Cisco+ Secure Connect Now
Deploy & Scale SASE for Secure Remote Worker in the Cloud

Eric Eddy
Principal Technical Marketing Engineer, Cisco Security
https://ericeddy.blog
BRKSEC-2129
#CiscoLive

Cisco Webex App

Questions? Use the Cisco Webex App to chat with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 17, 2022.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-2129

#CiscoLive BRKSEC-2129 © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
About Me
Eric Eddy
• Blog: www.ericeddy.blog
• Principal TME, CloudSec
• 12 years @ Cisco
• CCIE Sec #47300
• Husband + Father (5 & 6)
• Reef keeper & avid gamer

Agenda
• Industry trends and SASE
• Cisco+ Secure Connect Now
• Use Cases
• Capabilities and Architecture
• Demo: Browser-based Access (ZTNA)
• Demo: Remote Access
• Wrap-up & Call to Action

Introduction

Changes that led to SASE: cloud revolution and hybrid work

• Cloud applications exploded, but traffic was still routed through the central firewall at the data center.
• Branch security was redesigned differently at each site, leading to inconsistent security policies.
• Remote workers connecting through regional VPNs introduced stress points, resulting in poor user experience.

45% of business respondents cited reliable network performance as the #1 challenge for hybrid work adoption.¹

1: Gartner survey of 500 enterprise businesses. Gartner Market Guide for Digital Experience Monitoring, August 2020

[Diagram: SaaS (SAP, Adobe, Oracle, Office 365, Google Workspace, Salesforce), public cloud and private cloud, all reached through the data center; MPLS links to branch offices and campus; remote workers over VPN]

SASE is enabling a hybrid workforce model

SASE can provide anywhere connectivity, always-on cloud security, and an improved worker experience no matter where you work.

Cisco can provide a solution beyond SASE:
• Ensure user endpoints are safe to connect to the SASE network or operate offline
• Meet or exceed application SLAs for the best in worker experience
• Address the latest security threats with industry-leading Talos® intelligence
• Have faster time to value of the newest technology innovations, deployed effortlessly at the pace of your business

[Diagram: remote workers, campus and branch office connect through SASE to the public internet, SaaS, public cloud and private cloud: one experience]

Cisco+ Secure Connect Now

Speed and simplify your SASE with a unified solution
Securely connect people, applications and things from anywhere

Simple: turn-key SASE solution, easy to onboard and consumed as an as-a-service subscription

Secure: protect every point of service, including those closest to threats (user, device, application)

Intelligent: translate insights into action to predict and remediate the application experience

Optimize your hybrid work experience with a unified turn-key SASE solution that is quick to deploy and easy to manage.

Cisco+ Secure Connect Now delivers!
• Seamless, secure access to any application, from any device or location
• Single subscription adaptable to business needs
• Cloud-delivered, streamlined security and network capabilities with unified visibility
• Global cloud footprint with rock-solid reliability and lightning-fast performance
• Future: premium services and extensibility to a full network-as-a-service stack

[Diagram: internet, public/private clouds and SaaS on top; cloud dashboard, end-to-end application observability and APIs; security, network and observability services; remote access and SD-WAN over a global cloud footprint]

Cisco+ Secure Connect Now

Secure internet access: provide users with safe access to the internet and cloud applications from any location and block malicious activity and threats.

Secure private access: deliver secure connections to company assets in private data centers or in the private cloud.

Interconnect: dramatically simplify architecture and configuration by inherently interconnecting anything you connect to the SASE fabric.

[Diagram: remote workers, campus and branch office connect through SASE to the public internet, SaaS, public cloud and private cloud: one experience]

Cisco+ Secure Connect Now for a hybrid workforce

Outcomes:
• Enable a hybrid workforce with a turn-key solution for consistent access and user experience
• Increase worker productivity with anywhere connectivity and improved application performance
• Lower overall IT spend with a simple consumption model and pay as you grow for SASE at your pace
• Reduce security risk and maintain your security compliance requirements

What challenges do we face in achieving these outcomes?

Use cases

Cisco+ Secure Connect Now: Secure Remote Worker

Core elements:
• Traffic steering
• Internet security: DNS-layer security, SWG proxy, CASB, DLP, cloud firewall
• Private access: MFA, device posture, SAML auth, access control

[Diagram: the secure remote worker's internet traffic passes through DNS-layer security, Layer 7 firewall, SWG and CASB to public applications (internet/SaaS); private traffic passes through Secure Private Connect, with MFA and device posture/health checks, over a tunnel to private applications in the private cloud, IaaS and branch/HQ]

Browser-Based Access

Clientless ZTNA connectivity

Simple turnkey solution:
• Frictionless end user experience
• Cisco provided certificates
• Auto-generated external FQDN

Least privileged access to private apps:
• User identity-based authentication
• Endpoint posture based authorization
• Application specific access policies

[Diagram: a managed or unmanaged device uses only a browser against the Cisco+ Secure Connect Now ZTNA proxy; private traffic reaches IaaS (AWS, Azure, GCP) or the private data center over a client tunnel. Identity and posture drive access control; SAML authentication; no client/agent required; certificate and DNS are Cisco managed]

Architecture & Capabilities

High-level architecture

Customer edge: unmanaged endpoint (contractor); managed endpoint with client (employee); in branch/on network (employee, HQ/branch).
Service edge: traffic acquisition; interconnect.
Platform: posture, identity, dashboard, services, cloud control plane; cloud data plane with interconnect, zero-trust proxy and cloud security.
Customer environments: sanctioned SaaS (Webex, Office 365, Salesforce), general internet, private applications.

Flow:
1. Acquire information from the edge
2. Acquire traffic into the data center
3. Gather missing information and authorize the flow
4. Connect to cloud or back to customer edge

Identity-based access control

Identity-based access control allows customers to
• Define and manage applications for use in access policies
• Control applications with access policies so only authorized users can access them
• Have identity-based access control for remote access users to public and private applications
• Have network IP-based access control for branch traffic to public and private applications

[Diagram: customer edge (managed endpoint with thick client; in branch/on network) → service edge (traffic acquisition, interconnect) → service chain (cloud security; platform with dashboard, identity and reporting; cloud data plane) → customer environments (private applications, public applications)]

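The two authorization paths on this slide and the browser-based access slide (identity-based decisions for remote-access users, posture-gated; network IP-based decisions for branch traffic) are easier to reason about as a policy engine. The following is an added example written for this page, not Cisco code and not how Secure Connect implements its policy: the application names, rule fields, posture attributes and sample requests are all constructed.

```python
# Added example, not Cisco code: a minimal policy engine in the shape the
# slides describe. Remote-access users are authorized by identity (SAML
# subject and groups) gated on endpoint posture; branch traffic, which
# carries no user identity, is authorized by source IP prefix. App names,
# rule fields, posture attributes and sample requests are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Request:
    app: str                                   # private/public application requested
    src_ip: str                                # source address seen at the service edge
    user: Optional[str] = None                 # SAML subject; None for branch flows with no user
    groups: FrozenSet[str] = frozenset()       # group claims from the SAML assertion
    posture: Optional[Dict[str, bool]] = None  # posture report; None when no client reported one


@dataclass(frozen=True)
class Rule:
    app: str
    allow_groups: FrozenSet[str] = frozenset()        # identity clause (remote access)
    allow_networks: Tuple[str, ...] = ()              # network/IP clause (branch traffic)
    require_posture: Dict[str, bool] = field(default_factory=dict)  # gate on the identity clause


def posture_ok(required: Dict[str, bool], observed: Optional[Dict[str, bool]]) -> bool:
    """Fail closed: a rule that demands posture is not satisfied by a missing report."""
    if not required:
        return True
    if observed is None:
        return False
    return all(observed.get(k) == v for k, v in required.items())


def evaluate(rules, req: Request) -> Tuple[str, str]:
    """First matching rule for the requested app decides; anything unmatched is denied."""
    for rule in rules:
        if rule.app != req.app:
            continue
        # Identity clause: only for authenticated (remote-access) users.
        if req.user is not None and rule.allow_groups & req.groups:
            if posture_ok(rule.require_posture, req.posture):
                return "allow", f"identity: {req.user} in {sorted(rule.allow_groups & req.groups)}"
            return "deny", f"posture: {req.user} failed {rule.require_posture}"
        # Network clause: branch prefixes; no posture is available on this path.
        src = ip_address(req.src_ip)
        if any(src in ip_network(n) for n in rule.allow_networks):
            return "allow", f"network: {req.src_ip} is in a branch prefix"
    return "deny", "no matching rule (default deny)"


# Constructed policy: the HR portal is reachable by the HR group from encrypted
# endpoints, or from the branch prefix; the wiki is open to employees and contractors.
POLICY = (
    Rule(app="hr-portal", allow_groups=frozenset({"hr"}),
         allow_networks=("10.20.0.0/16",),
         require_posture={"disk_encrypted": True}),
    Rule(app="wiki", allow_groups=frozenset({"employees", "contractors"})),
)


def demo():
    """Run constructed requests through the policy; returns name -> decision."""
    requests = {
        "hr_remote_encrypted": Request("hr-portal", "203.0.113.7", "alice",
                                       frozenset({"hr", "employees"}), {"disk_encrypted": True}),
        "hr_remote_no_posture": Request("hr-portal", "203.0.113.7", "alice",
                                        frozenset({"hr", "employees"}), None),
        "branch_device": Request("hr-portal", "10.20.5.9"),
        "contractor_hr": Request("hr-portal", "198.51.100.4", "carol", frozenset({"contractors"})),
        "contractor_wiki": Request("wiki", "198.51.100.4", "carol", frozenset({"contractors"})),
    }
    return {name: evaluate(POLICY, r)[0] for name, r in requests.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

The point to check in any real deployment is the fail-closed branch: a clientless browser session that cannot produce a posture report must not satisfy a rule that requires posture, and a branch prefix rule must never be reachable from an internet source address.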
Meraki branch interconnect
Simple and easy setup to connect Meraki branches
• Meraki® SD-WAN direct connection to Secure Connect with Auto VPN
• Advanced security capabilities for branch sites
• High availability via SD-WAN fabric
• Private applications access by remote users via SD-WAN fabric
• Easy addition and removal of sites from the Cisco+ Secure Connect Now fabric

[Diagram: Meraki SD-WAN fabric connecting data center and branch to Cisco+ Secure Connect Now]

Edge Security Services

Visit our website to learn more: www.cisco.com/go/secureconnect

Cisco+ Secure Connect Now
• Secure cloud access: DNS-layer security, secure web gateway, cloud-delivered firewall (w/ IPS), remote access, cloud access security broker
• Interactive threat intelligence, file sandboxing, data loss prevention, cloud malware detection, ZTNA browser-based access
• SD-WAN, on/off network devices, SecureX integrated security platform

Outbound Layer 7 cloud-delivered firewall
• Internet bound firewall for traffic filtering
• Globally distributed cloud firewall with a single cloud managed policy
• Layer 7 app visibility and rules (control app usage)
• Cloud IPS powered by Snort

[Diagram: requests originating from the client user are filtered on the way to the internet; requests originating from the internet are shown separately]

Layer 7 application visibility and control
• Tunnel all client-driven traffic to Cisco+ Secure Connect
• Block high-risk applications and protocols (layer-7 application visibility and control)
• Centrally manage IP, port, protocol, and application rules (layers 3, 4, and 7 with Cisco IOS® IPS)
• Forward web traffic (ports 80/443) to secure web gateway
• Tunnel termination required

[Diagram: devices on network → IPsec tunnel to Secure Connect; web traffic on 80/443 goes to the SWG and other traffic to the CDFW; non-web/site exclusions are shown going to Internet/SaaS]
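The steering order this slide describes (exclusions bypass the tunnel, TCP 80/443 goes to the SWG, everything else hits the cloud firewall's L3/L4/L7 rules) is worth writing down as code, because the order decides which engine ever sees a given flow. The block below is an added example for this page, not Cisco code and not the CDFW's real rule model; exclusion lists, rule fields, application names and sample flows are constructed.

```python
# Added example, not Cisco code: a model of the traffic steering and cloud
# firewall ordering described above. All client traffic is tunneled except
# configured exclusions, web traffic on TCP 80/443 is handed to the secure web
# gateway, and the rest is matched against layer 3/4/7 firewall rules. The
# exclusion lists, rule fields, application names and sample flows are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str                    # "tcp" or "udp"
    app: Optional[str] = None     # layer 7 application identified by the firewall, if any
    sni: Optional[str] = None     # TLS SNI / HTTP Host, used for site exclusions


@dataclass(frozen=True)
class FwRule:
    action: str                                # "allow" or "block"
    dst_net: Optional[str] = None              # layer 3 clause; None = any destination
    proto: Optional[str] = None                # layer 4 clause; None = any protocol
    ports: FrozenSet[int] = frozenset()        # layer 4 clause; empty = any port
    apps: FrozenSet[str] = frozenset()         # layer 7 clause; empty = any application


# Constructed exclusions: traffic the client sends directly instead of through the tunnel.
SITE_EXCLUSIONS = frozenset({"intranet.example.test"})
NET_EXCLUSIONS = (ip_network("192.168.0.0/16"),)


def steer(flow: Flow) -> str:
    """Where the client sends a flow: 'direct' (tunnel bypass), 'swg' or 'cdfw'."""
    if flow.sni in SITE_EXCLUSIONS:
        return "direct"
    if any(ip_address(flow.dst_ip) in net for net in NET_EXCLUSIONS):
        return "direct"
    if flow.proto == "tcp" and flow.dst_port in (80, 443):
        return "swg"
    return "cdfw"


def cdfw_decision(rules, flow: Flow) -> str:
    """First-match evaluation of L3/L4/L7 clauses; a flow no rule matches is blocked."""
    dst = ip_address(flow.dst_ip)
    for rule in rules:
        if rule.dst_net is not None and dst not in ip_network(rule.dst_net):
            continue
        if rule.proto is not None and rule.proto != flow.proto:
            continue
        if rule.ports and flow.dst_port not in rule.ports:
            continue
        if rule.apps and flow.app not in rule.apps:
            continue
        return rule.action
    return "block"


# Constructed policy: block high-risk applications by L7 identity, block telnet
# by port, then an explicit catch-all allow for outbound internet traffic.
POLICY = (
    FwRule("block", apps=frozenset({"bittorrent", "tor"})),
    FwRule("block", proto="tcp", ports=frozenset({23})),
    FwRule("allow", dst_net="0.0.0.0/0"),
)


def handle(flow: Flow) -> str:
    """Combined result for one flow: 'direct', 'swg', 'cdfw:allow' or 'cdfw:block'."""
    path = steer(flow)
    if path != "cdfw":
        return path
    return f"cdfw:{cdfw_decision(POLICY, flow)}"


def demo():
    """Constructed flows from a device behind the tunnel; returns name -> result."""
    flows = {
        "https_to_saas": Flow("203.0.113.10", 443, "tcp", app="http", sni="mail.example.test"),
        "excluded_site": Flow("203.0.113.10", 443, "tcp", app="http", sni="intranet.example.test"),
        "lan_smb": Flow("192.168.1.5", 445, "tcp", app="smb"),
        "bittorrent": Flow("203.0.113.20", 6881, "tcp", app="bittorrent"),
        "telnet": Flow("203.0.113.20", 23, "tcp"),
        "ssh": Flow("203.0.113.20", 22, "tcp", app="ssh"),
        "dns": Flow("198.51.100.5", 53, "udp", app="dns"),
    }
    return {name: handle(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

Two things the model makes visible: a flow that matches an exclusion is never seen by either the SWG or the firewall, so exclusions are trust decisions and should be as narrow as possible (the SNI/Host value is supplied by software on the client); and a blocked application that rides on 80/443 is a job for the SWG path, since the firewall rules here only see non-web traffic.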
Secure web gateway (SWG)
Multiple functions and aggregated reporting
• Malware scanning includes two anti-virus engines and Secure Endpoint (Cisco® AMP) lookup
• File type controls
• Full or selective SSL decryption
• Category or URL filtering for content control
• Secure Malware Analytics (formerly Threat Grid) file sandboxing
• Application visibility and granular controls
• Full URL-level reporting

[Diagram: on/off network devices → endpoint tunnels via Cisco AnyConnect® → Cisco+ Secure Connect Now → Internet/SaaS]

Content categories
• Apply policy to many sites
• Content categories are used for "acceptable use policies"
• Security categories are used for security policies
• Talos® categories are used for both content and security
• Over 100 categories
• Dynamic cloud updates (full dataset)

Inline data loss prevention
Cloud-native proxy DLP: leverages the SWG for connectivity, routing, and SSL decryption

Robust DLP classification
• 80+ built-in data classifiers
• Custom keywords

Flexible DLP policy
• Apply to specific identities and destinations with defined data classifications

Robust reporting
• Includes identity, file name, destination, classification, pattern match, excerpt, triggered rule, and more

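The three pieces on this slide (classifiers plus custom keywords, a policy scoped to identities and destinations, and a report that names the identity, file, destination, classification, pattern match, excerpt and triggered rule) fit together as shown in the following added example. It is written for this page and is not Cisco code or the product's classifier set: the payment card classifier, the keyword list, the policy and the sample uploads are constructed, and the engine assumes the SWG has already decrypted the TLS session so the body is visible.

```python
# Added example, not Cisco code: an inline DLP check in the shape the slides
# describe. Built-in classifiers (here a Luhn-validated payment card pattern)
# plus custom keywords, a policy scoped to identities and destinations, and a
# report carrying identity, file name, destination, classification, pattern
# match, excerpt and triggered rule. Classifiers, policy and sample uploads are
# constructed; the engine assumes the SWG has already decrypted TLS.
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence

CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop look-alike digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the DLP report itself does not leak the data."""
    return "*" * max(0, len(value) - 4) + value[-4:]


@dataclass(frozen=True)
class Finding:
    classification: str
    pattern_match: str   # masked for sensitive classifiers
    excerpt: str         # surrounding text with the match shown as in pattern_match


def _finding(classification: str, text: str, m: "re.Match", redact: bool, ctx: int = 10) -> Finding:
    shown = mask(m.group()) if redact else m.group()
    excerpt = text[max(0, m.start() - ctx):m.start()] + shown + text[m.end():m.end() + ctx]
    return Finding(classification, shown, excerpt)


def classify(text: str, custom_keywords: Sequence[str] = ()) -> List[Finding]:
    """Built-in classifier (payment_card) plus custom keyword classifier (custom_keyword)."""
    findings = [_finding("payment_card", text, m, redact=True)
                for m in CARD_RE.finditer(text) if luhn_ok(re.sub(r"[ -]", "", m.group()))]
    for kw in custom_keywords:
        findings += [_finding("custom_keyword", text, m, redact=False)
                     for m in re.finditer(re.escape(kw), text, re.IGNORECASE)]
    return findings


@dataclass(frozen=True)
class DlpRule:
    name: str
    identities: FrozenSet[str]       # users or groups in scope
    destinations: FrozenSet[str]     # destination hosts in scope; "*" = any
    classifications: FrozenSet[str]  # any one of these present triggers the rule
    action: str = "block"


@dataclass(frozen=True)
class Upload:
    user: str
    groups: FrozenSet[str]
    destination: str                 # host seen after SSL decryption at the SWG
    file_name: str
    body: str


def inspect(rules, upload: Upload, custom_keywords: Sequence[str] = ()) -> dict:
    """Apply the first in-scope rule whose classifications appear in the upload."""
    findings = classify(upload.body, custom_keywords)
    report = {"identity": upload.user, "file_name": upload.file_name,
              "destination": upload.destination, "action": "allow",
              "triggered_rule": None, "findings": []}
    for rule in rules:
        in_scope = upload.user in rule.identities or bool(rule.identities & upload.groups)
        dest_ok = "*" in rule.destinations or upload.destination in rule.destinations
        hits = [f for f in findings if f.classification in rule.classifications]
        if in_scope and dest_ok and hits:
            report.update(action=rule.action, triggered_rule=rule.name, findings=hits)
            break
    return report


POLICY = (
    DlpRule("finance-cards-to-unsanctioned-storage", frozenset({"finance"}),
            frozenset({"dropbox.com", "pastebin.com"}), frozenset({"payment_card"})),
    DlpRule("project-codename-anywhere", frozenset({"employees"}),
            frozenset({"*"}), frozenset({"custom_keyword"})),
)
KEYWORDS = ("Project Falcon",)
# Constructed body: one Luhn-valid test card number and one digit run that is not a card.
BODY = "Refund batch: card 4111 1111 1111 1111 approved; ref 1234 5678 9012 3456 pending."


def demo():
    """Constructed uploads; returns name -> report dict."""
    fin, eng = frozenset({"finance", "employees"}), frozenset({"engineering", "employees"})
    uploads = {
        "finance_to_dropbox": Upload("alice", fin, "dropbox.com", "refunds.csv", BODY),
        "finance_to_sanctioned": Upload("alice", fin, "sharepoint.example.test", "refunds.csv", BODY),
        "engineer_to_dropbox": Upload("bob", eng, "dropbox.com", "notes.txt", BODY),
        "codename_to_slack": Upload("bob", eng, "slack.com", "plan.md", "Draft roadmap for project falcon Q3"),
    }
    return {name: inspect(POLICY, u, KEYWORDS) for name, u in uploads.items()}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report["action"], report["triggered_rule"], report["findings"])
```

Note what the identity and destination scoping does: the same card-bearing file is blocked for a finance user going to Dropbox, allowed for that user going to the sanctioned SharePoint host, and allowed for an engineer going to Dropbox, because no rule in scope asks for that classification. Also note that this engine only sees what the SWG decrypts, so any host placed on a selective-decryption bypass list is invisible to DLP.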
Application discovery and controls
Visibility into shadow IT and control of cloud applications
• Full list of cloud applications in use
• Reports by category and risk level
• Number of users and amount of incoming and outgoing traffic
• Blocking of high-risk categories or individual applications

Granular controls for over 40 popular SaaS applications (CASB)
• Block posts/shares to social media applications
• Block attachments to webmail applications
• Block uploads to cloud storage, collaboration, office productivity, content management, and media applications

[Diagram: download and upload actions between a user and a partner's cloud storage]

Examples: Box, Twitter, Dropbox, Pinterest, Messenger, Gmail, Facebook, LinkedIn, Slack, Instagram, Google Drive, SlideShare, YouTube, Vimeo, WhatsApp, Smartsheet, Pastebin

Cisco AnyConnect (Cisco Secure Client)
Entitlement is included for use with subscription
• Cisco AnyConnect® can be used across an entire enterprise.
• Both remote access and secure web gateway services coexist.
• Protect assets on or off network.
• Roaming security offers always-on protection (Web & DNS).
• OS support: Windows, macOS, Linux, iOS, Android*

* Roaming security module support limited to Windows and macOS

Cisco Secure Client – Coming Soon
• Cloud managed endpoint
• Unified client: AnyConnect + AMP4E
• Group based endpoint policies
• Included with Cisco+ Secure Connect Now

Demo: Browser-based access (ZTNA)

Recorded demo links
• Recorded demos with narration are available on my blog at www.ericeddy.blog

Recorded demo: end user browser-based access (WIP)
Recorded demo: admin config browser-based access (WIP)

Demo: Remote Access
Remote access config

Wrap up & Call to Action

Summary: Cisco+ Secure Connect Now
A unified, turn-key SASE solution for driving better IT outcomes
• Broad security controls: ZTNA, RA-VPN, SWG & DLP
• Simplified & centralized visibility and management
• Unified networking & security with traffic optimization
Complete SASE solution in a single subscription

The Cisco advantage
• Fast deployment, simple management
• Uncompromised user and administrator experience
• Best security protection
• Easy to consume

Only Cisco leads in bringing together security and networking through a unified approach that empowers businesses to easily and securely connect users and things to applications.

Call to Action
• Visit the Cisco SASE Showcase for additional demos
• Talk to your sales rep about a proof of value
• Come ask me questions and speak with our UX team
• Visit the product page at www.cisco.com/go/secureconnect

Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

Thank you
#CiscoLive