SASE Delivered Your Way - Cisco

Transcription

SASE Delivered Your Way
Accelerating the cloud journey with Cisco
Tuan Nguyen
Technical Solution Specialist
June 2021

Historic traffic flows
Led to the age of perimeter-based security and networking
Network: Centralized
Security: Single, on-premise security stack
Diagram labels: Internet, Security stack, MPLS, Branch offices, VPN, HQ, Roaming/mobile. Traffic: Internal 80%, Internet 20%.
2021 Cisco and/or its affiliates. All rights reserved.

Changes in the types of traffic and destinations
Have inverted the traffic model
Problems:
- Costs
- Performance
- # Tools/vendors
- Integrations
- Maintenance
Diagram labels: Internet, SaaS, IaaS, Private cloud, Browsing, Bottleneck, MPLS, Branch offices, VPN, HQ, Roaming/mobile. Traffic: Internal 20%, Internet 80%.

Network transformation
Internet/cloud is new “center of universe”
Perimeter security appliances to protect network
Diagram labels: DC-centric, Internet/cloud-centric, Internet, MPLS, VPN, Internet/cloud.

Networking and security teams struggle to
- connect users anywhere to applications everywhere
- protect against evolving threat vectors
- deliver high quality user experience
A new approach is needed

Today’s cloud-centric world
Drives the need for a secure access service edge (SASE) architecture
- Combine networking and security functions in the cloud
- Connect users to the apps and data needed — in any environment, from anywhere
- Control access and enforce the right security protection consistently
Diagram labels: Internet / SaaS / IaaS, Secure Access Service Edge, All locations, Headquarters/campus, Remote workers.

Cisco’s three Cs for SASE
- Connect: Deliver secure, seamless connections to applications anywhere
- Control: Establish zero trust access and secure with leading threat protection
- Converge: Integrate cloud-delivered networking and security

Components of Cisco’s SASE architecture
Connect
- SD-WAN: Powered by Viptela & Meraki
- Remote access: AnyConnect, Duo
Control
- Cloud security: Umbrella: SWG, firewall, DNS security, CASB
- Zero trust network access: Duo
Converge
- Available as a single offer
- Integrated solutions
Observability: ThousandEyes

With Cisco’s SASE architecture, you’ll be able to:
Converge networking and security in the cloud
- Connect and secure access: For all locations, remote workers, devices, workloads
- Optimize performance: With the fastest, most reliable, and secure path
- Deliver best app experience: With end-to-end observability to resolve anomalies from users to apps, over any network or cloud
- Adopt zero trust network access: By verifying user identity and health of devices, for every session
- Make your business more agile: By leveraging the cloud to remove complexity and provide immediate, global scalability

Major SASE use cases
Use cases: Secure remote worker, Secure edge
- Seamless connection to apps and data everywhere
- Streamline connectivity to apps across office locations
- Secure access to internet and cloud apps
- Authenticate users and ensure device health
- Provision SD-WAN fabric across thousands of users and locations
- Secure access to apps and direct internet access
- Identify and resolve issues across ISPs, SaaS, public and private apps
- Deliver the best connectivity and application experience for every remote worker
Diagram labels: Internet / SaaS / IaaS, Secure Access Service Edge, SD-WAN fabric, Remote worker, Campus/Branch, colocation and hosted data centers.

Use case: Secure remote worker
How it works
CISCO SASE
- AnyConnect
- Umbrella: DNS security, Secure web gateway, Cloud access security broker (CASB)
- Duo: Adaptive MFA, Device health, Behavior analytics
- Clientless remote access
- ThousandEyes: End-to-end visibility across any network, User-specific app experience
Diagram labels: Remote worker, Internet, Public cloud / SaaS, Private apps / nets, Co-location nets.

Use case: Secure edge
How it works
CISCO SASE
- Umbrella: DNS security, Secure web gateway, Cloud-delivered firewall, Cloud access security broker (CASB)
- Duo: Adaptive MFA, Device posture and health, Behavior analytics, Continuous verification
- SD-WAN: Analytics / automation, Application SLA / Smart thresholds, Middle-mile efficiency, SaaS optimization, ThousandEyes / telemetry, Integrated multi-cloud access
- ThousandEyes: End-to-end visibility across any network, User-specific app experience
Diagram labels: Network edge, Internet, SaaS, Private/public cloud.

Our approach & capabilities are second to none
Best-of-platform is the new best-of-breed
- The pioneer in DNS security
- Largest commercial threat intelligence team on the planet
- The leader in zero trust
- Largest SD-WAN solution provider

Cisco Umbrella

Cisco cloud security capabilities
Cisco Umbrella
- DNS-layer security
- Secure web gateway
- Cloud-delivered Layer 7 firewall
- Incl: RBI, DLP
- Cloud access security broker (CASB)
- Interactive threat intel
SecureX
- Integrated security platform
Diagram labels: SD-WAN, ON/OFF NETWORK DEVICES.

Born in the cloud global architecture
Consistent high performance, high throughput security
- Microservices, multitenant container architecture: flexibility to optimize performance and scale
- Agile infrastructure: delivers continuous innovation without customer downtime
- Proven track record: 100% uptime since 2006 with global data centers on six continents
- Low latency: Delivers high performance and up to 73% latency reduction

Rock solid reliability and lightning-fast performance
- 1000 peering partnerships with IXPs, CDNs and SaaS platforms - fastest route
- 6000 peering sessions to create shortcuts to major ISPs - decrease hop count
- Reduce latency and speed performance

Our view of the internet
- 620B requests per day
- 22.5K enterprise customers
- 100M daily active users
- 190 countries worldwide

Large, global footprint
- 38 data centers worldwide
- 100% business uptime since 2006
Latency and middle mile optimization is what is most important to consider when choosing a SASE vendor: asure-cloud-security-performance

Findings
Initial, limited-scope performance tests
- Reduced hop count by up to 33%
- Improved latency and traffic consistency (jitter) by up to 73%
- Substantive network performance improvements, measured using real application use cases
Table reflects: Scenario 1 (direct to internet) vs. scenario 3 (Umbrella with SWG and CDFW policies set)
Connecting to Box

NEW AV-TEST security efficacy report!
Featuring Cisco Umbrella
Security efficacy is one of the top differentiators for Umbrella.
Umbrella is #1 in security efficacy - again!
- Focus of lab test: assessing each SWG vendor’s ability to protect roaming and remote workers
- AV-TEST assessed both our SWG and DNS-layer protection security efficacy
Umbrella consistently performed better than the competition!
Get the report: https://bit.ly/3jFNVwK

Efficacy testing: SWG
- Data captured Sep-Oct 2020 by AV-TEST, using their samples (not Cisco’s)
- Products configured to provide highest level of protection
- Umbrella SWG also with DNS security policy

% Detected (higher is better)
Type of test                                Umbrella  Zscaler  Palo Alto  Netskope  Akamai
Malicious PE files (Portable executables)   93.65     87.29    83.88      82.12     61.41
Malicious destinations                      99.15     93.28    57.68      55.52     48.35
Phishing links                              93.79     85.20    91.51      48.35     74.12
Total detection rate                        96.39     89.67    73.15      61.90     58.43

DNS security

DNS-layer security
First line of defense
- Deploy enterprise wide in minutes
- Block domains associated with malware, phishing, command and control callbacks anywhere
- Stop threats at the earliest point and contain malware if already inside
- Accelerate threat response with an integrated security platform
- Amazing user experience — faster internet access; only proxy risky domains
Diagram labels: Internet/SaaS, 5%, Safe requests, Blocked requests, Umbrella, SD-WAN, ON/OFF NETWORK DEVICES.

Cloud-delivered firewall

SIG policy outcome summary
DNS
- DNS policies are evaluated first, any traffic allowed is evaluated next*
CDFW
- CDFW evaluates anything not blocked by DNS
- Any 80/443 traffic sent to SWG (unless blocked in firewall policy)
SWG
- SWG evaluates 80/443 traffic not blocked by DNS and CDFW
*Also applies to traffic where allow rule is not explicitly configured
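The evaluation order on the SIG policy slide above, as an added example that is not part of the original deck and is not Cisco code: a simplified Python model of tunneled traffic where all three policies apply. The rule sets, field names and sample policy are assumptions constructed for illustration.

```python
# Added illustration, not Cisco code: a simplified model of the evaluation
# order on the slide. Rule sets, field names and flows are constructed.
from dataclasses import dataclass

WEB_PORTS = {80, 443}  # per the slide, only these ports are handed to SWG


@dataclass(frozen=True)
class Flow:
    domain: str
    port: int
    app: str = ""        # layer 7 application label, if identified
    category: str = ""   # URL category, only meaningful for web traffic


@dataclass(frozen=True)
class Policy:
    dns_block: frozenset = frozenset()       # blocked domains
    fw_block_ports: frozenset = frozenset()  # blocked destination ports
    fw_block_apps: frozenset = frozenset()   # blocked layer 7 applications
    swg_block: frozenset = frozenset()       # blocked URL categories


def evaluate(flow, policy):
    """Return (verdict, deciding_layer, layers_traversed)."""
    path = ["DNS"]
    # 1. DNS is evaluated first. Traffic continues unless it is blocked here;
    #    no explicit allow rule is required.
    if flow.domain in policy.dns_block:
        return "block", "DNS", path
    # 2. CDFW evaluates everything DNS did not block.
    path.append("CDFW")
    if flow.port in policy.fw_block_ports or flow.app in policy.fw_block_apps:
        return "block", "CDFW", path
    # 3. Only 80/443 that survived the firewall is sent on to SWG.
    if flow.port not in WEB_PORTS:
        return "allow", "CDFW", path
    path.append("SWG")
    if flow.category in policy.swg_block:
        return "block", "SWG", path
    return "allow", "SWG", path


# Constructed sample policy (reserved example names, not real indicators).
POLICY = Policy(dns_block=frozenset({"c2.example"}),
                fw_block_ports=frozenset({23}),
                fw_block_apps=frozenset({"bittorrent"}),
                swg_block=frozenset({"gambling"}))
```

The third element of the result lists the layers a flow reached, which makes it easy to see that non-web traffic and firewall-blocked web traffic never reach SWG.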

Umbrella cloud-delivered firewall
Layer 7 application visibility and control
- Tunnel all outbound traffic to Umbrella
- Block high risk, non-web applications and protocols (layer 7 application visibility & control)
- Centrally manage IP, port, protocol and application rules (layer 3, 4 and 7)
- Forward web traffic (ports 80/443) to secure web gateway
Diagram labels: Internet/SaaS, Non-web / site exclusions, 80/443, CDFW, SWG, Umbrella, Tunnel (IPsec), IPsec tunnel termination, DEVICES ON NETWORK.

Tunnel capabilities
IPsec capacity
- 250 Mbps is guaranteed (can burst higher), ongoing development to increase guaranteed capacity
- Multiple tunnels can be deployed to support higher capacity
Availability
- Hard code primary, secondary (optional)
- Failover to secondary DC and DR is handled by hybrid anycast
- Failure detection uses IKE DPD
Example: Data center region code US-1
- Primary: Los Angeles, 146.112.67.8
- Secondary: Santa Clara, 146.112.66.8. In case of primary failure, uses secondary DC in the same region
- DR site: Dallas TX, automatic. Dynamic failover, no configuration required
Diagram labels: Branch.

Secure web gateway

Umbrella SWG
Multiple functions and aggregated reporting in one cloud console
- Malware scanning includes two anti-virus engines and Secure Endpoint (AMP) lookup
- File type controls
- Full or selective SSL decryption
- Category or URL filtering for content control
- SecureX Malware Analytics (Threat Grid) file sandboxing
- App visibility and granular controls
- Full URL level reporting
Diagram labels: Internet/SaaS, SaaS app e.g. O365, Umbrella SWG, Direct, Tunnel (IPsec), Secure VPN (AnyConnect), PAC files, Proxy chaining, ON/OFF NETWORK DEVICES.

Remote browser isolation
Challenge
Deliver a secure browsing experience with protection from zero-day threats

Remote browser isolation
Capabilities
- Protect from browser-based attacks: Provide air gap between user device and browser-based threats
- Choose from three levels of protection
- Deploy rapidly without changing existing browser configurations
Results
- Improve productivity
- Reduce alerts and incidents
- Support compliance goals
Estimated availability: May

GA
Granular controls for popular SaaS apps
- Block posts/shares to social media apps
- Block attachments to webmail apps
- Block uploads to cloud storage, collaboration, office productivity, content management, and media apps
Diagram labels: User, Actions, Download, Upload, Partner’s cloud storage.

GA
Tenant Restrictions (Enterprise Applications)
Key Use Cases
- Security: Ensure sensitive data is created and stored in approved instances of cloud apps
- Productivity: Only provide access to corporate instances of core SaaS apps
Diagram labels: cisco.com (Corp. instance), debsmith (Personal instance), bobjones (Personal instance).

Cisco Secure Malware Analytics (Threat Grid) sandboxing
- Ability to detect hidden threats in files that are being downloaded
- A set of new or higher risk files are placed in a sandbox environment and checked for malicious activity/content
  - Alerts posted on files that do show bad activity
  - Umbrella threat intelligence is updated for that file
SIG Essentials has a Cisco Secure Malware Analytics limit of 200 files per day
Additional volume is available through an add-on SKU

CASB / DLP

Cisco Secure CASB types
Out of band/API
- Cloudlock
  - User behavior monitoring/alerts
  - Cloud storage policy enforcement
  - DLP quarantine and revocation actions
  - OAuth apps: visibility & control
- Umbrella
  - Data-at-rest cloud malware detection (LA)
Inline/proxy
- Umbrella
  - App visibility & blocking
  - Advanced app control
    - Block uploads (i.e. Dropbox/Box)
    - Block attachments (i.e. webmail)
  - Tenant controls
  - Inline DLP (field trials)
