What is Zero-Touch Provisioning (ZTP)?

When we explain zero-touch provisioning (ZTP) to enterprises, some remark that ZTP is a misnomer. They point out that someone needs to touch something physically — an administrator clicking a button to provision a remote device or an individual handling a remote box to connect it to a network and power it up. Putting aside the debate on the fidelity of the acronym, ZTP refers to the capability of a remote device to self-configure and self-update on startup with minimal human intervention.

ZTP is designed to enable devices to self-provision in locations that lack skilled local IT staff. The philosophy around ZTP involves building resilient systems designed for low-overhead mass deployment. ZTP-enabled devices can be installed and powered on by non-IT staff, while IT teams can perform remote management once these devices establish connections to central controllers.

Beyond streamlined provisioning, leading vendors engineer their ZTP implementations for resiliency. These systems should fail gracefully, provide appropriate diagnostic information for subsequent remediation, and offer multiple options for automatic recovery.

ZTP is critical for SD-WAN success

Coupled with centralized controllers that handle ongoing management and configuration beyond Day 1 provisioning tasks, ZTP enables rapid distribution and deployment of branch devices like SD-WAN appliances. For enterprises with a few branch locations, manually configuring on-site or shipping out pre-configured appliances may be adequate for small roll-outs. However, manually rolling out SD-WAN would be cost-prohibitive for enterprises with tens, hundreds, or thousands of sites and incur unnecessary delays.

Just as SD-WAN is critical to enterprise WAN transformation, ZTP is vital to the success of rapid SD-WAN uptake. Without ZTP’s ability to easily configure and deploy templated configurations across large geographic spans and thousands of instances, WAN transformation would be delayed. The delay impacts an enterprise’s ability to benefit from always-on, cost-effective connectivity that SD-WAN brings with multi-link routing and improved productivity with application- and context-aware quality-of-service controls. Most importantly, SD-WAN brings a reduction in an enterprise’s threat exposure through its security capabilities. Every day of delay in rolling out SD-WAN means an extra day of unnecessary threat exposure. It represents an impediment to the eventual adoption of secure access services edge (SASE) — an evolution of SD-WAN’s security capabilities.

ZTP and work-from-home (WFH)

In our conversations with service providers globally, we hear that the ongoing pandemic is driving hybrid work arrangements for corporations worldwide. The employee’s home has become the new branch — the branch of one. The number of branch offices has grown multifold, from hundreds and thousands to tens of thousands or more. Previously, corporations relied on software-only VPN clients on corporate laptops and mobile devices to secure employee corporate access. Recently, companies have started shipping SD-WAN appliances with built-in WiFi to key employees for home use.

These low-cost SD-WAN customer premises equipment (CPEs) extend branch control capabilities into employee homes, creating a segmented network under corporate control with consistent policies across the entire enterprise WAN. Segmentation protects against other insecure home computing and IoT devices on open or poorly secured home WiFi networks. For employees, the experience with a home-based SD-WAN CPE extends the branch experience with corporate SSIDs, security policies, and quality-of-service (QoS) controls.

Another critical advantage of SD-WAN CPEs in a WFH setting is the potential reduction of workload on IT staff. Instead of spending time troubleshooting an employee’s home network, with the attendant privacy issues, or trying to protect an employee from home-borne security threats, corporate IT staff can deploy a compartmentalized network under their complete control. Further, companies can use pooled mobile data plans for 4G LTE or 5G backup links that kick in should the home-based broadband links fail. SD-WAN-enabled mobile failover keeps key employees online with near-enterprise reliability but at a fraction of the cost.

Again, the key to making these large home-based deployments feasible is ZTP. Without ZTP, IT staff have no reasonable means to manage the scale of SD-WAN deployment necessary to make this a reality. ZTP allows the drop shipment of SD-WAN devices to many employee home locations and rapid provisioning post-power-on. Some SD-WAN solutions use mobile links for initial ZTP provisioning, so that initial bring-up succeeds whenever mobile connectivity is available and centralized IT admins gain a path for troubleshooting errant broadband wireline links. ZTP reduces the complexity of bring-up and shortens the time to successful deployment.
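The two properties described above, a resilient bring-up that falls back to a second uplink and records diagnostics when it cannot provision, and a device that only accepts configuration it can authenticate, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from the author, from Hillstone, or from any SD-WAN product. It assumes a per-device provisioning secret used as an HMAC key (real systems typically use device certificates), two hypothetical uplink names ("wireline" and "lte"), and stand-in fetch functions in place of network calls, so it runs offline.

```python
"""Simulated ZTP bring-up with uplink fallback, config authentication and diagnostics.

Constructed example: the uplinks, the fetch callables and the secret are stand-ins.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical per-device provisioning secret. A shipping device would carry a
# device certificate or a factory-burned key; a constant here keeps the example offline.
DEVICE_SECRET = b"example-device-secret"


@dataclass
class BringupReport:
    """What the device reports back to central IT after a bring-up attempt."""
    uplink_used: Optional[str] = None
    config: Optional[dict] = None
    diagnostics: list = field(default_factory=list)

    @property
    def succeeded(self) -> bool:
        return self.config is not None


def sign_config(config: dict, secret: bytes = DEVICE_SECRET) -> dict:
    """Controller side: wrap a config in an envelope with an HMAC tag the device can verify."""
    body = json.dumps(config, sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify_config(envelope: dict, secret: bytes = DEVICE_SECRET) -> Optional[dict]:
    """Device side: return the config only if the tag matches; None means 'do not apply'."""
    expected = hmac.new(secret, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("tag", "")):
        return None
    return json.loads(envelope["body"])


def ztp_bringup(uplinks, fetchers, retries=2) -> BringupReport:
    """Try each uplink in order, with a bounded number of retries per uplink.

    uplinks:  ordered uplink names, e.g. ["wireline", "lte"] (wireline preferred)
    fetchers: uplink name -> callable that returns a signed envelope or raises on failure
    """
    report = BringupReport()
    for uplink in uplinks:
        fetch = fetchers[uplink]
        for attempt in range(1, retries + 1):
            try:
                envelope = fetch()
            except Exception as exc:  # transient transport failure: record and retry
                report.diagnostics.append(f"{uplink} attempt {attempt}: fetch failed: {exc}")
                continue
            config = verify_config(envelope)
            if config is None:
                # Not transient: retrying the same uplink will not help, move on.
                report.diagnostics.append(f"{uplink} attempt {attempt}: config rejected (bad signature)")
                break
            report.uplink_used = uplink
            report.config = config
            return report
    # Fail gracefully: leave the device unprovisioned and hand IT the trail of what happened.
    report.diagnostics.append("all uplinks exhausted; device left unprovisioned for remediation")
    return report


def demo_fallback() -> BringupReport:
    """Constructed scenario: home broadband is down, LTE reaches the controller."""
    good = sign_config({"site": "home-office-42", "ssid": "corp-guest", "qos": "voice-first"})

    def wireline_fetch():
        raise ConnectionError("no DHCP lease on WAN1")

    return ztp_bringup(["wireline", "lte"], {"wireline": wireline_fetch, "lte": lambda: good})


def demo_tampered() -> BringupReport:
    """Constructed scenario: the only uplink delivers a config whose body was altered in transit."""
    envelope = sign_config({"site": "home-office-42"})
    envelope["body"] = envelope["body"].replace("home-office-42", "altered-site")
    return ztp_bringup(["wireline"], {"wireline": lambda: envelope})


if __name__ == "__main__":
    for r in (demo_fallback(), demo_tampered()):
        print("provisioned via", r.uplink_used, "->", r.config)
        for line in r.diagnostics:
            print("  diag:", line)
```

The design point is the distinction between the two failure kinds: a transport error on the wireline link is retried and then handed over to LTE, while a config that fails authentication is never applied and not retried on that link, so a device that comes up over mobile still carries a record showing IT which wireline link to investigate.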

No ZTP, no SD-WAN?

With the challenges facing enterprises worldwide in connecting and securing distributed sites and employees, SD-WAN has emerged as a critical platform for corporate IT teams. And as we’ve detailed in this article, a solid ZTP capability can ensure the successful roll-out of SD-WAN. IT teams contemplating large-scale SD-WAN adoption would be well-advised to evaluate ZTP capabilities in concert with, and at the same priority level as, other vital SD-WAN features (central management, security, multi-link handling).

About the Author

Roy Chua is founder and principal at AvidThink, an independent research and advisory service formed in 2018 out of SDxCentral’s research arm. Roy was previously co-founder at SDxCentral where he ran both the research and product teams. Roy was formerly a management consultant working with both Fortune 500 and startup technology companies on go-to-market and product consulting. As an early proponent of the software-defined infrastructure movement, Roy is a frequent speaker at events in the telco and cloud space and a regular contributor to leading technology publications. A graduate of UC Berkeley’s electrical engineering and computer science program and MIT’s Sloan School of Business, Chua has 20+ years of experience in telco and enterprise cloud computing, networking and security, including founding several Silicon Valley startups.