In collaboration with Jon Heaton and Roel Bernaerts
In the last SASE blog, we outlined our aspiration to migrate to “Unified SASE” for most of our network. This unified approach provides excellent integrations between SD-WAN, cloud security, end-point security and zero trust — all available through a unified services portal.
For our third blog in this series, we are focusing on how SASE is enabling Cisco IT to improve the productivity and work-life balance of our employees who are working from home.
Before the pandemic, close to 25% of Cisco’s workforce was working from home for half of their week. A more recent employee survey suggested that employees expect this to increase to over 75% post-pandemic. Although Cisco IT’s Zero Trust strategy allows an increasing number of employees to do their job without using VPN, most job profiles continue to require VPN access into the corporate network at some point, and some roles still rely heavily on VPN.

This increase in remote workers, both on and off VPN, caused challenges. For instance, we wanted to be able to split off-tunnel traffic directly to the internet for users of all applications — including hundreds of legacy and proprietary applications that aren’t Zero Trust enabled. However, we have security policies that only allow trusted and well-known applications to be offloaded directly to the internet.
To address this challenge, we made improvements to our network, including upgrading our VPN infrastructure and adding network capacity to guarantee resiliency in case of outages.
This is where SASE enters the picture as a long-term solution for remote workers using our network. We are planning to deploy a SASE solution that can be consumed “as a Service” before we are required to upgrade our existing hardware-based on-prem VPN and security infrastructure. This allows us to scale up when needed and scale back down as we enable more Zero Trust access.

Bringing users closer to applications and vice-versa
The new teleworker solution is focused on bringing users closer to the applications and data they consume. We utilize the Cisco AnyConnect endpoint client that integrates seamlessly with Cisco Umbrella to steer traffic away from the VPN while keeping Cisco secure.
As a first measure, Umbrella provides DNS Security. Even when a user is off VPN, it blocks DNS requests for domains that have been identified as malicious or high-risk.
Secondly, we have options to send data via the most optimal path depending on performance and security requirements. Applications that have passed Cisco security review — i.e. Zero Trust-enabled applications through the Duo Network Gateway: Office365, Box, etc. — are split-tunneled directly to the internet using IP- or domain-based policy. All public web traffic is redirected to the nearest Umbrella Secure Web Gateway (SWG). This assures a shorter, yet highly secure path. Remaining traffic is forwarded through the VPN to our hardware and colocation based Cisco Secure Firewall.
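The steering order described above can be modelled as a small decision function. This is an added example, not Cisco IT's configuration or any Umbrella or AnyConnect API: every domain, network and function name in it is constructed, and checking internal destinations before the web rule is an assumption made so that internal web applications stay on the VPN.

```python
import ipaddress

# Constructed sample policy; none of these values come from Cisco's configuration.
BLOCKED_DNS = {"malware.example"}                 # flagged by DNS security
TRUSTED_DOMAINS = {"box.com", "office365.com"}    # passed security review
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
INTERNAL_DOMAINS = {"corp.example"}               # assumed internal namespace
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def _in_domains(host, domains):
    """Match on label boundaries so 'evilbox.com' never matches 'box.com'."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def _in_nets(ip, nets):
    """True when the literal IP falls inside one of the policy networks."""
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)

def steer(host=None, ip=None, port=443):
    """Return the path for one flow: dns-block, vpn, direct or swg."""
    if _in_domains(host, BLOCKED_DNS):
        return "dns-block"   # refused at resolution, on or off VPN
    if _in_domains(host, INTERNAL_DOMAINS) or _in_nets(ip, INTERNAL_NETS):
        return "vpn"         # internal destinations never leave the tunnel
    if _in_domains(host, TRUSTED_DOMAINS) or _in_nets(ip, TRUSTED_NETS):
        return "direct"      # split-tunneled straight to the internet
    if port in (80, 443):
        return "swg"         # public web traffic via the Secure Web Gateway
    return "vpn"             # everything else defaults to the tunnel
```

The suffix check is the part worth reviewing in any domain-based split-tunnel policy: a plain `endswith("box.com")` would send a look-alike domain down the unfiltered direct path.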

Replacing our on-prem VPN with cloud delivered SFCN
We are exploring opportunities to replace our hardware-based, on-prem VPN infrastructure with Cisco Secure Firewall Cloud Native (SFCN). This would help us avoid the large capital investments that would be required to upgrade our current VPN hardware infrastructure, including having to over-provision resources to cover unforeseen circumstances and potential future growth.
With SFCN, Cisco Remote Access VPN capabilities could be ordered directly from the AWS Marketplace and scaled up or down when needed with just a few mouse clicks. The SFCN will integrate with AWS Transit Gateways, and allow us greater flexibility to send traffic where it needs to go — either to other VPCs or to on-prem resources via MultiCloud.
ThousandEyes ties it all together
In the old model, the traffic flow was very deterministic and most of the network path was owned and managed by Cisco IT. However, in the new model, traffic moves to many different locations via different paths. This makes it much more difficult to isolate and troubleshoot issues. To address this, we must be able to monitor the user experience for critical business applications. This is where ThousandEyes enters the equation: with Cisco ThousandEyes, we are able to gain insights into potential issues and to help isolate where exactly issues are. By integrating with Webex Teams, users are now able to troubleshoot any potential issues themselves via interactions with a Teams bot.

With this new SASE model, users are able to safely and efficiently work from home or, in fact, from anywhere, without noticing any major offset in performance.
In our next blog in this series, we will explore how we have applied similar logic to our branch offices and how we use Cisco SD-WAN to deliver cost effective Middle-Mile and Hybrid Cloud connectivity.
