
The Latest in Cisco Secure Access (SSE) Innovation

By Cisco Security

Summary

## Key takeaways

- **Late-Mover SSE Advantage**: Cisco Secure Access launched two years ago after studying first-generation SSE vendors' gaps and challenges, building on proven Cisco technologies like Umbrella for trust. [04:18], [04:46]
- **Single Intent-Based Policy**: Unlike Umbrella's separate DNS, web, and firewall policies, which make it confusing where to block something like TikTok, Secure Access uses one intent-based policy for both internet and private access that handles the layers automatically. [09:03], [09:37]
- **AI Assistant Troubleshoots Access**: The AI assistant uses natural language for troubleshooting, like "why can't Lee Parker access Jira?", analyzing users, apps, and policies step by step with suggestions. [11:24], [11:57]
- **Policy Assurance Prevents Outages**: In private preview, policy assurance runs synthetic ThousandEyes tests from endpoints before saving changes, revealing impacts like 400 of 1000 endpoints losing access due to a new McAfee posture requirement. [15:35], [17:56]
- **Hybrid ZTNA Keeps Data On-Prem**: New hybrid zero trust integration pushes Secure Access policies to on-prem Cisco ASA/FTD firewalls, keeping the data plane local for on-network users or sensitive off-net access, avoiding cloud hairpinning. [32:20], [33:42]
- **China Data Center Compliant**: Cisco partnered with Digital China Cloud for a regulated AWS China data center with a separate admin dashboard to keep data in-country, unlike vendors risking shutdown by sharing global dashboards. [54:42], [56:40]

Topics Covered

  • Late-Mover Learns Gaps
  • AI Writes Policies
  • Policy Assurance Prevents Breaks
  • AI Guardrails Decode Prompts
  • China Data Stays Compliant

Full Transcript

[Music] Okay. Yeah, let's get the show on the road. So, good afternoon everybody. Thank you for coming. Day one, so I think we're all still energized. My name is Johnny Noble and I'm going to spend the next hour with you and we're going to be looking at what's new in Cisco Secure Access.

There is the session in the Webex space if you've joined that, and I think it's open for another week or so. I've got a few of my colleagues there as well, so feel free to pop some questions in. You may not get an answer during the session, but I'll do my best afterwards to answer questions. And like I said, some of my peers and colleagues are there as well.

So a few words about me. I've been with Cisco for 15 plus years. I'm based in the San Francisco Bay area, but as you may hear and guess, I'm not originally from there. I joined Cisco in London. I know, surprise, right? Spill the beans. I joined Cisco in London in '09 through an acquisition. Anybody here heard of ScanSafe? Remember that? Okay, a few hands. Yep. And then later rebranded as Cisco Cloud Web Security, and then we went together with the Umbrella team, so I've been, you know, doing cloud-based security the whole time in Cisco. I lead our technical marketing team, and when I'm not presenting at Cisco Live I love traveling with my family. These days my kids are probably a bit too old to travel with us. Mountain biking is a passion of mine and, well, all the hobbies that tend to be expensive: photography, scuba diving, stereos. But I like to hack them all as well, and that sort of makes it even more expensive.

Anyway, so that's me, and we're going to, like I said, spend the next hour or so together. And what I want to ask first, let's just see a raise of hands: who here is familiar with Cisco Secure Access? Great, and that's what I was hoping, that I would see most of the hands in the air, because this is a 60-minute session with the intention to cover really what's new. What I've done is I've included loads of additional slides in the PDF that you can get access to, and actually sections two and three I will not be talking through. Like I said, it was my expectation and hope that if you're coming to hear what's new about a solution, you know a fair amount about that solution, so this won't be an introduction, this won't be covering the architecture, and I really do want to jump in and show you what's new. Okay.

So I'll be talking over mainly the last, sort of, 3 to 6 months. In fact, some of the what's new items are even from the last couple of weeks. So there's some really, you know, they keep me on my feet. I was on the flight here still updating the latest updates.

So I've split it into four main sections, and as we go through them it will be clear what they are: experience, integrations. We'll talk about security, and then market access, which as I go through each one it will be clear what I mean, okay, and then we'll summarize. So all of that for about an hour, just under now. I've got a demo along the way as well, and let's go straight in.

So one thing I do want to point out, and you may know this already, but when we think about Secure Access, this is a solution that's been out, well, we announced it exactly two years ago at Cisco Live 2023, but it was in the making for a couple of years before that as well. We understand we're not the first vendor to go to market with an SSE solution. By the way, has anyone been in my sessions before? Okay, a few hands. You may have heard me say that, but we know we're not the first. And you know what? We're not even the second. But coming late to market also gave us the advantage of understanding how those first generation SSE vendors have built their solutions and what gaps and challenges customers have with those solutions. So it's given us an advantage as well.

And then why am I showing you this? So it's a solution that's been out in the market for two years, but before that was in the making for a couple of years. So you know, like I said, relatively new still, not been out there as long as other solutions. So I get asked a lot by customers, why should we trust this solution that hasn't been out for that long? And the answer to that is here on this slide. We basically designed a more modern architecture that underneath it all is tying together all of these technologies, very well proven technologies that Cisco owns and has been running for all these years, and that's why. Okay.

And another reminder: Secure Access, we want to make the experience, and the first section here is going to be experience, we want to make this a great experience both for our end users and our admins. And that's why everything comes together under a single endpoint client. As an admin, you can do everything in a single console. We've built a single policy and it's a single license, so the licensing is simple as well. So all of that comes together as a single experience. With that, I'm going to jump into the first section, which is the experience.

So, again, some of these things I'm going to cover are pretty new, others less new, but there's a reason I'm going back to the ones that have been there a longer time, just like this. So, you're familiar with the Cisco Secure Client. The modules that are relevant for us are the AnyConnect or VPN module, which a lot of you are probably using already anyway, and the new Zero Trust Access module that we built using modern protocols, QUIC and MASQUE. And this is a combination that other vendors don't have. So we see it like a journey. You can go from traditional VPN to VPN as a service, with the end goal being zero trust, using this module. Okay.

And that's the new zero trust module. It comes with advantages. Stronger security: we've got segmentation of private apps. We've got masking of the client and the resources from each other, or from an attacker possibly. We've got better compatibility because it's UDP based, supports all ports and protocols, and there's going to be a better experience because, like I said, it's UDP based, it's streaming, works really well in networks that are just noisy or with high latency.

So, single client. If you are migrating from Umbrella, I'll talk about that later, you can also continue to use the roaming module and then over time move over to the other two modules, which I'll talk about as well.

So on that note, and again this may be news, maybe not, the whole zero trust experience we developed in partnership with Apple, Google, Samsung. Meaning, if you think about how our zero trust architecture works, it's parallel to Apple's Enterprise Relay, which is actually based on Apple's Private Relay, which is more well-known, and that gave us the advantage of being able to have zero trust natively built into mobile devices at the operating system layer. Okay. So if you want to do zero trust from those mobile devices, it's there. It's built in.

A few words about the policy. So who here is familiar with Umbrella? Okay. Now, if you remember, in Umbrella SIG you've got three policies. You've got a DNS policy, you've got a web policy, and a firewall policy. And I'm sure a lot of you can relate to the fact that it's sometimes confusing. I want to block something. Let's say, wild example, I don't want to see TikTok in my organization. Do I do it at the DNS layer, at the web layer, the firewall layer, all of them? Right? Confusing. So we've brought everything together from a security perspective into a single intent-based policy. So my intent is to block TikTok. We will go behind the scenes and work out all the layers where to do that. Okay. But we took it further. It's a single policy not only for web destinations but also for private. So we've got secure internet access and secure private access all in one place. Okay, again, probably not news to all of you.

Now when we think about an intent-based policy, we've taken that a step further and we built an AI based assistant, and you can type in natural language and tell that assistant what you want to do. So like I gave the example before of blocking TikTok, I could say, okay, let's allow Johnny to access social media but not allow Fernando, and things like that. So I can use my natural language, my intent, and tell that AI assistant what I want to do. You may have heard more about this AI assistant because it's now actually called the Cisco Assistant, or Cisco AI Assistant, which is present across a number of different products. So in Secure Access it doesn't just end with writing policy, and I'll talk more about that as we go through. Right now, like I said, use natural language, type in "add a policy that does this, add a rule that does that", and it will do it. Going forward, we're going to take it further and it can do things like check and optimize the policy and understand if there's duplication of rules, or rules that are shadowed, or maybe a rule that hasn't been hit in a while. So things like that. So we're going to further enhance that. Okay.

So still thinking about the AI assistant, another use case that we added more recently. So the policy assistant has been there for quite a few months. And then for troubleshooting, this was more recently added, I think in the last maybe two months. And you can again use natural language to ask the assistant, for example, why can't Lee Parker access Jira? Okay, so you can give it a troubleshooting scenario. And what it will do is come up with suggestions. It will find, okay, this is the user you're talking about. When you say Jira, it might be referring to this private app, and you'll fill in the gaps, and then it will run an analysis and come back with the results, what it sees is happening, step by step, and help you to troubleshoot, and it will identify where it sees that there might be an issue. Okay. Now in a few minutes I'm going to talk about another scenario where it also does something similar. So remember, we'll come back to that in a few moments.

So thinking now about troubleshooting and end user performance on devices. Remember I said single console, single licensing. The product also includes digital experience management, DEM. You may know this already. It's been there for quite a long while, but we're constantly updating all sorts of features within DEM. Now, we call this Experience Insights. It's based on ThousandEyes technology. Remember, single agent. So we're pushing the ThousandEyes client to the endpoints as well. You may recall seeing that when you deploy the endpoints. So some of the more recent things that we've added I'll go through because, like I said, Experience Insights has been there for a while. So one thing we've added more recently is the ability to drill down on an endpoint, and if an endpoint is having heavy CPU or memory utilization, we'll go all the way down to the process and tell the admin what it is. So you know, I might have 60 or 150 tabs open in my browser. It will tell me that that browser is what's eating up the resources right now. Okay.

So like I said, end user experience, we can help guarantee a good experience. We can make the admin's life be more proactive. And from an admin perspective you can drill down. You can do it in a map and you can see where your endpoints are, or you can go to SaaS destinations, or you can also go and take a look at private resources as well. So from a destination perspective you can go out, like I said, both to public and also internal destinations, and you can run all sorts of HTTP and other tests as well across the network, point-to-point. So you know, if someone is not having a good experience right now, I can go and see, does this go down to the endpoint itself, the local network where that endpoint is, maybe the ISP, maybe one of the processes running in our cloud, all the way to the final destination. Okay.

Now going back to the AI agent, okay, the AI assistant, we've also included AI Insights as part of the AI assistant, and that is specifically using that AI assistant for queries related to Experience Insights. Okay. So you can further, you know, take it further and use that AI assistant to drill down. So that goes hand in hand with some of the troubleshooting that I was talking about before that.

So, still tied to that, this is something that is available. It's in private preview, meaning like a controlled availability, but literally I think just last week we brought this into private preview. This is something that we call policy assurance. And what this is doing is further using the capabilities of the ThousandEyes agents on the endpoints to run sort of like a what-if scenario. So as an admin, I'm adding changes to the policy, making new rules, maybe updating the posture, things like that. Before I go and save my configuration, I can run synthetic tests from all the endpoints and, as an admin, see in the console how that's going to impact the experience of my users. So we've got a simple example here where we want to add a policy that will allow the user pool D to the sales app. And I can define that change to make the policy. Before I save it, I can click the analyze button and it will run those synthetic tests and tell me yes, this user pool T can access Salesforce, okay? Or the sales app or whatever it is. Now let me give you another sort of more real life scenario. Let's say we're rolling out McAfee endpoint security on all of the desktops. I've got a thousand endpoints in my organization and I'm the security admin, and I've been told from the forces to be, please add a posture condition that in order to access this private app, you need to have McAfee installed. Okay, so I go and add the McAfee requirement into the posture policy. Before I save it, I'll click the analyze button and it will run all these synthetic tests from all of my thousand endpoints and come back and tell me, okay, the situation today is all thousand can access this sales resource. If you now go and save that policy, 600 will be able to access, but the other 400 will not because they do not have this McAfee endpoint installed. So I can then decide, do I still want to save this, or go back and say, hey, maybe the endpoint team should put McAfee on all the devices first. Okay. So that will help guarantee continuous connectivity for the end users. Okay. Policy assurance, like I said, in private preview, should be going live in probably a couple of months or so; that's usually how long we run private preview.

All right. Another change that we've made recently. So you're probably familiar with this already, when you're accessing internet-based destinations through Secure Access. You've always got the option to bypass and go direct to internet from your branches or from your endpoints. But the typical use case is that we apply our security controls and you break out to the internet securely. We can offer a reserved IP from our egress points on our data centers. And then another option is, if you are using a resource connector, we can also allow traffic to go back from our cloud to the resource connector to break out to the internet from your egress, from your IP. So I would say the mainstream use case would be to continue to go out from our cloud. But if you've got something very specific that needs to come from your IP and you've got your resource connector, you can allow just that traffic to go. So like I said, the upside here is it will come out with your egress. The downside though is there's an additional hop to get back to your network rather than egressing out from our cloud. Okay.

All right, still on experience. The last thing I want to talk about, and this is probably of interest to many people here. Yeah, quick question here.

>> Is there a way to pull down the public addresses that will be assigned and will be going to the internet through the access?

>> So, all right. So, the question is, is there a way to pull down the public IP addresses that will come from our cloud? Do you mean just our egress IPs?

>> Right. So if I'm connecting to the internet but I still want to give the resource that uses whitelisting what's going to be assigned to me.

>> So it's probably there somewhere. So the answer is yes. We will always provide you with the ranges, and like I said, you can just use our IPs that everybody's using, or if you want a unique reserved IP, you'll get that. That is probably the only item that a customer would pay extra for. Everything else is included in the licensing. If you get a reserved IP, no other Cisco customers will egress from that IP. Or you can do the third trick. Okay, another quick question here.

>> So if I have a /24, can

>> So you're asking, can you basically bring your own IP?

>> Today, no, we don't do bring your own IP. It's something we're looking to do, so as you are aware we're running, and you know what, I'll talk back to this later towards the end when I talk about market access and data centers. I'll add a comment on that, okay.

All right, so going back. The last area of interest for experience is a burning question that many of you probably have. What about if I'm an Umbrella customer and I want to migrate, I need to migrate, to Secure Access? So up to now we've had a way that, from a sales play, we can support you manually migrating from Umbrella to Secure Access, something that we call Elevate. If you are an Umbrella customer buying Secure Access, we give you an extra year to keep your Umbrella deployment while you manually migrate. Some customers, it might take them a week, others it might take a few months. That's why we gave a year. However, we are launching, and we've just launched, an in-product migration. We've kicked off with DNS, and if you are an Umbrella DNS customer, you can already migrate in the product from Umbrella DNS to Secure Access. Okay. And it's a really nice way of doing it. You sort of go into your Umbrella deployment, trigger the migration, and then you've got total flexibility of which components, which endpoints, which rules in the policy you want to migrate. And it's sort of like emptying the Umbrella bucket while filling up the Secure Access bucket until, at your own pace, you've moved everything over, everything works, and then you sort of tick off Umbrella and then it's gone and everything else continues in the Secure Access tool.

>> So the question is, is this migration tool available now? It is. It's available for DNS, and right now we're building it also for Umbrella SIG, so sort of towards the middle to end of this summer the SIG migration will start as well. Now like I said, right now you can do this as a DNS customer. We just launched a DNS only package for Secure Access. So this is parallel to Umbrella DNS. You've got your Essentials and Advantage packages. The pricing is parallel. It's the same pricing as Umbrella DNS Advantage and Essentials. If you sign up and start using Secure Access DNS, it's called DNS Defense, you will also get secure private access. You can use up to 100 seats of private access at no cost. You won't get support. That's the small disclaimer there. But up to 100 seats, just use it. In production, it's there. If you, let's say, have 101 users, you need to license 101 users. Okay.

We've also extended the reporting retention from 30 to 90 days, and we've thrown in some additional capabilities for SaaS API based DLP and API based cloud malware protection. If you think about the DNS offering, it's not a full proxy. We're not seeing all the traffic. We can't do inline DLP, but we can do API based DLP and API based searching for threats in cloud-based storage for your sanctioned apps. So API to API. Okay, so that's included as well. Quick question here.

>> Is Umbrella going away?

>> Is Umbrella going away? The big elephant in the room. The official answer to that is no. Okay, maybe one day it will, but we are not end-of-lifing Umbrella. But with all these additional capabilities, to me it seems a no-brainer, especially if you are also interested in secure private access. You can have everything under one, should I say the word, umbrella. But all right, so hopefully that clears up a lot of things. Like I said, the Umbrella SIG in-product migration will be coming over the next sort of 3 to 6 months, depending on the different stages.

>> DLP.

>> So I mentioned there's no inline DLP, not in the DNS only offering, because we don't see the traffic. We don't get the payload when it's a DNS query. Okay. And the other nice thing about it is, if it means anything to you, when you log into the Umbrella dashboard, in the URL you will see your org ID. Okay. Getting a bit geeky here. When you do the in-product migration, you get to keep your org ID. It's the same org ID which later gets used for Secure Access. That means you don't need to redeploy your endpoint agents; if you've got a virtual appliance, things that are based on the org ID, everything remains intact. In fact, it's zero downtime for all the end users. And that's why I included it here in experience. Okay. All right. How are we doing for time? We're good. And that was probably the longest section, for the experience.

Integrations. What are we doing? What have we done with integrations? So, first of all, not too much news here. You probably know this. We have a very nice integration with Cisco Catalyst SD-WAN. We're doing more things with the other SD-WAN platforms as well. You might have heard this week, Cisco won SD-WAN. So we're sort of bringing all the SD-WAN platforms together.

If we think of Catalyst, what's nice about it, I mean, I was in a meeting with a customer this morning and the use case was just ideal. If you've got a number of SD-WAN enabled branches with direct internet access, you can turn that into secure internet access and break out via Secure Access to the internet securely. So, automation of tunnels: if you've got 100 or even a thousand branches, no one will be sitting there configuring all of the routers and the SD-WAN devices. Through templates the tunnel is automated. Okay. The capacity of tunnels in Secure Access is one gig per tunnel, 1 gigabit per second out of the door. We'll probably increase that over time, and you can use ECMP, equal-cost multipath, and get up to eight or even 10 tunnels. So if you've got those, you know, you need those mega or elephant tunnels as they're known, you can get that high capacity. What else? An SD-WAN admin will get visibility into the security policy, and you've got your layer 7 health checks. So again, an SD-WAN admin can see the health check of those SSE components, things like SWG and firewall and things like that. Okay. So again, not so new. We've got a road map. We're adding a lot of additional capabilities all the time.

Now this goes hand in hand with, if you are a customer of Cisco ISE. Okay. Who here is using ISE as well? Perfect. That was what I was hoping for. So, we've got three points of integration with ISE and Secure Access. The first use case is SGT, security group tags, meaning you can integrate and get your SGTs into Secure Access. So, the integration looks like this in Secure Access. Once you've done that integration, you can see your list of SGTs. And then the third stage is you can use those SGTs in your Secure Access policy. So an example for that is non-human devices, but it could also be, you know, people groups as well. But let's think about a device on the network. Let's say a camera. Okay. I can then, using my SGTs, put into the policy a rule that says if I'm a camera device I can only access this, let's say, internal server on the network where maybe video files get uploaded, and not other destinations. And that means that if a camera on the network were to get compromised, the only place an attacker would be able to go, maybe not a good thing, is to that server where the video files are, but more importantly they can't then go across the network and try and hack into a, let's say, HR database. Okay. So, SGTs now. Yeah. Question here.

>> What about ISE clusters? Do you support multiple clusters?

>> Do we support multiple ISE clusters? I'm not 100% sure. I'll follow up on that one. Okay. If you pop it into the Webex space, one of my colleagues who hopefully is in the space, FA, she is my ISE expert, so I will make sure she helps you with that answer. All right. So, SGT is the first use case. Like I said, well, like I didn't say, but I'm going to say, that requires you to have SD-WAN as well. Okay. The reason for that is through the SD-WAN we carry the SGTs. There are two other use cases that do not require you to have SD-WAN. Question here.

>> So is there going to be a, yeah, in the future will you be able to do SGT without SD-WAN?

>> It is a plan we have. Okay. When and how, that's still TBD, but we're aware of the requirement. Okay. Now, by the way, you can also carry SGTs without SD-WAN today from VPN, but then it's only for human-based. It's VPN, so it's only user-based SGTs, not devices. Okay. All right. The other two use cases are RADIUS authentication. If I'm doing RADIUS through ISE, I can leverage that authentication in Secure Access. And then the third use case is posture. If I am doing posture in ISE, I can bring that into Secure Access as well for on-prem use cases.

So that's the first couple of integrations. Let's talk about another integration, which literally just in the last two or three weeks went into private preview, and this is what we're calling hybrid zero trust, hybrid ZTNA.

The use case here is, let's say I have a Cisco firewall on my network. I will still log in to the Secure Access dashboard and write my zero trust policy as usual, and it will get pushed to all of my cloud locations, but as well as that it will also get pushed to my local ASA devices. Only mine, no other customers', of course. And then we've got two use cases here. One, I am a user on the network accessing a resource that is also on the network. Before we had this integration, the data path would go up to the cloud to hairpin straight back down to that same network. So, not optimum. Now, we keep the data path on the network. So the control plane is still from the cloud. Like I said, we're still writing our same zero trust policy in one place as always, but the data plane stays on the network. So, we're optimizing. Okay, that's the first use case up there.

The second use case is, let's say I've got an internal resource that is really sensitive, and when I'm off network I don't want, like it has been up to now, like it is typically, I don't want the data plane to go via some third party, some vendor called Cisco. Maybe we don't trust Cisco anyway. But I want it to go directly onto my network and stay on the network. Okay, so that's the second use case.

In the future, there will be a third case, which will be resiliency. So if there's, let's say, some catastrophic outage in the cloud, we can force all zero trust traffic back to the network.

Okay, so like I said, this is in private preview. If you are using a Cisco firewall, then this is available and we can get you started with private preview, identifying the C proxy part of it. So,

>> Is there...

>> Yeah, so that's a good question. The question is, now we're covering only zero trust. Is there a plan to do everything else, basically, right? Not only zero trust, and have sort of like a full hybrid on-prem. It's an idea, but we started with zero trust. Okay. I can definitely see the use case for that.

>> So...

>> So today it's FTD or Firepower, not MX. That is also another idea, possibly in the future, but we started with... Now, if you don't have Firepower, you can run a virtualized firewall, okay, virtualized Firepower. However, it still needs to be licensed as a full firewall, and then this is an additional capability. Okay.

>> Okay, what's the difference between Cisco Secure Connect and Secure Access? I'm going to answer this really quickly because otherwise it could... And one of my colleagues, by the way, Chris River I think, is talking about that this week, so you can find that session. Secure Connect was a sister product that was built in parallel. It runs in the Meraki dashboard, it cross-launches into Umbrella, and the target market is Meraki MX customers, so it's down-market SD-WAN. It's a full SASE solution. What we're doing is, just like we're migrating the Umbrella customers to Secure Access, we're also migrating the Secure Connect customers into Secure Access with, let's say, two flavors. One where it's a Meraki-based experience, the other where you have both Secure Access and Meraki. But in order to do that, we are adding capabilities such as AutoVPN, enhancing the Meraki MX tunneling experience, and in the end it's going to be a part of Secure Access as well. So we understand that we confuse you sometimes, we confuse ourselves, but it makes more sense to just have one platform that will support everything. Okay. And just like we're migrating the Umbrella customers, we will also be migrating the Secure Connect customers into this unified experience. Okay. Yeah. One last question here before I move on.

>> Oh, that's a good question. For hybrid ZTNA, is it all or nothing, or can it be specific apps? It can be for specific apps. It's not all or nothing. Yeah. All right.

Still talking about integrations. So I spoke quite a bit about Cisco integrations. Let's cover some third-party integrations. Google Enterprise browser. You may have noticed the little video that was running when you came in. It was a customer case study who was integrated in this way. So this is great. This is the enterprise browser use case, whereby if you are already subscribed to Google Chrome Enterprise browser, we have that integration, and some other vendors may provide you with their own flavor of a browser. The great advantage here is that this is based on Chrome. More than 70% of laptops and devices out there already have Chrome on it. Now if I take my Chrome browser and log in with enterprise credentials, it becomes the enterprise browser. So there's no additional browser to install, and that gives additional capabilities. So we've got our usual, whoops, we've got our usual heavy lifting in the cloud, all of the controls that we have, and DLP and everything, but then on the device you've got additional capabilities that the enterprise browser controls as well. Things like copy-paste, printing, screen capturing, things like that. And actually, through the integration, if I set up a posture policy for clientless zero trust, when I select which browser it needs to be and I select the Chrome Enterprise, it opens up additional posture capabilities that the browser can do, things like local disk encryption, local firewall, things like that. Okay, question here.

Yeah.

>> So...

>> So the capabilities are, you know, parallel. Each browser has different capabilities. Talon, that's Palo Alto's flavor. Like I said, it requires you to install another browser. We are partnering with additional vendors. Microsoft is one I can say. It will be very similar, because just like many devices have Chrome, they also have Edge. And Island is also a vendor that Cisco has invested in, and we're building a similar, and there's others that I'm not going to talk about today.

>> So, okay. So this is included from our perspective, but not the Chrome Enterprise browser licensing that you need to do through Google separately. Okay. We don't sell that. Okay.

Actually, yeah, I've got a little demo. I like this demo. It's pretty cool. Let's let it run. It's very fast. What we're seeing here is, first of all, from the admin perspective. I am going to add a posture profile. I'm going to make it browser-based. And then I've got my OS. When I select the browser to be Chrome Enterprise browser, which gets added through the integration, if you can see on the left there, it added those additional capabilities of firewall, disk encryption, and that's through the integration that I've done with the enterprise browser. Okay, that's the integration. Let's take a look now at the end user perspective.

So on the right is my Chrome Enterprise browser profile. I've logged in. I want to access a private resource. I'm going to get authenticated and I will get access to that resource. Okay, that's authentication and I'm in. If I now copy that URL on the left side, this is my personal instance, my personal profile. I'm still going to get authenticated, but after that it will realize that this is a personal instance and not the enterprise browser. Okay. So that's a quick...

>> Does it provide any benefits of...

>> No. So I wouldn't say it provides additional advantages over SAML and Duo, because you still need to be authenticated to access the private app. The benefit here is unmanaged devices. Okay, unmanaged devices. I don't need to ask an end user to install some sort of browser. Okay, so this is contractors, guests accessing internal resources. All I need to do is make sure they've got a login to the enterprise version of Chrome. Okay. And that is, like I said, something that you would set up with Google.

>> When you go into... how are you... extension?

>> All right. When you go into the enterprise version, it's not extension-based. Every Chrome browser has the built-in capabilities of an enterprise browser. By the way, I think it's tomorrow, look up a session that my colleague Christian Clasen is presenting. He's going to go deep in the enterprise browser. By the way, if you've got the PDF there, one of the first couple of slides I put in was the learning map. It's over a couple of slides. I think I included his session there over the learning map as well.

Okay. All right. Very, very quickly, another integration is browser isolation. So we didn't really talk about this much in the past, but we've partnered with Menlo for our browser isolation. But the points that I want to bring up here are that it's totally included in the licensing, totally included in the same admin console, and it's built right into the policy. So when I'm building a policy, I can choose if I'm going to allow, block, warn, or isolate. In the same way, when I'm running a report, I can just add a filter for isolation and see details of events that were isolated. Okay, other than that, it's browser isolation. It's been around for a while. We did it in Umbrella, but it required a separate license. Here it is included in the licensing. Okay.

The last integration I want to touch on, nothing too much new here. This was available in Umbrella. This was the Cloud Security app with Splunk. So it's a Splunk installation that we developed with Splunk. And what has changed? So the Cloud Security app is the same. It's available on Splunkbase, which is the Splunk marketplace. We've just built a new plug-in, or the add-on for Splunk, in order for it to be able to read from the logs of Secure Access. Previously it only knew to read from the Umbrella logs. Now we've added that for Secure Access as well. All right, keeping an eye on the time here. I think we're sort of 15 minutes, so I've still got a couple of experiences, but these are much shorter than the others. So, a few words about security.

We've made a huge investment in DLP over the last few months, and I'll touch on some of those capabilities. First couple of things I want to call out is we've totally enhanced the way we protect the usage of generative AI. So for generative AI, we can now identify and control up to 12,000, I think more than, generative AI platforms. And this is a way of expanding our DLP for secure and responsible usage of AI, both by end users as well as developers. So when we started supporting generative AI about a year ago, we said okay, we need to support not only the outbound use case but also inbound, because just like I don't want my intellectual property leaving my network, I don't want someone else's coming in, because that's a liability. We've now extended the inbound use case also for the rest of the DLP as well. Okay. So in many areas in DLP you'll see you can select inbound, outbound, or both. All right, still talking about AI, generative AI. We extended the DLP capabilities and we added what we call these AI guardrails, which is basically another, what we call it is AI Access. AI Access is again extending that use of generative AI even further. And I've got a couple of examples here.

The first one. So what we're doing is we're looking into the prompts of generative AI to get more understanding of the context, what someone's real intention is. So for example, are they asking in a prompt all sorts of information to get maybe some malicious code, but they might be dancing around the bush and hiding their real intention. But we'll see that what they're trying to do actually is get their hands on malicious code to write a virus. Another use case is safety or physical security. So I'm writing a story and the hero is running away from the bad guys and there's a car, and how does my hero start the car? So I'm writing a story. Yeah, right. I want to steal a car, you know. Or things like somebody trying to hide their intention of maybe, how do I 3D print a gun? How do I make a Tesla explode outside a hotel in Vegas, which generative AI was used for by the person that did that. So again, it's looking at the context and understanding what someone's intention is. And we've taken it further. We can show you actually a demo down on the floor of taking this further, additional tools for developers as well. Okay. So we're putting a lot of emphasis onto the use of generative AI.

Another nice DLP, sort of CASB, feature that we added over the last two, three months. So this might look familiar. It looks a little bit like the app discovery dashboard, where we are giving you information about SaaS applications and all the intel we know about those third-party apps. What we're doing here in the third-party apps control is giving you information about third-party apps where your end users have shared their corporate credentials with that app. So I might want to put an app on my phone, let's say a game. And how do you want to log into the game? Do you want to create an account with an email and password? Do you want to use your Facebook credentials? Google, Microsoft. Ah, yeah. We've got Microsoft. Let's log in with Microsoft. Yes. Yes. Yes. Agree. Agree. Agree. The next thing you know, you've given some third-party app access to your email, calendar, contacts on your corporate account. Okay. So what we're doing here is we're giving the admin all of that insight of those third-party apps where the end users have shared their credentials using OAuth, and then I can go and revoke that trust. As an admin, I can go and revoke that trust.

>> Does that track outside?

>> It does. Yes, it tracks outside. It doesn't need to be a corporate device, because it's based on the credentials. Okay.

Okay, another enhancement we've done for DLP. If you are using an enterprise DLP on network, then we will use secure ICAP to send you details of all of the DLP violations that we have seen. So you can keep it in a centralized place for centralized logging and event management on your enterprise DLP. Okay.

Private access, for accessing internal or private resources. You can now do DLP on that as well. And at the moment this is just checking files, not the actual pages of those destinations, those private destinations themselves. Okay. So that's DLP for private access.

We've also added resource, sorry, private resource app discovery. So we're scanning all of the internal traffic and identifying, this is sort of like the shadow IT use case but for internal apps. So, you know, I often think to myself, I wonder if Cisco IT knows of all the internal apps running on the network. It could be that they do, it could be that they don't. So this is a way of identifying some rogue or not rogue apps that are running on the network, giving like a profile of the type of traffic it is, what we're seeing, and suggesting policy for those internal private apps. Okay.

Generally what... Sorry, I don't understand the question.

>> Most based...

>> Okay, I get it. Okay, so is it more for zero trust or more for VPN? Pretty much everything I've been talking about is for both. Okay, it would be rare that we have some... So the hybrid use case is zero trust and not VPN, but all of these other features, it doesn't matter what the traffic acquisition is. It could come through an IPsec tunnel as well. Okay.

>> So yeah, that's a good question. Some of the stuff I'm talking about from a DLP perspective, almost all of our development is in parallel for Umbrella and Secure Access. A lot of other development that we're doing, and all the private access stuff, we never put anything private access into Umbrella. So, yeah, all new DLP stuff is both in Secure Access and Umbrella. Most of our other new development is only in Secure Access. Okay, if you've got specific examples, we can talk. What I want to do is ask to hold now all the questions till the end, and I'll stay on, otherwise I won't finish all the content. Okay, got a few more minutes and I want to sort of run through the last few bits.

So, zero trust. The zero trust client can now be deployed and enrolled without the end user having to do that enrollment. So it can be certificate-based. That just rolled out literally in the last couple of weeks.

Last couple of things on security. So DNS tunneling, we've been doing that on DNS queries forever. But what we've done now is enhance that using AI to make it more accurate. So the first few packets that we see, we will identify that this is DNS tunneling. I can actually show you, like, a nice graphic. But also by using AI, it's not only fast, it's more accurate. So if you're familiar with what DNS tunneling is, it's using DNS queries to take exfiltrated data, break it into small packets, and put it into the extended DNS field where the subdomains are, and then an attacker will go and get all those DNS queries and reassemble the information. Basically, like I said, we've been doing this forever, but now it's more accurate and there's less false positives, and we're using AI to identify that this is DNS tunneling. Okay.

All right. Last section I want to touch on is market access. And first of all, who here is this relevant for, people having employees in China? A few good, a few hands. So we've built a data center in China. This has been in the works for a long time, and Cisco is always very conservative and does things by the book, which is why it took us a long time to get this into the market. So the Chinese authorities' requirements and regulations are very strict. This has to be sold by, operated by, and supported by a Chinese company. We've partnered with Digital China Cloud, who is that partner that is doing all that for us. It's in AWS China, and there's a few, I've put in a hidden slide, there's a few capabilities that still are not in this solution. Some of them from a regulation perspective, others we will be adding over time. One other requirement of the Chinese government is that all data needs to stay in country. So for that reason, when you access the dashboard as an admin, you need to log in to a separate instance. Okay. Same look and feel, and we'll make it easier over time, like things like being able to export lists from the global Secure Access dashboard and import them here. But here's an important thing. If you yourselves, or you've heard, or if you're a partner, your customers ever say to you, well, hold on, I work with such and such vendor and they allow me to log into the same dashboard for China, then that vendor is operating under the radar and could be shut down. We don't know. Like I said, Cisco does things by the book, and the requirement to have this operating, managed in a separate dashboard, is why.

All right, last couple of slides here. So from a global map perspective, as you may know, we built this solution in AWS. We went to market with AWS so we could go to market quickly. All of the blue locations are where we have a presence, those AWS regions. So there's probably about 60-plus percent of AWS regions already enabled. If you are operating in a country where there is an AWS region that is still black, we're not yet operating. Talk to us. We can work together to see if we can make it happen. We can get a Secure Access PoP up and running very quickly in AWS, even two weeks. Okay. Now, like I said, we went to market a couple of years ago with AWS to go to market quickly. AWS isn't everywhere. In parallel, we've started taking our existing edge data centers that have been used for Umbrella up to now and rebuilding them to enhance them and upgrade them for Secure Access. So the blue ones you can see, we've already got four running in the US, one in the Middle East in the Kingdom of Saudi Arabia, and then the green ones are the next ones that we're building. So you'll see over time that those Umbrella data centers will start becoming Secure Access, and we'll end up with a hybrid cloud architecture that will be both AWS and edge, and from your perspective it will be transparent. It won't matter, but from our perspective it's resiliency, it's going to market quickly, it's going to market in areas where AWS doesn't have a presence.

Okay, so that's the goal. Certifications. So we literally a couple of weeks ago released HIPAA, SOC 2, ISO. We're working on FedRAMP and other regional or country-based certifications. So one that's probably important to a lot of you is FedRAMP and Secure Access for Government. I was hoping I would be able to say today that it is FedRAMP authorized, but it's not yet. It could be still this week. It's literally any day now. We will have FedRAMP Moderate authorized, and then our intention from there is to go to FedRAMP. And this whole framework that we've built for FedRAMP will allow us to go back and apply the same for all those other countries that you saw on the previous list. So coming very soon with that. I think I'm close to done. So quickly, just to summarize, what I do recommend: additional updates like you've heard today, you can get yourselves if you go to community.cisco.com, and that's the path, and if you subscribe you will get updates on new announcements. Okay, that's worth doing.

So just quickly to summarize, I think it's clear you can see that we have invested and are investing in a big way in Secure Access in many different areas, in the individual features, capabilities, the platform, the experience. We understand we're not the first vendor to go to market with an SSE, like I said, but, you know, like I said, that gave us the advantage to talk to customers, research and understand challenges with the other vendors. With that, I'm going to end with a cheesy statement here. You've probably heard the expression that the early bird gets the worm. We say the second mouse gets the cheese.

>> With that, thank you for your time. I will hang around. Please do submit your surveys. I love to see the comments. Please add some comments. I want to know what you liked, what you didn't. If the room was too cold or too hot, don't judge me on that, but add a comment. Okay, thank you so much.

[Music]
