Securing Remote and Mobile Workers the Webex Way

In this unprecedented time where remote work has expanded and become the norm – Webex continues to innovate to give our customers the tools they need to keep their remote workers secure – whether they’re on the go on their personal mobile devices or safely working from home using company managed devices.

New Mobile Security and Granular Controls

Mobile Webex IT Administrators have been clamoring for more granular policy enforcement tools and also more integrations with their existing tool sets. To solve for both of these, Webex now has integration with Microsoft Intune Mobile Application management, including:

◉ Passcode/Touch ID

◉ Document sharing

◉ Preventing application backup

◉ Disabling screen capture

◉ Enforcing Application Encryption

◉ Disabling Copy and Paste

◉ Remote Application Wipe

And for those customers who aren’t using Intune, Webex allows them to secure the Webex mobile apps by self-wrapping it with their preferred Mobile Application Management solution SDK by providing app binaries.

In addition, Webex now supports AppConfig – the industry standard for Mobile Application Management. Customers can deploy several policies like disable copy and paste across virtually any MDM solution.

Finally, Webex is continuing to augment native Control Hub Mobile Application Management controls and just released a capability to block message notifications on mobile screens to prevent against data loss on unattended devices.

Securing Your Remote Workforce with Granular Tools 

Another capability that we’ve added blocking file share for groups. For instance, you may have a group of contractors in your company and you don’t want to run the risk of your contractors sharing sensitive data files from their desktop – so now you set up policies for groups from sharing their files – based on their group classification in your active directory. Using Cisco Directory Connector – Webex administrators can get group information directly from their active directories – directly from the Webex Control Hub. They can set up groups of people – like contractors vs. employees; investment bankers vs. retail bankers; or groups of those who provide patient care vs. those in financial administration.

Figure 1 – Active Directory groups in Webex Control Hub

Without having to back to their active directories – Webex admins can:

◉ View all active directory groups

◉ Search for a specific active directory group

◉ View all members in an active directory group

◉ View group attributes like usage, type, owner and number of members

Webex Control Hub gets this information by syncing with the customer’s active directory. And customers can choose how frequently they sync and when and what to sync. This is such a streamlined workflow for customers who are accustomed to having to sync by individual user. And we’ll be adding new security controls based on Active Directory groups in the future.

Additionally, Webex Admins can:

◉ Control file upload control or file upload and download control

◉ Only allow people to upload when they are on the corporate VPN network

◉ Define their network location by IP range and IP addresses – and they can enable file sharing restrictions based on those addresses & ranges

New Webex Space Classifications

Webex space classifications can help enable companies to safeguard content by labeling spaces and then having 100 characters of explainer text for each.

Figure 2 – Webex Teams space classifications

Webex administrators can set up any five labels that they want within Control Hub.  Many companies will elect to set their policies around security – for instance:

◉ Public

◉ Private

◉ Confidential

◉ Highly confidential

◉ Restricted

And then the creator of the space would label and add up to 100 characters of explainer text for each space he or she creates.

Additionally, Webex administrators can build data loss prevention policies in their Cloud Access Security Broker – using the APIs that Webex provides – for instance – they could prohibit file uploads in a space that’s classified as “Top Secret.”  Or they can set up policies for when users collaborate with someone outside of their company – and those external users will get an alert that the space they are entering has a classification.

Users also have the ability to elevate the space classification – but they can’t lower the space classification. For instance, if someone in a space starts introducing confidential information in a public space, the creator or space owner could change that space classification to “confidential.”

Unparalleled Security for Remote Work

Whether it’s the ability to secure mobile devices so users can safely use Webex on the go, or granular tools to prevent data leakage – Cisco has unparalleled security to secure your remote work force.

Continue reading

Introducing Stealthwatch product updates for enhanced network detection and response

We are very excited to announce new features of Cisco Stealthwatch! With release 7.3.0, we are announcing significant enhancements for the Stealthwatch Administrator and the Security Analyst to detect and respond to threats faster and manage the tool more efficiently.

Automated Response updates

Release 7.3, introduces automated response capabilities to Stealthwatch, giving you new methods to share and respond to alarms through improvements to the Response Management module, and through SecureX threat response integration enhancements.

New methods for sharing and responding to alarms

Stealthwatch’s Response Management module has been moved to the web-based UI and modernized to facilitate data-sharing with 3rd party event gathering and ticketing systems. Streamline remediation operations and accelerate containment through numerous new ways to share and respond to alarms through a range of customizable action and rule options. New response actions include:

◉ Webhooks to enhance data-sharing with third-party tools that will provide unparalleled response management flexibility and save time

◉ The ability to specify which malware detections to send to SecureX threat response as well as associated response actions to accelerate incident investigation and remediation efforts

◉ The ability to automate limiting a compromised device’s network access when a detection occurs through customizable quarantine policies that leverage Cisco’s Identity Services Engine (ISE) and Adaptive Network Control (ANC)

Figure 1. Modernized Response Management module with new response action options

SecureX threat response integration enhancements

Get granular and be specific with flexible rule configurations that provide the ability to:

◉ Define which alarms from Stealthwatch are shared with SecureX threat response

◉ Base shared alarms off multiple parameters, such as alarm severity, alarm type, and host group

◉ Share alarms from mission critical services with the ability to define incident confidence levels, how target objects are formed, and rule conditions based off targets created for internal or external hosts

Figure 2. Customize which alarms are sent to SecureX threat response by severity

SecureX platform integration enhancements

Cisco’s SecureX platform unifies visibility, centralizes alerts, and enables automation across your entire security infrastructure on a single dashboard. Maximize operational efficiency, eliminate repetitive tasks, simplify business processes, and reduce human errors by:

1. Automating responses with pre-built workflows through SecureX’s orchestration capabilities

2. Creating playbooks with all your integrated security tools through SecureX’s intuitive interface

Figure 3. SecureX’s pre-built workflows and customizable playbooks

Enhanced security analytics

As threats continue to evolve, so do the analytical capabilities of Stealthwatch to deliver fast and high-fidelity threat detections. The cloud-based machine learning engine (Cognitive Intelligence) has been updated to include:

◉ New confirmed detections

◉ New machine learning classifiers for anomalous TLS fingerprint, URL superforest, and content spoofing detections

◉ Smart alert fusion in the new user interface (currently available in beta)

◉ New Stealthwatch use cases including Remote Access Trojan and Emotet malware detections

Figure 4. An example of the new content spoofing detector classifier in action.

Figure 5. Stealthwatch’s new GUI with smart alert fusion.

Easier management

Web UI improvements

Don’t let the setup process slow you down! Optimize installation with web UI enhancements that reduce deployment time and support full configuration of (both?) the appliance and vital services before the first reboot to save time.

Flow Sensor versatility and visibility enhancements

Get visibility into more places than ever before through ERSPAN (Encapsulated Remote Switch Port Analyzer) support now added to Flow Sensors. Benefits include:

◉ Visibility improvements through the ability to see within VMware’s NSX-T data centers to facilitate Flow Sensor deployment and network configuration

◉ Removed requirement of direct physical connectivity

◉ ACI traffic monitoring from Spine and Leaf nodes

Continue reading

Teleworker Solution Using OEAP on Catalyst 9800 WLC

As knowledge workers continue to work remotely, work from home has rapidly escalated from one of many remote work options to “the remote work option”. For Network Administrators, this means enabling employees with the basics –  laptops and corporate network connectivity, and optimizing application delivery despite unpredictable network performance due to bandwidth contention and latency. This can also result in increased tech support calls from the end-user complaining about the VPN connectivity and poor network performance.

Cisco’s OfficeExtend Access Point (OEAP) allows a Network Administrator to extend the secure, scalable, and manageable corporate WLAN across the internet to the Teleworker’s (employee’s) home. This allows the Teleworker to securely connect back to the private network from their home simply using their regular wireless profile and not having to set up a VPN or other type of remote access.  Remote users will be able to connect, have access to corporate resources, and “feel” just like they are connected to the wireless network at the corporate office.

The ease of work from home for employees should not come at a cost of increased administrative load and pre-configuration of access points for network admins. To address this, Cisco’s Office Extend feature makes the remote work option seamless for employees as well as for network administrators using zero-touch deployment.

The simple architecture of OfficeExtend consists of the remote site and corporate office components. The remote site is the home network of the Teleworker and consists of a home router and Cisco’s OfficeExtend Access Point. The Office component consists of Cisco PnP cloud and Catalyst 9800 Wireless LAN Controller.

Cisco OfficeExtend architecture.

How does it work?

Cisco’s Teleworker Solution using OfficeExtend AP focuses on zero-touch deployment and significantly reduces the extra efforts of employee-specific access point configuration. The network administrator does not have to preconfigure the access points and it can be directly shipped to the Teleworker’s home with no configuration. Teleworker will just need to power up the Cisco AP and connect it behind the home router. The AP will boot, connect to the corporate Wireless LAN Controller (WLC), and will start broadcasting the corporate wireless network at the Teleworker’s home.

Admins can use Cisco’s Network Plug and Play (PnP) to provision the AP’s. On the PnP cloud, admins will have the profiles defined for AP’s based on the AP serial number. The controller profile has information about the primary and secondary IP address of the corporate WLC. The admin can simply import the AP serial numbers using a CSV file and assign them a controller profile.

Workflow for Cisco Teleworker Solution using OfficeExtend AP.

Let’s explore the workflow in detail. After initial boot up, the AP will get the IP address from the home router and connect to the PnP cloud at software.cisco.com. When the PnP cloud receives redirection requests from the AP, it will check for the serial number, assign controller profile, and send the details of corporate wireless controller’s IP address to the AP.  The AP will then use this IP address to form a secure CAPWAP tunnel with the corporate WLC.

Once the Control and Provisioning of Wireless Access Points (CAPWAP) tunnel is formed, the AP will download the latest available software and all the advanced configurations from the corporate WLC. After the AP joins the controller as OEAP it will start broadcasting the corporate wireless network at the Teleworker’s home. The teleworker now can connect to this wireless network using secure enterprise authentication, and access the corporate resources and the internet. To make sure that unauthorized AP’s should not join the corporate WLC, the admin can enable the AP authentication on WLC.

What are the Added Advantages of OfficeExtend AP over VPN?

The OfficeExtend establishes a secure Datagram Transport Layer Security (DTLS) connection between the access point and the controller. With simple onboarding, the end-user does not need to install any VPN software and can connect multiple devices to the corporate network. Having corporate SSID broadcasted at home makes it easy to connect and eliminates the need to ever sign on to a VPN.

Advantages of OfficeExtend AP over VPN.

How does the Teleworker Solution Benefits Network Admin and Teleworker?

Teleworker:

Cisco OfficeExtend AP provides the highest level of security and enables the deployments of additional hardware such as Cisco IP phones. This effectively creates a small office for the employee giving them all the access they will expect while at the office. In addition, the solution allows spouses and children to access the Internet, using custom personal SSID, without introducing additional security risks to corporate policy.

Network Administrators:

By using the same management, operations, and infrastructure as the corporate WLAN, the OfficeExtend solution simplifies the process of extending real-time, high-performance network services to remote locations. Network admins have more control and visibility which helps in troubleshooting any connectivity issues from the Teleworker side and gives them the ability to differentiate issues between ISP versus corporate. Admins do not have to define new security policies and the existing Cisco TrustSec policies can be extended to have a more secure network.

Recommended Products for Teleworker Solution on IOS XE Software 17.3.1 release:

Teleworker Solution on IOS XE Software 17.3.1

Continue reading

Cisco User Defined Network: Defining the Boundaries of Your Network

Networks are the roadways that connect and allow communication to occur between our devices. We take several aspects of our home network for granted. On our home networks, we can have smartphones, personal computers, smart TVs, smart internet-connected video playback devices (i.e., Apple TV and Google Chromecast), and much more. And there’s something unique that our personal home network allows us to do with these devices. It builds routes — paths for data to communicate amongst the various devices — and only amongst the devices on that network. Pretty simple, user-friendly, and convenient stuff, right?

Let’s discuss a specific use case: sharing content from an iPhone to an Apple TV. If we want to share content from an iPhone to an Apple TV, it starts by simply clicking on the AirPlay icon on an iPhone; which allows us to view the Apple TV that may be on our network. This is because our private home network realizes which devices are connected to it, and it is maintaining that information in cache, allowing for quick streaming access from the iPhone to the Apple TV. At home, with just one SSID — of course, you may have more in your particular setup, for example, an additional Guest SSID, but let’s assume we only have one for our scenario — we have simplicity because we’re able to see and utilize the particular link-local-multicast-based protocols (like mDNS based AirPlay) that the smart-devices allow. We can use these services securely and seamlessly on our private network.

That means a neighbor cannot cast to the Apple TV that resides on my personal network from her iPhone unless she joins my home network. Amazing right? And that’s how it should work. Our home network is where we get to define who gets to utilize the functionalities that our smart devices offer.

But now let’s take that same use case and place it into a different setting: we have a university student named Eddy, living at the campus dormitory at his university, with multiple smart devices, including an iPhone, MacBook, Apple TV, gaming console, printer, and more. Just like Eddy, there are many other students in the dormitory that also have smart devices. But there’s only one SSID for Eddy and all the other students to connect to; and all of Eddy’s smart devices (and also those of others) are all connected to the same SSID. Which is fine. Everyone gets to have routes to the internet and can stream content.

So far, so good. But there’s a caveat now. When Eddy tries to AirPlay from his iPhone, not only does he see his own Apple TV, but he also sees all the other Apple TVs connected to his dormitory’s SSID (see Figure 1). He can cast content to his, or any of the other Apple TVs on the network. This can be a problem as there is no ability to control who uses whose personal devices.

Figure 1: Multiple AirPlay sources available for use on a large network.

This is where Cisco User Defined Network (UDN) comes into the picture. With the Cisco UDN solution, networks (even those with the largest pools of devices within the same SSID) can be segmented into smaller, defined networks that allow for users to privatize their smart-device use. For example, in terms of a university dormitory, we can segment the network, so each student is only allowed to use mDNS services amongst their own devices. This way, Eddy’s next-door roommate Mary won’t be able to cast to his Apple TV, and in turn, Eddy won’t be able to cast to hers—while all being connected to the same SSID! Each student will have their own private network, their own unique UDN (see Figure 2). But that’s not all. With the Cisco UDN solution, additional privileges can be assigned so others can use someone else’s smart devices as guest users—which we will discuss later in this blog. It is truly a smart method to privatize and secure your personal set of smart devices on a large enterprise network.

Figure 2: University dormitory network with multiple users.

Your Network, Defined by You

Cisco User Defined Network allows for the segmentation of a large network into smaller pieces, providing for a similar experience to that of a private home network. Cisco User Defined Network’s main intent is the ability to privatize and secure any individual’s set of devices, within a large, centrally switched network.

Privatize

With Cisco UDN, Eddy (see Figure 2) is the only person who has access to his devices. Therefore, Mary and John will not even be able to view the particular devices that Eddy possesses. If for example, they try using an mDNS service, they will be restricted to being able to view and use only the devices on their personal UDN. Now, Eddy can be at peace in knowing that no one will accidentally (or intentionally) try to cast or share content to his devices without his permission. He has created a private network around his set of devices.

Secure

With the ability to be private comes the benefit of security. As Mary cannot share content with Eddy’s devices (without his consent), he has the additional peace of mind of security. This of course, is in addition to the standard security measures taken by the dormitory’s network!

Getting Started

From a user perspective, the only aspect that is required for the Cisco User Defined Network is the Cisco UDN mobile app, and some information from the smart devices that are to be onboarded onto the network (see Table 1). The solution is built with simplicity in mind. Device on-boarding can happen without even being on the network on which the UDN will reside! In our university example, Eddy can onboard his devices to his university’s network and have his UDN created before he even arrives to the location.

*In most cases, the MAC address information will not be required, as the Cisco User Defined Network mobile app will be able to retrieve this information by scanning the home network on which the smart device resides.

The Onboarding Process

The user will download the Cisco UDN app on their smartphone or tablet, and from there will be able to log into the application using the credentials provided to them from their organization’s network administration team. For example, upon signing into the mobile app, Eddy will have the ability to on-board devices using multiple methods: (1) scanning the network for all the devices connected to the network and selecting which ones he would like to onboard or (2) manually adding the information for the device(s) he’d like to onboard by either doing a camera scan for the MAC addresses or by physically entering the MAC address of the device(s) into the Cisco UDN app.

Device Sharing with Guests

Not only can we utilize and use the personal devices we have allocated within our created User Defined Network, but we also have the ability to invite guests and provide access to others to utilize the devices on our personal UDN. This is also done through the Cisco UDN mobile app.

Let us assume that Eddy and John are friends and would like to play video games together on their gaming console. Or let’s say that John has a smart speaker and wants to bring it to Eddy’s dorm and allow for Eddy to also be able to cast music from his personal phone to that speaker. Eddy can invite John to his personal UDN, allowing John the ability to use the devices on Eddy’s UDN. And once John leaves Eddy’s room, Eddy can then remove John from his UDN with just a touch of a button—reclaiming control of his devices. Which is awesome!

Monitor and Control

Not only can devices and guests be added to a specific UDN using the Cisco UDN mobile app, but monitoring and maintenance of the UDN is also a great functionality allowed through the Cisco UDN app. A user can view all the devices on their UDN, see their information, add more devices, reclaim the devices that may be on a different UDN, and remove devices that they don’t want on the UDN as well. With Cisco’s User Defined Network, the privatization, security, and control of one’s own network has never been easier.

Continue reading

Why You Should Renew Your Cisco DNA Software Subscription for Access

As Cisco releases new enterprise networking devices, such as switches, routers, and wireless solutions, you can always count on us to be on the cutting-edge of technology. Capabilities are steadily increasing and improving, and, in today’s devices, this is made possible through software. In the past, devices were mostly static, meaning that the capabilities were built into the hardware where they live and die with the device. Our current Cisco DNA solutions, like our Catalyst 9000 series switches, are completely software-defined, with innovative features in security, policy, assurance, and ease of use. These new features rely on two software components: The software stack which resides on the device, and the software within the network controller which is the orchestrator for the intelligence of today’s intent-based networks.

Why do we need software-defined devices? Networks are becoming more complex as people are connecting through many different applications in the cloud. Let’s look at the healthcare field as an example. Internet of Things (IoT) in healthcare is about using networking technologies to connect life-saving medical devices and applications, which enables machine-to-machine communication and connection, to the cloud. Delivering an intelligent zero-trust network for these many IoT devices requires a combination of software capabilities on network devices, as well as centralized intelligence on the network controller software to see the big picture. As networking demands increase and trends in technology change, Cisco delivers upgrades via software subscriptions in order to keep our devices on the cutting-edge of technology.

There are 2 main reasons why you should renew your subscriptions:

1. Software support. In the past, software support was delivered in its own subscription contract. With Cisco DNA software, SWSS (Software Support Service) is embedded in the subscription stack. You receive our innovative features and support for these features in one contract.

2. Increase the longevity of your hardware with access to innovation. We are able to deliver the latest features and capabilities to you through our software subscriptions at no additional cost to you.

Cisco DNA Software is available in 3 tiers: Cisco DNA Essentials, Cisco DNA Advantage, and Cisco DNA Premier, which offer flexible options for our customers, depending on the complexity of their enterprise network. When we talk about the benefits of software subscriptions, access to innovation is usually at the top of the list. Here at Cisco, this continuous access to innovation is not just an empty claim; let’s show you what we mean. Below you’ll find a series of tables for the features we’ve added to Cisco DNA software, since our launch of Cisco DNA Software subscriptions in 2017.

Let’s start with 2018. Here is a list of features that we added to our Cisco DNA software tiers. If you were a Cisco DNA customer in 2017, you received these features at no additional cost to you:

Cisco DNA Software Features 2018.

Remember, Cisco DNA software subscriptions are nested, so all features in Cisco DNA Essentials are in Cisco DNA Advantage, and all features in Cisco DNA Advantage are in Cisco DNA Premier.

In 2019, we added these additional features and benefits, with no additional cost to you:

Cisco DNA Software Features 2019 Set A.

Cisco DNA Software Features 2019 Set B.

Cisco DNA Software Features 2019 Set C.

Cisco DNA Software Features 2019 Set D.

And then again in 2020 we added the following at no additional cost to you:

Cisco DNA Software Features 2020 Set A.

Cisco DNA Software Features 2020 Set B.

If you were a customer of Cisco DNA software subscriptions back in 2017, you would have received all of these features above on top of the original feature set. We will continue to add more features in 2020 and beyond. We are constantly innovating Cisco DNA software and Cisco DNA Center to keep your network and devices at the forefront of the newest technology.

Continue reading

VDI Rapid Deploy – Enable Remote Work Fast!

Life as we all knew it changed in early 2020. Not only our personal lives, but our professional lives as well. Working from outside the office for most of us was a one-off, requiring our boss’s approval to do it for a day or two. Lots of organizations didn’t allow working remotely at all. Others had established remote work policies and had deployed the tools to enable it for a portion of their workforce.

When we were all suddenly thrown into the situation where we ALL had to work remotely, no one was prepared. The pandemic created demand for remote work that was unprecedented, unexpected, and impossible to support with existing infrastructures. Demands for collaboration tools like Cisco WebEx and Cisco WebEx Teams skyrocketed. Demands for secure access to corporate networks went through the roof. Cisco AnyConnect secure VPN services, Cisco DUO two factor authentication and Cisco Umbrella secure DNS service filled the secure access requirements.

We’ve now come to find that those foundational tools don’t provide the full remote work experience that you and I need as we transition into long-term remote work. We need access to all our applications and all our data. And it’s critical that the applications and data be in the same physical location for acceptable performance.

Enter Virtual Desktop Infrastructure, or “VDI” for short. VDI has been around for a long time, as far back as the mid-80s. The technology is continuously evolving and improving. It’s considered a mainstream, virtually risk-free technology for supporting secure remote work. VDI is deployed at scales of 100,000 users or more at some of the largest organizations on the planet. It is also deployed at scales as low as 400 users, thanks to the economics of hyperconvergence.

VDI brings some very key benefits for remote work to organizations and end users:

Two of the challenges for bringing a VDI environment online in the past in your environment has been complexity and time to deploy. There is typically a fair amount of evaluation, analysis and planning that goes into a deployment upfront. Depending on the organization, that phase can take weeks or even several months depending on size. Then there’s the hardware design phase to support the VDI environment. Bills of Materials are built, considered, modified and finally settled on. By the time the design and infrastructure are settled on, the purchase order is cut, the equipment is delivered and installed, another month or so has gone by. At this point we usually start the VDI deployment.

The typical planning and hardware design phase take too long for the environment we are operating in. Recognizing this, in March 2020, the Cisco VDI and Graphic Solutions team created a program called Quick Ship. The intent was to pre-engineer Cisco UCS converged infrastructure and Cisco HyperFlex hyperconverged infrastructure options that could support a specified number of specific Microsoft Windows 10 virtual machines. Here is the Windows 10 Virtual Machine configuration the pre-engineered bundles support:

By using a target user Windows 10 VM configuration and the engineered Quick Ship UCS and HyperFlex bundles, we were able to eliminate the typical planning and hardware design phases.

That brought us to the VDI deployment phase. What we realized is that the deployment of the VDI system was a challenge for many customers.

Enter Rapid Deploy. We launched Rapid Deploy on August 24th to replace the Quick Ship program and address the deployment challenge. Rapid Deploy is built on the same tenants of eliminating the upfront planning and hardware design phases. What we added were offers from Cisco Customer Experience (CX,) formerly known as Cisco Advanced Services.

Rapid Deploy includes optional deployment service offers from Cisco CX for Citrix Apps and Desktops or VMware Horizon target user Windows 10 virtual desktops in increments of 500 or 1000 users. By utilizing the optional Cisco CX services offered in Rapid Deploy, a customer could go from their hardware and software order to a minimum 500 seat VDI environment in as little as a month.

We currently have 15 Rapid Deploy offers in our ordering tool that Cisco sellers and Cisco Partner sellers can leverage to build greenfield environments or add capacity to existing VDI environments. The offers can be created in less than five minutes by leveraging the solution identifier (SID) as the quote template. They can be customized to add more memory or NVIDIA GPUs.

Now customers can build out a highly performant, pre-engineered Cisco HyperFlex hyperconverged infrastructure or a Cisco UCS converged infrastructure and deploy the VDI infrastructure and virtual desktops in an amazingly short time!

Continue reading

Tools to Help You Deliver A Machine Learning Platform And Address Skill Gaps

Public Clouds have set the pace and standards for satisfying Data Scientist’s technology needs, but on-premise offerings are starting to be viable using innovations such as Kubernetes and Kubeflow.

…but it still can be hard!

With expectations  set very high in Public Cloud, ML platforms delivered on-premise by IT teams have been made even more difficult because the automation flows and their associated tooling  to power these, have been well-hidden behind public cloud customer consoles and therefore, the process to replicate these is not very obvious.

Even though abstraction technologies, such as Kubernetes, reflect and relate well to the underlying infrastructure, the education needed to bridge current Data Center skills over to  cloud native tools takes enthusiasm and persistence in the face of potential frustration as these technology ‘stacks’ are learned and mastered.

Considering this, the Cisco community has developed an open source tool named “MLAnywhere” to  assist with the skills needed for  cloud native ML platforms.  MLAnywhere provides an actual, usable deployed Kubeflow workflow (pipeline) with sample ML applications, all of this on top of Kubernetes via a clean and intuitive interface. As well as addressing the educational aspects for IT teams, it significantly speeds up and automates the deployment of a Kubeflow environment including many of the unseen essential aspects.

How MLAnywhere works

MLAnywhere is a simple Microservice, built using container technologies, and designed to be easily installed, maintained and evolved. The fundamental goal of this open-source project is to help IT teams understand what it takes to configure these environments whilst providing the Data Scientist a usable platform, including real world examples of ML code built into the tool via Jupyter Notebook samples.

The installation process is very straight forward — simply download the project files from the Cisco DevNet repository, follow the instructions to build a container using a Dockerfile, and launch the resulting container on an existing Kubernetes cluster.

Image 1: MLA Installation Process

MLAnywhere layers on top of technologies such as the Cisco Container Platform, a Kubernetes cluster management solution. Cisco Container Platform greatly simplifies both  day-1 deployment, and day-2 operations of Kubernetes and does so in a secure, production-grade and fully- supported fashion.

Importantly for ML workloads, Cisco Container Platform also eases the burden of having to align GPU drivers and software as MLAnywhere uses the Cisco Container Platform provided APIs to seamlessly consume the underlying GPU resources upon the deployment of the supporting Kubernetes clusters, and exposes these into the Kubeflow tools.

So what’s in it for IT Operations teams?

For IT teams, clear descriptive explanatory steps are presented within the ML interface for deploying the relevant elements, including the all-important logging information to help educate the user on what is going on under the surface, and what it takes within the underlying Kubernetes platform to prepare, deploy and run the Kubeflow tooling.

Image 3: MLAnywhere driven Kubeflow deployment

Not forgetting the Data Scientists

On the Data Scientist’s side, many  will have experience using traditional methodologies in the ML space and therefore will see the benefits that container technology can bring in areas such as dependencies, environment variables management and GPU driver deployments. But importantly, they get to do this whilst leveraging the scale and speed that Kubernetes brings, from the comfort of the abstraction away from the infrastructure, and still uses well known frameworks such as Tensorflow and Pytorch.

As the ML engineers and data scientists are generally more concerned about getting access to the actual dashboards and tools than the underlying plumbing, appropriate links are provided within MLAnywhere to the Kubeflow interface as the environments are dynamically built out on-demand.

Image 4: Kubeflow Interface

What does the future hold?

Hopefully you can see that MLAnywhere can bring quick and instant value to various teams involved in the ML process with a focus on the educational aspects helping Data Scientists and IT Operation teams make the transition over to cloud native methodologies.

Moving forward, we will continue to add further nuggets of value into MLA but an important aspect to point out is we intend to merge this project with another Cisco initiative around Kubeflow called “The Cisco Kubeflow Starter Pack”  as these two complementary approaches when combined, will bring their best aspects together into a compelling open source project.

Finally, we will leave you with a practical note, a well used phrase in the ML world is “it takes many months to deliver an ML platform into the hands of data scientists”, MLAnywhere can do this in less than 30 minutes!!

Continue reading