streaming, and other social media. ZIA allows Cushman & Wakefield to make sure productivity doesn’t get bogged down by other traffic—it can use Zscaler to set crucial application bandwidth minimums and guarantee application performance. 

In addition, Zscaler was the first cloud security provider to be a certified partner in the Microsoft Networking Partner Program (NPP) for Microsoft 365. Zscaler peers with Microsoft in more than 20 data centers around the world, connecting Cushman & Wakefield’s Microsoft 365 users to the closest Microsoft portal via fast internet connections. 

As Franch explains: “You can walk into an office in Hong Kong, Sydney, London, Boston, Los Angeles and you’re able to connect immediately with the same experience no matter where you are in the world. We’ve got that consistency and predictability that we’ve set out to achieve.” 

Zscaler and Aruba APIs work together to provide edge to cloud security that protects every user on the network. Aruba EdgeConnect zero-touch branch provisioning:

• Establishes tunnels to primary and secondary Zscaler Public Service Edge, and forwards all branch traffic to the primary Zscaler Public Service Edge
• Creates additional tunnel pairs to the same Zscaler Public Service Edge pairs for branch locations served by multiple ISPs
• Monitors SD-WAN transport service health to the Zscaler Public Service Edge pairs and controls tunnel failover
• Supports GRE tunnels for high-bandwidth locations and IPSec tunnels for dynamic IP locations
• Complies with Zscaler IPSec and GRE tunnel best practices 

With SD-WAN from Aruba and security from Zscaler, Franch and his teams could enable local internet breakouts that are adaptive and secure, set bandwidth for business-critical applications, and provide a unified WAN experience for users with fast connections, no matter where they are and what they need to access. The combined solution allows complete network visibility over who is using what applications, giving Franch’s teams insight into exactly what is happening in the network. 

Both Aruba and Zscaler are best-in-class and Gartner Magic Quadrant Leaders in their respective markets. Seamless API integrations speed and simplify deployment, both to existing branches and at new acquisitions as Cushman & Wakefield grows its business. 

The combination of Aruba’s self-driving EdgeConnect SD-WAN edge platform and Zscaler Internet Access enables Cushman & Wakefield to deliver fast, secure, and uninterrupted access to business-critical applications. Branches going directly to the cloud can be provisioned and secured in minutes, providing optimal performance from applications, and secure SD-WAN connectivity that automatically adapts to changing business requirements. For Franch’s IT teams, that means simplified operations and lower costs.

“In order to get your foundation right, you need to have a solid network with good connectivity and good security that wraps around it,” stated Franch. “Zscaler is a big component to help you enable that. I would recommend looking closely at Zscaler and the ecosystem and partnerships that they’ve built.”