Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
All right, so good afternoon.
(00:01):
It is October 30th, 2024.
Happy early Halloween, everybody.
Welcome to the Security 45 show
where we cover a new security topic every month
in 45 minutes or less.
We've got a Halloween themed presentation today
on the spookiest of topics, Cisco Secure Access.
(00:23):
With us, we've got two award-winning guests
returning for their second appearance on the show,
David the Ghost Keller and Justin Plants vs. Zombies Murphy.
For those that are doing the audio playback
and you can't see the video,
you have no idea what I'm talking about.
Andres, let me kick it over to you.
Thank you, Mike, and thank you guys for being here.
(00:44):
Well, welcome to the show.
We're super excited.
We're gonna talk about Secure Access today.
This is, I guess, from our perspective,
is something that we're seeing definitely a lot more
and a lot more with our customers, partners,
and everybody inside of Cisco.
It's just a lot of crazy information
(01:05):
and a lot of technologies
that we're just putting together into one place.
But hey, that's what we're gonna be talking today.
This is our round number two on Secure Access.
We do have new questions.
We have more information that we can,
that we're gonna find out today from our guests.
And I guess let's kick it off.
(01:26):
Yeah, and we had Justin and David, welcome back.
We had you guys back last October on the show
and that was a great, Secure Access was newer then
and it was great to see Cisco bringing a lot
of security technologies into kind of one dashboard.
So we're excited to hear a little bit about the updates.
(01:48):
Andres, I just do wanna point out
you look almost identical to Harry Potter.
I keep thinking you are Harry Potter there.
And David with the background, the transparency,
you got that.
Also, I will point out Justin Murphy
made that Plants vs. Zombies on the back
while they're out of old school paper mache.
So kudos to that.
I thought I was being cool with my fireman outfit.
But well, guys, October is Cybersecurity Awareness Month.
(02:14):
At Cisco, we talk about if it's connected, it's protected.
Justin, I'll give this first one to you or David,
whoever wants to take this first one,
but describe what we're actually connecting
into Secure Access.
Sure, so the idea is to connect everything
(02:35):
to anything that it needs to connect to, right?
So we're talking about end users, we're talking about IoT,
we're talking about mobile devices,
all connecting to web apps, RDP, anything.
Anything that they need to get to on the other end,
whether it's SaaS in your own private data centers
(02:56):
or in public cloud, right?
So there are a lot of different mechanisms
that we've talked about to make this happen, right?
Whether it's VPN or ZTA
and some of the underlying protocols like IPsec
and QUIC and MASQUE and all of that.
We've been connecting them since our last conversation,
(03:17):
but we've advanced more as we go through,
whether it's auth methods, including like RADIUS
and some cert-based auth enhancements,
as well as just so that we know who they are
and are able to get users in a lot of cases
connected more smoothly, right?
In the case of cert-based auth
(03:39):
or to make the transition smoother in the case of RADIUS.
If you're used to on-prem RADIUS-based auth for your VPN,
users can or admin can configure that
and have that run up and running much quicker
than maybe moving to a SAML solution, right?
So that's where we're going.
There's a lot more enhancements there
(04:00):
with our IPsec tunnels and our resource connectors,
I believe weren't out at that point either,
which helps get you that app connectivity over ZTA.
But I'll pass it over to David or Mike,
if you want me to dig deeper into any of those things, I can.
Yeah, so for those that missed the first webinar
and haven't seen Secure Access from Cisco,
(04:22):
there's two primary use cases
when we're talking about connecting to Secure Access.
And to preface, Secure Access
is Cisco's Security Services Edge solution,
which would be cloud-hosted security services.
So from a use case perspective,
we're talking about internet access and private access,
where private access would be,
being able to utilize resources that are hosted internally,
(04:43):
which would be those that you'd have access to
if you were traditionally on network
or connected via remote access VPN.
So when Justin's talking about the connectivity methods,
he's referring to different ways
to either connect to Secure Access
to get access to either those internet or private resources,
and then the means in which Secure Access
(05:04):
connects back to your network,
either via tunnel or that resource connector.
And then of course, on top of that,
the different security services
and kind of how those services are delivered can vary.
But yeah, it's all about connectivity.
That's cool.
And certainly about the flexibility as well,
(05:24):
certainly an overarching kind of product
where you can connect in through different methods,
roaming users, on-prem sites.
You guys already mentioned like the network tunnel,
which is an IPsec tunnel, versus that resource connector.
But yeah, connecting anything to everything solution.
(05:45):
I think we're gonna talk on this a little bit later as well,
but it sounds like there's a lot with Secure Access,
but the overarching goal and direction that Cisco's going
in general from a strategy perspective
is to kind of move towards simplicity.
And so the end users don't have to really think
about how they're connecting to those resources.
The administrators have flexibility,
but there's not like a ton of different steps,
(06:06):
and there's no like fixed cookie cutter way to deploy it,
where you have to do one thing or the other.
If you just want that Secure Private Access initially,
there's ways to set that up.
And maybe you only need the ZTA,
either client-based or clientless,
and the resource connector, maybe use the tunnel
if you wanna have remote access VPN.
There's a lot of different ways to set that up.
(06:29):
Then it all is just geared toward flexibility
and then simplicity.
That's great information.
Thank you for that, David.
I actually wanted to ask another question
that it's in everybody's minds today,
and it's the security aspect,
and probably just diving deep into the actual product,
(06:51):
into Secure Access.
What are the security features that you guys see?
And I guess this will be for you, David,
or Justin, if you wanna take on that.
But what exactly does the Zero Trust access mean
in this product?
Yeah, yeah.
So from a security perspective,
(07:12):
there's a handful of ways you can really break it down.
Starting with the Zero Trust,
that is, I always think of it in terms of private access,
but it can apply to internet access as well,
because there are policies you can set
based on user identity for what people can access
on the internet.
So you could consider that as being tied to Zero Trust,
because you're minimizing how much a user can access
(07:34):
based on their role or function
or whatever else you wanna break it down by.
It can also be tied to the private access, though,
and that's what I typically think of.
And that's where we're looking at,
not only is the user who they say they are,
and with Secure Access,
you can bring your own identity provider for SAML.
You can use RADIUS or cert-based authentication
for Remote Access VPN.
(07:56):
You can add MFA, so if you were to use something like Duo
for SSL, you could have MFA there.
And then for each of the connection methods,
there are varying posture controls you could use.
So is this user on a version of an operating system
that we want to allow access to this resource,
or are they super out of date
(08:16):
and that's too high of a risk
and we don't wanna allow access with that?
So it's minimizing both based on who the user is,
but then also on additional factors related to risk.
And there are, of course,
other things we're looking at in the future
that I don't know if we can talk about today,
but we're constantly looking for ways to increase
(08:40):
how much visibility we have into that risk
and offering ways to control it.
Yeah, and go ahead.
Oh, I was just gonna mention from the other security side,
there's of course a lot of the same security controls
that we had from the Umbrella security gateway
which were rebuilt for purpose for Secure Access
inside the Secure Access environments,
offering things like the DNS security,
the secure web gateway, which of course has full decryption,
(09:03):
to file analysis, sandboxing, remote browser isolation,
file type controls.
There's the firewall as a service component to it,
data loss prevention.
There's all kinds of other controls that can be utilized
depending on the traffic flow
and the policy that's being set.
Excellent, just to expand on that a little bit,
all of those controls that David's talking about,
(09:24):
Secure Access is taking an approach of simplicity
as he mentioned earlier, where it's a unified policy.
So you don't have to worry about what the tool is,
whether it's the firewall, the proxy, DNS,
what's controlling that.
You just configure what you want to happen,
who you want to have access to, what,
and what the action needs to be
and what sort of inspection needs to happen.
(09:44):
And all of that happens in the process,
and all of that happens
in the background.
It is good to be aware of kind of how all of that works.
However, you don't have to be, you're just creating
a flow of who gets to what and what action happens
in between in order for all of those pieces to occur.
And then just to dig a little deeper into some enhancements
(10:08):
that we've made since our last conversation,
one of them is in the secure private access realm
where before we were just sort of, hey,
you are either allowed or not allowed to get to this
based on your posture or user identity.
Now we're actually putting, with IPS,
and now we're actually putting some proxy capabilities
in line where we can analyze and block file types,
(10:32):
as well as malicious files trying to be uploaded
to maybe some local file stores or things like that
so that we can catch them on the way in
or out of your file store, right?
So those types of things are being added in
and that'll continue to be enhanced
with more capabilities like DLP
and some of the things that you're used to
on the secure internet access side.
(10:54):
And with the secure internet access side,
actually DLP has come a long way, right?
So with data loss prevention, we started out
with just sort of standard categories
that were based on-
Data classifiers and-
Yeah, yep, classifiers and everything
that were already predetermined
(11:15):
and you could make some regex entries and things like that,
but now we've gone to being able to see,
to categorizing AI type destinations,
being able to upload like exact data match
and index data match type files
so that you can have a lot more flexibility there.
And then beyond that, we've actually implemented some AI
(11:37):
to analyze things like IRS forms
and other types of standard forms
that we can train an AI to recognize
so that you don't have to try to match something
on the actual document itself.
It's going to intelligently figure out,
okay, this is very close to what I've seen before, right?
And it could be a combination of factors
(11:58):
depending on what form it is, right?
So there's a lot of enhancements continuously going in there.
The final one that I've seen was OCR, right?
So now if the text is in an image,
whether it's PDF, JPEG, and several other formats,
we can pull that out and be able to recognize,
hey, that's a credit card number.
(12:18):
We need to block that from going up
to this third-party file share site, right?
So there's a lot of enhancements going into that security,
security pathway that we're using in Secure Access
on both sides of the internet and private access.
And to tie back to the policy a little bit as well,
(12:39):
not only is it a single policy stack
where it's intent-based, it's based on user action destination
and then the controls you wanna have in place with it,
but Cisco's going a step further in adding an AI assistant
that will eventually be uniform across multiple things
in this Cisco security stack as we get into things
(12:59):
that I don't know if they're fully out yet,
but it's going a step further to help administrators
see kind of what's being utilized,
where's the redundancy, where can I place a rule,
change a rule, what would the impact of the rule be?
So not only can you block something,
but you can also make sure that you are doing the thing
that you want to be doing.
(13:22):
Absolutely, yeah, that's definitely coming to Secure Access.
You may have seen some of those features
in the Cisco Secure Firewall.
They've been implemented there more comprehensively today,
but we're definitely working on all aspects, actually,
of the dashboard, not just policy,
but also experience insights and things like that,
which we'll probably get into a little bit later
(13:42):
to be able to analyze reporting and logs
and user experience so that we can help administrators
understand how their users are accessing applications,
how their policies are being used
and where there may be redundancies or inefficiencies.
And I'm a little bit of a fraud
because I always forget this
and it's an important part of security,
but availability is like one of the three aspects
(14:04):
of the CIA triad, because I'm lazy, Justin,
would you mind talking a little bit
about Experience Insights and how that would relate
to availability and experience for end users
and how an administrator could leverage those?
Sure, so with Experience Insights,
we've taken our capabilities within ThousandEyes
and integrated them into Secure Access.
(14:25):
So it's all within the Secure Access dashboard
and integrates with the Secure Client
that you deploy to your users,
the same one that you use for VPN and ZTA.
And what it does is it runs two standard tests
from those clients, right?
So it'll check and make sure that, hey,
if they're using Webex or they're using some other
(14:49):
video conferencing software, what their experience is there,
what delay they had over time.
So you're able to see whether or not
they're having a good experience on conversations
like this webinar, as well as other internal meetings.
And then you're able to also see what their experience is
to Secure Access with one of our standard tests as well.
(15:12):
So are they able to get to their closest
Secure Access data center?
And is there a particular amount of delay there?
On top of that, monitoring the resources on the device.
So right now we're showing summary information
about CPU utilization, what their network experience is
(15:33):
or configuration is, whether it's one gig,
a hundred meg, whatever on their device itself.
And so you can start seeing where with a map,
you can start seeing a delay,
where the delay might be occurring,
where they might be having issues.
Are they over utilizing their memory
because they have too many tabs open, things like that,
which would lead to a poor experience.
(15:54):
In the future, we're actually going to be able to show,
and actually not too far in the future
so I can talk about it.
We're gonna be able to show what specific processes
are being utilized on that device.
So more in-depth information on what exactly is going on
to help troubleshoot if somebody calls in and say,
hey, I'm having an issue or to proactively interact
(16:16):
with users if you wanna go and say,
hey, you need to reboot your machine
or you need to do this or that to help
if you're having issues, right?
And then we're also monitoring the delay between our cloud
and common cloud services based on every single region.
So you'll know when your users call in
(16:37):
from the East Coast of US,
or if they're calling in from somewhere in Europe,
hey, it looks like Secure Access
is having great response time from Google
or bad response time from Google in this particular region.
So you kind of know what could be the issue, right?
There's a lot to talk about here, David.
(16:57):
The final thing though that I'll mention
is that we did add custom tests
to the repertoire, I guess, of Experience Insights,
which gives you the ability to say,
okay, I want to make sure that X users
can get to this application
(17:18):
and you define the application by domain name or IP address
and give it a port number,
and you can do a full network map of that user's access
to that application real time
and set it to occur continuously as you need it
so that you can know and have historical data
on exactly if that user's having issues,
(17:40):
when they have issues, where they are when they have issues,
how they're connected,
all of that information with the full path
so that you can monitor either C-suite devices
or you can monitor somebody who's constantly calling in
and saying, hey, I can't get to Salesforce
or I can't get to X app.
Now you can have real data over time to say,
okay, yeah, when you're at Starbucks,
(18:01):
it doesn't work very well.
You can go work from home or whatever, right?
So you can have a lot more data
to be able to tell what's going on
as opposed to the internet's down
and the limited information that you have
on those remote users today.
So secure access being an all-in-one
kind of connectivity solution, security on top of it
(18:21):
and then it can also diagnose a lot of troubleshooting
like end user experience,
you mentioned even monitoring resources
on the local computer,
which could be the root cause of the experience
that they are going through.
That's great.
Absolutely.
We can try to build connectivity,
but if the end user doesn't have, you know,
(18:41):
a path to it, like it doesn't matter how secure it is,
they can't get to it.
So, you know, you've got all ports there.
And I know tomorrow we're doing the live demo.
So that'll, I think everyone's gonna really love
seeing that experience inside.
So I'm glad you brought that up, David.
All right, so back in 1999, 25 years ago,
there was a quote,
(19:02):
the worst enemy of security is complexity.
And then that quote goes on to say,
this has been true since the beginning of computers
and is likely to be true for the foreseeable future.
So related to that quote,
I know Secure Access has a strong focus on that simplicity
from the administrator experience,
(19:24):
as well as the just the end user experience.
We talked about a frictionless user experience.
Can you talk a little bit about how Secure Access
makes life less complex?
Maybe just a minute for both the users
and maybe the SecOps teams?
Sure, I'll talk about it from the admin and the SecOps side.
(19:46):
And David, I'll pass it over to you
to talk about the end user experience.
I'll just ramble.
Take it that way?
All right, so from a connectivity standpoint,
basically being able to define applications one time
and not have to revisit how they're being accessed
is key, right?
(20:06):
So normally you have a bunch of different tools
if they're accessing via VPN versus on-prem
versus some other access methods.
So you have to create new application definitions,
new rules that from an admin standpoint
is simplified in Secure Access, where you define it once,
you say how it's gonna be accessed,
and then you determine who can access that application
and what the criteria is.
(20:29):
When you're talking about connectivity,
we provide a couple of different methods, right?
So we make redundancy just built in,
just a no-brainer within Secure Access
by creating network tunnel groups, right?
So you connect up to regions
and each region has two availability zones.
Those availability zones are completely separated
(20:49):
physically from each other so that you can have connectivity,
you can build redundant tunnels that can fail over
in case there is something that happens on our side
or on your side, so, or on the far side
at the data center rather,
so that you do have that redundancy,
but we can make, but we make that simple and easy
every time you build one, you get all the information
(21:10):
you need to make that connectivity happen
and build those tunnels and share routes via BGP.
We do have some more flexibility there
depending on your connectivity method
and what your needs are with different tunnel types,
but we may dive deeper into that a little bit later
if we have time, but wait,
because I really wanna get to resource connectors.
(21:31):
Resource connectors really simplify the way you connect up
because the way those work is they're an all-in-one
virtual appliance that we actually can run in Azure,
AWS, or ESXi on VMware today,
and we have a containerized version
as well as TCP coming very shortly
(21:52):
where you basically deploy this all-in-one appliance,
virtual appliance, configure it up with an IP address,
put it on a subnet, and it checks in to Secure Access,
builds its own tunnel and basically creates a pathway
through your network to your applications
without needing to change firewall rules,
without needing to change routes or share anything.
(22:13):
You just say, hey, this application needs to be accessed
via this resource connector group
because we do deploy them in groups,
so the redundancy again is built in
as well as load balancing and everything else.
Once you have that connectivity in place,
users can connect to that application
that you're allowing through the platform.
And so David, I'll let you address
(22:35):
the user experience on that.
Before we go to David, real quick,
the resource connector, that's really cool.
So I don't even have to build a,
I've got some on-prem location.
I don't even need to manually build
an IPsec network tunnel into this.
Resource connector will expose the applications.
I wanna give my users access to it.
Absolutely, and with the way it's designed actually,
it not only gives you those benefits,
(22:57):
but also if you have an acquisition or for IP management,
you have duplicate IPs across parts of your network,
the resource connector can obfuscate all of that
from both the end user side and the application side.
So you no longer have to worry about
what the IP addresses are on both ends.
You can connect it up regardless.
It's awesome.
(23:17):
Yeah, and I would really say it's in line
with Cisco's overall strategy with security,
looking toward simplicity.
And like the administrator experience, right?
I think the overarching vision with Cisco
is that we will become a platform ecosystem
where you import or set up objects like once,
(23:38):
and you can use those across everything, right?
So, I mean, today you'd have to do a directory sync
with firewall, you'd have to do one with Secure Access,
you'd have to do one with Duo, you'd have to do one
with all, like every single layer,
and then have objects created for each
that you then have to reference to the policies.
I think the overarching goal is that you'll be able to have
(24:00):
all the objects that you use across all of them,
you'll be able to set a policy,
and that policy be implemented at each layer
that it made sense to apply that,
which is what we currently have today with Secure Access
when it comes to the DNS, the firewall traffic,
the Web Gateway, private access and internet access,
where you set the one rule for either internet or private,
(24:22):
and it applies that.
From a end user perspective,
I mean, remote access VPN is great for a lot of things.
It's still a better option for certain applications
or certain tasks you're trying to do,
but there can be a lot of friction for end users
(24:42):
with remote access VPN.
It can be generally annoying.
Even myself, right, I can get aggravated
having to hop on VPN, access something,
and then I wanna drop off it afterwards and whatever.
It's just kind of annoying.
With Secure Access, from the end user perspective,
there'll be a separate module,
and it's still using Secure Client,
(25:03):
which is a rebranding from AnyConnect.
The AnyConnect VPN component has been changed
into the name of the specific VPN module,
and then there's a separate zero trust access module
that would be used for the client-based access.
You would enroll and authenticate at the interval
determined by the administrator within the dashboard,
(25:24):
and then it does the rest, right?
So that can be weekly, it could be whatever they set,
and then when I go to build that connection,
it's going to dynamically build a per-session tunnel
using QUIC and MASQUE, which Justin talked about earlier,
to Secure Access, and it's gonna do the posture check,
(25:45):
and it's gonna build that gap, policies can be checked,
am I allowed access?
If not, I'm not gonna be allowed,
and then of course the traffic can be encrypted
and inspected with the other security controls.
So it's all with the goal of end users
not having to choose how they're connecting.
They log into the device, they enroll,
(26:06):
and then they just access things they need to for work,
and the posture controls, the security,
all that's applied without the end user
having to do anything.
And from an administrative perspective,
it's trying to make it as easy as possible
with the intent-based policy, the AI,
the common resources they can leverage
within the Secure Access dashboard,
future vision across multiple things.
(26:29):
So really trying to get that direction.
Now, I will say as an engineer myself,
engineer in air quotes,
those that don't know my background
in exercise and sports science,
and that doesn't really play that much of a part
in this role.
But complexity to me long felt like job security
(26:53):
because if things were complex, you had to have me.
You can't just replace me.
And so when the move to simplify things
like introducing GUI instead of CLI,
and now with AI, I've first experienced
a little bit of concern about
maybe my role will be seen as redundant
(27:14):
or I'll be kind of exited out,
but there's still gonna be the need to have
your design, decision-making,
how things should be implemented,
best practice for that implementation.
And I think it's making an opportunity
where as engineer, I can become less of a
fully technical, fully tactical resource
and then become more strategic,
(27:36):
more toward the business.
How can I on the engineering or security team
enable the business?
And instead of having to spend all my time
dealing with nerd knobs and how am I gonna deploy this thing
and read through a hundred pages of documentation
to do it and then break it and do it again
and then break it again and spend weeknights and stuff
just crying in the corner,
(27:59):
I'll instead be able to have an easier deployment,
reach those outcomes that we're looking to achieve
and be involved in bigger things
than just turning dials.
So it feels like an opportunity to do more
and to do it better.
(28:19):
Not only that, but it's also helping balance out
the number of tools.
I feel like no one talks about it,
but in my opinion, back in the day,
when you first started networking,
it was, you had a handful of devices on the network,
you had phones connected to switches
and then you had a computer connected to the phone
and it was like layer two.
You had VLANs you had to worry about,
you had voice VLANs,
(28:40):
like it's a different game out there these days.
So having these additional things trying to make it simpler
and easier to use offsets that
because now there's dozens of tools you have to leverage
and it's not just a firewall on your network
you have to deal with.
Yeah, absolutely.
Just real quick, that makes you, right, an enabler
(29:01):
instead of a blocker
and a lot of these types of applications
and types of business needs, right?
And so that I don't know that I've ever been on a team
where we've been able to do every project
that was put forth to us,
not that we didn't want to, but we just didn't have time.
So this simplification definitely gives you that time
to be able to address some of those additional asks
(29:23):
and be able to think about what your,
again, what your business needs and security needs are
and make sure that those are in alignment
as opposed to just putting out fires
and trying to just manage the complexity always.
Yeah.
This definitely talks really good about simplification
(29:45):
and all the things that can be just made easier.
I know we talked a little bit about the resource connectors
and also the way that the users connect to the solutions.
It's very, remove some of the friction
and we've seen that
and we're gonna see some of that tomorrow
just on the demo.
(30:06):
But the other question that I have in this one,
it's kind of interesting,
this is kind of like a report that we saw back in 2022.
It's a Gartner survey that showed 75% of organizations
are pursuing security vendor consolidation.
And I'm pretty sure a lot of you on this webinar
(30:29):
have heard about that, have seen that
and we're thinking that a lot,
that that number is gonna grow with time
and then customers are really seeing the benefit
and that's one of the things that we have with,
for example, Secure Access.
But if you don't mind, I think David, you're next.
(30:53):
What are the products that you think
it's gonna help customers replace
or consolidate with Secure Access?
Yeah, yes, I mean, as far as cloud-hosted security services
go, there's a lot of stuff that you get
within the single dashboard.
There is DNS layer security,
again, building off what we had with Umbrella,
(31:14):
formerly OpenDNS.
We have the secure web gateway from Umbrella as well
that's been added, so that's full proxy.
You have traffic decryption, including TLS 1.3.
You have file analysis, you have sandboxing
using Secure Malware Analytics.
You have, you know, formerly Threat Grid,
and then file analysis is through Advanced Malware Protection,
but there's also, I think, some other file scanning with AV,
(31:37):
but I digress.
You have DLP, both out of band using API
for SaaS applications, it is like seven now,
as well as cloud malware detection,
again, using the same API for the same applications,
where it is able to look at files
that are being hosted on the cloud storage.
So you have out of band CASB controls there,
as well as real-time or inline DLP
(31:58):
that's inline with the web proxy,
so we can look at files that are being uploaded,
we're able to look at web forms
that are being put in posts on web pages
for the different data classifiers that,
or identifiers that Justin talked about earlier.
We have the firewall as a service,
which has layer three, layer four, and layer seven controls,
as well as IDS and IPS using Snort 3.
(32:20):
You have remote access controls,
so you have the remote access VPN as a service
where you can use Secure Access as the head end,
instead of having a head end on-premise,
and then you can provide backhaul connectivity
to any device that can pretty much build an IPsec tunnel.
To us, in addition to the ZTA,
(32:43):
and with the ZTA, we have both client-based,
using the ZTA module that can,
in most cases, client to server application
that can leverage it,
and then you have browser-based,
which today is web applications,
but they're expanding that very shortly.
I'll let Justin talk on that if we're able to.
(33:07):
Am I missing anything?
Oh, experience monitoring,
so you have the ThousandEyes endpoint component,
you have all the reporting that's in there,
both from a security perspective,
from an app discovery perspective,
all of that can be pulled into a SIEM or a SOAR,
you have an S3 bucket you can use,
either from Cisco or you can bring your own,
so you can ingest all of that there.
Anything else?
(33:28):
So I will just add the roaming module
in case there's devices that you want to,
have that continuous DNS and SWG
or web proxy analysis going on,
so there's a lot of different pieces together,
and what all of this means is that now,
if you have branches that you used to have to manage
decryption or put larger boxes in
(33:50):
because you needed local security on,
now you can build tunnels up to secure access
and have a smaller box and have a unified policy.
You may not have been able to,
across your distributed firewalls, proxies, VPN services,
have a single place to configure, single policy,
so we can consolidate all of those things
and replace the need for the hardware that you need,
(34:13):
the hardware replacement in case of,
and management in the case of like VPNs
and proxies and things like that.
Instead now just provide a method,
whether it's, again, whether it's an edge device,
like a Catalyst ISR,
whether it's a firewall connected up to us
and or a resource connector out of your ESXi host,
(34:35):
and you don't, and everything else is taken care of
in the cloud and you just worry about policy,
and what is best for your business, again,
so that you don't have to decide on new hardware every year
and figure out all of the different pieces
on what you're trying to support at the different sites
and having a disconnected experience for your users.
Yeah, and tied to the intent-based policy aspect, right?
(34:58):
You have all those controls,
but when you set like the internet access rule
and you say, David cannot access YouTube, right?
That action will be taken wherever the traffic is seen.
So if we see a DNS request, you know,
trying to resolve YouTube.com, we're gonna block it.
If we were to see, you know,
layer three, layer four traffic related to it,
we can take an action on it.
(35:18):
If you were to see web traffic related to it,
we can take an action on it.
And so you're not having to choose the layer
with which you want to apply that.
It's going to do that for you.
And then of course, in the report,
you can see where the action was taken itself
based on just, you know, breaking it down.
That's a great point.
In the intent-based policy,
you guys talking about that unified policy,
(35:39):
I just put it in the policy.
I don't need to worry about like where this is happening
in the network or at what layer.
So, I mean, message on simplicity there.
Now AWS is where secure access lives, right?
Well, yes or no?
So that's actually changing.
We will continue to stay in AWS
(36:00):
and that is a long-term plan
to continue to leverage their network, right?
Because AWS does have a lot of peering relationships.
We can add those to our peering relationships
and we can stand up in different regions
very quickly through AWS.
But we also don't want to be completely reliant
on a single public cloud.
(36:21):
So actually just this last week,
we announced that we're in four new data centers
that are our own edge data centers, right?
So the reason we're in four is because we're in two regions.
We stood up US East and US West first.
So we're in places like LA and San Jose and Reston.
And I think DC.
(36:41):
And so those are our data centers.
There are hardware, there are hypervisor, everything.
But it's still the same secure access on the top layer.
So we've been able to abstract the,
or yeah, create the ability to have a generalized version
of our cloud security platform to be anywhere, right?
(37:02):
And we can manage just a single deployment
so that we can keep everything up to date and sync.
There's not gonna be a difference in service
between one cloud or one region versus the other.
Everything's gonna continue to be seamless
and you don't have to worry about
where you need to connect up.
We handle that distribution
(37:23):
and we're gonna continue to move through
our edge data centers throughout the year.
The plan is to have around 12 more.
So if you think about how quick that is
compared to some of the other cloud solutions,
even Umbrella, when we were trying to deploy that
and we were talking to customers like,
hey, we need this in this region,
it would take us a year or more
to get even just a couple data centers stood up.
(37:44):
So we're rapidly expanding our footprint
across both AWS and our edge data centers.
And you may see us in other public clouds in the future.
And yeah, I'll leave it at that for now.
And so there's a lot of big things to come.
We're able, we're very flexible
and can provide that connectivity and redundancy
(38:06):
wherever users are.
That's pretty awesome.
Yeah, that actually resonates with a lot of our customers
and just that we are the ones doing it also.
So that's pretty cool to hear about.
It's the Cisco cloud I was gonna call it.
Exactly, exactly.
The world is hybrid, so we are too, right?
(38:27):
Whether you're a worker or you're cloud, you're hybrid.
That's so true.
Cool, cool.
Now, I do have another thing that if David or you Justin
can talk a little bit about,
and this is about SSL decryption.
I was talking to a customer last week about this
precisely a few, I think it was last week
(38:50):
or a few days ago, and they wanted to understand
a little bit more of how we do the SSL decryption
if anything with secure access.
And if you guys don't mind going over
just the highlight details, that'll be awesome.
I mean, so I can't tell you exactly how we do it
on the backend because proprietary,
but I can say there's two aspects to it.
(39:14):
Today, the firewall layer three, layer four decryption
is global across the dash.
So if you enable it, it's decrypted everywhere.
And then for the web traffic, we can determine per policy
that's set or per rule within the policy stack
where you wanna have it enabled.
And so once you have it enabled,
there's also the aspect of choosing what to not decrypt.
(39:38):
And so by default, it's gonna be everything.
And then you can choose to selectively
not decrypt specific destinations.
And so often that would be things like healthcare or finance.
Sometimes you might see like social media, web email.
It really comes down to the organization
and where they are located,
will kind of inform what they can decrypt and look at.
(40:00):
And then also the vertical, right?
If you're healthcare or a bank or something,
you probably wanna decrypt that
because you care about PHI being exfiltrated
and that's something you wanna have visibility into.
But you can choose to not decrypt certain traffic
and after you set that component.
And just to add to that, the functionality aspect
(40:23):
is we do fully decrypt TLS 1.3 today.
And with decryption within the web proxy,
it gives us a lot of advanced capabilities
to be able to block Facebook Messenger
and not just all of Facebook
or block different aspects of an application.
Hey, you can get to Dropbox and download,
but you can't upload to it, right?
(40:44):
So you have some more advanced controls
and we handle the scalability.
So whether it's decryption in our IPS or in the web proxy,
or even connecting up VPN users
when everybody all of a sudden works from home, right?
We handle that scalability in our cloud.
The admin no longer has to worry about,
we had 50 users going to this page yesterday
(41:07):
and it was getting decrypted.
Today we have 5,000, right?
Or we had 50 users working from home, now we have 5,000.
Secure access will dynamically expand and scale
to be able to handle that traffic, handle that decryption,
and you no longer have to worry about your boxes turning over
or a poor user experience
just because your traffic flows and destinations have changed.
(41:31):
Yeah, and that's-
Go ahead, David, go ahead.
I was gonna say, that's an aspect
I hadn't actually considered in my answer was that
as the quantity of internet traffic
that's encrypted increases
and the need for decrypting that traffic for inspections,
if you don't know what's inside it,
you don't know if it's malicious or not.
And now with Firepower, there's methods
(41:53):
to get visibility into encrypted traffic
without having to decrypt it.
But I've seen a lot of organizations
will leverage secure access for internet access
for branch sites or even their main sites
and offload that web decryption to secure access
rather than enabling it on the edge device.
(42:14):
Even going a step past what you might see with a branch
where they wanna do a bring your own SD-WAN
to make a secure access service edge solution
where you have both the networking and the security side
and you're wanting to offer security services
for that branch that are having to add a firewall online
or enable it on an edge device.
(42:36):
Now you can also offload decryption to secure access
and it does that scalability that
or offers a scalability that Justin mentioned.
Yeah, and we have to talk about that
because I mean, Google says 95% of the traffic it sees
is encrypted.
So you can write all the great policies
in the world that you want
and they can be bypassed by very common encryption otherwise.
(42:56):
So I think that's a really important point
that we're talking about.
And I think part of the reason why both Justin and I
have mentioned that specifically that we support TLS 1.3
is for those that aren't familiar with the TLS standards.
With TLS 1.2 and below, the Server Name Indicator,
or SNI, could be seen;
it should be seen in the earlier handshakes
(43:18):
for establishing the TLS encryption
for the session with the web server,
you can see the SNI.
And so you could see the SNI
the end user was communicating with
even without decryption.
And so when I reach out to the web server for Facebook,
you would know that I'm communicating with Facebook.
And so you could have like content level controls
(43:38):
without having to decrypt.
With TLS 1.3, that entire payload is encrypted.
And so you no longer have that visibility
unless you're decrypting it
or you're doing some of the fun stuff
that Cisco does with the encrypted visibility engine
that I'm not gonna tell you how we do
because I have a mortgage.
Well, that's awesome.
(43:59):
But no, that's great.
The encrypted conversation just comes up more and more
because that's what most traffic is.
We didn't have this conversation 10 years ago
and everything was clear text.
Okay, so guys, great conversation today.
I have so many more questions I wanna ask you guys,
but for the sake of time,
(44:20):
Andres probably get into the Halloween questions
at this time.
I'll take the first one.
David, I'll ask you this.
If you could pick one candy when you go trick or treating
that you don't wanna get, what would it be?
Oh, a candy that I do not wanna get.
(44:43):
Oh, geez.
I never liked the candy that was in the wrapped plastic
because it just felt less sanitary.
I was a fat kid, so I still ate it,
but I didn't really like it as much
because it just seems like, you know.
Yeah.
What about a Tootsie Roll of something?
(45:04):
You're not talking about that, but like a...
Yeah, yeah, like Tootsie Roll,
like wrapped popcorn,
like the bag of popcorn somebody made.
Because someone could unwrap it, do something,
and then put it back.
Yeah, yeah, like sometimes I buy that candy at the store,
and some of them are unwrapped in the bag by accident.
I don't wanna accidentally get your fingerprints
in my candy, you know?
Yes.
Those are the ones that I'm used to.
(45:26):
I like the ones where I can press on the bag,
and it still has the air seal.
I'm like, this still has the air seal.
Yeah.
I don't know who's opened this.
All right.
I thought maybe you were gonna say the candy corn thing.
I know a lot of people.
Look, again, I was a fat kid, man.
I loved the candy corn.
It was just strange.
I was like, there's a reason why I had weight problems.
You know, like it was delicious, I'm gonna tell you.
(45:49):
There's a huge debate on that one.
I've seen that.
Yes.
Whether candy corn's good or not, I haven't seen that,
but I can imagine, yeah.
Cool, cool, cool.
I do have the next one, and this one's simple,
and for you, Justin.
If, so classic movie monster,
(46:11):
which one would you want to be in?
Why Dracula or werewolf?
Or if you have another one, that would be nice too.
I'm glad you gave me a choice,
because there's, go ahead, David.
Oh, I just wanted to make sure we verify,
like Nosferatu, Dracula, or like, you know,
Dracula where you have like the big cow in the suit.
(46:32):
Right.
I guess that would go into my reasons, right?
Like, if you want to be like,
interviewing with the vampire vampire
or something like that.
Exactly.
You already do kind of have the werewolf thing going.
Yeah, no, I was going to say werewolf,
but yeah, just because it,
I like to go hiking and go on adventures,
and it seems like having some of those werewolf powers
would allow me to get to places that I can't get to today.
(46:55):
You wouldn't have to hike anymore.
You can just jump tree to tree.
Exactly, exactly.
That's true.
Well, it's been a great conversation, guys.
Let me kick it over to you guys real quick
for any closing remarks, Justin and David,
that you may have.
David, I know you have a Secure Access,
some stuff up on YouTube,
but anything you want to wrap it up with
(47:16):
from your personal viewpoint?
Yeah, yeah.
If you're interested in seeing me give an overview
on Secure Access, check out my channel.
I think it's Decrypt-Ed is the channel name.
I think it's at security-decrypted or maybe.
You can tell I'm active on it.
Keep an eye on Secure Access.
I mean, it's SaaS solutions.
(47:37):
Cisco's doing a ton to add features and functions
to all their SaaS, especially the security ones.
There's a lot of stuff on the roadmap,
all of it moving real quick.
So if there's something that you want to see
Secure Access doing or able to do,
there's a decent chance it might get added
in the next couple months even.
(47:57):
So reach out to whoever you're engaged with
on the Cisco side, talk to them,
look at what's being posted online.
Like it's moving fast.
And Justin, I know we'll definitely see you
on the demo tomorrow.
Yes.
But for today's conversation,
any closing remarks that you have?
Sure, yeah.
No, I'll just echo what David said
is as far as like Secure Access is moving fast,
(48:18):
you're going to see a lot of things coming
for clientless ZTA very shortly.
You're going to see a lot of things coming
in the way of ISE integrations.
Some of them are already there today
that we didn't get to get into.
You're going to see a lot of enhancements
in our ability to check the health of identities even
(48:41):
if you're familiar with how Duo
and some of our identity health is working
and be able to apply policy
and do a lot of very exciting things
to get closer to that zero trust sort of ideal, right?
Because zero trust is really a framework,
it's really a journey and nobody's all the way there yet.
And I don't know if we ever will be,
but we're going to start picking it all of the things, right?
(49:04):
We need to trust the device, we need to trust the user,
we need to know more about what the user's doing,
we need to know more about what that device is doing
so that we know that they are not just,
should they access it, or not just can they access it,
but should they access that application
from that device as that user,
or should we make more, check them additionally, right?
(49:27):
Give them a little bit of a sense of what's going on
and give them a little bit more of a push
to figure out whether they are who they say they are
and things like that.
So all of it's continuing to develop,
there's going to be,
there's been a couple announcements over the last two weeks,
there's going to be more announcements
towards the beginning of November,
and then every quarter we're coming up
(49:48):
with a lot of new stuff, so stay tuned.
Okay, great, great stuff.
Andres, for me, the zero trust access in general,
I'm able to have this solution
that's giving me the flexibility
on how I'm going to connect in remotely or on-prem,
and then having that connected,
(50:09):
we talked about Cisco being the plumber,
and I don't have to worry about all the piping
behind the scenes.
Just keeping that simplistic approach,
complexity is the enemy of security,
and this is, I think, a good product to showcase that.
The tools, the consolidation,
a lot of stuff being consolidated.
David, you were talking about bonus of Umbrella,
(50:32):
we're talking about Duo, we're talking about IPS stuff,
so just again, further simplifying all that
into the one dashboard.
I don't know what you thought, Andres.
Yeah, on my mind, the benefits of being on AWS
and what we're doing right now with our own data centers,
that's, I guess, we're not expecting that one,
(50:54):
so it is going to be developing in the future,
and that's pretty cool.
The SSL decryption, thank you, David, for that explanation.
That actually gives us a lot of information
to share with our customers,
and the new developments on DLP are also another thing
that is really cool, and I know I was thinking
(51:17):
about the user experience, the visibility that we have
on that user's computer, the connectivity,
all those things, those are pretty new and super impressive.
So if you have the chance to take a look at Secure Access,
I recommend you just going for it,
and it's a lot of stuff that we're doing into it.
(51:38):
Good stuff, good stuff.
Well, Justin, David, appreciate you guys joining us today.
Great conversation.
We'll all be tuning in tomorrow, noon Eastern,
to the live demo of Secure Access.
You can see the dashboard, see the experience insights,
I think will be pretty cool, as well as anything else
you want to show there, Justin.
(51:59):
So stay secure, everybody,
and we will see you on the next episode.
Thank you all.
Always.
Thank you.
Take care, y'all.