October 05, 2021

Costain enables agile collaboration and innovation on major infrastructure programs

Smart infrastructure company Costain replaced its legacy datacenter wide area network (WAN) hardware with cloud-based Microsoft Azure Virtual WAN and Azure Firewall Manager, for instant agility when connecting with 70 project sites across the UK. Costain now updates networks remotely, saving many hours per month waiting for new connections and traveling to sites. Running its WAN infrastructure solely on Virtual WAN with Silver Peak devices, Costain shares data more securely and updates security policies centrally and with greater ease.

Costain

“[With] Virtual WAN and Azure Firewall, we can see all traffic moving across our networks, control it with Azure Firewall, and feed the logs into Azure Sentinel for our SOC. This definitely helps us reduce risk; seeing is knowing.”

Barry King, Cloud Infrastructure Chief Technology Officer, Costain

Based in the United Kingdom, Costain is a leading-edge smart infrastructure solutions company that’s committed to improving people’s lives with safer, better, faster, greener, and more efficient infrastructure programs. For example, one of its flagship projects is working with a prominent water and wastewater company to develop a digital twin of 500 kilometers of interconnecting pipelines in order to deliver clean water to residents with greater efficiency. Having formed a strategic partnership with Microsoft in 2019, Costain is using Microsoft Azure cloud-based software like Azure Digital Twins for many of these projects.

As part of its push to digitally transform its industry, Costain also began looking for a way to create evergreen cloud network infrastructures for its employees and customers. In the past, the company used a traditional Multiprotocol Label Switching (MPLS) provider and set up two identical server racks in provider-run datacenters for redundancy. These racks consisted of point-in-time hardware from traditional router, firewall, and VPN manufacturers. To establish a new connection at each project site, the Costain network team had to contact the MPLS provider, open a support ticket, set up the connection, and have the provider test it—a process that could take several days.

The company made informed predictions as to what its network requirements would be for the next three to five years and designated a certain amount of capital expenditure to cover those needs. But its datacenter hardware would go out of date soon after installation. This equipment also required frequent patching and could not always handle ever-changing business needs. Barry King, Cloud Infrastructure Chief Technology Officer at Costain, says, “Costain, our customers, and our supply chain require a network that can adapt to business needs at any time. We always want the network to enable fast, agile collaboration and innovation. We have 70-plus active construction sites, so our network teams demand a WAN that can instantly grow as required—one they can connect to quickly and securely without the need for any third-party involvement.”

Taking an evergreen approach with Azure network services

In 2020, Costain began its switch to a network-as-a-service approach to gain more agility in connecting people and data, choosing Microsoft Azure Virtual WAN and Microsoft Azure Firewall Manager for this purpose. “The interoperability of Firewall Manager with Zscaler was a big benefit because we could take our existing Zscaler security policies and apply them to our Azure Virtual Desktop machines,” says King. Another bonus is that many of Costain’s critical national infrastructure customers must follow Cyber Essentials Plus requirements. King adds that the ability to template these expandable Azure services and deploy them efficiently and reliably to meet Cyber Plus standards is “a game changer.”

Today, Costain uses Virtual WAN (in place of MPLS) along with Silver Peak devices to remotely link sites and hardware. The company has gained unified network and policy management while automating connectivity from various sites to Azure workloads. Costain can upgrade or reconfigure any site’s network edge without a physical visit or waiting for a hardware depreciation cycle to end, because it now consumes network-as-a-service. “With Virtual WAN, we get the most from virtualized networks,” says King. “We use it to spin up services and connectivity more quickly and more securely than ever before, and we can change the network layer that supports our customers’ services and desktop estates on demand, so our customers’ networks will keep up with the pace of innovation.”

As a result, Costain no longer has to wait 2 to 12 hours for the provider to open a new network connection or travel to and from customer sites, increasing efficiency whilst driving down carbon emissions every month. King also cites the example of being able to work with a partner in India by seamlessly adding international connectivity without shipping firewalls, routers, and VPN devices to establish the connection. “We provisioned another Virtual WAN hub in India, benefitting from the Microsoft international backbone,” he says. Previously it could take an extended amount of time and effort to transport encrypted data to the company’s partner organizations. 

Simplifying IT management with an evergreen network infrastructure

Costain has streamlined its infrastructure processes. “We use Virtual WAN to keep our network infrastructure evergreen and make new connections across platforms remotely,” King explains. “Previously, when we used multiple device stacks from different vendors, we had to apply updates manually. Thanks to the virtualization of Azure services and their interoperability with both Silver Peak and Zscaler products, we are less susceptible to zero-day attacks and have reduced the need for patching the firmware or making onsite configuration changes. The connection is seamless.” 

Thus, Costain isn’t limited by the underlying technology. “We can rest easy knowing that if we input data at one end, it gets where it’s going safely and quickly no matter what type of physical network connection is used,” says King. “The connection is scalable, and I can trust the security of Azure services.”

Costain now manages multiple firewalls more efficiently. “With Firewall Manager, we create one policy and rubber-stamp it into Azure Firewall,” says King. “This reduces IT complexity and saves time. We no longer have to open a request, wait for our MPLS provider to make a change to the firewall, then implement and test the change. Instead, we can update settings with speed and agility, whilst maintaining our own governance.”

Gaining cloud security benefits

The company provides multifactor authentication and conditional access for network administrators with Microsoft Azure Bastion, boosting security. “Azure Bastion is our go-to for all administrative access,” says King. “It enables our administrators to sign in according to a Zero-Trust framework without having to spin up infrastructure like VPNs or jump boxes. We split our remote access into authenticated and non-authenticated for granular control.” Costain uses services such as Azure DDoS Protection Standard, Microsoft Azure Application Gateway, and Azure Firewall to protect non-authenticated access.

Costain feeds data from the Virtual WAN and Azure Firewall into the Azure Sentinel Security Information and Event Management (SIEM) solution to be read by its security operations center (SOC). “Thanks to interoperability between Virtual WAN and Azure Firewall, we can see all traffic moving across our networks, control it with Azure Firewall, and feed the logs into Azure Sentinel for our SOC. This helps us reduce risk; seeing is knowing,” says King. After defining a successful configuration, Costain creates a template for its architecture teams to use on similar projects, using tools like HashiCorp Terraform for a consistent, reliable infrastructure-as-code approach.

Taking full advantage of virtualization

Thanks to Azure Firewall, Costain can reset and maintain its security approach with minimal effort. “We block everything until we’re absolutely certain it’s needed, which is another way to reduce risk,” he says. “We also use service tags to define network access controls in Azure Firewall, so we can grant devices granular access to, say, a particular storage account, without having to search for or maintain the IP addresses of that cloud service.” In this way, Costain can be assured of high security, and it doesn’t encounter service errors when new IP addresses are added.

Costain maximizes the benefits of its Azure Virtual Desktop deployment by providing the functionality of high-powered devices that run CAD software on demand, often for digital twin projects. When working with partners, Costain uses Virtual Desktop to enable remote access to sensitive data for people who are connecting from one of its managed devices or from a partner’s managed device. “We can provide highly secure access to a Costain-managed virtual desktop in Azure with security policies enforced by Zscaler, Azure Defender, and our other Azure services,” says King. “Partners can use their existing devices, sign in to our virtual desktops in the cloud, and collaborate securely with the computing power they need.”

Working with Microsoft to build the future

By partnering with Microsoft to digitally optimize the design, delivery, and operation of UK infrastructure, says King, “We’re working to deliver more than the sum of our individual parts. We’ve been building this relationship for many years, and it just keeps getting better.”

Costain plans to expand its use of Virtual Desktop and retire its remaining legacy cloud firewalls in favor of Azure Firewall and Zscaler. It’s also considering a move to Microsoft Azure Front Door, a global edge network entry point that Costain uses to create fast, highly secure, and widely scalable web applications.

“The combination of Virtual WAN and Firewall Manager gives us the confidence to provide evergreen network infrastructures,” King sums up. “We know the connectivity is there with Virtual WAN because we used it to connect our sites from our existing devices. And we can establish targeted connections exactly the way we want to set them up. We can deploy and scale as necessary with the confidence that we can take the telemetry from Azure Firewall and feed it into our SOC.”


“Previously, when we used multiple device stacks from different vendors, we had to apply updates manually. Thanks to the virtualization of Azure services and their interoperability with both Silver Peak and Zscaler products … the connection is seamless.”

Barry King, Cloud Infrastructure Chief Technology Officer, Costain
