
Secure connections in the cloud

Secure connections in the cloud – utopia or Cisco+ Secure Connect technology? Well, the latter. Cisco has packaged its cloud-based technologies for securing network traffic into the Meraki portfolio, and I recently had the privilege of exploring and testing them there. In this context, Cisco talks about SASE (Secure Access Service Edge) and refers to Zero Trust architecture in its terminology. So what is it really about?

Network usage is changing – and so must security!

I have witnessed a market disruption where various organizations are increasingly utilizing only SaaS services, gradually abandoning more and more services published in their own environments. When I heard that Cisco’s security technologies would arrive in the form of Secure Connect services for the Meraki portfolio, I took our own FullCloud model as the starting point for our review, because when we are fully in the cloud, security must be approached from entirely new perspectives. Scanning network traffic for threats within one’s own network is largely a wasted effort today, as employees often work from locations not typically anticipated by management.

As I hinted in my previous blog post in the spring, in addition to the AnyConnect VPN application, Cisco offers interesting Umbrella-based security technologies for protecting network traffic at the endpoint level. These have now been renamed and packaged into Cisco+ Secure Connect services, bringing alongside Cisco Duo’s access verification and new Zero Trust Access (ZTA) traffic, which is a complete leap to the next level in VPN technologies compared to AnyConnect. When this entire package is integrated into Meraki cloud management as a subscription-based service, we are talking about something interesting. You manage remote access and security according to your Zero Trust architecture from your network device cloud management, for the protection of your end-users. You also publish your own private applications for secure use. You enable secure remote access, without traditional VPN connections that need to be manually activated.

FullCloud model?

When we are fully in a cloud model, why on earth do we need this type of Zero Trust Access VPN technology approach? Practically, we don’t. A fully cloud-based existence can be implemented with practically the lightest Cisco+ Secure Connect license level, where endpoints are protected by Umbrella’s DNS-based technology. At its basic level, this is a completely sufficient additional protection for the majority of companies operating purely with cloud services. At least I personally prefer to implement the Zero Trust architecture in the Microsoft cloud and manage cloud service access there. There is no need to duplicate efforts.

What if one wants a bit more protection for this cloud traffic? Umbrella can also decrypt SSL/TLS traffic and inspect it more deeply. In this case, the endpoint’s traffic is routed through Cisco’s cloud, which acts as an intermediary for inspection. An Umbrella root certificate installed on the endpoints lets Umbrella terminate the SSL session on Cisco’s cloud side, inspect the content, and forward the traffic re-encrypted to the endpoint. This enables a more detailed examination of traffic content, blocking malicious content and threats.

With the same Umbrella rules, the decrypted SSL traffic can also be used to test the “Tenant Control” features, if one wants rules that restrict which instances of a cloud service may be used, with data loss prevention in mind. However, I found it detrimental to restrict usage solely to my own Microsoft 365 tenant, as it immediately caused issues with guest access to other organizations’ cloud services. This immediately showed that excessive security can also be cumbersome and increase maintenance, but perhaps it works for some organizations for whom restricting usage is vital?
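To make the guest-access caveat above concrete, here is an added example (not Cisco’s, Umbrella’s or Above IT’s code) that models what a decrypting cloud proxy does when tenant control is enabled: it injects Microsoft’s documented tenant-restriction headers into decrypted sign-in traffic, which is why the feature depends on SSL decryption, and an allow-list holding only the home tenant blocks sign-ins to partner tenants. The host and header names are Microsoft’s tenant-restrictions mechanism; the tenant IDs, domains and allow-lists are constructed, and the assumption that Umbrella implements tenant control this way is mine.

```python
from __future__ import annotations
from dataclasses import dataclass

# Microsoft sign-in endpoints on which tenant restrictions are enforced
# (documented by Microsoft; the proxy only needs to touch these hosts).
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}


@dataclass
class TenantControlPolicy:
    home_tenant_id: str        # directory ID of the tenant that owns the policy
    allowed_tenants: list[str]  # tenant domains/IDs users may sign in to

    def apply(self, host: str, headers: dict[str, str], decrypted: bool) -> dict[str, str]:
        """Return the headers the proxy forwards for one request.

        Without SSL decryption the proxy cannot see or modify the HTTP
        headers, so the request passes through unchanged (no tenant control).
        """
        out = dict(headers)
        if not decrypted or host.lower() not in LOGIN_HOSTS:
            return out
        out["Restrict-Access-To-Tenants"] = ",".join(self.allowed_tenants)
        out["Restrict-Access-Context"] = self.home_tenant_id
        return out

    def permits(self, target_tenant: str) -> bool:
        """Would a sign-in to target_tenant survive the injected restriction?"""
        return target_tenant.lower() in {t.lower() for t in self.allowed_tenants}


def guest_access_report(policy: TenantControlPolicy, partner_tenants: list[str]) -> dict[str, bool]:
    """Map each partner tenant a user is a guest in to whether sign-in is still allowed."""
    return {t: policy.permits(t) for t in partner_tenants}


# Constructed sample values: a home tenant and two partner tenants the users are guests in.
HOME_TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder directory ID
HOME_DOMAIN = "home-tenant.example"
PARTNERS = ["partner-a.example", "partner-b.example"]

# Strict policy from the blog post: only the home tenant is allowed -> guest access breaks.
STRICT = TenantControlPolicy(HOME_TENANT_ID, [HOME_DOMAIN])
# Mitigation: explicitly allow the partner tenants guests need (more to maintain).
RELAXED = TenantControlPolicy(HOME_TENANT_ID, [HOME_DOMAIN, *PARTNERS])
```

Calling `guest_access_report(STRICT, PARTNERS)` returns False for every partner tenant, while the relaxed policy returns True, which is exactly the maintenance trade-off described above.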

Hybrid model?

What if there were internal or external network services to which traffic should be securely enabled and connections ensured according to the organization’s security requirements? And how does all this integrate into the Meraki environment and remote access traffic? Well, this is the broader use case where that new Zero Trust Access model is needed. With it, private destinations can be published from one’s own environment. Traffic to these may require Zero Trust architecture-compliant observations regarding user rights and the communicating endpoint. Traffic is securely allowed from anywhere into one’s own networks – or alternatively, to one’s own services located in the external network.

A device-independent, browser-based remote connection is also available – essentially a reverse proxy implementation that enforces secure login and the policies you define for browser requirements. The good thing about this is that it is delivered entirely as SaaS, without any intermediary servers in your own environment. And when we talk about the next-generation Zero Trust Access VPN solution, we are talking about interesting technology where traffic is isolated per service into its own micro-tunnels and handled Zero Trust-style one service at a time. The end-user no longer needs to manually activate any VPN tunnel. Everything should work automatically on the endpoint according to the defined policy, with the security posture holistically considered and verified by Duo. In my opinion, this is the future of hybrid remote access.

For Your Specific Needs!

In recent years, various SASE solutions have become available from several different manufacturers. For example, in addition to these Cisco solutions, Microsoft’s Global Secure Access solution is available, not to mention other manufacturers. So how does one identify the best remote access and network security solutions for their own needs? This is a good question that should be considered with your current solutions in mind. If your organization already uses Cisco Meraki-based networks and SD-WAN technology, and there is a need to enable secure access to internal network services, the solution may be quite clear. Similarly, Umbrella provides excellent and almost indispensable additional security for small organizations that utilize purely cloud services. The subscription-based nature speaks in favor of Cisco+ Secure Connect. At its best, you don’t need a single Cisco device in the background and can utilize the technology supported by Cisco’s cloud. On the other hand, the technology also flexibly supports devices from other manufacturers in terms of remote access, so it is often worth investigating.

Different needs should always be approached on a case-by-case basis, and in that, we want to support your IT departments with our experience. Sometimes the solution protecting and isolating usage can be an Azure cloud virtual desktop, other times a light Umbrella is sufficient to increase daily network security on a DNS basis. Please also note that when implementing various security solutions, data protection and legal-technical aspects must always be considered, which I did not want to address in this blog post. But when you are considering remote access solutions and want to do things a bit more modernly and securely, reach out to us, and let’s together figure out the best overall solution to support your organization.

Above IT is a partner and resource for IT departments. As our client, you receive genuine expertise regarding network security solutions, based on our strong experience. So click the button below and book a short meeting, and we can map out your needs.
