Monday, August 15, 2022

The SASE story III: SASE as an answer for distant employees


In collaboration with Jon Heaton and Roel Bernaerts

In the last SASE blog, we outlined our aspiration to migrate to "Unified SASE" for most of our network. This unified approach offers excellent integration between SD-WAN, cloud security, endpoint security and zero trust, all available through a single services portal.

For our third blog in this series, we're focusing on how SASE is enabling Cisco IT to improve the productivity and work-life balance of our employees who are working from home.

Before the pandemic, close to 25% of Cisco's workforce was working from home for half of their week. A more recent employee survey suggested that employees expect this to increase to over 75% post-pandemic. Although Cisco IT's Zero Trust strategy allows an increasing number of employees to do their job without using VPN, most job profiles continue to require VPN access into the corporate network at some point, and some roles still rely heavily on VPN.

Figure: SASE For Remote Work Model

This increase in remote workers, both on and off VPN, caused challenges. For instance, we needed to be able to split off-tunnel traffic directly to the internet for users of all applications, including hundreds of legacy and proprietary applications that are not Zero Trust enabled. However, we have security policies that only allow trusted and well-known applications to be offloaded directly to the internet.

To address this challenge, we made enhancements to our network, including upgrading our VPN infrastructure and adding network capacity to ensure resiliency in case of outages.

This is where SASE enters the picture as a long-term solution for remote employees using our network. We're planning to deploy a SASE solution that can be consumed "as a Service" before we're required to upgrade our current hardware-based, on-prem VPN and security infrastructure. This allows us to scale up when needed and scale down as we enable more Zero Trust access.

Figure: SASE For Remote Work Model

Bringing users closer to applications and vice versa

The new teleworker solution is focused on bringing users closer to the applications and data they consume. We use the Cisco AnyConnect endpoint client, which integrates seamlessly with Cisco Umbrella to steer traffic away from the VPN while keeping Cisco secure.

As a first measure, Umbrella provides DNS Security. Even when a user is off VPN, it blocks DNS requests for domains that have been identified as malicious or high-risk.

Secondly, we have options to send data via the most optimal path depending on performance and security requirements. Applications that have passed Cisco security review, i.e. Zero Trust-enabled applications behind the Duo Network Gateway (Office365, Box, etc.), are split-tunneled directly to the internet using IP- or domain-based policy. All public web traffic is redirected to the nearest Umbrella Secure Web Gateway (SWG). This ensures a shorter, yet highly secure, path. Remaining traffic is forwarded via the VPN to our hardware- and colocation-based Cisco Secure Firewall.
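The steering order described above (DNS Security first, then split-tunnel for reviewed apps by domain or IP, public web traffic to the SWG, everything else through the VPN) is modelled below as a small decision function. This is an added example, not Cisco IT's configuration or any Umbrella/AnyConnect API; all domain names and address ranges are constructed placeholders.

```python
import ipaddress

# Constructed sample policy; real verdicts and app lists live in Umbrella/Duo, not here.
BLOCKED_DOMAINS = ("malicious.example",)                      # DNS Security verdicts (constructed)
SPLIT_TUNNEL_DOMAINS = ("office365.example", "box.example")   # reviewed, Zero Trust-enabled apps
SPLIT_TUNNEL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # IP-based split-tunnel policy
CORPORATE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]     # address space reachable only via VPN
WEB_PORTS = {80, 443}


def _matches_domain(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _as_ip(value):
    """Parse an IP literal, returning None for hostnames or missing values."""
    try:
        return ipaddress.ip_address(value) if value else None
    except ValueError:
        return None


def steer(host, port, resolved_ip=None):
    """Return the path a flow takes: BLOCK, DIRECT (split-tunnel), SWG or VPN."""
    host = host.lower().rstrip(".")
    # 1. DNS Security applies on and off VPN, before any routing decision.
    if _matches_domain(host, BLOCKED_DOMAINS):
        return "BLOCK"
    # 2. Reviewed apps bypass the tunnel, matched by domain or by resolved/literal IP.
    if _matches_domain(host, SPLIT_TUNNEL_DOMAINS):
        return "DIRECT"
    ip = _as_ip(resolved_ip) or _as_ip(host)
    if ip is not None and any(ip in net for net in SPLIT_TUNNEL_PREFIXES):
        return "DIRECT"
    # 3. Corporate address space is never public web traffic; it stays on the VPN.
    if ip is not None and (ip.is_private or any(ip in net for net in CORPORATE_PREFIXES)):
        return "VPN"
    # 4. Remaining public web traffic is redirected to the nearest Umbrella SWG.
    if port in WEB_PORTS:
        return "SWG"
    # 5. Everything else is forwarded through the VPN to the Secure Firewall.
    return "VPN"
```

The order of the checks is the point: a blocked domain is never reachable regardless of path, and a reviewed app is split-tunneled even when its address would otherwise fall into a web-to-SWG rule.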

Figure: SASE For Remote Work Model

Replacing our on-prem VPN with cloud-delivered SFCN

We're exploring opportunities to replace our hardware-based, on-prem VPN infrastructure with Cisco Secure Firewall Cloud Native (SFCN). This would help us avoid the large capital investments that would be required to upgrade our current VPN hardware infrastructure, including having to over-provision resources to cover unforeseen circumstances and potential future growth.

With SFCN, Cisco Remote Access VPN capabilities could be ordered directly from the AWS Marketplace and scaled up or down when needed with just a few mouse clicks. SFCN will integrate with AWS Transit Gateways and give us greater flexibility to send traffic where it needs to go, either to other VPCs or to on-prem resources via MultiCloud.

ThousandEyes ties it all together

In the old model, the traffic flow was very deterministic and most of the network path was owned and managed by Cisco IT. In the new model, however, traffic moves to many different locations via different paths. This makes it much more difficult to isolate and troubleshoot issues. To address this, we must be able to monitor the user experience for critical business applications. This is where ThousandEyes enters the equation: with Cisco ThousandEyes, we're able to gain insight into potential issues and help isolate exactly where they are. By integrating with Webex Teams, users are now able to troubleshoot potential issues themselves through interactions with a Teams bot.

Figure: ThousandEyes Bot

With this new SASE model, users are able to work safely and efficiently from home or, really, from anywhere, without noticing any major loss in performance.

In our next blog in this series, we'll explore how we've applied similar logic to our branch offices and how we use Cisco SD-WAN to deliver cost-effective Middle-Mile and Hybrid Cloud connectivity.







