1
00:00:00,000 --> 00:00:01,780
All right, so good afternoon.

2
00:00:01,780 --> 00:00:05,080
It is October 30th, 2024.

3
00:00:05,080 --> 00:00:07,020
Happy early Halloween, everybody.

4
00:00:08,100 --> 00:00:09,880
Welcome to the Security 45 show

5
00:00:09,880 --> 00:00:13,120
where we cover a new security topic every month

6
00:00:13,120 --> 00:00:15,100
in 45 minutes or less.

7
00:00:15,100 --> 00:00:18,120
We've got a Halloween themed presentation today

8
00:00:18,120 --> 00:00:23,120
on the spookiest of topics, Cisco Secure Access.

9
00:00:23,360 --> 00:00:25,420
With us, we've got two award-winning guests

10
00:00:25,420 --> 00:00:28,020
returning for their second appearance on the show,

11
00:00:28,020 --> 00:00:33,020
David the Ghost Keller and Justin Plants vs. Zombies Murphy.

12
00:00:33,120 --> 00:00:35,840
For those that are doing the audio playback

13
00:00:35,840 --> 00:00:36,740
and you can't see the video,

14
00:00:36,740 --> 00:00:39,000
you have no idea what I'm talking about.

15
00:00:39,000 --> 00:00:40,800
Andres, let me kick it over to you.

16
00:00:41,640 --> 00:00:44,620
Thank you, Mike, and thank you guys for being here.

17
00:00:44,620 --> 00:00:46,160
Well, welcome to the show.

18
00:00:46,160 --> 00:00:47,240
We're super excited.

19
00:00:47,240 --> 00:00:50,040
We're gonna talk about Secure Access today.

20
00:00:50,040 --> 00:00:53,580
This is, I guess, from our perspective,

21
00:00:53,580 --> 00:00:56,680
is something that we're seeing definitely a lot more

22
00:00:56,680 --> 00:00:59,600
and a lot more with our customers, partners,

23
00:00:59,600 --> 00:01:01,320
and everybody inside of Cisco.

24
00:01:01,320 --> 00:01:05,160
It's just a lot of crazy information

25
00:01:05,160 --> 00:01:07,360
and a lot of technologies

26
00:01:07,360 --> 00:01:09,160
that we're just putting together into one place.

27
00:01:09,160 --> 00:01:12,420
But hey, that's what we're gonna be talking today.

28
00:01:12,420 --> 00:01:15,720
This is our round number two on Secure Access.

29
00:01:15,720 --> 00:01:17,000
We do have new questions.

30
00:01:17,000 --> 00:01:19,100
We have more information that we can,

31
00:01:20,200 --> 00:01:23,940
that we're gonna find out today from our guests.

32
00:01:23,940 --> 00:01:26,800
And I guess let's kick it off.

33
00:01:26,800 --> 00:01:29,560
Yeah, and we had Justin and David, welcome back.

34
00:01:29,560 --> 00:01:32,880
We had you guys back last October on the show

35
00:01:32,880 --> 00:01:36,080
and that was a great, Secure Access was newer then

36
00:01:36,080 --> 00:01:40,240
and it was great to see Cisco bringing a lot

37
00:01:40,240 --> 00:01:44,080
of security technologies into kind of one dashboard.

38
00:01:44,080 --> 00:01:46,960
So we're excited to hear a little bit about the updates.

39
00:01:48,600 --> 00:01:49,920
Andres, I just do wanna point out

40
00:01:49,920 --> 00:01:51,960
you look almost identical to Harry Potter.

41
00:01:51,960 --> 00:01:54,480
I keep thinking you are Harry Potter there.

42
00:01:54,480 --> 00:01:57,200
And David with the background, the transparency,

43
00:01:57,200 --> 00:01:58,040
you got that.

44
00:01:58,040 --> 00:01:59,600
Also, I will point out Justin Murphy

45
00:01:59,600 --> 00:02:02,160
made that Plants vs. Zombies on the back

46
00:02:02,160 --> 00:02:04,080
while they're out of old school paper mache.

47
00:02:04,080 --> 00:02:05,400
So kudos to that.

48
00:02:05,400 --> 00:02:07,760
I thought I was being cool with my fireman outfit.

49
00:02:07,760 --> 00:02:12,760
But well, guys, October is Cybersecurity Awareness Month.

50
00:02:14,800 --> 00:02:18,480
At Cisco, we talk about if it's connected, it's protected.

51
00:02:18,480 --> 00:02:21,560
Justin, I'll give this first one to you or David,

52
00:02:21,560 --> 00:02:22,760
whoever wants to take this first one,

53
00:02:22,760 --> 00:02:25,960
but describe what we're actually connecting

54
00:02:25,960 --> 00:02:28,200
into Secure Access.

55
00:02:30,520 --> 00:02:35,520
Sure, so the idea is to connect everything

56
00:02:35,560 --> 00:02:38,120
to anything that it needs to connect to, right?

57
00:02:38,120 --> 00:02:40,840
So we're talking about end users, we're talking about IoT,

58
00:02:40,840 --> 00:02:44,360
we're talking about mobile devices,

59
00:02:44,360 --> 00:02:47,880
all connecting to web apps, RDP, anything.

60
00:02:47,880 --> 00:02:52,360
Anything that they need to get to on the other end,

61
00:02:52,360 --> 00:02:56,080
whether it's SaaS in your own private data centers

62
00:02:56,080 --> 00:02:58,400
or in public cloud, right?

63
00:02:58,400 --> 00:03:03,080
So there are a lot of different mechanisms

64
00:03:03,080 --> 00:03:06,040
that we've talked about to make this happen, right?

65
00:03:06,040 --> 00:03:08,160
Whether it's VPN or ZTA

66
00:03:09,400 --> 00:03:12,040
and some of the underlying protocols like IPsec

67
00:03:12,040 --> 00:03:14,600
and QUIC and MASQUE and all of that.

68
00:03:14,600 --> 00:03:17,840
We've been connecting them since our last conversation,

69
00:03:17,840 --> 00:03:21,320
but we've advanced more as we go through,

70
00:03:21,320 --> 00:03:24,840
whether it's auth methods, including like RADIUS

71
00:03:26,680 --> 00:03:29,680
and some cert-based auth enhancements,

72
00:03:29,680 --> 00:03:32,880
as well as just so that we know who they are

73
00:03:32,880 --> 00:03:36,160
and are able to get users in a lot of cases

74
00:03:36,160 --> 00:03:37,480
connected more smoothly, right?

75
00:03:37,480 --> 00:03:39,040
In the case of cert-based auth

76
00:03:39,040 --> 00:03:42,240
or to make the transition smoother in the case of RADIUS.

77
00:03:42,240 --> 00:03:45,760
If you're used to on-prem RADIUS-based auth for your VPN,

78
00:03:45,760 --> 00:03:48,400
users can or admin can configure that

79
00:03:48,400 --> 00:03:52,000
and have that run up and running much quicker

80
00:03:52,000 --> 00:03:54,840
than maybe moving to a SAML solution, right?

81
00:03:54,840 --> 00:03:58,400
So that's where we're going.

82
00:03:58,400 --> 00:04:00,960
There's a lot more enhancements there

83
00:04:00,960 --> 00:04:04,080
with our IPsec tunnels and our resource connectors,

84
00:04:04,080 --> 00:04:06,400
I believe weren't out at that point either,

85
00:04:06,400 --> 00:04:09,720
which helps get you that app connectivity over ZTA.

86
00:04:10,920 --> 00:04:14,360
But I'll pass it over to David or Mike,

87
00:04:14,360 --> 00:04:17,800
if you want me to dig deeper into any of those things, I can.

88
00:04:17,800 --> 00:04:20,400
Yeah, so for those that missed the first webinar

89
00:04:20,400 --> 00:04:22,480
and haven't seen Secure Access from Cisco,

90
00:04:22,480 --> 00:04:24,960
there's two primary use cases

91
00:04:24,960 --> 00:04:27,280
when we're talking about connecting to Secure Access.

92
00:04:27,280 --> 00:04:29,280
And to preface, Secure Access

93
00:04:29,280 --> 00:04:31,240
is Cisco's Security Service Edge solution,

94
00:04:31,240 --> 00:04:33,960
which would be cloud hosted security services.

95
00:04:33,960 --> 00:04:35,560
So from a use case perspective,

96
00:04:35,560 --> 00:04:38,240
we're talking about internet access and private access,

97
00:04:38,240 --> 00:04:39,680
where private access would be,

98
00:04:40,880 --> 00:04:43,920
being able to utilize resources that are hosted internally,

99
00:04:43,920 --> 00:04:47,120
which would be those that you'd have access to

100
00:04:47,120 --> 00:04:48,680
if you were traditionally on network

101
00:04:48,680 --> 00:04:50,440
or connected via remote access VPN.

102
00:04:52,280 --> 00:04:54,320
So when Justin's talking about the connectivity methods,

103
00:04:54,320 --> 00:04:55,640
he's referring to different ways

104
00:04:55,640 --> 00:04:58,000
to either connect to Secure Access

105
00:04:58,000 --> 00:05:02,040
to get access to either those internet or private resources,

106
00:05:02,040 --> 00:05:04,280
and then the means in which Secure Access

107
00:05:04,280 --> 00:05:06,400
connects back to your network,

108
00:05:06,400 --> 00:05:08,640
either via tunnel or that resource connector.

109
00:05:10,520 --> 00:05:11,560
And then of course, on top of that,

110
00:05:11,560 --> 00:05:12,800
the different security services

111
00:05:12,800 --> 00:05:16,240
and kind of how those services are delivered can vary.

112
00:05:18,200 --> 00:05:20,040
But yeah, it's all about connectivity.

113
00:05:21,440 --> 00:05:22,280
That's cool.

114
00:05:22,280 --> 00:05:24,360
And certainly about the flexibility as well,

115
00:05:24,360 --> 00:05:27,720
certainly an overarching kind of product

116
00:05:27,720 --> 00:05:29,840
where you can connect in through different methods,

117
00:05:29,840 --> 00:05:32,520
roaming users, on-prem sites.

118
00:05:32,520 --> 00:05:34,640
You guys already mentioned like the network tunnel,

119
00:05:34,640 --> 00:05:39,000
which is an IPsec tunnel versus that resource connector.

120
00:05:39,000 --> 00:05:44,000
But yeah, connecting anything to everything solution.

121
00:05:45,320 --> 00:05:47,160
I think we're gonna talk on this a little bit later as well,

122
00:05:47,160 --> 00:05:49,920
but it sounds like there's a lot with Secure Access,

123
00:05:49,920 --> 00:05:52,760
but the overarching goal and direction that Cisco's going

124
00:05:52,760 --> 00:05:54,440
in general from a strategy perspective

125
00:05:54,440 --> 00:05:58,280
is to kind of move towards simplicity.

126
00:05:58,280 --> 00:05:59,680
And so the end users don't have to really think

127
00:05:59,680 --> 00:06:01,640
about how they're connecting to those resources.

128
00:06:01,640 --> 00:06:03,280
The administrators have flexibility,

129
00:06:03,280 --> 00:06:06,320
but there's not like a ton of different steps,

130
00:06:06,320 --> 00:06:09,760
and there's no like fixed cookie cutter way to deploy it,

131
00:06:09,760 --> 00:06:12,240
where you have to do one thing or the other.

132
00:06:12,240 --> 00:06:15,240
If you just want that Secure Private Access initially,

133
00:06:16,720 --> 00:06:17,760
there's ways to set that up.

134
00:06:17,760 --> 00:06:20,000
And maybe you only need the ZTA,

135
00:06:20,000 --> 00:06:21,480
either client-based or clientless,

136
00:06:21,480 --> 00:06:23,880
and the resource connector, maybe use the tunnel

137
00:06:23,880 --> 00:06:25,600
if you wanna have a remote access VPN.

138
00:06:25,600 --> 00:06:27,840
There's a lot of different ways to set that up.

139
00:06:29,000 --> 00:06:31,520
Then it all is just geared toward flexibility

140
00:06:31,520 --> 00:06:32,880
and then simplicity.

141
00:06:34,000 --> 00:06:36,200
That's great information.

142
00:06:36,200 --> 00:06:38,160
Thank you for that, David.

143
00:06:38,160 --> 00:06:41,760
I actually wanted to ask another question

144
00:06:41,760 --> 00:06:44,640
that it's in everybody's minds today,

145
00:06:44,640 --> 00:06:46,440
and it's the security aspect,

146
00:06:47,560 --> 00:06:51,400
and probably just diving deep into the actual product,

147
00:06:51,400 --> 00:06:53,200
into Secure Access.

148
00:06:53,200 --> 00:06:55,960
What are the security features that you guys see?

149
00:06:55,960 --> 00:06:58,200
And I guess this will be for you, David,

150
00:06:58,200 --> 00:07:02,080
or Justin, if you wanna take on that.

151
00:07:02,080 --> 00:07:06,960
But what exactly does the Zero Trust access mean

152
00:07:06,960 --> 00:07:09,680
in this product?

153
00:07:09,680 --> 00:07:10,520
Yeah, yeah.

154
00:07:10,520 --> 00:07:12,320
So from a security perspective,

155
00:07:12,320 --> 00:07:15,760
there's a handful of ways you can really break it down.

156
00:07:17,280 --> 00:07:18,840
Starting with the Zero Trust,

157
00:07:18,840 --> 00:07:22,440
that is, I always think of it in terms of private access,

158
00:07:22,440 --> 00:07:24,000
but it can't apply to internet access as well,

159
00:07:24,000 --> 00:07:26,360
because there are policies you can set

160
00:07:26,360 --> 00:07:29,000
based on user identity for what people can access

161
00:07:29,000 --> 00:07:30,080
on the internet.

162
00:07:30,080 --> 00:07:32,320
So you could consider that as being tied to Zero Trust,

163
00:07:32,320 --> 00:07:34,880
because you're minimizing how much a user can access

164
00:07:34,880 --> 00:07:36,840
based on their role or function

165
00:07:36,840 --> 00:07:39,040
or whatever else you wanna break it down by.

166
00:07:40,040 --> 00:07:42,160
It can also be tied to the private access, though,

167
00:07:42,160 --> 00:07:43,960
and that's what I typically think of.

168
00:07:43,960 --> 00:07:46,000
And that's where we're looking at,

169
00:07:46,000 --> 00:07:48,520
not only is the user who they say they are,

170
00:07:48,520 --> 00:07:49,360
and with Secure Access,

171
00:07:49,360 --> 00:07:52,280
you can bring your own identity provider for SAML.

172
00:07:52,280 --> 00:07:54,520
You can use RADIUS or cert-based authentication

173
00:07:54,520 --> 00:07:56,120
for Remote Access VPN.

174
00:07:56,120 --> 00:07:59,360
You can add MFA, so if you were to use something like Duo

175
00:07:59,360 --> 00:08:02,640
for SSL, you could have MFA there.

176
00:08:02,640 --> 00:08:04,320
And then for each of the connection methods,

177
00:08:04,320 --> 00:08:07,480
there are varying posture controls you could use.

178
00:08:07,480 --> 00:08:12,360
So is this user on a version of an operating system

179
00:08:12,360 --> 00:08:14,960
that we want to allow access to this resource,

180
00:08:14,960 --> 00:08:16,720
or are they super out of date

181
00:08:16,720 --> 00:08:18,640
and that's too high of a risk

182
00:08:18,640 --> 00:08:20,640
and we don't wanna allow access with that?

183
00:08:21,760 --> 00:08:26,520
So it's minimizing both based on who the user is,

184
00:08:26,520 --> 00:08:30,120
but then also on additional factors related to risk.

185
00:08:31,360 --> 00:08:32,480
And there are, of course,

186
00:08:32,480 --> 00:08:33,880
other things we're looking at in the future

187
00:08:33,880 --> 00:08:35,920
that I don't know if we can talk about today,

188
00:08:35,920 --> 00:08:40,360
but we're constantly looking for ways to increase

189
00:08:40,360 --> 00:08:41,920
how much visibility we have into that risk

190
00:08:41,920 --> 00:08:44,280
and offering ways to control it.

191
00:08:44,280 --> 00:08:46,720
Yeah, and go ahead.

192
00:08:46,720 --> 00:08:49,520
Oh, I was just gonna mention from the other security side,

193
00:08:49,520 --> 00:08:51,680
there's of course a lot of the same security controls

194
00:08:51,680 --> 00:08:54,200
that we had from the Umbrella security gateway

195
00:08:54,200 --> 00:08:56,520
which were rebuilt for purpose for Secure Access

196
00:08:56,520 --> 00:08:57,920
inside the Secure Access environments

197
00:08:57,920 --> 00:09:00,320
that offering things like the DNS security,

198
00:09:00,320 --> 00:09:03,000
the secure web gateway, which of course has full decryption

199
00:09:03,000 --> 00:09:06,040
to file analysis, sandboxing, remote browser isolation,

200
00:09:06,040 --> 00:09:07,320
file type controls.

201
00:09:07,320 --> 00:09:10,040
There's the firewall-as-a-service component to it,

202
00:09:11,680 --> 00:09:12,640
data loss prevention.

203
00:09:12,640 --> 00:09:15,560
There's all kinds of other controls that can be utilized

204
00:09:15,560 --> 00:09:16,720
depending on the traffic flow

205
00:09:16,720 --> 00:09:18,320
and the policy that's being set.

206
00:09:18,320 --> 00:09:21,720
Excellent, just to expand on that a little bit,

207
00:09:21,720 --> 00:09:24,120
all of those controls that David's talking about,

208
00:09:24,120 --> 00:09:26,720
Secure Access is taking an approach of simplicity

209
00:09:26,720 --> 00:09:29,600
as he mentioned earlier, where it's a unified policy.

210
00:09:29,600 --> 00:09:32,520
So you don't have to worry about what the tool is,

211
00:09:32,520 --> 00:09:34,520
whether it's the firewall, the proxy, DNS,

212
00:09:34,520 --> 00:09:35,600
what's controlling that.

213
00:09:35,600 --> 00:09:39,560
You just configure what you want to happen,

214
00:09:39,560 --> 00:09:41,040
who you want to have access to, what,

215
00:09:41,040 --> 00:09:43,000
and what the action needs to be

216
00:09:43,000 --> 00:09:44,920
and what sort of inspection needs to happen.

217
00:09:44,920 --> 00:09:46,840
And all of that happens in the process.

218
00:09:46,840 --> 00:09:48,280
It happens to happen and all of that happens

219
00:09:48,280 --> 00:09:49,760
in the background.

220
00:09:49,760 --> 00:09:52,040
It is good to be aware of kind of how all of that works.

221
00:09:52,040 --> 00:09:54,640
However, you don't have to be, you're just creating

222
00:09:56,640 --> 00:09:59,800
a flow of who gets to what and what action happens

223
00:09:59,800 --> 00:10:03,960
in between in order for all of those pieces to occur.

224
00:10:03,960 --> 00:10:08,400
And then just to dig a little deeper into some enhancements

225
00:10:08,400 --> 00:10:10,680
that we've made since our last conversation,

226
00:10:11,600 --> 00:10:15,440
one of them is in the Secure Private Access realm

227
00:10:15,440 --> 00:10:17,280
where before we were just sort of, hey,

228
00:10:17,280 --> 00:10:19,320
you are either allowed or not allowed to get to this

229
00:10:19,320 --> 00:10:21,040
based on your posture or user identity.

230
00:10:21,040 --> 00:10:24,720
Now we're actually putting, with IPS,

231
00:10:24,720 --> 00:10:27,920
and now we're actually putting some proxy capabilities

232
00:10:27,920 --> 00:10:32,560
in line where we can analyze and block file types,

233
00:10:32,560 --> 00:10:35,000
as well as malicious files trying to be uploaded

234
00:10:35,000 --> 00:10:37,560
to maybe some local file stores or things like that

235
00:10:37,560 --> 00:10:39,560
so that we can catch them on the way in

236
00:10:39,560 --> 00:10:41,080
or out of your file store, right?

237
00:10:41,080 --> 00:10:45,240
So those types of things are being added in

238
00:10:45,240 --> 00:10:47,520
and that'll continue to be enhanced

239
00:10:47,520 --> 00:10:49,600
with more capabilities like DLP

240
00:10:49,600 --> 00:10:51,400
and some of the things that you're used to

241
00:10:51,400 --> 00:10:53,520
on the Secure Internet Access side.

242
00:10:54,720 --> 00:10:56,400
And with the Secure Internet Access side,

243
00:10:56,400 --> 00:10:59,280
actually DLP has come a long way, right?

244
00:10:59,280 --> 00:11:02,120
So with data loss prevention, we started out

245
00:11:02,120 --> 00:11:05,560
with just sort of standard categories

246
00:11:05,560 --> 00:11:08,440
that were based on-

247
00:11:10,000 --> 00:11:11,480
Data classifiers and-

248
00:11:11,480 --> 00:11:13,640
Yeah, yep, classifiers and everything

249
00:11:13,640 --> 00:11:15,640
that were already predetermined

250
00:11:15,640 --> 00:11:18,240
and you could make some regex entries and things like that,

251
00:11:18,240 --> 00:11:21,400
but now we've gone to being able to see,

252
00:11:21,400 --> 00:11:24,960
to categorizing AI type destinations,

253
00:11:24,960 --> 00:11:29,280
being able to upload like exact data match

254
00:11:29,280 --> 00:11:31,480
and index data match type files

255
00:11:31,480 --> 00:11:34,400
so that you can have a lot more flexibility there.

256
00:11:34,400 --> 00:11:37,680
And then beyond that, we've actually implemented some AI

257
00:11:37,680 --> 00:11:40,160
to analyze things like IRS forms

258
00:11:40,160 --> 00:11:42,200
and other types of standard forms

259
00:11:42,200 --> 00:11:45,000
that we can train an AI to recognize

260
00:11:45,000 --> 00:11:47,640
so that you don't have to try to match something

261
00:11:50,400 --> 00:11:52,040
on the actual document itself.

262
00:11:52,040 --> 00:11:53,800
It's going to intelligently figure out,

263
00:11:53,800 --> 00:11:56,320
okay, this is very close to what I've seen before, right?

264
00:11:56,320 --> 00:11:58,200
And it could be a combination of factors

265
00:11:58,200 --> 00:12:00,400
depending on what form it is, right?

266
00:12:00,400 --> 00:12:05,240
So there's a lot of enhancements continuously going in there.

267
00:12:05,240 --> 00:12:08,960
The final one that I've seen was OCR, right?

268
00:12:08,960 --> 00:12:11,640
So now if the text is in an image,

269
00:12:11,640 --> 00:12:14,640
whether it's PDF, JPEG, and several other formats,

270
00:12:14,640 --> 00:12:16,880
we can pull that out and be able to recognize,

271
00:12:16,880 --> 00:12:18,400
hey, that's a credit card number.

272
00:12:18,400 --> 00:12:20,000
We need to block that from going up

273
00:12:20,000 --> 00:12:22,680
to this third-party file share site, right?

274
00:12:22,680 --> 00:12:27,160
So there's a lot of enhancements going into that security,

275
00:12:28,120 --> 00:12:31,760
security pathway that we're using in Secure Access

276
00:12:31,760 --> 00:12:36,040
on both sides of the internet and private access.

277
00:12:36,040 --> 00:12:39,000
And to tie back to the policy a little bit as well,

278
00:12:39,000 --> 00:12:41,840
not only is it a single policy stack

279
00:12:41,840 --> 00:12:45,440
where it's intent-based, it's based on user action destination

280
00:12:45,440 --> 00:12:47,640
and then the controls you wanna have in place with it,

281
00:12:48,800 --> 00:12:52,560
but Cisco's going a step further in adding an AI assistant

282
00:12:52,560 --> 00:12:55,120
that will eventually be uniform across multiple things

283
00:12:55,120 --> 00:12:59,040
in this Cisco security stack as we get into things

284
00:12:59,040 --> 00:13:01,200
that I don't know if they're fully out yet,

285
00:13:03,080 --> 00:13:06,280
but it's going a step further to help administrators

286
00:13:06,280 --> 00:13:08,720
see kind of what's being utilized,

287
00:13:08,720 --> 00:13:11,040
where's the redundancy, where can I place a rule,

288
00:13:11,040 --> 00:13:13,720
change a rule, what would the impact of the rule be?

289
00:13:14,680 --> 00:13:16,680
So not only can you block something,

290
00:13:16,680 --> 00:13:19,000
but you can also make sure that you are doing the thing

291
00:13:19,000 --> 00:13:20,360
that you want to be doing.

292
00:13:22,080 --> 00:13:24,600
Absolutely, yeah, that's definitely coming to Secure Access.

293
00:13:24,600 --> 00:13:26,160
You may have seen some of those features

294
00:13:26,160 --> 00:13:28,080
in the Cisco Secure Firewall.

295
00:13:28,080 --> 00:13:32,280
They've been implemented there more comprehensively today,

296
00:13:32,280 --> 00:13:34,800
but we're definitely working on all aspects, actually,

297
00:13:34,800 --> 00:13:37,440
of the dashboard, not just policy,

298
00:13:37,440 --> 00:13:40,920
but also Experience Insights and things like that,

299
00:13:40,920 --> 00:13:42,880
which we'll probably get into a little bit later

300
00:13:42,880 --> 00:13:45,680
to be able to analyze reporting and logs

301
00:13:45,680 --> 00:13:49,440
and user experience so that we can help administrators

302
00:13:49,440 --> 00:13:52,040
understand how their users are accessing applications,

303
00:13:52,040 --> 00:13:53,360
how their policies are being used

304
00:13:53,360 --> 00:13:56,760
and where there may be redundancies or inefficiencies.

305
00:13:56,760 --> 00:13:58,200
And I'm a little bit of a fraud

306
00:13:58,200 --> 00:13:59,120
because I always forget this

307
00:13:59,120 --> 00:14:00,480
and it's an important part of security,

308
00:14:00,480 --> 00:14:04,320
but availability is like one of the three aspects

309
00:14:04,320 --> 00:14:07,720
of the CIA triad, because I'm lazy, Justin,

310
00:14:07,720 --> 00:14:08,560
would you mind talking a little bit

311
00:14:08,560 --> 00:14:11,960
about Experience Insights and how that would relate

312
00:14:11,960 --> 00:14:15,640
to availability and experience for end users

313
00:14:15,640 --> 00:14:17,720
and how an administrator could leverage those?

314
00:14:17,720 --> 00:14:19,840
Sure, so with Experience Insights,

315
00:14:19,840 --> 00:14:23,440
we've taken our capabilities within ThousandEyes

316
00:14:23,440 --> 00:14:25,560
and integrated them into Secure Access.

317
00:14:25,560 --> 00:14:28,080
So it's all within the Secure Access dashboard

318
00:14:28,080 --> 00:14:31,360
and integrates with the Secure Client

319
00:14:31,360 --> 00:14:34,280
that you deploy to your users,

320
00:14:34,280 --> 00:14:36,160
the same one that you use for VPN and ZTA.

321
00:14:36,160 --> 00:14:39,440
And what it does is it runs two standard tests

322
00:14:39,440 --> 00:14:40,720
from those clients, right?

323
00:14:40,720 --> 00:14:43,960
So it'll check and make sure that, hey,

324
00:14:43,960 --> 00:14:46,720
if they're using Webex or they're using some other

325
00:14:49,000 --> 00:14:52,480
video conferencing software, what their experience is there,

326
00:14:52,480 --> 00:14:54,960
what delay, jitter over time.

327
00:14:54,960 --> 00:14:57,960
So you're able to see whether or not

328
00:14:57,960 --> 00:15:01,760
they're having a good experience on conversations

329
00:15:01,760 --> 00:15:04,760
like this webinar, as well as other internal meetings.

330
00:15:04,760 --> 00:15:08,160
And then you're able to also see what their experience is

331
00:15:08,160 --> 00:15:12,360
at to Secure Access with one of our standard tests as well.

332
00:15:12,360 --> 00:15:15,000
So are they able to get to their closest

333
00:15:16,080 --> 00:15:17,560
Secure Access data center?

334
00:15:17,560 --> 00:15:20,400
And is there a particular amount of delay there?

335
00:15:20,400 --> 00:15:24,680
On top of that, monitoring the resources on the device.

336
00:15:24,680 --> 00:15:27,520
So right now we're showing summary information

337
00:15:27,520 --> 00:15:32,520
about CPU utilization, what their network experience is

338
00:15:33,880 --> 00:15:36,080
or configuration is, whether it's one gig,

339
00:15:36,080 --> 00:15:39,600
a hundred meg, whatever on their device itself.

340
00:15:39,600 --> 00:15:42,600
And so you can start seeing where with a map,

341
00:15:42,600 --> 00:15:44,280
you can start seeing a delay,

342
00:15:44,280 --> 00:15:45,720
where the delay might be occurring,

343
00:15:45,720 --> 00:15:46,840
where they might be having issues.

344
00:15:46,840 --> 00:15:48,600
Are they over utilizing their memory

345
00:15:48,600 --> 00:15:51,680
because they have too many tabs open, things like that,

346
00:15:51,680 --> 00:15:54,400
which would lead to a poor experience.

347
00:15:54,400 --> 00:15:59,000
In the future, we're actually going to be able to show,

348
00:15:59,000 --> 00:16:00,440
and actually not too far in the future

349
00:16:00,440 --> 00:16:01,280
so I can talk about it.

350
00:16:01,280 --> 00:16:04,680
We're gonna be able to show what specific processes

351
00:16:04,680 --> 00:16:06,320
are being utilized on that device.

352
00:16:06,320 --> 00:16:11,480
So more in-depth information on what exactly is going on

353
00:16:11,480 --> 00:16:13,320
to help troubleshoot if somebody calls in and say,

354
00:16:13,320 --> 00:16:16,840
hey, I'm having an issue or to proactively interact

355
00:16:16,840 --> 00:16:18,560
with users if you wanna go and say,

356
00:16:18,560 --> 00:16:20,160
hey, you need to reboot your machine

357
00:16:20,160 --> 00:16:22,440
or you need to do this or that to help

358
00:16:22,440 --> 00:16:24,880
if you're having issues, right?

359
00:16:24,880 --> 00:16:29,880
And then we're also monitoring the delay between our cloud

360
00:16:30,480 --> 00:16:34,720
and common cloud services based on every single region.

361
00:16:34,720 --> 00:16:37,400
So you'll know when your users call in

362
00:16:37,400 --> 00:16:38,760
from the East Coast of US,

363
00:16:38,760 --> 00:16:40,800
or if they're calling in from somewhere in Europe,

364
00:16:40,800 --> 00:16:43,280
hey, it looks like Secure Access

365
00:16:43,280 --> 00:16:45,720
is having great response time from Google

366
00:16:45,720 --> 00:16:49,080
or bad response time from Google in this particular region.

367
00:16:49,080 --> 00:16:52,520
So you kind of know what could be the issue, right?

368
00:16:54,520 --> 00:16:56,520
There's a lot to talk about here, David.

369
00:16:57,520 --> 00:16:59,680
The final thing though that I'll mention

370
00:16:59,680 --> 00:17:02,760
is that we did add custom tests

371
00:17:02,760 --> 00:17:07,760
to the repertoire, I guess, of Experience Insights,

372
00:17:08,760 --> 00:17:11,440
which gives you the ability to say,

373
00:17:11,440 --> 00:17:14,880
okay, I want to make sure that X users

374
00:17:14,880 --> 00:17:18,240
can get to this application

375
00:17:18,240 --> 00:17:22,240
and you define the application by domain name or IP address

376
00:17:22,240 --> 00:17:23,280
and give it a port number,

377
00:17:23,280 --> 00:17:26,520
and you can do a full network map of that user's access

378
00:17:26,520 --> 00:17:28,600
to that application real time

379
00:17:28,600 --> 00:17:33,600
and set it to occur continuously as you need it

380
00:17:33,920 --> 00:17:36,680
so that you can know and have historical data

381
00:17:36,680 --> 00:17:40,280
on exactly if that user's having issues,

382
00:17:40,280 --> 00:17:42,240
when they have issues, where they are when they have issues,

383
00:17:42,240 --> 00:17:43,320
how they're connected,

384
00:17:43,320 --> 00:17:45,480
all of that information with the full path

385
00:17:45,480 --> 00:17:48,320
so that you can monitor either C-suite devices

386
00:17:48,320 --> 00:17:51,400
or you can monitor somebody who's constantly calling in

387
00:17:51,400 --> 00:17:53,640
and saying, hey, I can't get to Salesforce

388
00:17:53,640 --> 00:17:55,600
or I can't get to X app.

389
00:17:55,600 --> 00:17:59,480
Now you can have real data over time to say,

390
00:17:59,480 --> 00:18:01,000
okay, yeah, when you're at Starbucks,

391
00:18:01,000 --> 00:18:01,840
it doesn't work very well.

392
00:18:01,840 --> 00:18:04,120
You can go work from home or whatever, right?

393
00:18:04,120 --> 00:18:06,120
So you can have a lot more data

394
00:18:06,120 --> 00:18:07,440
to be able to tell what's going on

395
00:18:07,440 --> 00:18:09,760
as opposed to the internet's down

396
00:18:09,760 --> 00:18:11,320
and the limited information that you have

397
00:18:11,320 --> 00:18:13,240
on those remote users today.

398
00:18:13,240 --> 00:18:15,840
So Secure Access being an all-in-one

399
00:18:15,840 --> 00:18:20,840
kind of connectivity solution, security on top of it

400
00:18:21,080 --> 00:18:24,520
and then it can also diagnose a lot of troubleshooting

401
00:18:24,520 --> 00:18:26,240
like end user experience,

402
00:18:26,240 --> 00:18:28,080
you mentioned even monitoring resources

403
00:18:28,080 --> 00:18:29,400
on the local computer,

404
00:18:30,520 --> 00:18:33,480
which could be the root cause of the experience

405
00:18:33,480 --> 00:18:35,600
that they are going through.

406
00:18:35,600 --> 00:18:36,440
That's great.

407
00:18:36,440 --> 00:18:37,280
Absolutely.

408
00:18:37,280 --> 00:18:38,680
We can try to build connectivity,

409
00:18:38,680 --> 00:18:41,640
but if the end user doesn't have, you know,

410
00:18:41,640 --> 00:18:44,960
a path to it, like it doesn't matter how secure it is,

411
00:18:44,960 --> 00:18:45,800
they can't get to it.

412
00:18:45,800 --> 00:18:48,280
So, you know, you've got all ports there.

413
00:18:48,280 --> 00:18:50,560
And I know tomorrow we're doing the live demo.

414
00:18:50,560 --> 00:18:52,960
So that'll, I think everyone's gonna really love

415
00:18:52,960 --> 00:18:54,360
seeing that experience inside.

416
00:18:54,360 --> 00:18:56,560
So I'm glad you brought that up, David.

417
00:18:57,480 --> 00:19:01,080
All right, so back in 1999, 25 years ago,

418
00:19:01,080 --> 00:19:02,160
there was a quote,

419
00:19:02,160 --> 00:19:06,280
the worst enemy of security is complexity.

420
00:19:06,280 --> 00:19:07,560
And then that quote goes on to say,

421
00:19:07,560 --> 00:19:09,960
this has been true since the beginning of computers

422
00:19:09,960 --> 00:19:14,560
and is likely to be true for the foreseeable future.

423
00:19:14,560 --> 00:19:16,920
So related to that quote,

424
00:19:16,920 --> 00:19:21,680
I know Secure Access has a strong focus on that simplicity

425
00:19:21,680 --> 00:19:24,800
from the administrator experience,

426
00:19:24,800 --> 00:19:28,120
as well as just the end user experience.

427
00:19:28,120 --> 00:19:31,120
We talked about a frictionless user experience.

428
00:19:31,120 --> 00:19:33,040
Can you talk a little bit about how Secure Access

429
00:19:33,040 --> 00:19:34,960
makes life less complex?

430
00:19:34,960 --> 00:19:37,520
Maybe just a minute for both the users

431
00:19:37,520 --> 00:19:40,520
and maybe the SecOps teams?

432
00:19:42,080 --> 00:19:46,120
Sure, I'll talk about it from the admin and the SecOps side.

433
00:19:46,120 --> 00:19:48,040
And David, I'll pass it over to you

434
00:19:48,040 --> 00:19:50,040
to talk about the end user experience.

435
00:19:50,040 --> 00:19:50,880
I'll just ramble.

436
00:19:50,880 --> 00:19:51,720
Take it that way?

437
00:19:51,720 --> 00:19:55,200
All right, so from a connectivity standpoint,

438
00:19:55,200 --> 00:20:00,200
basically being able to define applications one time

439
00:20:00,800 --> 00:20:05,040
and not have to revisit how they're being accessed

440
00:20:05,040 --> 00:20:06,480
is key, right?

441
00:20:06,480 --> 00:20:08,160
So normally you have a bunch of different tools

442
00:20:08,160 --> 00:20:10,400
if they're accessing via VPN versus on-prem

443
00:20:10,400 --> 00:20:13,160
versus some other access methods.

444
00:20:13,160 --> 00:20:15,640
So you have to create new application definitions,

445
00:20:15,640 --> 00:20:19,120
new rules that from an admin standpoint

446
00:20:19,120 --> 00:20:21,800
is simplified in Secure Access where you define it once,

447
00:20:21,800 --> 00:20:23,160
you say how it's gonna be accessed,

448
00:20:23,160 --> 00:20:26,360
and then you determine who can access that application

449
00:20:26,360 --> 00:20:29,040
and what the criteria is.

450
00:20:29,040 --> 00:20:31,600
When you're talking about connectivity,

451
00:20:31,600 --> 00:20:33,840
we provide a couple of different methods, right?

452
00:20:33,840 --> 00:20:37,960
So we make redundancy just built in,

453
00:20:37,960 --> 00:20:40,240
just a no-brainer within Secure Access

454
00:20:40,240 --> 00:20:42,560
by creating network tunnel groups, right?

455
00:20:42,560 --> 00:20:44,160
So you connect up to regions

456
00:20:44,160 --> 00:20:46,320
and each region has two availability zones.

457
00:20:46,320 --> 00:20:49,120
Those availability zones are completely separated

458
00:20:49,120 --> 00:20:52,640
physically from each other so that you can have connectivity,

459
00:20:52,640 --> 00:20:55,280
you can build redundant tunnels that can fail over

460
00:20:55,280 --> 00:20:57,160
in case there is something that happens on our side

461
00:20:57,160 --> 00:20:59,680
or on your side, so, or on the far side

462
00:20:59,680 --> 00:21:01,360
at the data center rather,

463
00:21:01,360 --> 00:21:04,000
so that you do have that redundancy,

464
00:21:04,000 --> 00:21:07,920
but we can make, but we make that simple and easy

465
00:21:07,920 --> 00:21:10,160
every time you build one, you get all the information

466
00:21:10,160 --> 00:21:12,560
you need to make that connectivity happen

467
00:21:12,560 --> 00:21:16,000
and build those tunnels and share routes via BGP.

468
00:21:16,000 --> 00:21:17,840
We do have some more flexibility there

469
00:21:17,840 --> 00:21:20,160
depending on your connectivity method

470
00:21:20,160 --> 00:21:24,160
and what your needs are with different tunnel types,

471
00:21:24,160 --> 00:21:26,840
but we may dive deeper into that a little bit later

472
00:21:26,840 --> 00:21:29,600
if we have time, but wait,

473
00:21:29,600 --> 00:21:31,600
because I really wanna get to resource connectors.

474
00:21:31,600 --> 00:21:35,480
Resource connectors really simplify the way you connect up

475
00:21:35,480 --> 00:21:38,040
because the way those work is they're an all-in-one

476
00:21:38,040 --> 00:21:43,040
virtual appliance that we actually can run in Azure,

477
00:21:43,040 --> 00:21:47,200
AWS or ESXi on VMware today,

478
00:21:47,200 --> 00:21:49,440
and we have a containerized version

479
00:21:49,440 --> 00:21:52,320
as well as TCP coming very shortly

480
00:21:52,320 --> 00:21:55,560
where you basically deploy this all-in-one appliance,

481
00:21:55,560 --> 00:21:58,720
virtual appliance, configure it up with an IP address,

482
00:21:58,720 --> 00:22:03,080
put it on a subnet, and it checks in to Secure Access,

483
00:22:03,080 --> 00:22:06,600
builds its own tunnel and basically creates a pathway

484
00:22:06,600 --> 00:22:09,200
through your network to your applications

485
00:22:09,200 --> 00:22:11,160
without needing to change firewall rules,

486
00:22:11,160 --> 00:22:13,720
without needing to change routes or share anything.

487
00:22:13,720 --> 00:22:17,200
You just say, hey, this application needs to be accessed

488
00:22:17,200 --> 00:22:19,080
via this resource connector group

489
00:22:19,080 --> 00:22:20,480
because we do deploy them in groups,

490
00:22:20,480 --> 00:22:22,880
so the redundancy again is built in

491
00:22:22,880 --> 00:22:25,600
as well as load balancing and everything else.

492
00:22:26,480 --> 00:22:28,440
Once you have that connectivity in place,

493
00:22:28,440 --> 00:22:30,600
users can connect to that application

494
00:22:30,600 --> 00:22:33,120
that you're allowing through the platform.

495
00:22:33,120 --> 00:22:35,680
And so David, I'll let you address

496
00:22:35,680 --> 00:22:36,520
the user experience on that.

497
00:22:36,520 --> 00:22:37,760
Before we go to David, real quick,

498
00:22:37,760 --> 00:22:39,840
the resource connector, that's really cool.

499
00:22:39,840 --> 00:22:41,680
So I don't even have to build a,

500
00:22:41,680 --> 00:22:42,880
I've got some on-prem location.

501
00:22:42,880 --> 00:22:44,440
I don't even need to manually build

502
00:22:44,440 --> 00:22:47,840
an IPsec network tunnel into this.

503
00:22:47,840 --> 00:22:50,040
Resource connector will expose the applications.

504
00:22:50,040 --> 00:22:51,960
I wanna give my users access to it.

505
00:22:51,960 --> 00:22:55,400
Absolutely, and with the way it's designed actually,

506
00:22:55,400 --> 00:22:57,360
it not only gives you those benefits,

507
00:22:57,360 --> 00:23:00,520
but also if you have an acquisition or for IP management,

508
00:23:00,520 --> 00:23:03,520
you have duplicate IPs across parts of your network,

509
00:23:03,520 --> 00:23:05,720
the resource connector can obfuscate all of that

510
00:23:05,720 --> 00:23:08,600
from both the end user side and the application side.

511
00:23:08,600 --> 00:23:10,320
So you no longer have to worry about

512
00:23:10,320 --> 00:23:12,800
what the IP addresses are on both ends.

513
00:23:12,800 --> 00:23:15,120
You can connect it up regardless.

514
00:23:15,120 --> 00:23:15,960
It's awesome.

515
00:23:17,920 --> 00:23:21,600
Yeah, and I would really say it's in line

516
00:23:21,600 --> 00:23:24,480
with Cisco's overall strategy with security,

517
00:23:24,480 --> 00:23:26,400
looking toward simplicity.

518
00:23:26,400 --> 00:23:28,600
And like the administrator experience, right?

519
00:23:28,600 --> 00:23:32,760
I think the overarching vision with Cisco

520
00:23:32,760 --> 00:23:35,480
is that we will become a platform ecosystem

521
00:23:35,480 --> 00:23:38,880
where you import or set up objects like once,

522
00:23:38,880 --> 00:23:41,840
and you can use those across everything, right?

523
00:23:41,840 --> 00:23:45,080
So, I mean, today you'd have to do a directory sync

524
00:23:45,080 --> 00:23:47,800
with firewall, you'd have to do one with Secure Access,

525
00:23:47,800 --> 00:23:50,080
you'd have to do one with Duo, you'd have to do one

526
00:23:50,080 --> 00:23:52,680
with all, like every single layer,

527
00:23:52,680 --> 00:23:54,920
and then have objects created for each

528
00:23:54,920 --> 00:23:57,640
that you then have to reference to the policies.

529
00:23:57,640 --> 00:24:00,080
I think the overarching goal is that you'll be able to have

530
00:24:00,080 --> 00:24:02,760
all the objects that you use across all of them,

531
00:24:02,760 --> 00:24:03,920
you'll be able to set a policy,

532
00:24:03,920 --> 00:24:05,800
and that policy be implemented at each layer

533
00:24:05,800 --> 00:24:08,040
that it made sense to apply that,

534
00:24:08,040 --> 00:24:10,480
which is what we currently have today with Secure Access

535
00:24:10,480 --> 00:24:13,560
when it comes to the DNS, the firewall traffic,

536
00:24:13,560 --> 00:24:18,560
the Web Gateway, private access and internet access,

537
00:24:18,840 --> 00:24:22,400
where you set the one rule for either internet or private,

538
00:24:22,400 --> 00:24:25,320
and it applies that.

539
00:24:25,320 --> 00:24:28,120
From an end user perspective,

540
00:24:30,120 --> 00:24:33,920
I mean, remote access VPN is great for a lot of things.

541
00:24:33,920 --> 00:24:37,320
It's still a better option for certain applications

542
00:24:37,320 --> 00:24:39,800
or certain tasks you're trying to do,

543
00:24:39,800 --> 00:24:42,680
but there can be a lot of friction for end users

544
00:24:42,680 --> 00:24:43,520
with remote access VPN.

545
00:24:43,520 --> 00:24:45,680
It can be generally annoying.

546
00:24:45,680 --> 00:24:48,800
Even myself, right, I can get aggravated

547
00:24:48,800 --> 00:24:52,760
and having to hop on VPN access something,

548
00:24:52,760 --> 00:24:55,800
and then I wanna drop off it afterwards and whatever.

549
00:24:55,800 --> 00:24:57,640
It's just kind of annoying.

550
00:24:57,640 --> 00:24:59,800
With Secure Access from the end user perspective,

551
00:24:59,800 --> 00:25:01,920
there'll be a separate module,

552
00:25:01,920 --> 00:25:03,480
and it's still using Secure Client,

553
00:25:03,480 --> 00:25:05,120
which is a rebranding from AnyConnect.

554
00:25:05,120 --> 00:25:08,240
The AnyConnect VPN component has been changed

555
00:25:08,240 --> 00:25:10,480
into the name of the specific VPN module,

556
00:25:10,480 --> 00:25:13,520
and then there's a separate zero trust access module

557
00:25:14,480 --> 00:25:17,280
that would be used for the client-based access.

558
00:25:17,280 --> 00:25:21,800
You would enroll and authenticate at the interval

559
00:25:21,800 --> 00:25:24,440
determined by the administrator within the dashboard,

560
00:25:24,440 --> 00:25:28,400
and then it does the rest, right?

561
00:25:28,400 --> 00:25:32,200
So that can be weekly, it could be whatever they set,

562
00:25:32,200 --> 00:25:35,440
and then when I go to build that connection,

563
00:25:35,440 --> 00:25:39,280
it's going to dynamically build a per session tunnel

564
00:25:39,280 --> 00:25:41,880
using QUIC and MASQUE, which Justin talked about earlier,

565
00:25:43,120 --> 00:25:45,480
to Secure Access, and it's gonna do the posture check,

566
00:25:45,480 --> 00:25:48,240
and it's gonna build that gap, policies can be checked,

567
00:25:48,240 --> 00:25:49,240
am I allowed access?

568
00:25:49,240 --> 00:25:51,520
If not, I'm not gonna be allowed,

569
00:25:51,520 --> 00:25:53,200
and then of course the traffic can be encrypted

570
00:25:53,200 --> 00:25:55,560
and inspected with the other security controls.

571
00:25:56,880 --> 00:25:59,600
So it's all with the goal of end users

572
00:25:59,600 --> 00:26:01,800
not having to choose how they're connecting.

573
00:26:02,680 --> 00:26:06,440
They log into the device, they enroll,

574
00:26:06,440 --> 00:26:09,800
and then they just access things they need to for work,

575
00:26:09,800 --> 00:26:12,360
and the posture controls, the security,

576
00:26:12,360 --> 00:26:13,800
all that's applied without the end user

577
00:26:13,800 --> 00:26:15,480
having to do anything.

578
00:26:15,480 --> 00:26:17,440
And from an administrative perspective,

579
00:26:17,440 --> 00:26:19,320
it's trying to make it as easy as possible

580
00:26:19,320 --> 00:26:21,480
with the intent-based policy, the AI,

581
00:26:21,480 --> 00:26:24,760
the common resources they can leverage

582
00:26:24,760 --> 00:26:26,160
within the Secure Access dashboard,

583
00:26:26,160 --> 00:26:28,040
future vision across multiple things.

584
00:26:29,280 --> 00:26:32,920
So really trying to get that direction.

585
00:26:32,920 --> 00:26:37,120
Now, I will say as an engineer myself,

586
00:26:38,680 --> 00:26:40,240
engineer in air quotes,

587
00:26:40,240 --> 00:26:41,200
those that don't know my background

588
00:26:41,200 --> 00:26:42,280
in exercise and sports science,

589
00:26:42,280 --> 00:26:44,120
and that doesn't really play that much of a part

590
00:26:44,120 --> 00:26:44,960
in this role.

591
00:26:46,520 --> 00:26:51,520
But complexity to me long felt like job security

592
00:26:53,800 --> 00:26:57,440
because if things were complex, you had to have me.

593
00:26:57,440 --> 00:26:58,960
You can't just replace me.

594
00:26:58,960 --> 00:27:03,720
And so when the move to simplify things

595
00:27:03,720 --> 00:27:05,640
like introducing GUI instead of CLI,

596
00:27:05,640 --> 00:27:09,640
and now with AI, I've first experienced

597
00:27:09,640 --> 00:27:12,160
a little bit of concern about

598
00:27:12,160 --> 00:27:14,040
maybe my role will be seen as redundant

599
00:27:14,040 --> 00:27:15,600
or I'll be kind of exited out,

600
00:27:16,600 --> 00:27:19,520
but there's still gonna be the need to have

601
00:27:19,520 --> 00:27:21,120
your design, decision-making,

602
00:27:21,120 --> 00:27:22,760
how things should be implemented,

603
00:27:22,760 --> 00:27:24,520
best practice for that implementation.

604
00:27:24,520 --> 00:27:26,000
And I think it's making an opportunity

605
00:27:26,000 --> 00:27:30,200
where as engineer, I can become less of a

606
00:27:30,200 --> 00:27:33,040
fully technical, fully tactical resource

607
00:27:33,040 --> 00:27:36,040
and then become more strategic,

608
00:27:36,040 --> 00:27:37,200
more toward the business.

609
00:27:37,200 --> 00:27:40,880
How can I on the engineering or security team

610
00:27:40,880 --> 00:27:42,360
enable the business?

611
00:27:42,360 --> 00:27:44,640
And instead of having to spend all my time

612
00:27:44,640 --> 00:27:48,440
dealing with nerd knobs and how am I gonna deploy this thing

613
00:27:48,440 --> 00:27:51,000
and read through a hundred pages of documentation

614
00:27:51,000 --> 00:27:52,880
to do it and then break it and do it again

615
00:27:52,880 --> 00:27:55,680
and then break it again and spend weeknights and stuff

616
00:27:55,680 --> 00:27:57,720
just crying in the corner,

617
00:27:59,400 --> 00:28:01,400
I'll instead be able to have an easier deployment,

618
00:28:01,400 --> 00:28:04,040
reach those outcomes that we're looking to achieve

619
00:28:04,040 --> 00:28:07,360
and be involved in bigger things

620
00:28:07,360 --> 00:28:11,240
than just turning dials.

621
00:28:11,240 --> 00:28:16,240
So it feels like an opportunity to do more

622
00:28:16,680 --> 00:28:17,840
and to do it better.

623
00:28:19,880 --> 00:28:21,400
Not only that, but it's also helping balance out

624
00:28:21,400 --> 00:28:23,040
the number of tools.

625
00:28:23,040 --> 00:28:24,200
I feel like no one talks about it,

626
00:28:24,200 --> 00:28:26,480
but in my opinion, back in the day,

627
00:28:26,480 --> 00:28:27,600
when you first started networking,

628
00:28:27,600 --> 00:28:30,480
it was, you had a handful of devices on the network,

629
00:28:30,480 --> 00:28:32,160
you had phones connected to switches

630
00:28:32,160 --> 00:28:34,120
and then you had a computer connected to the phone

631
00:28:34,120 --> 00:28:36,600
and it was like layer two.

632
00:28:36,600 --> 00:28:39,200
You had VLANs you had to worry about,

633
00:28:39,200 --> 00:28:40,400
you had voice VLANs,

634
00:28:40,400 --> 00:28:42,880
like it's a different game out there these days.

635
00:28:43,840 --> 00:28:47,320
So having these additional things trying to make it simpler

636
00:28:47,320 --> 00:28:50,920
and easier to use offsets that

637
00:28:50,920 --> 00:28:53,520
because now there's dozens of tools you have to leverage

638
00:28:53,520 --> 00:28:55,880
and it's not just a firewall on your network

639
00:28:55,880 --> 00:28:57,360
you have to deal with.

640
00:28:57,360 --> 00:28:58,520
Yeah, absolutely.

641
00:28:58,520 --> 00:29:01,200
Just real quick, that makes you, right, an enabler

642
00:29:01,200 --> 00:29:02,040
instead of a blocker

643
00:29:02,040 --> 00:29:04,680
and a lot of these types of applications

644
00:29:04,680 --> 00:29:06,640
and types of business needs, right?

645
00:29:06,640 --> 00:29:09,240
And so that I don't know that I've ever been on a team

646
00:29:09,240 --> 00:29:11,320
where we've been able to do every project

647
00:29:11,320 --> 00:29:13,400
that was put forth to us,

648
00:29:13,400 --> 00:29:15,880
not that we didn't want to, but we just didn't have time.

649
00:29:15,880 --> 00:29:19,000
So this simplification definitely gives you that time

650
00:29:19,000 --> 00:29:23,840
to be able to address some of those additional asks

651
00:29:23,840 --> 00:29:28,440
and be able to think about what your,

652
00:29:28,440 --> 00:29:31,480
again, what your business needs and security needs are

653
00:29:31,480 --> 00:29:32,960
and make sure that those are in alignment

654
00:29:32,960 --> 00:29:34,520
as opposed to just putting out fires

655
00:29:34,520 --> 00:29:38,800
and trying to just manage the complexity always.

656
00:29:39,760 --> 00:29:40,600
Yeah.

657
00:29:40,600 --> 00:29:45,320
This definitely talks really good about simplification

658
00:29:45,320 --> 00:29:49,520
and all the things that can be just made easier.

659
00:29:49,520 --> 00:29:54,160
I know we talked a little bit about the resource connectors

660
00:29:54,160 --> 00:29:57,960
and also the way that the users connect to the solutions.

661
00:29:57,960 --> 00:30:01,000
It's very, remove some of the friction

662
00:30:01,000 --> 00:30:02,280
and we've seen that

663
00:30:02,280 --> 00:30:04,400
and we're gonna see some of that tomorrow

664
00:30:04,400 --> 00:30:06,000
just on the demo.

665
00:30:06,000 --> 00:30:11,000
But the other question that I have in this one,

666
00:30:11,600 --> 00:30:12,480
it's kind of interesting,

667
00:30:12,480 --> 00:30:17,400
this is kind of like a report that we saw back in 2022.

668
00:30:17,400 --> 00:30:22,360
It's a Gartner survey that showed 75% of organizations

669
00:30:22,360 --> 00:30:25,600
are pursuing security vendor consolidation.

670
00:30:25,600 --> 00:30:29,720
And I'm pretty sure a lot of you on this webinar

671
00:30:29,720 --> 00:30:31,720
have heard about that, have seen that

672
00:30:31,720 --> 00:30:34,960
and we're thinking that a lot,

673
00:30:36,840 --> 00:30:40,720
that that number is gonna grow with time

674
00:30:40,720 --> 00:30:43,600
and then customers are really seeing the benefit

675
00:30:43,600 --> 00:30:46,760
and that's one of the things that we have with,

676
00:30:46,760 --> 00:30:49,200
for example, Secure Access.

677
00:30:49,200 --> 00:30:53,360
But if you don't mind, I think David, you're next.

678
00:30:53,360 --> 00:30:56,640
What are the products that you think

679
00:30:56,640 --> 00:30:58,920
it's gonna help customers replace

680
00:30:58,920 --> 00:31:01,640
or consolidate with Secure Access?

681
00:31:01,640 --> 00:31:05,400
Yeah, yes, I mean, as far as cloud-hosted security services

682
00:31:05,400 --> 00:31:06,920
go, there's a lot of stuff that you get

683
00:31:06,920 --> 00:31:08,360
within the single dashboard.

684
00:31:10,200 --> 00:31:12,400
There is DNS layer security,

685
00:31:12,400 --> 00:31:14,080
again, building off what we had with Umbrella,

686
00:31:14,080 --> 00:31:15,360
formerly OpenDNS.

687
00:31:16,560 --> 00:31:19,280
We have the secure gateway from Umbrella as well

688
00:31:19,280 --> 00:31:20,920
that's been added, so that's full proxy.

689
00:31:20,920 --> 00:31:24,640
You have traffic encryption, including TLS 1.3.

690
00:31:24,640 --> 00:31:26,840
You have file analysis, you have sandboxing

691
00:31:26,840 --> 00:31:28,200
using Secure Malware Analytics.

692
00:31:28,200 --> 00:31:30,440
You have, you know, formerly Threat Grid,

693
00:31:30,440 --> 00:31:33,280
and then file analysis is through Advanced Malware Protection,

694
00:31:33,280 --> 00:31:37,440
but there's also, I think, some other file scanning with AV,

695
00:31:37,440 --> 00:31:39,360
but I digress.

696
00:31:39,360 --> 00:31:43,240
You have DLP, both out of band using API

697
00:31:43,240 --> 00:31:46,400
for SaaS applications, it is like seven now,

698
00:31:46,400 --> 00:31:47,840
as well as cloud malware detection,

699
00:31:47,840 --> 00:31:50,240
again, using the same API for the same applications,

700
00:31:50,240 --> 00:31:51,840
where it is able to look at files

701
00:31:51,840 --> 00:31:53,320
that are being hosted on the cloud storage.

702
00:31:53,320 --> 00:31:55,960
So you have out of band CASB controls there,

703
00:31:55,960 --> 00:31:58,360
as well as real-time or inline DLP

704
00:31:58,360 --> 00:31:59,680
that's inline with the web proxy,

705
00:31:59,680 --> 00:32:02,000
so we can look at files that are being uploaded,

706
00:32:02,000 --> 00:32:03,280
we're able to look at web forms

707
00:32:03,280 --> 00:32:06,320
that are being put in posts on web pages

708
00:32:06,320 --> 00:32:10,000
for the different data classifiers that,

709
00:32:10,000 --> 00:32:13,360
or identifiers that Justin talked about earlier.

710
00:32:13,360 --> 00:32:15,320
We have the firewall as a service,

711
00:32:15,320 --> 00:32:18,080
which has layer three, layer four, and layer seven controls,

712
00:32:18,080 --> 00:32:20,240
as well as IDS and IPS using Snort 3.

713
00:32:20,240 --> 00:32:25,240
You have remote access controls,

714
00:32:25,240 --> 00:32:28,520
so you have the remote access VPN as a service

715
00:32:28,520 --> 00:32:30,640
where you can use Secure Access as the head end,

716
00:32:30,640 --> 00:32:32,680
instead of having a head end on-premise,

717
00:32:32,680 --> 00:32:34,320
and then you can provide backhaul connectivity

718
00:32:34,320 --> 00:32:37,520
to any device that can pretty much build an IPsec tunnel.

719
00:32:39,320 --> 00:32:43,320
To us, in addition to the ZTA,

720
00:32:43,320 --> 00:32:45,680
and with the ZTA, we have both client-based,

721
00:32:45,680 --> 00:32:48,160
using the ZTA module that can,

722
00:32:48,160 --> 00:32:51,480
in most cases, client to server application

723
00:32:51,480 --> 00:32:54,760
that can leverage it,

724
00:32:54,760 --> 00:32:57,080
and then you have browser-based,

725
00:32:57,080 --> 00:32:59,640
which today is web applications,

726
00:32:59,640 --> 00:33:02,240
but they're expanding that very shortly.

727
00:33:02,240 --> 00:33:04,840
I'll let Justin talk on that if we're able to.

728
00:33:07,240 --> 00:33:08,280
Am I missing anything?

729
00:33:08,280 --> 00:33:09,600
Oh, experience monitoring,

730
00:33:09,600 --> 00:33:11,440
so you have the ThousandEyes endpoint component,

731
00:33:11,440 --> 00:33:13,040
you have all the reporting that's in there,

732
00:33:13,040 --> 00:33:14,320
both from a security perspective,

733
00:33:14,320 --> 00:33:16,240
from an app discovery perspective,

734
00:33:16,240 --> 00:33:19,160
all of that can be pulled into a SIEM or a SOAR,

735
00:33:19,160 --> 00:33:20,920
you have an S3 bucket you can use,

736
00:33:20,920 --> 00:33:22,760
either from Cisco or you can bring your own,

737
00:33:22,760 --> 00:33:24,480
so you can adjust all of that there.

738
00:33:26,560 --> 00:33:27,400
Anything else?

739
00:33:28,480 --> 00:33:30,960
So I will just add the roaming module

740
00:33:30,960 --> 00:33:33,520
in case there's devices that you want to,

741
00:33:33,520 --> 00:33:36,560
have that continuous DNS and SWG

742
00:33:36,560 --> 00:33:39,320
or web proxy analysis going on,

743
00:33:39,320 --> 00:33:41,960
so there's a lot of different pieces together,

744
00:33:41,960 --> 00:33:44,600
and what all of this means is that now,

745
00:33:44,600 --> 00:33:47,840
if you have branches that you used to have to manage

746
00:33:47,840 --> 00:33:50,640
decryption or put larger boxes in

747
00:33:50,640 --> 00:33:52,520
because you needed local security on,

748
00:33:52,520 --> 00:33:54,600
now you can build tunnels up to Secure Access

749
00:33:54,600 --> 00:33:58,080
and have a smaller box and have a unified policy.

750
00:33:58,080 --> 00:33:59,960
You may not have been able to,

751
00:33:59,960 --> 00:34:04,080
across your distributed firewalls, proxies, VPN services,

752
00:34:04,080 --> 00:34:06,960
have a single place to configure, single policy,

753
00:34:06,960 --> 00:34:09,680
so we can consolidate all of those things

754
00:34:09,680 --> 00:34:13,760
and replace the need for the hardware that you need,

755
00:34:13,760 --> 00:34:15,840
the hardware replacement in case of,

756
00:34:15,840 --> 00:34:18,720
and management in the case of like VPNs

757
00:34:18,720 --> 00:34:20,880
and proxies and things like that.

758
00:34:20,880 --> 00:34:23,880
Instead now just provide a method,

759
00:34:23,880 --> 00:34:26,400
whether it's, again, whether it's an edge device,

760
00:34:26,400 --> 00:34:29,680
like a Catalyst ISR,

761
00:34:29,680 --> 00:34:32,480
whether it's a firewall connected up to us

762
00:34:32,480 --> 00:34:35,600
and or a resource connector out of your ESXi host,

763
00:34:35,600 --> 00:34:38,400
and you don't, and everything else is taken care of

764
00:34:38,400 --> 00:34:40,120
in the cloud and you just worry about policy,

765
00:34:40,120 --> 00:34:43,080
and what is best for your business, again,

766
00:34:43,080 --> 00:34:46,280
so that you don't have to decide on new hardware every year

767
00:34:46,280 --> 00:34:47,960
and figure out all of the different pieces

768
00:34:47,960 --> 00:34:50,080
on what you're trying to support at the different sites

769
00:34:50,080 --> 00:34:54,360
and having a disconnected experience for your users.

770
00:34:54,360 --> 00:34:58,120
Yeah, and tied to the intent-based policy aspect, right?

771
00:34:58,120 --> 00:34:59,400
You have all those controls,

772
00:34:59,400 --> 00:35:01,520
but when you set like the internet access rule

773
00:35:01,520 --> 00:35:06,520
and you say, David cannot access YouTube, right?

774
00:35:07,800 --> 00:35:10,240
That action will be taken wherever the traffic is seen.

775
00:35:10,240 --> 00:35:12,680
So if we see a DNS request for,

776
00:35:12,680 --> 00:35:15,160
you know, trying to resolve YouTube.com, we're gonna block it.

777
00:35:15,160 --> 00:35:16,040
If we were to see, you know,

778
00:35:16,040 --> 00:35:17,760
layer three, layer four traffic related to it,

779
00:35:17,760 --> 00:35:18,880
we can take an action on it.

780
00:35:18,880 --> 00:35:20,480
If you were to see web traffic related to it,

781
00:35:20,480 --> 00:35:21,760
we can take an action on it.

782
00:35:21,760 --> 00:35:23,440
And so you're not having to choose the layer

783
00:35:23,440 --> 00:35:24,720
with which you want to apply that.

784
00:35:24,720 --> 00:35:27,600
It's going to do that for you.

785
00:35:27,600 --> 00:35:28,880
And then of course, in the report,

786
00:35:28,880 --> 00:35:31,720
you can see where the action was taken itself

787
00:35:31,720 --> 00:35:34,120
based on just, you know, breaking it down.

788
00:35:34,120 --> 00:35:36,120
That's a great point.

789
00:35:36,120 --> 00:35:37,520
In the intent-based policy,

790
00:35:37,520 --> 00:35:39,440
you guys talking about that unified policy,

791
00:35:39,440 --> 00:35:40,480
I just put it in the policy.

792
00:35:40,480 --> 00:35:42,360
I don't need to worry about like where this is happening

793
00:35:42,360 --> 00:35:43,760
in the network or at what layer.

794
00:35:43,760 --> 00:35:46,920
So, I mean, message on simplicity there.

795
00:35:46,920 --> 00:35:51,000
Now AWS is where Secure Access lives, right?

796
00:35:52,880 --> 00:35:54,480
Well, yes or no?

797
00:35:54,480 --> 00:35:58,520
So that's actually changing.

798
00:35:58,520 --> 00:36:00,600
We will continue to stay in AWS

799
00:36:00,600 --> 00:36:03,200
and that is a long-term plan

800
00:36:03,200 --> 00:36:06,160
to continue to leverage their network, right?

801
00:36:06,160 --> 00:36:10,000
Because AWS does have a lot of peering relationships.

802
00:36:10,000 --> 00:36:12,640
We can add those to our peering relationships

803
00:36:12,640 --> 00:36:14,960
and we can stand up in different regions

804
00:36:14,960 --> 00:36:16,720
very quickly through AWS.

805
00:36:16,720 --> 00:36:19,240
But we also don't want to be completely reliant

806
00:36:19,240 --> 00:36:21,080
on a single public cloud.

807
00:36:21,080 --> 00:36:23,160
So actually just this last week,

808
00:36:23,160 --> 00:36:25,840
we announced that we're in four new data centers

809
00:36:25,840 --> 00:36:28,000
that are our own edge data centers, right?

810
00:36:28,000 --> 00:36:31,240
So the reason we're in four is because we're in two regions.

811
00:36:31,240 --> 00:36:33,680
We stood up US East and US West first.

812
00:36:33,680 --> 00:36:38,680
So we're in places like LA and San Jose and Reston.

813
00:36:38,680 --> 00:36:40,840
And I think DC.

814
00:36:41,920 --> 00:36:43,960
And so those are our data centers.

815
00:36:43,960 --> 00:36:47,320
They're our hardware, they're our hypervisor, everything.

816
00:36:47,320 --> 00:36:50,840
But it's still the same Secure Access on the top layer.

817
00:36:50,840 --> 00:36:54,640
So we've been able to abstract the,

818
00:36:54,640 --> 00:36:58,760
or yeah, create the ability to have a generalized version

819
00:36:58,760 --> 00:37:02,840
of our cloud security platform to be anywhere, right?

820
00:37:02,840 --> 00:37:07,840
And we can manage just a single deployment

821
00:37:07,840 --> 00:37:10,880
so that we can keep everything up to date and sync.

822
00:37:10,880 --> 00:37:12,560
There's not gonna be a difference in service

823
00:37:12,560 --> 00:37:16,360
between one cloud or one region versus the other.

824
00:37:16,360 --> 00:37:18,600
Everything's gonna continue to be seamless

825
00:37:18,600 --> 00:37:20,800
and you don't have to worry about

826
00:37:20,800 --> 00:37:22,320
where you need to connect up.

827
00:37:22,320 --> 00:37:23,880
We handle that distribution

828
00:37:23,880 --> 00:37:25,400
and we're gonna continue to move through

829
00:37:25,400 --> 00:37:27,400
our edge data centers throughout the year.

830
00:37:27,400 --> 00:37:29,840
The plan is to have around 12 more.

831
00:37:29,840 --> 00:37:32,960
So if you think about how quick that is

832
00:37:32,960 --> 00:37:35,200
compared to some of the other cloud solutions,

833
00:37:35,200 --> 00:37:37,560
even Umbrella, when we were trying to deploy that

834
00:37:37,560 --> 00:37:38,720
and we were talking to customers like,

835
00:37:38,720 --> 00:37:40,520
hey, we need this in this region,

836
00:37:40,520 --> 00:37:41,800
it would take us a year or more

837
00:37:41,800 --> 00:37:44,160
to get even just a couple data centers stood up.

838
00:37:44,160 --> 00:37:48,440
So we're rapidly expanding our footprint

839
00:37:48,440 --> 00:37:51,800
across both AWS and our edge data centers.

840
00:37:51,800 --> 00:37:55,200
And you may see us in other public clouds in the future.

841
00:37:56,440 --> 00:37:59,040
And yeah, I'll leave it at that for now.

842
00:37:59,040 --> 00:38:01,120
And so there's a lot of big things to come.

843
00:38:01,120 --> 00:38:02,920
We're able, we're very flexible

844
00:38:02,920 --> 00:38:06,040
and can provide that connectivity and redundancy

845
00:38:06,040 --> 00:38:08,360
wherever users are.

846
00:38:08,360 --> 00:38:10,200
That's pretty awesome.

847
00:38:10,200 --> 00:38:14,560
Yeah, that actually resonates with a lot of our customers

848
00:38:14,560 --> 00:38:18,400
and just that we are the ones doing it also.

849
00:38:18,400 --> 00:38:20,360
So that's pretty cool to hear about.

850
00:38:20,360 --> 00:38:22,560
It's the Cisco cloud I was gonna call it.

851
00:38:22,560 --> 00:38:23,880
Exactly, exactly.

852
00:38:23,880 --> 00:38:26,280
The world is hybrid, so we are too, right?

853
00:38:27,520 --> 00:38:30,240
Whether you're a worker or you're cloud, you're hybrid.

854
00:38:31,120 --> 00:38:32,200
That's so true.

855
00:38:32,200 --> 00:38:33,320
Cool, cool.

856
00:38:33,320 --> 00:38:38,320
Now, I do have another thing that if David or you Justin

857
00:38:39,680 --> 00:38:41,320
can talk a little bit about,

858
00:38:41,320 --> 00:38:43,680
and this is about SSL decryption.

859
00:38:45,000 --> 00:38:47,400
I was talking to a customer last week about this

860
00:38:47,400 --> 00:38:50,280
precisely a few, I think it was last week

861
00:38:50,280 --> 00:38:54,160
or a few days ago, and they wanted to understand

862
00:38:54,160 --> 00:38:58,200
a little bit more of how we do the SSL decryption

863
00:38:58,200 --> 00:39:00,640
if anything with Secure Access.

864
00:39:00,640 --> 00:39:02,480
And if you guys don't mind going over

865
00:39:02,480 --> 00:39:04,880
just the highlight details, that'll be awesome.

866
00:39:05,760 --> 00:39:08,520
I mean, so I can't tell you exactly how we do it

867
00:39:08,520 --> 00:39:10,080
on the backend because proprietary,

868
00:39:10,080 --> 00:39:14,320
but I can say there's two aspects to it.

869
00:39:14,320 --> 00:39:18,080
Today, the firewall layer three, layer four decryption

870
00:39:18,080 --> 00:39:20,200
is global across the dash.

871
00:39:20,200 --> 00:39:23,000
So if you enable it, it's decrypted everywhere.

872
00:39:23,000 --> 00:39:27,680
And then for the web traffic, we can determine per policy

873
00:39:27,680 --> 00:39:30,520
that's set or per rule within the policy stack

874
00:39:30,520 --> 00:39:32,000
where you wanna have it enabled.

875
00:39:32,000 --> 00:39:33,160
And so once you have it enabled,

876
00:39:33,160 --> 00:39:38,000
there's also the aspect of choosing what to not decrypt.

877
00:39:38,000 --> 00:39:39,920
And so by default, it's gonna be everything.

878
00:39:39,920 --> 00:39:41,840
And then you can choose to selectively

879
00:39:41,840 --> 00:39:44,600
not decrypt specific destinations.

880
00:39:44,600 --> 00:39:48,320
And so often that would be things like healthcare or finance.

881
00:39:48,320 --> 00:39:51,480
Sometimes you might see like social media, web email.

882
00:39:51,480 --> 00:39:54,000
It really comes down to the organization

883
00:39:54,000 --> 00:39:56,080
and where they are located,

884
00:39:56,080 --> 00:40:00,000
will kind of inform what they can decrypt and look at.

885
00:40:00,000 --> 00:40:01,400
And then also the vertical, right?

886
00:40:01,400 --> 00:40:03,600
If you're healthcare or a bank or something,

887
00:40:03,600 --> 00:40:04,760
you probably wanna decrypt that

888
00:40:04,760 --> 00:40:07,360
because you care about PHI being exfiltrated

889
00:40:07,360 --> 00:40:09,480
and that's something you wanna have visibility into.

890
00:40:10,560 --> 00:40:12,160
But you can choose to not decrypt certain traffic

891
00:40:12,160 --> 00:40:16,480
and after you set that component.

892
00:40:19,240 --> 00:40:23,160
And just to add to that, the functionality aspect

893
00:40:23,160 --> 00:40:26,200
is we do fully decrypt TLS 1.3 today.

894
00:40:27,520 --> 00:40:31,080
And with decryption within the web proxy,

895
00:40:31,080 --> 00:40:34,600
it gives us a lot of advanced capabilities

896
00:40:34,600 --> 00:40:36,560
to be able to block Facebook Messenger

897
00:40:36,560 --> 00:40:37,880
and not just all of Facebook

898
00:40:37,880 --> 00:40:40,720
or block different aspects of an application.

899
00:40:40,720 --> 00:40:42,440
Hey, you can get to Dropbox and download,

900
00:40:42,440 --> 00:40:44,640
but you can't upload to it, right?

901
00:40:44,640 --> 00:40:47,080
So you have some more advanced controls

902
00:40:47,080 --> 00:40:48,920
and we handle the scalability.

903
00:40:48,920 --> 00:40:53,920
So whether it's decryption in our IPS or in the web proxy,

904
00:40:54,760 --> 00:40:56,600
or even connecting up VPN users

905
00:40:56,600 --> 00:40:59,080
when everybody all of a sudden works from home, right?

906
00:40:59,080 --> 00:41:01,560
We handle that scalability in our cloud.

907
00:41:01,560 --> 00:41:04,120
The admin no longer has to worry about,

908
00:41:04,120 --> 00:41:07,600
we had 50 users going to this page yesterday

909
00:41:07,600 --> 00:41:08,640
and it was getting decrypted.

910
00:41:08,640 --> 00:41:10,800
Today we have 5,000, right?

911
00:41:10,800 --> 00:41:14,680
Or we had 50 users working from home, now we have 5,000.

912
00:41:14,680 --> 00:41:19,360
Secure Access will dynamically expand and scale

913
00:41:19,360 --> 00:41:21,800
to be able to handle that traffic, handle that decryption,

914
00:41:21,800 --> 00:41:25,360
and you no longer have to worry about your boxes turning over

915
00:41:25,360 --> 00:41:26,920
or a poor user experience

916
00:41:26,920 --> 00:41:31,920
just because your traffic flows and destinations have changed.

917
00:41:31,960 --> 00:41:33,600
Yeah, and that's-

918
00:41:33,600 --> 00:41:35,240
Go ahead, David, go ahead.

919
00:41:35,240 --> 00:41:36,280
I was gonna say, that's an aspect

920
00:41:36,280 --> 00:41:39,680
I hadn't actually considered in my answer was that

921
00:41:39,680 --> 00:41:42,080
as the quantity of internet traffic

922
00:41:42,080 --> 00:41:43,480
that's encrypted increases

923
00:41:45,200 --> 00:41:47,640
and the need for decrypting that traffic for inspections,

924
00:41:47,640 --> 00:41:48,800
if you don't know what's inside it,

925
00:41:48,800 --> 00:41:50,880
you don't know if it's malicious or not.

926
00:41:50,880 --> 00:41:53,000
And now with Firepower, there's methods

927
00:41:53,000 --> 00:41:55,720
to get visibility into encrypted traffic

928
00:41:55,720 --> 00:41:57,120
without having to decrypt it.

929
00:41:59,200 --> 00:42:00,920
But I've seen a lot of organizations

930
00:42:00,920 --> 00:42:04,240
will leverage Secure Access for internet access

931
00:42:04,240 --> 00:42:07,840
for branch sites or even their main sites

932
00:42:07,840 --> 00:42:11,320
and offload that web decryption to Secure Access

933
00:42:11,320 --> 00:42:13,960
rather than enabling it on the edge device.

934
00:42:14,960 --> 00:42:18,360
Even going a step past what you might see with a branch

935
00:42:18,360 --> 00:42:21,840
where they wanna do a bring your own SD-WAN

936
00:42:21,840 --> 00:42:23,920
to make a secure access service edge solution

937
00:42:23,920 --> 00:42:27,000
where you have both the networking and the security side

938
00:42:28,440 --> 00:42:30,040
and you're wanting to offer security services

939
00:42:30,040 --> 00:42:33,000
for that branch that are having to add a firewall online

940
00:42:33,000 --> 00:42:34,680
or enable it on an edge device.

941
00:42:36,320 --> 00:42:39,200
Now you can also offload decryption to Secure Access

942
00:42:39,200 --> 00:42:40,880
and it does that scalability that

943
00:42:40,880 --> 00:42:43,160
or offers a scalability that Justin mentioned.

944
00:42:43,160 --> 00:42:44,760
Yeah, and we have to talk about that

945
00:42:44,760 --> 00:42:48,120
because I mean, Google says 95% of the traffic it sees

946
00:42:48,120 --> 00:42:48,960
is encrypted.

947
00:42:48,960 --> 00:42:50,680
So you can write all the great policies

948
00:42:50,680 --> 00:42:51,760
in the world that you want

949
00:42:51,760 --> 00:42:56,400
and they can be bypassed by very common encryption otherwise.

950
00:42:56,400 --> 00:42:58,440
So I think that's a really important point

951
00:42:58,440 --> 00:42:59,720
that we're talking about.

952
00:42:59,720 --> 00:43:02,760
And I think part of the reason why both Justin and I

953
00:43:02,760 --> 00:43:06,400
have mentioned that specifically that we support TLS 1.3

954
00:43:06,400 --> 00:43:09,560
is for those that aren't familiar with the TLS standards.

955
00:43:09,560 --> 00:43:13,640
With TLS 1.2 and below, the server name indicator

956
00:43:13,640 --> 00:43:15,120
which could be seen or SNI

957
00:43:15,120 --> 00:43:18,000
should be seen in the earlier handshakes

958
00:43:18,000 --> 00:43:22,720
for establishing the TLS encryption

959
00:43:22,720 --> 00:43:25,760
for the session with the web server,

960
00:43:25,760 --> 00:43:26,600
you can see the SNI.

961
00:43:26,600 --> 00:43:28,440
And so you could see the SNI

962
00:43:28,440 --> 00:43:29,560
the end user was communicating with

963
00:43:29,560 --> 00:43:30,840
even without decryption.

964
00:43:30,840 --> 00:43:34,160
And so when I reach out to the web server for Facebook,

965
00:43:34,160 --> 00:43:36,240
you would know that I'm communicating with Facebook.

966
00:43:36,240 --> 00:43:38,920
And so you could have like content level controls

967
00:43:38,920 --> 00:43:40,640
without having to decrypt.

968
00:43:40,640 --> 00:43:44,120
With TLS 1.3, that entire payload is encrypted.

969
00:43:44,120 --> 00:43:45,680
And so you no longer have that visibility

970
00:43:45,680 --> 00:43:47,240
unless you're decrypting it

971
00:43:47,240 --> 00:43:48,560
or you're doing some of the fun stuff

972
00:43:48,560 --> 00:43:51,440
that Cisco does with the encrypted visibility engine

973
00:43:51,440 --> 00:43:53,600
that I'm not gonna tell you how we do

974
00:43:53,600 --> 00:43:55,960
because I have a mortgage.

975
00:43:58,680 --> 00:43:59,760
Well, that's awesome.

976
00:43:59,760 --> 00:44:01,320
But no, that's great.

977
00:44:01,320 --> 00:44:04,160
The encrypted conversation just comes up more and more

978
00:44:04,160 --> 00:44:06,920
because that's what most traffic is.

979
00:44:06,920 --> 00:44:08,920
We didn't have this conversation 10 years ago

980
00:44:08,920 --> 00:44:11,000
and everything was clear text.

981
00:44:12,680 --> 00:44:16,360
Okay, so guys, great conversation today.

982
00:44:16,360 --> 00:44:18,520
I have so many more questions I wanna ask you guys,

983
00:44:18,520 --> 00:44:20,920
but for the sake of time,

984
00:44:20,920 --> 00:44:23,840
Andres probably get into the Halloween questions

985
00:44:23,840 --> 00:44:25,480
at this time.

986
00:44:27,320 --> 00:44:28,720
I'll take the first one.

987
00:44:28,720 --> 00:44:30,280
David, I'll ask you this.

988
00:44:31,800 --> 00:44:36,400
If you could pick one candy when you go trick or treating

989
00:44:36,400 --> 00:44:39,440
that you don't wanna get, what would it be?

990
00:44:40,480 --> 00:44:43,240
Oh, a candy that I do not wanna get.

991
00:44:43,240 --> 00:44:45,080
Oh, geez.

992
00:44:45,080 --> 00:44:50,080
I never liked the candy that was in the wrapped plastic

993
00:44:51,240 --> 00:44:53,600
because it just felt less sanitary.

994
00:44:55,320 --> 00:44:57,120
I was a fat kid, so I still ate it,

995
00:44:57,120 --> 00:44:58,920
but I didn't really like it as much

996
00:44:58,920 --> 00:45:01,040
because it just seems like, you know.

997
00:45:01,040 --> 00:45:01,880
Yeah.

998
00:45:03,080 --> 00:45:04,880
What about a Tootsie Roll or something?

999
00:45:04,880 --> 00:45:06,480
You're not talking about that, but like a...

1000
00:45:06,480 --> 00:45:07,680
Yeah, yeah, like Tootsie Roll,

1001
00:45:07,680 --> 00:45:08,520
like wrapped popcorn,

1002
00:45:08,520 --> 00:45:11,320
like the bag of popcorn somebody made.

1003
00:45:11,320 --> 00:45:13,440
Because someone could unwrap it, do something,

1004
00:45:13,440 --> 00:45:14,520
and then put it back.

1005
00:45:14,520 --> 00:45:17,640
Yeah, yeah, like sometimes I buy that candy at the store,

1006
00:45:17,640 --> 00:45:19,840
and some of them are unwrapped in the bag by accident.

1007
00:45:19,840 --> 00:45:21,960
I don't wanna accidentally get your fingerprints

1008
00:45:21,960 --> 00:45:22,920
in my candy, you know?

1009
00:45:22,920 --> 00:45:24,240
Yes.

1010
00:45:24,240 --> 00:45:26,360
Those are the ones that I'm used to.

1011
00:45:26,360 --> 00:45:28,120
I like the ones where I can press on the bag,

1012
00:45:28,120 --> 00:45:29,080
and it still has the air seal.

1013
00:45:29,080 --> 00:45:30,720
I'm like, this still has the air seal.

1014
00:45:30,720 --> 00:45:31,560
Yeah.

1015
00:45:31,560 --> 00:45:32,400
I don't know who's opened this.

1016
00:45:32,400 --> 00:45:33,240
All right.

1017
00:45:34,240 --> 00:45:37,360
I thought maybe you were gonna say the candy corn thing.

1018
00:45:37,360 --> 00:45:38,440
I know a lot of people.

1019
00:45:38,440 --> 00:45:40,160
Look, again, I was a fat kid, man.

1020
00:45:40,160 --> 00:45:41,200
I loved the candy corn.

1021
00:45:41,200 --> 00:45:42,040
It was just strange.

1022
00:45:42,040 --> 00:45:46,040
I was like, there's a reason why I had weight problems.

1023
00:45:46,040 --> 00:45:49,320
You know, like it was delicious, I'm gonna tell you.

1024
00:45:49,320 --> 00:45:52,440
There's a huge debate on that one.

1025
00:45:52,440 --> 00:45:53,560
I've seen that.

1026
00:45:53,560 --> 00:45:54,400
Yes.

1027
00:45:54,400 --> 00:45:56,160
Whether candy corn's good or not, I haven't seen that,

1028
00:45:56,160 --> 00:45:57,680
but I can imagine, yeah.

1029
00:45:59,400 --> 00:46:00,880
Cool, cool, cool.

1030
00:46:00,880 --> 00:46:03,800
I do have the next one, and this one's simple,

1031
00:46:03,800 --> 00:46:05,200
and for you, Justin.

1032
00:46:07,480 --> 00:46:11,120
If, so classic movie monster,

1033
00:46:11,120 --> 00:46:13,280
which one would you want to be in?

1034
00:46:13,280 --> 00:46:16,200
Why Dracula or werewolf?

1035
00:46:17,320 --> 00:46:20,480
Or if you have another one, that would be nice too.

1036
00:46:20,480 --> 00:46:21,800
I'm glad you gave me a choice,

1037
00:46:21,800 --> 00:46:23,920
because there's, go ahead, David.

1038
00:46:23,920 --> 00:46:25,480
Oh, I just wanted to make sure we verify,

1039
00:46:25,480 --> 00:46:28,560
like Nosferatu, Dracula, or like, you know,

1040
00:46:28,560 --> 00:46:31,160
Dracula where you have like the big cow in the suit.

1041
00:46:32,120 --> 00:46:32,960
Right.

1042
00:46:32,960 --> 00:46:34,600
I guess that would go into my reasons, right?

1043
00:46:34,600 --> 00:46:37,200
Like, if you want to be like,

1044
00:46:37,200 --> 00:46:38,720
Interview with the Vampire vampire

1045
00:46:38,720 --> 00:46:39,560
or something like that.

1046
00:46:39,560 --> 00:46:40,400
Exactly.

1047
00:46:40,400 --> 00:46:42,800
You already do kind of have the werewolf thing going.

1048
00:46:42,800 --> 00:46:44,920
Yeah, no, I was going to say werewolf,

1049
00:46:44,920 --> 00:46:47,480
but yeah, just because it,

1050
00:46:47,480 --> 00:46:50,280
I like to go hiking and go on adventures,

1051
00:46:50,280 --> 00:46:52,040
and it seems like having some of those werewolf powers

1052
00:46:52,040 --> 00:46:55,360
would allow me to get to places that I can't get to today.

1053
00:46:55,360 --> 00:46:56,360
You wouldn't have to hike anymore.

1054
00:46:56,360 --> 00:46:58,040
You can just jump tree to tree.

1055
00:46:58,040 --> 00:46:59,880
Exactly, exactly.

1056
00:46:59,880 --> 00:47:01,480
That's true.

1057
00:47:01,480 --> 00:47:04,920
Well, it's been a great conversation, guys.

1058
00:47:04,920 --> 00:47:06,680
Let me kick it over to you guys real quick

1059
00:47:06,680 --> 00:47:08,640
for any closing remarks, Justin and David,

1060
00:47:08,640 --> 00:47:09,680
that you may have.

1061
00:47:09,680 --> 00:47:12,760
David, I know you have a Secure Access,

1062
00:47:12,760 --> 00:47:14,080
some stuff up on YouTube,

1063
00:47:14,080 --> 00:47:16,880
but anything you want to wrap it up with

1064
00:47:16,880 --> 00:47:19,200
from your personal viewpoint?

1065
00:47:19,200 --> 00:47:20,040
Yeah, yeah.

1066
00:47:20,040 --> 00:47:21,720
If you're interested in seeing me give an overview

1067
00:47:21,720 --> 00:47:23,440
on Secure Access, check out my channel.

1068
00:47:23,440 --> 00:47:26,840
I think it's Decrypt-Ed is the channel name.

1069
00:47:26,840 --> 00:47:29,760
I think it's at security-decrypted or maybe.

1070
00:47:30,840 --> 00:47:32,400
You can tell I'm active on it.

1071
00:47:34,640 --> 00:47:36,040
Keep an eye on Secure Access.

1072
00:47:36,040 --> 00:47:37,400
I mean, it's SaaS solutions.

1073
00:47:37,400 --> 00:47:41,200
Cisco's doing a ton to add features and functions

1074
00:47:41,200 --> 00:47:43,880
to all their SaaS, especially the security ones.

1075
00:47:45,320 --> 00:47:47,240
There's a lot of stuff on the roadmap,

1076
00:47:47,240 --> 00:47:48,560
all of it moving real quick.

1077
00:47:48,560 --> 00:47:51,200
So if there's something that you want to see

1078
00:47:51,200 --> 00:47:53,520
Secure Access doing or able to do,

1079
00:47:54,760 --> 00:47:56,280
there's a decent chance it might get added

1080
00:47:56,280 --> 00:47:57,880
in the next couple months even.

1081
00:47:57,880 --> 00:48:00,440
So reach out to whoever you're engaged with

1082
00:48:00,440 --> 00:48:02,440
on the Cisco side, talk to them,

1083
00:48:02,440 --> 00:48:03,800
look at what's being posted online.

1084
00:48:03,800 --> 00:48:05,440
Like it's moving fast.

1085
00:48:05,440 --> 00:48:07,520
And Justin, I know we'll definitely see you

1086
00:48:07,520 --> 00:48:09,480
on the demo tomorrow.

1087
00:48:09,480 --> 00:48:10,320
Yes.

1088
00:48:10,320 --> 00:48:11,480
But for today's conversation,

1089
00:48:11,480 --> 00:48:13,360
any closing remarks that you have?

1090
00:48:13,360 --> 00:48:14,200
Sure, yeah.

1091
00:48:14,200 --> 00:48:15,720
No, I'll just echo what David said

1092
00:48:15,720 --> 00:48:18,960
is as far as like Secure Access is moving fast,

1093
00:48:18,960 --> 00:48:21,040
you're going to see a lot of things coming

1094
00:48:21,040 --> 00:48:26,040
for clientless ZTA very shortly.

1095
00:48:26,040 --> 00:48:27,560
You're going to see a lot of things coming

1096
00:48:27,560 --> 00:48:29,800
in the way of ISE integrations.

1097
00:48:29,800 --> 00:48:31,320
Some of them are already there today

1098
00:48:31,320 --> 00:48:33,000
that we didn't get to get into.

1099
00:48:33,000 --> 00:48:35,720
You're going to see a lot of enhancements

1100
00:48:35,720 --> 00:48:40,720
in our ability to check the health of identities even

1101
00:48:41,240 --> 00:48:42,960
if you're familiar with how Duo

1102
00:48:42,960 --> 00:48:44,960
and some of our identity health is working

1103
00:48:44,960 --> 00:48:46,400
and be able to apply policy

1104
00:48:46,400 --> 00:48:48,520
and do a lot of very exciting things

1105
00:48:48,520 --> 00:48:53,520
to get closer to that zero trust sort of ideal, right?

1106
00:48:53,520 --> 00:48:55,440
Because zero trust is really a framework,

1107
00:48:55,440 --> 00:48:59,000
it's really a journey and nobody's all the way there yet.

1108
00:48:59,000 --> 00:49:01,080
And I don't know if we ever will be,

1109
00:49:01,080 --> 00:49:04,680
but we're going to start picking it all of the things, right?

1110
00:49:04,680 --> 00:49:06,800
We need to trust the device, we need to trust the user,

1111
00:49:06,800 --> 00:49:08,840
we need to know more about what the user's doing,

1112
00:49:08,840 --> 00:49:11,120
we need to know more about what that device is doing

1113
00:49:11,120 --> 00:49:14,080
so that we know that they are not just,

1114
00:49:14,080 --> 00:49:18,000
should they access it, or not just can they access it,

1115
00:49:18,000 --> 00:49:19,840
but should they access that application

1116
00:49:19,840 --> 00:49:21,680
from that device as that user,

1117
00:49:21,680 --> 00:49:26,680
or should we make more, check them additionally, right?

1118
00:49:27,880 --> 00:49:30,280
Give them a little bit of a sense of what's going on

1119
00:49:30,280 --> 00:49:32,360
and give them a little bit more of a push

1120
00:49:32,360 --> 00:49:34,520
to figure out whether they are who they say they are

1121
00:49:34,520 --> 00:49:35,600
and things like that.

1122
00:49:35,600 --> 00:49:39,360
So all of it's continuing to develop,

1123
00:49:39,360 --> 00:49:40,200
there's going to be,

1124
00:49:40,200 --> 00:49:42,120
there's been a couple announcements over the last two weeks,

1125
00:49:42,120 --> 00:49:43,360
there's going to be more announcements

1126
00:49:43,360 --> 00:49:45,800
towards the beginning of November,

1127
00:49:45,800 --> 00:49:48,000
and then every quarter we're coming up

1128
00:49:48,000 --> 00:49:51,600
with a lot of new stuff, so stay tuned.

1129
00:49:51,600 --> 00:49:53,760
Okay, great, great stuff.

1130
00:49:53,760 --> 00:49:57,920
Andres, for me, the zero trust access in general,

1131
00:49:57,920 --> 00:50:01,040
I'm able to have this solution

1132
00:50:01,040 --> 00:50:03,840
that's giving me the flexibility

1133
00:50:03,840 --> 00:50:07,520
on how I'm going to connect in remotely or on-prem,

1134
00:50:07,520 --> 00:50:09,840
and then having that connected,

1135
00:50:09,840 --> 00:50:12,080
we talked about Cisco being the plumber,

1136
00:50:12,080 --> 00:50:13,720
and I don't have to worry about all the piping

1137
00:50:13,720 --> 00:50:15,120
behind the scenes.

1138
00:50:15,120 --> 00:50:18,280
Just keeping that simplistic approach,

1139
00:50:20,120 --> 00:50:21,720
complexity's the enemy of security,

1140
00:50:21,720 --> 00:50:26,480
and this is, I think, a good product to showcase that.

1141
00:50:26,480 --> 00:50:28,160
The tools, the consolidation,

1142
00:50:28,160 --> 00:50:29,800
a lot of stuff being consolidated.

1143
00:50:29,800 --> 00:50:32,360
David, you were talking about bonus of Umbrella,

1144
00:50:32,360 --> 00:50:34,840
we're talking about Duo, we're talking about IPS stuff,

1145
00:50:34,840 --> 00:50:37,400
so just again, further simplifying all that

1146
00:50:37,400 --> 00:50:39,320
into the one dashboard.

1147
00:50:39,320 --> 00:50:41,600
I don't know what you thought, Andres.

1148
00:50:41,600 --> 00:50:46,600
Yeah, on my mind, the benefits of being on AWS

1149
00:50:46,840 --> 00:50:49,760
and what we're doing right now with our own data centers,

1150
00:50:50,600 --> 00:50:54,360
that's, I guess, we're not expecting that one,

1151
00:50:54,360 --> 00:50:57,720
so it is going to be developing in the future,

1152
00:50:57,720 --> 00:50:59,520
and that's pretty cool.

1153
00:50:59,520 --> 00:51:03,560
The SSL decryption, thank you, David, for that explanation.

1154
00:51:03,560 --> 00:51:07,400
That actually gives us a lot of information

1155
00:51:07,400 --> 00:51:08,800
to share with our customers,

1156
00:51:08,800 --> 00:51:12,720
and the new developments on PLP are also another thing

1157
00:51:12,720 --> 00:51:17,280
that is really cool, and I know I was thinking

1158
00:51:17,280 --> 00:51:20,320
about the user experience, the visibility that we have

1159
00:51:20,320 --> 00:51:24,480
on that user's computer, the connectivity,

1160
00:51:24,480 --> 00:51:28,320
all those things, those are pretty new and super impressive.

1161
00:51:28,320 --> 00:51:32,960
So if you have the chance to take a look at Secure Access,

1162
00:51:32,960 --> 00:51:34,800
I recommend you just going for it,

1163
00:51:34,800 --> 00:51:38,840
and it's a lot of stuff that we're doing into it.

1164
00:51:38,840 --> 00:51:40,840
Good stuff, good stuff.

1165
00:51:40,840 --> 00:51:44,160
Well, Justin, David, appreciate you guys joining us today.

1166
00:51:44,160 --> 00:51:46,000
Great conversation.

1167
00:51:46,000 --> 00:51:48,480
We'll all be tuning in tomorrow, noon Eastern,

1168
00:51:48,480 --> 00:51:51,120
to the live demo of Secure Access.

1169
00:51:52,080 --> 00:51:55,200
You can see the dashboard, see the experience insights,

1170
00:51:55,200 --> 00:51:57,120
I think will be pretty cool, as well as anything else

1171
00:51:57,120 --> 00:51:59,080
you want to show there, Justin.

1172
00:51:59,080 --> 00:52:01,360
So stay secure, everybody,

1173
00:52:01,360 --> 00:52:04,880
and we will see you on the next episode.

1174
00:52:04,880 --> 00:52:05,720
Thank you all.

1175
00:52:05,720 --> 00:52:06,560
Always.

1176
00:52:06,560 --> 00:52:07,400
Thank you.

1177
00:52:07,400 --> 00:52:22,400
Take care, y'all.

