Six Essentials for B2B Email Marketing Success

“That might work in B2C, but we’re B2B,” said my client, as if B2B marketers are from Mars and B2C from Venus. And true, while it sometimes seems that way the good news is we’re both inhabiting planet Earth which is populated by human beings. Luckily human beings – whether they’re receiving email in a business or a consumer context – tend to think and act in remarkably predictable ways.

So now whenever I hear the all too common “but we’re B2B” refrain, I sympathetically respond that whether your company sells to other businesses or to consumers, people are on the other end of your email making decisions about if and how to engage.

Nonetheless, as a B2B marketer myself I am acutely aware of the differences between B2B and B2C. I know the challenges we face specific to email; like smaller email list sizes, longer and more complex sales cycles, business models that don’t (or can’t) support ecommerce, and difficulty in reaching the inboxes of (let alone influencing) decision-makers.

With the business-to-business marketer’s unique distinctions in mind, here are six essentials for B2B email marketing success. As we explore them in more detail, let’s also take a lesson or two from our B2C cousins who’ve paved the way to optimal performance in this powerful marketing channel.

Right Mindset: Long-term Commitment

It’s time for B2B marketers to take the channel as seriously as B2C marketers do. Consumer-facing retailers and ecommerce brands have mastered the use of email to directly drive sales revenue (and a lot of it). Even though the path to sales may be indirect vs. directfor B2B marketers, email goes a long way toward progressing prospects through the sales funnel faster, empowering the customer journey, and strengthening confidence and loyalty. “Taking it seriously” means committing toconsistentintentional messaging, a channel budget, integration with sales, human/agency resources, and strategy while avoiding an on-again, off-again approach.

Think Dialog, not Blast

The days of “batch and blast” email campaigns are long gone (or should be!).B2C email marketers learned this during the fledgling days of marketing automation when they began pioneering “sense-and-respond” emails that were deployed to recognize high-value actions or prevent conversion attrition; like welcome, onboarding, repurchase and abandonment-recovery campaigns. Programs such as these are intentionally designed and sequenced to align tightly with the customer lifecycle and natural inflection points on the customer journey. They mirror a conversation vs. simple one-way communication. It’s time for B2B email to do so as well.

Mine Data for Gold

B2C email marketers have long treated their email lists as a high-value asset, but also know data isn’t limited to merely the subscriber information they collect and campaign response metrics tracked. When married with CDP (customer data platform) and ecommerce data, email subscriber data can be mined for all sorts of nuggets that make segmentation and customization a powerful reality. Gone are the days of one-size-fits-all campaigns. Now that we can identify subscriber segments based on behavior, we can dynamically and intentionally message them to reflect their actions preferences, present ultra-relevant offers and entice with timely calls to action. Today’s more advanced systems, APIs and middleware solutions mean data integration from across multiple platforms is practically seamless and far from the painful tech miasma it once was.

Content is King 

Because of B2B’s longer sales cycles often necessitating prospect nurturing to foster eventual conversion, content marketingplays a more important role in B2B than B2C. Yet even with their often direct route from inbox to sales, B2C emailers know that constant promotional messaging without breaks for education, entertainment and information lead to subscriber fatigue and eventual burnout – or worse yet, complaints. So, content-oriented messages designed more to sell by way of serving are an integral part of the mix. B2B marketers are often content-rich and should leverage and extend their content assets into email. Content like case studies, success stories, white papers, webinars, worksheets, comparison grids, feature lists, and research findings make for excellent subscriber engagement and confidence builders. Plus, interaction with content can be scored to identify hot vs. warm vs. cold leads and segment them for unique and appropriate automated follow-up emails

Personality Please!

Once upon a time, B2B marketing became synonymous with “boring” while B2C marketing was allowed to be edgy, creative and fun. I say no more! B2B email can be just as personality-driven as B2C, and is more memorable and welcomed when it is. Take Phrasee for example (a language optimization AI company). They have a distinct brand personality and tone unmistakable in every one of their weekly email newsletters, down to the emojis in subject lines. If your brand or company has a unique personality – or is known for the personality of your founder (think Steve Jobs and Apple) – your email should be letting it shine. In fact, we need more B2B email with personality and style like this one:

Measure Engagement Every Step of the Way

Finally, B2B marketers must close the loop by measuring the results of all our hard work. B2C marketers invest heavily in accountability and attribution, tracking both basic process and key success metrics like completed CTAs, Average Order Value (AOV), sales, revenue, and repeat buyers. Even if channel attribution is more difficult in B2B than B2C, you still need to know what’s working and what isn’t to generate opens, clicks, completed CTAs and more on a campaign-to-campaign or month-over-month basis. But don’t stop there!

What does engagement mean to you? Is it an open, a click, time spent with content, time on site, a call to a sales rep, or some other measure of response such as time to conversion, # of emails opened/clicked per quarter/year, content downloads? Take the time to define what types of engagement prompted by your email are meaningful measures for you, then keep track of them.

If you’re a B2B marketer, there’s no reason that second “B” needs to equate to “blast” or “boring”. With a little ingenuity and a quick study of your B2C contemporaries, B2B email can be just as relevant, timely, tech-savvy and fun as B2C email. Remember these lessons and challenge yourself the next time you’re tempted to say “… but we’re B2B”.

Continue reading

VXLANv6 – VXLANv-what?

Virtual Extensible LAN (also known as VXLAN) is a network virtualization technology that attempts to address the scalability problems associated with large cloud computing deployments. With the recent launch of Cisco’s VXLANv6, we’ve added the the Cisco overlay, and run it over an IPv6 transport network (underlay). Not only is our VXLANv6 fully capable of transporting IPv6, it can also handle IPv4 payloads, an important distinction as many application and services still require IPv4.

In the near future, VXLANv6 will allow a consistent IPv6 approach, both in the underlay as well as the overlay. With the newly shipped Cisco NX-OS 9.3(1) release that delivers VXLANv6, our customers can take advantage of this new exciting technology today.

In this blog we are going to talk about

◈ A brief overview of VXLANv6

◈ Expansibility and Investment Protection with VXLANv6

◈ IPv4 and IPv6 Coexistence

◈ Where are we going with VXLANv6

Many years ago whenI was struggling to get my modem working, I remember reading that an IETF draft for Internet Protocol version 6 (IPv6) had been filed. At that point of time, the reality of IPv6 was so far away we talked about retirement before we even considered widespread adoption. But as it always is in tech, everything comes around much sooner than one anticipates. While IPv6 had a difficult start, it’s now become a table stakes requirement for Applications and Services.

With Network Virtualization, it became easy to tunnel both IPv6 and IPv4 over the top of networks built with IPv4. In these traditional IPv4-Overlay cases, the Tunnel Endpoint (TEP) as well as the transport network (Underlay) reside in the IPv4 address space. The Applications and Services exist in a different addressing space (Overlay), which could be IPv4, IPv6 or Dual-Stack enabled; v4v6-over-v4 is a common theme these days. In the last few years, VXLAN has become a defacto standard for an overlay as it is employed both as a network-based overlay as well as a host-based overlay. VXLAN as the data plane, together with BGP EVPN as a control-plane, has become the prime choice of deployment for the new-age spine-leaf based data centers.

With the expansion of network virtualization using virtual machine and container workloads, infrastructure resources like IP addresses have to be reserved not only for the applications and services, but also for the infrastructure components itself. As a result, overlap of the IP address space is often seen between the underlay and overlay, given the exhaustion in the uniqueness of RFC1918 addresses.

Below are the top reasons you should care about VXLANv6

Reason 1: One of the most difficult scenarios for overlapping address space is when it comes to network operations, trouble-shooting, and monitoring. The IP addresses used for the management and monitoring of the infrastructure are often required to be unique across the different devices. Also, the IP subnets for the management and monitoring stations have the same requirement, and, there should be no overlap between management and managed devices.The alternative is network address translation (NAT).

Reason 2: The exhaustion of unique IP addresses is just one of many cases that drives us towards IPv6. Other use-cases include government regulation, compliancy demands, or simple ease of infrastructure IP addressing. While we were reviewing the use-cases around IPv6 infrastructure addressing together with the current install base of technology and devices, one simple solution became obvious – VXLAN over an IPv6 underlay or in short VXLANv6.

Reason 3: VXLANv6 allows us to use a well-known overlay technology, namely VXLAN, and run it over an IPv6 transport network (Underlay). In the case of VXLANv6, the VXLAN Tunnel Endpoints (VTEPs) are addressed with a global IPv6 address associated with a loopback interface. The reachability of the VTEPs is achieved by using either IPv6 Link-Local or IPv6 global addressing along with an IPv6 capable routing protocol like IS-IS, OSPFv3 or BGP. Considering the option of using IPv6 Link-Local addressing, the subnet calculation and address assignment can be optimized and the underlay setup duration can be significantly reduced.

In addition to the VTEP and underlay topology and reachability, the overlay control-plane also needs to be IPv6 enabled. This is true in the case of Multi-Protocol BGP, especially with the EVPN address-family, peering, next-hop handling, and exchange of routes has been enabled for IPv6.

At this point, we have not configured a single IPv4 address for the purpose of routing or reachability, neither for the underlay nor for the overlay itself because IPv6 does the job well. Remaining numbering that leverages an IPv4 notation are the fields like Router-ID and Route Distinguisher. Even as these numbers look like IPv4 addresses, they are only identifiers that could be of any combination of numbers.

Capabilities

VXLANv6 and vPC: Connecting Servers Redundantly 

Once the VTEPs are running VXLANv6, the next step is to connect servers redundantly. VPC is the answer. The vPC Peer Keepalive has been elevated to employ IPv6, either on the management interface or via the front panel ports. With VXLAN and vPC, we used the concept of Anycast to share the same VTEP IP address between both vPC members. While in secondary IP addresses are used in IPv4, in IPv6 all the addresses on a given interface are of equal priority. This little detail led us to expand the VTEPs source-interface command to allow the selection of the loopback for the Primary IP (PIP) and the loopback for the Virtual IP (VIP) separately.

There is no IPv4 address configured for the purpose of routing or reachability.With vPC you’re good to go.

IPv4 and VXLANv6: Transporting IPv4 and IPv6 payloads

At this point we probably have some Applications or Services that require IPv4. WithVXLANv6, you can transport not only IPv6, but also IPv4 payloads. The Distributed IP Anycast Gateway (DAG) that provides the integrated routing and bridging (IRB) function of EVPN is supported for IPv4, IPv6, and dual-stacked endpoints residing in the overlay networks. Seamless host-mobility and Multi-Tenant IP Subnet routing is also supported, along with the counterpart VXLAN deployment running over an IPv4 transport network (VXLANv4). Cisco also supports Layer-2 transport over VXLANv6. Broadcast, Unknown Unicast, and Multicast (BUM) is handled through Ingress-Replication (aka Head-End Replication).

With IPv4, IPv6 or both payloads in VXLANv6, we have to somehow make the associated endpoints reachable to the rest of the world. The Border node has the capability to terminate VXLANv6 encapsulated traffic, whereas the decapsulated payload is sent via Sub-Interfaces with per-VRF peering (aka inter-AS Option A) to the External Router. Again, no IPv4 addressing in the infrastructure necessary.

What’s next for VXLANv6?

Overlays went a long way to support IPv6 migrations. Even so, underlays are predominantly deployed with IPv4 addressing. VXLANv6 changes the landscape and allows a consistent IPv6 approach, in the underlay, in the overlay, or wherever you need it.

VXLANv6 is enabled for individual VTEPs, vPC VTEPs, Spines with BGP Route-Reflector, and in the role as a Border node. In the near future, VXLANv6 will use PIMv6 for BUM replication in the underlay and subsequently Tenant Routed Multicast (TRM) over VXLANv6 will become a reality. And, VXLANv6 will be enabled on the Border Gateway (BGW), where our Multi-Site architecture can be used with a complete IPv6 only infrastructure, with new DCNM functionality enabling support for all these newer functionalities for all NX-OS devices.

Continue reading

Network automation: offering choices now key

Since that time, the approach has not evolved much. But some of the solutions available have, as well as moving past the SDN term towards network automation. So it’s a perfect time to revisit the subject and explore some of options now available for turnkey and open source solutions around network automation.

Options for network automation

Every IT organization is at a different stage of their in-house operational expertise and business requirements to execute and deliver IT services faster. Plus, no two network environments are the same. And it’s almost certain that 90%+ of the IT organizations looking to leverage automation, have a current install base they need to support. This is where the approach of offering various levels of network automation is critical.

Figure 1. The three categories of options for network automation.

The various options available can be aligned into three categories (see figure 1) that give IT organizations the power of choice. While the solutions themselves have evolved, these three categories have not. They are:

◈ Prescriptive “turnkey”

◈ Open source/standard tools and API’s with Cisco hardware/virtual network functions (VNF)

◈ Support for Heterogeneous Hardware/VNF Environments.

Prescriptive “turnkey”

The prescriptive “turnkey” options work best for organizations that have a limited amount of automation and programmability skill sets within the operations teams. Cisco’s offerings in this option have a set of common attributes, such as:

◈ Hiding of complex configurations that are typically done via the CLI

◈ Prescriptive on-boarding of new network elements (plug-n-play, zero-touch-provisioning)

◈ Pre-built GUI application

◈ A controlled fabric domain

◈ Some form of analytics and assurance

◈ And an “under the covers” device/fabric configuration which normal operations (CLI) could take days/weeks to accomplish.

Turnkey solutions typically target Cisco-specific hardware/software to allow the simplification of all of these tasks and offerings. Examples of these solutions include Cisco Software Defined-Access (SDA) with the DNA Center controller, Cisco Software Defined WAN (SD-WAN), Cisco Application Centric Infrastructure (ACI) for on-prem data center build-outs, and in the large enterprise and SP space, the recent Cisco CrossWork framework for closed-loop automation.

Open source/standard tools and VNF

Open source/standard tools and API’s with Cisco hardware/virtual network functions (VNF) can be used by those wanting to use Cisco hardware and/or VNF’s, but who prefer to leverage a more open set of controllers (API’s, SDK’s and open source tool sets and applications).

The typical customer using this approach already embraced a NetDevOps model and “do it yourself” mentality within their IT operations team. Plus, they have the in-house expertise to support it on a daily basis. And they are driving Cisco hardware/VNF’s to offer and support a rich set of standard API’s and overall management stack to allow them to leverage this type of NetDevOps approach.

Figure 2. The Model-Driven Manageability Stack

To support IT operations team using this approach, Cisco has created an open source management protocol stack (see figure 2) in some of its new software releases. This gives do-it-yourself type IT operations the ability to configure and collect valuable telemetry from Cisco hardware/VNF’s via third-party API’s (YANG models) and open protocols to/from the Cisco devices.

Leveraging YANG models

The goal of this model-driven protocol stack is to decouple the protocol, encoding and transport options from one another while leveraging the YANG models for both device configuration and telemetry collection. The result is that any application north of the network element has a consistent protocol stack to leverage for development of applications.

For example, an application written in Python can take advantage of the YANG Development Kit for Python (YDK-py) SDK. It leverages gRPC, with GBP encoding, using either native Cisco YANG models or OpenConfig models for configuration and operations of the Cisco device.

The exact same combination can also be used to stream telemetry from the devices to some collection stack, further simplifying the communication channels required. For customers embracing Cisco hardware/VNF’s, but who prefer developing their own applications to configure/modify the devices and collect telemetry, the model-driven management stack offers those capabilities through open source protocols, encoding and API’s (YANG models).

While there are many other open source tools that fit into this category, Ansible is a highly regarded one in the network operations space. This is because it doesn’t require a device agent to communicate with the device, it’s modules are widely available, it’s open source, and it’s viewed by many as a more readable language.

Heterogeneous hardware/VNF environments

The third option, support for heterogeneous hardware/VNF environments, targets customers like those in option two. They’ve embraced the NetDevOps model and have critical in-house expertise to fully support it. They’re able to leverage the exact same approach and capabilities as option two (if all their vendors can support the management protocol stack offerings).

What differentiates this multi-vendor option is the additional need to support an open standard transport (control and data plane) common to all of the vendors in the network. This could include IPv4/v6 and Multiprotocol Label Switching (MPLS) with multi-protocol BGP (MP-BGP), which has existed in multi-vendor environments for years. More recently, E-VPN/VXLAN in data center and campus fabrics, as well as Segment Routing with a Path Computational Element (PCE), is gaining traction in large service capable backbones.

Empowering network automation

As I discussed in the first blog, offering options similar to those above empowers customers with a variety of approaches as their network operations teams transition to automation.

As with any transformational shift of this scale, there are trade-offs to consider; ones that clearly align with the operational skill set of the organization (specifically the DevOps skills they are capable of injecting into their daily operations).

In the end, offering choices to customers as they move down the path of SDN, automation and programmability is, in my opinion, no longer an option but a necessity. But the choices offered should include common ground for supporting automation in a multi-vendor environment. The key challenge will be aligning the options offered by single or multiple vendors to the business needs of the IT organization. Lastly, if your IT organization is new to automation, don’t attempt to boil the entire ocean. Just focus on automating the day-to-day repeatable processes found in your network operations. By doing that, your organization can more quickly gain value from network automation.

Continue reading

Cisco Co-Innovation Centers are Giving Connectivity a Health-Check

Healthcare is something that, at one point or another, touches upon every single person – whether it’s their own health or that of older or more vulnerable relatives.

Yet, across Europe, access to both reactive and preventative healthcare resources is being stretched as a result of people living longer and under-resourcing of health professionals.

One way in which connectivity can help tackle this strain is through allowing more advanced technology to be used, alongside enabling better access to existing technology.

One of the biggest hurdles though is not the lack of this technology, but the high levels of digital exclusion. Despite many people taking things such as the internet or digital literacy for granted, millions of people lack basic skills or access to digital tools.

I believe that everyone should have access to these digital tools as a basic right.

The Digital Exclusion Epidemic

Digital exclusion is the term that we give to members of a society who are unable to access many tools and services that we take for granted. This can affect everything from access to digital resources around health conditions to being able to book appointments online.

Across the continent, 80 million Europeans never use the internet because of the cost, with many of these being vulnerable citizens who would benefit most from access. In the UK, 10% of people have never used the internet, with 4/5 of these being over 65.

This lack of access has a number of negative consequences:

Firstly, individuals are unable to access online resources which could help provide information around existing or likely health conditions. This also rules out advanced services such as remote healthcare provisioning or wearable tracking. This not only limits the individual’s ability to help themselves, but makes them more likely to have to seek help at hospitals or from local doctors.

Secondly, a lack of connectivity makes the job of care workers visiting homes more difficult, as they are not able to do their job as quickly or as effectively. This means that resources are again stretched further. Ultimately, there is a need to shift between the capabilities of health and social care in order to maximise both resources. Look at hospitals for example: they’re already over-populated, including patients who remain on wards as they don’t have the means to be looked after if they return home. We need to be looking at how technology and connectivity can help give patients the same type of care at home as they are receiving in the hospital.

Finally, it’s not just physical health, but mental health as well which is impacted. Digital exclusion means being unable to use social networks or other tools to stay in touch with family and friends.

All of these don’t just have an impact on the individuals involved, but the wider healthcare ecosystem and society as a whole too.

This is not something which can be fixed overnight, but it’s something that can be solved if public health bodies, technology companies, governments and individuals work together.

How We Are Helping

We’re working alongside the government and councils of Suffolk on a project called Connected Together. This is a digital connectivity inclusion project, trialled in Haverhill, Suffolk, which aims to support greater independence through the use of digital services to citizens currently with care and support needs, while also providing quick, secure connectivity for the public sector workers who routinely visit them.

We believe that by installing connectivity for free into the homes that need it most, we can help spark positive changes that will benefit local councils, care workers and those living in the community.

We believe in the power of advanced technology to make a real difference in the future, but we also realise that having basic internet access is the bedrock for this to happen. There is a cost to this, but it’s one that pales in significance to the savings that will be seen further down the line.

Another initiative I’m excited by is the Center of Connected Health established in Cisco’s German Innovation Center, openBerlin. This innovation centre is one of many that we have set up worldwide, with the intention of showcasing digital solutions to complex problems and making those tangible for the healthcare sector.

The role of Cisco’s Center of Connected Health is to demonstrate the innovative ways in which we can connect different healthcare silos with the goal of significantly improving the efficiency and quality of care for care providers and patients at the same time.

It deploys consistent standards to help hospitals, clinics, care providers, insurers and patients securely and responsibly access patient data. In the future we expect to see multiple electronic health record solutions maintained by multiple providers. The real challenge then becomes the ability to securely connect those sources.

By demonstrating and explaining the value of connected health-data solutions, the Center of Connected Health will smooth the healthcare sector’s journey towards digitalisation.

What’s more, in our co-innovation centre in Dubai, we’re continuing to look at the role of connectivity in improving healthcare. The centre provides a test-bed for innovative telemedicine solutions, with an example being an application that allows for a patients’ vitals to be tested and then analysed alongside all other health records. This helps identify the need for medical care more effectively and helps collaboration across the eco-system. Elsewhere, a new Cisco co-creation pilot, developed by the Cisco Saudi Arabia CDA team, has pioneered virtual, smartphone-enabled consultations between patients and physicians.

Solutions such as these will become all the more significant as more and more people in the Middle East and Africa get online for the first time.

If we are to truly benefit from the improved care technology allows us, then we need to make sure everyone has the basic digital tools, abilities and access. Connectivity will allow for better technology and data to be shared, making life better for everyone.

Continue reading

Cisco SX350X and SX550X 10GE Switches for SMB

With cloud, virtualization, internet of things, 11ac and Wifi 6, businesses need a high-performance network to support the growing devices, applications and traffic. 10 Gigabit Ethernet (10GE) may sound like an overkill for small and midsize businesses (SMB) a few years ago, but today it has increasingly become a necessity.

Cisco Small Business team develops networking technologies tailored for SMB. In 2014, we launched our 1st 10GE switch for SMB market. In 2016, we expanded our 10GE switch line to 8 models. And now, we’re bringing our 10GE offering to the next level.

Cisco SX350X and SX550X 10GE Switches

The new offering includes 11 models – 5 in the 350X series and 6 in 550X series. The port density starts from just 8 ports of 10GE all the way to 52 ports. And there is a diverse selection of 10GE copper, 10GE fiber or mixed config models for different use cases. Most importantly, these switches are now more affordable – perfect for SMB to upgrade their network with limited investment.

The switches also come with a bunch of exciting features including

◆ 4 x combo 10GE uplinks for maximum flexibility

◆ Larger packet buffer to handle burst in traffic

◆ Trustworthy systems including secure boot and run time defense for security

◆ Stackable with existing SG550XG and SG350XG 10G switches for investment protection

Embedded FindIT Probe and Cisco PnP Connect

In the recent software updates, we have introduced some exciting new capabilities. These are all to make the deployment and operation of the switches even more intuitive and secure. Download the software updates for your switches at Cisco Software Central.

Why Cisco 100-500 series switches an ideal option for SMB?

SMB loves 100-500 series switches for the following reasons

◈ Simple, easy to use UI – No CLI skill required

◈ Warranty support model – limited lifetime hardware warranty and software updates

◈ No service contracts or licensing required

◈ Everyday affordable price

Continue reading

Managing your SAP Digital Transformation Journey

Digital Transformation.

We’ve heard the words, but have you wondered what it is all about? Digital Transformation is a strategic directive to redefine your business practices and processes to gain competitive advantage. It is all about making the inevitable tide of change work for you, rather than against you. It is also a disruptive force.

Digital Transformation requires a Plan

Amid all the talk of digital transformation, we lose sight that the process of change must be purposeful to have impact. Digitizing marketing content, hiring social media marketing millennials or modernizing your ERP applications is not digital transformation and will fail to yield any measurable advantage without a strategic vision, direction and careful planning.

You need to address where the beating heart of change resides – the data center. The data center is a critical component that factors into making any digital transformation plan successful.

Digital Transformation Requires a Next Generation Data Center

The classic architecture of the data center was primarily silos of design, implementation and operation. There were networking organizations, compute organizations, storage organizations, security organizations, and procurement organizations. The list goes on. And each of these silos was responsible for the operation and interaction with the other silos. This has proved to be very inefficient and created extra lag in the system. In fact, most early cloud adoption happened because data centers took too long to respond to new application demand or new data sources. Cloud adoption was an operational imperative, not a strategic directive for many organizations.

So, to drive digital transformation, the next generation data center has to be all about the Data, and the functionality that will move the data center anywhere the data is.

It’s all about the Data

Traditionally, data centers were built like bastions to protect the crown jewel data assets of the corporation. Security protected the storage vault and the data was replicated across multiple systems for different reporting and analytic purposes. Integrating new data or non-IP data with those crown jewels required a herculean effort. The result was an under performing application delivered far to late to be remotely advantageous. What has become clear is that data center designs based on siloed architectures and 4-walled bastions of data management will no longer work.

A new data center model is needed as executive visionaries drive new business practices. Data will be coming from everywhere and it won’t be curated. It will be public. It will be messy. And there will be a lot of it. Data gravity may shift from the core of the data center to multiple locations forcing a hybrid data center solution.

Accelerated change will force a new generation of application development running concurrent with operations. These applications will be distributed to run closer to their data sources and will be part of a network of applications spread across multiple locations.

Cisco can help you on your Digital Transformation Journey

Cisco is designing the next generation data center for SAP applications. Cisco Validated Designs are focusing on aspects of programmability, automation, operational insights, application performance and security in depth. Each of these aspects will be covered in a series of blogs to help understand the technology and the competitive advantage available to Cisco data center customers.

Hopefully it is becoming evident that gaining competitive advantage for your business is this area requires a plan. It requires comprehensive alignment across all departments in your business, inbound and outbound marketing aligning with product design, manufacturing and supply chain partnerships with greater flexibility and visibility to operations, and finance and accounting systems delivering a competitive advantage where only cost centers existed.

Embrace change. It is inevitable. And Cisco is building the bridge between data and business advantage to help you succeed in your digital transformation journey.

Continue reading

Cybersecurity for Federal Networks: It All Starts with Visibility

A configuration mistake or purposeful mis-configuration is no joke. But it does illustrate how a misconfigured network can quickly become a security event (or it may already be one and your team does not know it). But how do you distinguish normal network activity from abnormal? Without visibility into every corner of the network (including the virtual world of the data center), and some ability to compare current vs. baseline, it can be extremely difficult and there may be many “little events” that remain hidden to you.

Deeper network visibility enabled

This story does raise the question, how do you enable the benefits of deeper network visibility? That capability is provided by Cisco Stealthwatch. It enables you to strategically analyze the collective telemetry from NetFlow and IP Flow Information Export (IPFIX), two protocols every network device can export (see figure 1).

Figure 1. Stealthwatch collects NetFlow and IPFIX from every network device for Visibility.

You can also add value to your data center through Cisco Tetration. It provides unmatched visibility into behavioral deviations, whether terrestrial or cloud-based. While “behavioral visibility” is a bit different than the visibility discussion so far, it is critical to the protection and operation of the modern data center. A good example is one we saw recently with one of our customers, where a seemingly insignificant and otherwise undetected data stream out of the data center turned out to be a command and control channel. Thankfully for the customer, Tetration uncovered the threat in less than 30 seconds.

Deeper visibility + identity = attribution

Visibility in modern IT networks must go beyond the mere identification of packet flows. User identity should also be linked to packet flows wherever possible. Look at it this way, if you want to reach max visibility, think:

Visibility + Identity = Attribution

With attribution, you can see unexpected or undesired network behavior, plus you can link that behavior back to individual actors on your network. It is no longer just “some machine that did something weird.” Instead it is a concrete action with a concrete identity: such as “RedGuy” at “3:20pm” reached out to a “Command and Control” site (whether he meant to or not), becoming patient zero for your next computer epidemic.

The power of deeper visibility into your network

To help illustrate the power of deeper visibility on your network, consider another actual event we can all relate to. A contractor (let’s call him BlueGuy) goes to work. It’s Saturday and the office is empty. In the quiet loneliness all around, he begins downloading terabytes of data from another site. This continues, with downloads sprinkled throughout the day. Some may consider this suspicious behavior.

On most networks this might go unnoticed. But as Stealthwatch observes network activity in its entirety, it understands this behavior is not normal, based on previous baselines. As a result, this behavior is considered excessive. As Stealthwatch constantly monitors all the network transactions, it detects BlueGuy’s activity and it reports on it. In its communication with the Cisco Identity Services Engine (ISE), individual identity is assigned to the network data flows, and attribution is achieved. BlueGuy is busted.

Initially, it may seem that no good can come of this type of network activity. But upon further investigation, it turns out that BlueGuy uses the office on weekends to study for his Cisco CCNA. While he does this on his own time, he must do so from the office network because the courseware is on a corporate network at another site (this explains the enormous data exchanges). So it is revealed as a harmless event, rather than a massive data breach. Yet the entire episode would have remained unknown without complete network visibility. What if it had been a breach? Would your network have seen it?

SGTs, NetFlow, IPFIX and the world of packet flow

In this latest example, the two primary tools used are Cisco Stealthwatch and Cisco ISE. ISE adds attribution to the NetFlow/IPFIX packet flow collected by Stealthwatch. With Scalable Group Tags (SGTs), ISE tags all packets as they enter the network. SGTs can be used for both identification and enforcement anywhere in the network.

Of course, Stealthwatch sees all packet flows via NetFlow/IPFIX and performs analysis based on all network data, including the SGTs. Individual attribution is achieved via pxGrid communications between Stealthwatch and ISE. These results can then be presented to an administrator for disposition, including quarantine (see Figure 2).

Figure 2 – ISE adds Attribution to the Visibility story.

What about firewalls?

You may have noticed in both Figures 1 and 2 there are far more network devices than there are security devices. This is typical in any network. However, both visibility and attribution must rely on the entire network fabric to assist with the goal of complete visibility.

As you can see in the diagrams, putting your faith in security devices alone for visibility can fail (or certainly fall short). While the deployment of additional firewalls (or other assorted security devices) may add more points of visibility, no number of firewalls can achieve what you can by using the entire network as a sensor.

The Zero Trust wasteland

When it comes to securing Federal government networks, a few Zero Trust models have emerged recently, along with the thought that a network should be viewed as an untrusted wasteland of packet freeways where all security should focus on data. But it would be unwise to simply dismiss the incredible power of identity and visibility combined (attribution).

For IT leaders, the track record is clear: controlling entry and monitoring activity of users in the corporate/government network is the best way to track offensive behavior or bad actors. This approach can give you the capability to control, or even eliminate, threats before they reach your data.

Or, to relate it in everyday language, when we let strangers into our homes, we don’t pause and quickly weld the refrigerator door shut and disable the WiFi. Instead, we use common sense: screening them before they enter, watching their behavior as they do so and ensuring their actions inside our home are acceptable. If they do take a peek into our fridge, we may trust (thanks to attribution) that they are not necessarily going after the last of the cupcakes. But if they do, we’ll be ready.

Continue reading