The goal of moving applications to the cloud and integrating with SaaS platforms is to satisfy the growing demand for connectivity to data resources and applications at any time, from anywhere. However, achieving that goal with high levels of Quality of Experience (QoE) for applications depends on the enterprise wide area networks. Managing QoE connectivity among campus, branch, and cloud resources naturally increases network complexity. That translates into an increase in workload for IT teams to keep up with changing prioritization of traffic, network access rules, and data security policies.
But just because a network is complex doesn’t mean it has to be complicated. A Software-Defined Architecture (SDA) is the antidote for complicated. Separating data, control, and management planes makes networks both more flexible and manageable by automating many formerly manual tasks. A significant portion of those tasks are handled by Cisco Software-Defined Access (SD-Access) working at the controller plane level, reducing complexity and improving scalability and mobility of devices and the workforce.
Empowering IT with an Architecture for Access
When people, devices, and applications are located anywhere, automating the onboarding and provisioning of them with the correct access and security policies is paramount to maintaining control and security. SD-Access applies access and security policies generated by network intents. Translating intents into actions is the foundation of Intent-Based Networking, where higher-level business intents create network access and security policies that are automatically applied to devices and people to determine access rights and security privileges.
SD-Access simplifies network management, especially for segmentation and secure access policies, but also for operational consistency, increasing productivity, and a seamless experience. In this post, we will examine the business and security benefits of automating segmentation and access control.
Automation Simplifies Network Segmentation Management
To simplify the complexity of campus-branch-cloud connectivity, SD-Access shifts the workload from IT staff performing routine tasks of onboarding every individual device and managing network configurations, to building intelligence into the network itself. The network learns to manage itself by, for example, automatically onboarding specific device types with pre-ordained security and access policies that follow people and devices across the wired and wireless fabrics, from ground to cloud.
Automating access and segmentation is also critical for the successful integration and security of the Internet of Things (IoT) and the myriad types of devices that are being deployed throughout buildings, campuses, branches, and cloud edge. As sensors, cameras, and edge-processing applications proliferate, they need to be securely added to network segments with tight control over who and what can access them, and with which services they can communicate.
Video cameras, for example, should only communicate with a video server, not an application or web server. Placing cameras and their peer servers in one segment, isolated from other enterprise network assets, is a simple way to secure video devices. As additional cameras are connected, the network recognizes the device type and automatically adds them to the correct segment. Sudden changes in attempts to communicate with resources outside the segment can indicate a takeover attempt by malware, resulting in the network isolating the device and thwarting the malware’s attempt to move laterally through the network.
The business benefits of automating device onboarding are plentiful: eliminating the need to send technicians to remote locations to securely configure devices, denying access to unknown devices so that infections cannot spread, and freeing IT from routine tasks to work on innovative projects.
Enforce Consistent Policies Across the Enterprise
Consistency is key to ensuring people, devices, and data resources all interact according to network policies. For enterprises with many regional locations, it’s common to have instances of Cisco DNA Center for each region to provide location-specific contextual insights for faster issue resolution and capacity planning. That could complicate the consistent application of policies. Fortunately, the regional Cisco DNA Centers can leverage a master instance of Cisco Identity Services Engine (ISE) so that SD-Access can apply access and segmentation policies across each region. With this capability, SD-Access ensures that security and access policies defined by corporate IT are implemented consistently across global networks, while enabling regional control over specific aspects of workforce and device rules.
Segmentation Eases Regulatory Compliance
With all the new privacy regulations coming online across the globe, being able to demonstrate compliance with these rules is paramount to avoiding legal battles and court fines resulting from data breaches. Employing SD-Access to define segmentation to keep private information strictly separated from other business data helps organizations prove they are in compliance.
Compliance with Payment Card Industry (PCI) regulations for protecting payment card information is an example of the business benefits of segmentation that SD-Access can manage. To comply with PCI standards, payment data must be kept separate from every other IT system, access must be limited to specific people and processes, and there must be no external internet connection: the data is contained in a “PCI Island”. SD-Access creates microsegments that isolate every device and application that “touches” payment data, effectively creating virtual PCI Islands wherever they are needed in a global network.
Building this level of segmentation would be difficult with a manual, case-by-case approach. Assigning people and compute resources to a PCI Island security group tag (SGT) simplifies segmentation, helping to maintain compliance, saving time and minimizing rigorous PCI testing. Securing payment and personal information this way also reduces the risk of exposing sensitive data in breaches.
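To make the group-based segmentation described above concrete (cameras that may only reach video servers, a PCI Island with no internet path, and isolation of a device that starts probing other segments), here is an added illustrative model. It is not Cisco SD-Access, ISE or TrustSec code; the device types, group names, permit matrix and the three-destination quarantine threshold are all constructed for this example.

```python
"""Illustrative model of group-based (SGT-style) segmentation policy.

Constructed example, not Cisco SD-Access/ISE code: devices are classified
into groups by type, a permit matrix decides flows between groups (default
deny), and a device whose out-of-segment attempts reach a threshold is moved
to a quarantine group so it cannot move laterally.
"""
from collections import defaultdict

# Constructed group (SGT-style) assignment by device type.
GROUP_BY_TYPE = {"camera": "VIDEO_DEVICES", "video-server": "VIDEO_SERVERS",
                 "web-server": "WEB_SERVERS", "pos": "PCI_ISLAND",
                 "payment-app": "PCI_ISLAND", "workstation": "CORP_USERS"}

# Permit matrix: (source group, destination group) pairs that are allowed.
# Anything not listed is denied, including any path to "INTERNET".
PERMIT = {("VIDEO_DEVICES", "VIDEO_SERVERS"), ("CORP_USERS", "WEB_SERVERS"),
          ("PCI_ISLAND", "PCI_ISLAND"), ("CORP_USERS", "INTERNET")}

QUARANTINE = "QUARANTINE"
DENY_THRESHOLD = 3  # distinct out-of-segment destinations before isolation


class SegmentPolicy:
    def __init__(self):
        self.group = {}                       # device -> group
        self.denied_dests = defaultdict(set)  # device -> denied dest groups

    def onboard(self, device, device_type):
        """Automatic onboarding: the device type determines its segment."""
        self.group[device] = GROUP_BY_TYPE[device_type]
        return self.group[device]

    def evaluate(self, src, dst_group):
        """Return 'permit', 'deny' or 'quarantined' for a flow from src.

        Unknown (never onboarded) devices are treated as quarantined.
        """
        sg = self.group.get(src, QUARANTINE)
        if sg == QUARANTINE:
            return "quarantined"
        if (sg, dst_group) in PERMIT:
            return "permit"
        self.denied_dests[src].add(dst_group)
        if len(self.denied_dests[src]) >= DENY_THRESHOLD:
            self.group[src] = QUARANTINE  # isolate the suspected compromised host
            return "quarantined"
        return "deny"
```

A real fabric would enforce the matrix at the edge switch and feed the denied-flow count to a policy engine; the point of the model is that the decision depends on group membership, not on the device's address or location.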
SD-Access Directly Benefits Business Processes Across Industries
Every industry is moving applications and data to the cloud, some faster than others, but all driven by competitive pressures, operational changes, and regulatory demands.
- Healthcare organizations are methodically moving sensitive patient data to cloud platforms where it can be accessed by healthcare providers distributed across regions, while ensuring that access is strictly controlled and monitored for compliance.
- Pharmaceutical enterprises, which use acquisitions as a growth strategy, use SD-Access to simplify their network operations and the process of integrating IT operations by first segmenting resources during the acquisition process, and then uniting them by changing access policies across the board as the acquisition culminates.
- Government branches, consisting of dozens of agencies, use SD-Access to streamline, unite, and secure wired and wireless network operations among the distributed workforce in offices, branches, and in the field.
- Manufacturing facilities, which have a complex mix of IoT devices, mobile computing, and data center resources, use SD-Access to segment traffic to provide the appropriate SLAs for latency for time-critical manufacturing processes, keep malware from spreading should one device be infected, and provide secure workforce access to the appropriate applications.
- Financial institutions with highly distributed sites use SD-Access—along with SD-WAN—to securely connect branch and headquarter networks while ensuring that sensitive data is accessible only to employees with the appropriate access privileges.
While each industry has its own path for designing and building a software-defined architecture based on SD-Access, ISE, and Cisco DNA Center, most achieve breakeven results in about 14 months, an ROI of 300%, and cost savings of over 52%. In addition, business benefits often reported by Cisco customers are a 67% reduction in network provisioning costs, a 48% reduction in the cost of a security breach, an 80% reduction in the cost of resolving networking issues, and a 94% reduction in the cost of optimizing policies. (Source)
It’s time for your organization to examine how to benefit from software-defined segmentation based on SD-Access.
For more information:
Cisco Software-Defined Access Solution Overview
IDC Report: Cisco SD-Access. A single fabric to support Digital Transformation
Great blog offering vertical use cases for SD-Access
Very thoughtful and good write-up
Indeed, SDA makes complex networks uncomplicated as depicted.