Sunday 5 December 2021

Zero Trust framework improves workforce security and productivity, while cutting support costs


Like most companies, Cisco is committed to continually improving security while simultaneously simplifying the user experience.

We’ve learned some important lessons along the way.

There are multiple points where user ID and password credentials can be potentially compromised. For example, employees sometimes chose to ignore best practices by utilizing easy-to-remember passwords such as “123456.” Others would share their Cisco passwords or use them externally for non-business-related applications—essentially utilizing their passwords everywhere.

When we relied only on the password login process, it is estimated that about 80 percent of all hacks were caused by credentials/identity theft. Other points of concern included new-hire onboarding or credentials delivery, password resets on behalf of users, password-related communications, and overall handling or management of password details. All can contribute to potential risks.

Further complicating matters, when most of our workforce went remote in early 2020, it became confusing and taxing for users to know how to access different applications. For example, some apps required a Virtual Private Network (VPN) connection, while others could be accessed directly. Like many other companies, Cisco invested in VPN expansion to support employees working from home, while also rolling out Zero Trust on a limited basis initially (more details below).

As the lines increasingly blurred between work and home life, many remote workers became frustrated at connecting via VPN and enduring the authentication process potentially multiple times a day. It can be tiring for users to keep track of which applications need VPN and which don’t – reducing their productivity. Ultimately, using a VPN when the workforce is almost fully remote can be inefficient, especially when we’re sending data back over the corporate network, only to have it eventually return to the cloud.

Zero Trust framework delivers secure, uniform user experience

As a result, Cisco decided to move from a traditional, network-based perimeter and VPN model to a Zero Trust model. Zero Trust is not a single solution but a framework of solutions that verify a device, establish policy, and continually monitor device behavior. Multi-factor authentication is a key element of this approach. We started deploying multi-factor authentication in November 2020 for several applications, then expanded its coverage in 2021 to many additional applications, including Microsoft Office 365.

Our overall goal for Zero Trust and multi-factor authentication is to provide a secure, uniform experience while accessing applications, wherever users or applications are located. From a technical perspective, we had four objectives:

1. Implement an architecture that would allow secure, VPN-free access to some of our most-visited internal and SaaS applications

2. Validate user and device trust on a per-app basis, with an ability to set per-app access policies

3. Improve our authentication experience by reducing the burden on users

4. Build this transition seamlessly, requiring zero user action, and without any outages or distractions

Zero Trust helps us achieve these goals by incorporating user/device trust policies for remotely accessing applications. Users enjoy a “borderless experience” by accessing the network from anywhere, without having to connect through a VPN.

Instead of relying only on user ID and password credentials, Zero Trust adds a layer of protection. It leverages a user-identity certificate that is securely deployed to managed endpoints by our device management suite. This certificate then acts as the first factor of authentication, saving users the step of having to type in their username and password. This also reduces the likelihood that users will save their corporate identity and password in their browser for convenience.

After establishing user trust, the solution validates device trust and health—starting with the assumption that if a device is managed by our corporate device management platforms, then it must have a good baseline security posture. We perform an additional device health check during every authentication transaction to ensure that the device is running the latest software, screen lock, disk encryption, firewall, and anti-virus agent. This real-time check is conducted by the Duo Beyond Device Health app, which continuously operates in the device’s background.

With Zero Trust, when a user tries to log in to an application, our corporate SSO identity engine checks the user and device certificate, does a real-time health assessment of the device, and finally triggers a second-factor notification before allowing user access.
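The login sequence described above, written out as a per-app policy decision (an added example, not Cisco's or Duo's code). The class names, the two application policies and the sample requests are hypothetical and constructed for illustration; certificate validation is assumed to have happened upstream.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Posture items the text lists for the per-login health check.
HEALTH_CHECKS = ("os_up_to_date", "screen_lock", "disk_encryption",
                 "firewall", "antivirus")


@dataclass
class AuthRequest:
    cert_subject: Optional[str]   # user-identity certificate subject; None if no cert
    cert_valid: bool              # assumed: chain, expiry, revocation checked upstream
    device_managed: bool          # enrolled in the device management platform
    posture: Dict[str, bool] = field(default_factory=dict)  # agent-reported health


@dataclass
class AppPolicy:
    app: str
    require_managed: bool = True
    required_checks: Tuple[str, ...] = HEALTH_CHECKS
    require_mfa: bool = True


@dataclass
class Decision:
    allow: bool
    stage: str                                   # stage that decided the outcome
    remediation: List[str] = field(default_factory=list)


def evaluate(req: AuthRequest, policy: AppPolicy,
             send_push: Callable[[str], bool]) -> Decision:
    """Apply the stages in the order the text gives; stop at the first failure."""
    # 1. User trust: the certificate is the first factor.
    if not req.cert_subject or not req.cert_valid:
        return Decision(False, "user_trust")
    # 2. Device trust: managed devices only, unless the app's policy relaxes it.
    if policy.require_managed and not req.device_managed:
        return Decision(False, "device_trust")
    # 3. Device health: a check missing from the report counts as failed.
    failing = [c for c in policy.required_checks if req.posture.get(c) is not True]
    if failing:
        return Decision(False, "device_health", failing)
    # 4. Second factor: prompted last, so an unhealthy device never causes a push.
    if policy.require_mfa and not send_push(req.cert_subject):
        return Decision(False, "second_factor")
    return Decision(True, "granted")


def run_constructed_cases() -> Tuple[Dict[str, Decision], List[str]]:
    """Constructed requests against two hypothetical per-app policies."""
    pushes: List[str] = []

    def approve(user: str) -> bool:   # stand-in for the second-factor prompt
        pushes.append(user)
        return True

    healthy = dict.fromkeys(HEALTH_CHECKS, True)
    finance = AppPolicy("finance-portal")
    wiki = AppPolicy("internal-wiki", required_checks=("screen_lock",))
    unencrypted = AuthRequest("alice", True, True,
                              {**healthy, "disk_encryption": False})
    results = {
        "healthy": evaluate(AuthRequest("alice", True, True, healthy),
                            finance, approve),
        "unencrypted_finance": evaluate(unencrypted, finance, approve),
        "unencrypted_wiki": evaluate(unencrypted, wiki, approve),
        "partial_report": evaluate(
            AuthRequest("bob", True, True, {"screen_lock": True}),
            finance, approve),
        "unmanaged": evaluate(AuthRequest("carol", True, False, healthy),
                              finance, approve),
        "no_cert": evaluate(AuthRequest(None, False, True, healthy),
                            finance, approve),
    }
    return results, pushes


if __name__ == "__main__":
    outcomes, sent = run_constructed_cases()
    for name, outcome in outcomes.items():
        print(f"{name:20} {outcome}")
    print("second-factor prompts sent to:", sent)
```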

Zero Trust saves time, boosts productivity

Since Zero Trust was implemented, adoption metrics show that it is saving Cisco employees more than 410,000 VPN authentications per month. Based on Cisco IT internal analyses, it takes about 45 seconds for each VPN authentication. This represents 307,500 minutes, or 5,125 hours, saved per month – an annual savings of 61,500 hours. Assuming an average hourly cost per employee of $55, we can value this productivity improvement at $3.4 million per year for Cisco employees. This also represents an optimization of the application information traffic flowing over the company’s core network and offloaded through direct internet access.

Since incorporating controls for device health and trust at the application layer, we’ve substantially improved our ability to react to device risk. For example, we’re conducting approximately 5.76 million device health checks automatically per month. This has allowed us to identify 86,000 devices per month that users have self-remediated. That’s 86,000 potential compromises effortlessly averted.

While there were some concerns about increased support call volume when introducing device health checks for borderless access, only 0.6 percent of users have contacted our help desk for support. That is actually less than the 7 percent rate of help-desk requests for security deployment, password reset, device remediation, and authentication support calls, based on an internal benchmark. We feel that the easy-to-follow remediation steps within the Duo Device Health App played a key role in minimizing our support numbers. The deployment had a minimal impact, keeping overall costs low and providing a better user experience.

Subsequently, fewer analysts have been required to provide support, leading to an estimated $500,000 per year savings in helpdesk support costs. In addition to cutting support costs and improving security, the Zero Trust Multi-Factor Authentication framework has improved productivity because users don’t need to waste time logging in to the VPN.

Figure 1. Duo Zero Trust benefits

The future of Zero Trust


Implementing Zero Trust as a critical framework and adopting a more rigorous security posture will continue providing opportunities for Cisco. For example, the remote working capabilities that Zero Trust enables have, over the past two years, allowed Cisco to expand access to a diverse talent pool. According to Darcie Gainer, Cisco’s Security Product Marketing Leader, the remote working capabilities with borderless access and without VPN have already allowed Cisco to grow its intern classes in 2021 and 2022.

Source: cisco.com

Saturday 4 December 2021

Relevant and Extended Detection with SecureX

Al Huger spoke about Cisco’s vision of Extended Detection and Response (XDR); specifically covering the breadth of definitions in the industry and clarifying Cisco’s definition of XDR:

“A unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.”

He also detailed the way Cisco’s approach to XDR is founded upon our cloud-native platform SecureX. In this blog series I’m going to expand on that XDR definition and explore how extended detection and other XDR outcomes can be achieved today leveraging the SecureX platform and integrated products.

The phrase “Extended Detection” conjures up an image of multiple data elements, perhaps many of them otherwise considered low-fidelity signals, all merged into a single, high-fidelity alert. This extended detection is so wonderful that an analyst can immediately assess the business relevance, the risk, the root cause and the appropriate response actions; perhaps this alert is so explainable that all this can be done automatically at machine scale. Before we get to this state of nirvana, let’s take a step back and look at the phrase “Extended Detection” and that end state. It all begins with a detection.

But is it important?

That question – “but is it important” – stems from a more fundamental one: what does this alert mean to me? In our security operations centres today, we can have a number of products that generate detections, observations, sightings, etc. that feed into our operational processes. On their own these alerts indicate something potentially of interest in the space of that security tool. For example, an Endpoint Detection and Response product such as Cisco Secure Endpoint makes the observation of a malicious file seen on a host, or a Network Detection and Response product such as Cisco Secure Network Analytics makes an observation of a host downloading a suspiciously high amount of data. These alerts tell us that something happened but not what it means in the context of the environment in which it fired – your environment – creating that original question: “but is it important?”

In my experience “importance” is in the eye of the beholder. What can be considered a false positive in one environment is that high-fidelity, actionable pure-gold event in another: with the only difference being the environment the alert fired in. If we revisit the notion of the OODA (Observe, Orient, Decide, Act) loop for a moment, this is the second step of Orientation, bringing into account the environment variables that when held against the initial observation accelerate the decision and action phases.


In the Orient stage we are bringing domain variables, such as the user, device, application, severity, etc., together to answer the question “but is it important?” and the essence behind what we are doing is extension: extending the observation, or that initial detection into something more. This is the empirical prioritisation of incidents that matter.

This elevation of an observation or a detection to an incident of importance is a central concept in Extended Detection and Response. The outcome that we are after is the creation of a highly actionable incident, one that is enriched with data and context about the nouns and verbs involved so that we can make an informed decision about the incident and, in an ideal world, playbook a response such that similar incidents, with similar nouns and verbs, automatically trigger the correct response actions when they appear.

One of the trickiest parts of this conversation is what those variables – those nouns and verbs – are and what are the ones that matter to an organization. Some customers I’ve worked with treat endpoint events as the highest severity and highest risk, others choose MITRE Tactics, Techniques and Procedures (TTPs) as their primary objects of interest and others might prioritise around users, devices, applications and roles in an organization. This great degree of variability indicates that there must be flexibility in the methodology of incident creation, promotion and decoration.

Risk-Based Extended Detection with SecureX


Our objective is to enable a risk-based approach to incident management. This allows a user of Cisco’s security detection and response products to prioritise detections into incidents based on their own concept of risk – which as discussed, could vary organization by organization.
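To make the argument concrete, the sketch below scores the same three detections under two organizations' risk profiles and promotes only those that cross each profile's threshold (an added example, not SecureX code or its Incident schema). Every class, field, weight, threshold and sample detection is hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The "nouns and verbs" a profile may weight (hypothetical field names).
CONTEXT_FIELDS = ("source", "tactic", "user_role", "device_role")


@dataclass(frozen=True)
class Detection:
    id: str
    source: str        # product class that raised it: "endpoint" or "network"
    tactic: str
    user_role: str
    device_role: str
    severity: int      # product-reported, 1 (low) to 5 (critical)


@dataclass(frozen=True)
class RiskProfile:
    name: str
    weights: Dict[Tuple[str, str], int]   # (field, value) -> points added
    threshold: int                        # minimum score to promote to an incident


def score(det: Detection, profile: RiskProfile) -> Tuple[int, List[str]]:
    """Orient step: hold the observation against the organization's own weights."""
    total = det.severity * 10
    reasons = [f"severity={det.severity} (+{total})"]
    for name in CONTEXT_FIELDS:
        value = getattr(det, name)
        points = profile.weights.get((name, value), 0)
        if points:
            total += points
            reasons.append(f"{name}={value} (+{points})")
    return total, reasons


def triage(detections: List[Detection], profile: RiskProfile) -> List[dict]:
    """Promote detections at or above the threshold, highest risk first.

    Each promoted incident carries the reasons for its score, so the analyst
    sees why it matters in this environment.
    """
    incidents = []
    for det in detections:
        total, reasons = score(det, profile)
        if total >= profile.threshold:
            incidents.append({"detection": det.id, "score": total,
                              "reasons": reasons})
    return sorted(incidents, key=lambda inc: inc["score"], reverse=True)


# Constructed sample detections, modelled on the two alert kinds in the text.
DETECTIONS = [
    Detection("d1", "endpoint", "execution", "engineer", "laptop", 3),
    Detection("d2", "network", "collection", "contractor", "production-line", 2),
    Detection("d3", "endpoint", "execution", "engineer", "production-line", 5),
]

# Organization A treats endpoint events as the highest risk.
ENDPOINT_FIRST = RiskProfile(
    "endpoint-first", {("source", "endpoint"): 40}, threshold=60)

# Organization B prioritises by device and user role.
ASSET_DRIVEN = RiskProfile(
    "asset-driven",
    {("device_role", "production-line"): 50, ("user_role", "contractor"): 15},
    threshold=60)


if __name__ == "__main__":
    for profile in (ENDPOINT_FIRST, ASSET_DRIVEN):
        print(profile.name)
        for incident in triage(DETECTIONS, profile):
            print("  ", incident)
```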

In Cisco SecureX we have an artifact called an Incident. The SecureX Incident is a combination of events, alerts, and intelligence concerning a possible security compromise, which drives an incident response process that includes confirmation, triage, investigation and remediation. This concept of an Incident, in combination with configuration settings in the integrated products and the investigation features of Cisco SecureX Threat Response, will be used as the basis for our Extended Detection and enrichment in this blog series.

Today, an Incident can be created manually through an investigation or threat hunting exercise, or promoted automatically, based on configuration, from some integrated products. As a construct the Incident is built on the Cisco Threat Intelligence Module (CTIM) and has several core tenets that allow for enrichment with different variables associated with the Incident.

In the figure below, for example, we have an Incident that was automatically created through promotion from Cisco Secure Network Analytics. It shows a Custom Security Event “Employees to Bottling Line” with a high severity level (how the severity level was derived will be the topic of a future blog in this series).


Clicking “Investigate Incident” will launch an investigation in Cisco SecureX Threat Response, automatically enriching the Observables in the Incident (in this case two IP addresses, a MAC address and a username). This simple investigation enriched (or extended) the incident with data associated with those observables across nine different integrated products, resulting in the diagram below.


At this point we can investigate further, determining the impact or relevancy of the sightings. But first we are going to take a Snapshot and add it to the current incident, saving the enrichment.


While this very simple process took an alert from one product, manufactured an Incident and extended it with data from another product, we haven’t yet dug into some of the fundamentals that we want to explore in this series: namely, how we can triage, prioritise and respond to detections based on risk-driven metrics and variables that matter to our organization. Future posts in this series will explore the different integrated products in SecureX and how their detections can be promoted, enriched and extended in SecureX. In the next post in this series, we will begin with the automatic promotion and triaging of endpoint events into Cisco SecureX.

Source: cisco.com

Thursday 2 December 2021

Service Opportunities for Midsize/Small Service Providers Are Key to Competitive Differentiation

Competitive intensity across the service provider landscape has increased significantly over the past few years. While most pronounced in the large tier 1 service provider segment, the level of competition has recently picked up in the midsize and small communication service provider market. The competitive landscape now includes a broader set of providers such as the following:

◉ Cable providers broadening their portfolio of services beyond traditional video services and expanding into new areas like wireless

◉ Gaming companies offering their content as a service in conjunction with cloud and/or connectivity providers

◉ Electrical cooperatives emerging as the latest new entrants to the communications market as they look to diversify their business and bring broadband access solutions to rural areas

◉ Cloud providers playing an increasing role in hosting small-medium business workloads

To maintain competitiveness, midsize/small service providers must innovate at the service level and focus on key customer segments where they can provide differentiated value. This innovation will include improving the service enablement process to drive efficiencies and accelerating the time to market for new service offerings.

Improving the Service Enablement Process

Most midsize/small service providers interviewed as part of IDC’s SP Digital Readiness Survey are primarily focused on expanding their existing set of services to new customers and broadening their partner channel; these providers see such initiatives as key to expanding their customer base. However, over time, these providers will increasingly look to develop compelling new service offerings to customers. In fact, nearly 40% of midsize/small service providers indicated that the rollout of new services is an essential component of their growth strategy. These providers are either evaluating, planning, or executing a strategy to deliver new services to an expanding base of customers (see Figure 1).

Figure 1 – Midsize/Small Service Provider Growth Strategy

Question – What role does growing your business through adding new services, entering new markets, or targeting new types of customers play in your business strategy?

n = 201
Source: IDC’s SP Digital Readiness Survey, 2021

As midsize/small service providers look to offer new services to market, they are equally focused on making improvements to service enablement and provisioning by targeting process efficiencies and expanding their service portfolio to drive profitable growth. As part of this effort, midsize/small service providers are in the process of upgrading their internal systems with a focus on operational functions critical to stimulate new sales such as:

◉ Billing (monetization)
◉ Customer order management
◉ Pricing models
◉ Partner enablement

IDC believes that data accuracy, the appropriate pricing models, the incorporation of analytics at every step of the service creation process, and work with critical partners (app developers, compute/storage providers, and channel partners) are all essential steps in supporting the efforts of midsize/small service providers to offer new compelling services to their customer base.

New Service Priorities


On the service portfolio side, there is a collection of offerings that midsize/small service providers will emphasize to satisfy customer demand for secure and reliable connectivity solutions. In the enterprise segment, private cellular services, cloud-based network services and managed services will be key areas of focus for midsize/small service providers.

According to IDC’s SP Digital Readiness Survey, midsize/small service providers indicated that private cellular services, network as a service, and managed services were their top three service priorities (see Figure 2).

Figure 2 – Priorities for Expanding Existing Service Portfolio

Question – Which of the following services represent priorities to expand your services portfolio? (Select all that apply.)

n = 147 customer-facing and internal services respondents
Source: IDC’s SP Digital Readiness Survey, 2021

Private Cellular Services. 48% of midsize/small service providers cited private cellular as their top service priority; they should also look to add incremental value on top of their connectivity solutions by partnering with ISVs and bundling industry-specific solutions that address requirements of companies in specific industry segments. IDC believes there is a broad partner ecosystem developing to service the needs of midsize and small enterprises, comprised of communication service providers, managed service providers, ISVs, VARs, and cloud providers.

Network as a Service. While network as a service (NaaS) is still in its infancy, enterprises see value in the ability to quickly procure, deploy, manage, and retire networking assets. NaaS will enable customers to select the hardware and services to transform their network, which allows for faster access to new technologies with less risk to existing operations, improved management, faster refresh cycles, and the ability to scale with a few clicks.

Managed Services. Given the avalanche of new technologies that enterprises are evaluating, the complexity associated with implementing and operating these solutions will drive demand for managed services. This will particularly be the case in the midsize and small enterprise market segment and remote branch offices of larger enterprises where there is a lack of in-house technical expertise. IDC believes that these companies will prefer to transfer the cost of network ownership to experienced third parties with scale.

Source: cisco.com

Tuesday 30 November 2021

Simplify Network Security with Cisco Secure Firewall-as-a-service (FWaaS) on AWS

Introduction

With traditional firewalls, network security teams are charged with the heavy lifting of deploying new solutions. They are responsible for a variety of costs, including licensing, appliance, related infrastructure updates, and ongoing maintenance. From a time-value perspective, inserting firewalls also creates additional complexity for NetOps and SecOps teams, delaying time to deployment in production environments due to design and testing required to integrate the new firewall into the network.

To become more agile, organizations are increasingly moving towards deploying SaaS-based security offerings hosted directly by vendors. According to Gartner, by 2025, 30% of new deployments of distributed branch-office firewalls will switch to firewall-as-a-service, up from less than 10% in 2021.

Reduce management and deployment complexity

Cisco has collaborated with AWS to simplify the way organizations secure their public cloud infrastructure using Firewall-as-a-Service (FWaaS) where Cisco Secure Firewall is integrated with the AWS Gateway Load Balancer (GWLB). AWS Gateway Load Balancer enables elastic scaling, improves availability, and simplifies insertion and management of the Cisco Secure Firewall. Starting with version 7.1 of Cisco Secure Firewall Threat Defense, we support integration with AWS Gateway Load Balancer.

What does this mean for Cisco Secure Firewall customers?

Simply put, experience your firewall working for you, not the other way around. Cisco Secure Firewall-as-a-service on AWS enables you to simply consume our virtual firewall in AWS, without rearchitecting, deploying, or managing new infrastructure. Now, you can simplify security at its core by leaving the heavy lifting to us. Other benefits include:

◉ Simplified security architecture – Provisioning of firewalls and control plane infrastructure are managed by Cisco, saving time and accelerating value.

◉ Flexible and scalable security – Elastic firewall infrastructure meets demand by scaling as throughput requirements change.

◉ Security that works with you – Simplified firewall insertion delivers the security you need, without having to rearchitect your network. Additionally, traffic routing configurations and firewall monitoring are performed by Cisco.

◉ Stay agile – Say goodbye to the traditional refresh cycle and stay instantly up to date with the latest firewall software versions and IPS signatures. No hardware required.

◉ Achieve better ROI, fast – Our OPEX-based model will demonstrate to your CFO that you’re both a technology and business partner. And you’ll reduce upfront costs, paying for only what you need.

Customers also benefit from support for dynamic policies for AWS tags, plus improved threat detection, simplified customization, and enhanced performance of our latest, industry-leading open-source IPS, Snort3.

Architecture and use cases for Secure Firewall-as-a-service on AWS

Cisco Secure Firewall-as-a-service on AWS consists of:

A.) Managed Gateway Load Balancer endpoints (MGE) – MGEs reside in the customer’s VPC/account and are responsible for routing the traffic from the customer’s VPC to the Cisco-managed security VPC, where it will be inspected.

B.) Gateway Load Balancer (GWLB) – GWLB resides in the Cisco-managed VPC/account and is responsible for hosting the Secure Firewall appliance fleet.

Together, these components bring best-in-class managed security infrastructure for customers using AWS.

With Cisco Secure Firewall-as-a-service on AWS, we intend to support:

◉ Inspection for ingress (inbound) and egress (outbound) traffic from and to the internet

◉ East-West (E/W) traffic between subnets (resources) within a VPC (Intra-VPC) and between VPCs (Inter-VPC)

◉ Traffic between the on-premises network and customer VPCs, when passed over a Transit Gateway using VPN.

East-West traffic

East-west traffic flow for firewall-as-a-service

Ingress and egress traffic

Ingress and egress traffic flow for firewall-as-a-service
 

Choose between fully managed and partially managed Firewall-as-a-service


We recognize some customers want a fully managed service while others wish to configure their own policy. To satisfy both, Cisco is offering a partially managed Firewall-as-a-service option as well. This option provides the customer with most of the benefits of the fully managed service above, but with a partially managed environment where Cisco continues to manage the infrastructure, but lets the customer retain policy management responsibilities.

And if customers wish to manage and deploy their own


Looking to manage and deploy your own Cisco firewalls on AWS? The release of Cisco Secure Firewall Threat Defense 7.1 introduces GENEVE support, integrating Cisco Secure Firewall with AWS Gateway Load Balancer, giving customers full control of their infrastructure while simplifying deployment, management, and scaling of firewalls. This integration ensures traffic to and from AWS VMs is inspected by Secure Firewall without requiring any routing changes. This enables rapidly scalable, highly available security with simplified insertion, removing the need to rearchitect your network.

Source: cisco.com

Monday 29 November 2021

Cisco CCNP Data Center 300-630 DCACIA: Exam Tips and Benefits

The CCNP Data Center certification is a professional-level certification offered by Cisco. This certification is suitable for those aspirants who want to work in data center administration. The CCNP Data Center certification programs establish a foundation for installing, handling, configuring, and managing a data center infrastructure. It also proves your skills as well as your ability to manage data center solutions. By earning this Cisco certification, you will be qualified for a promising IT career in data center technologies. This post will focus on the CCNP Data Center concentration exam, 300-630 DCACIA: Implementing Cisco Application Centric Infrastructure – Advanced.

Cisco 300-630 DCACIA Exam Details

Cisco 300-630 DCACIA, Implementing Cisco Application Centric Infrastructure - Advanced is a 90-minute exam associated with the Cisco Certified Specialist – ACI Advanced Implementation certification. This exam measures an applicant's high-level knowledge and skills of Cisco switching in ACI mode, including configuration, implementation, management, and troubleshooting. The course, Implementing Cisco Application Centric Infrastructure – Advanced (DCACIA), helps applicants prepare for this exam.

Cisco 300-630 Exam Topics

  • ACI Packet Forwarding
  • Advanced ACI Policies and Integrations
  • Multipod
  • Multisite
  • Traditional network with ACI

Simple Tips for Cisco 300-630 DCACIA Exam Preparation

Many websites claim to be specialists in the Cisco exams and certifications and manage to fill the Internet with information on how to pass the 300-630 DCACIA exam successfully. But most of them advise irrational actions or don't advise anything important at all. Though some information can help you get through your exam, you should never waste your time on any platform that you don't know without checking its trustworthiness.

Here are simple but proven tips that can help you pass the Cisco CCNP Data Center 300-630 DCACIA exam with flying colors:

  • Have a reasonable study plan with adequate study targets.
  • Organize your revision and design it to help you obtain your preparation goals. Have a proper schedule to spread out all the exam topics you need to complete within a specified time frame.
  • Read the exam concepts carefully before starting Cisco 300-630 DCACIA exam preparation. Make sure you avoid cramming. You need to understand the exam concepts.
  • Be sure to take advantage of reliable study resources. Otherwise, all other tips described here will not help you pass the 300-630 DCACIA exam.
  • Take Cisco 300-630 DCACIA practice tests. This is an excellent way to gauge your preparation level. Make them one of your main prep materials.
  • Refresh your memory when you are done with your preparation by going through everything you have studied.

  • Eat healthy food, stay hydrated, take small breaks in between, and have a good night's sleep to improve your concentration and enhance your overall thinking capacity. Trying to study when you are tired, sleepy, or hungry will not fetch any positive outcome.
  • Read each question to understand what it means before giving an answer to it during the actual exam.
  • Manage your time correctly and be sure not to spend more than enough time on one question.

Core Benefits of Cisco 300-630 DCACIA Exam for Your Professional Career

The first and most important benefit of passing 300-630 DCACIA is that you will receive the certification from Cisco, which is a leading vendor in networking. Taking this exam successfully paves the way towards CCNP Data Center certification, which the top organizations in the IT field acknowledge. Having such a certification shows recognition across the entire industry and significantly promotes you. Another advantage of adding Cisco DCACIA to your resume is that it unlocks a door to excellent job opportunities in more reputable and more prominent organizations. This certification exam also helps you to go and work overseas as it is accepted worldwide. CCNP Data Center is a very popular certification in the IT market today. It will qualify you for several prestigious positions.

Popular Job Roles in Data Center domain:

  • System administrator
  • Network administrator
  • Systems engineer
  • Network engineer

Passing the 300-630 DCACIA exam gives a boost to your professional career by offering advanced potential. CCNP Data Center is a professional-level certification, and getting it shows that you have gained updated and advanced skills. Employers will be ready to offer you a higher salary because they know that your skill set can lead their organizations to new heights. You should understand that promotion is a crucial affair in your career. Favorably, by taking this Cisco exam, you will have more significant opportunities of being promoted to a more renowned position because you hold advanced skills and expertise for a higher job position.

Last but not least, passing the Cisco 300-630 exam makes you eligible to go for more advanced Cisco certificates that can greatly help in advancing your knowledge and skills in the future. It is acknowledged that the networking industry is loaded with many opportunities, which become simpler to explore as you upgrade your networking expertise. Moreover, there are always many possibilities for growth.

Conclusion

Get started today and take the Cisco 300-630 exam to ace your career because it provides advanced knowledge that is significant for IT professionals. Always remember that the skills learned are applicable for passing the Cisco DCACIA exam and for solving real-world problems. Be CCNP Data Center certified and enjoy the benefits that life brings you. For that, concentrate on your exam preparation.

Thursday 25 November 2021

Accelerating Analytics Workloads with Cloudera, NVIDIA, and Cisco

Cisco, Cisco Exam, Cisco Exam Prep, Cisco Exam Preparation, Cisco Tutorial and Material, Cisco Certification, Cisco Preparation

As today’s leading companies utilize artificial intelligence/machine learning (AI/ML) to discover insights hidden in massive amounts of data, many are realizing the benefits of deploying in a hybrid or private cloud environment, rather than a public cloud. This is especially true for use cases with data sets larger than 2 TB or with specific compliance requirements.

In response, Cisco, Cloudera, and NVIDIA have partnered to deliver an on-premises big data solution that integrates Cloudera Data Platform (CDP) with NVIDIA GPUs running on the Cisco Data Intelligence Platform (CDIP).

Cisco Data Intelligence Platform: a journey to hybrid cloud

The CDIP is a thoughtfully designed private cloud that supports data lake requirements. CDIP as a private cloud is based on the new Cisco UCS M6 family of servers that support NVIDIA GPUs and third-generation Intel Xeon Scalable family processors with PCIe fourth-generation capabilities.

CDIP supports data-intensive workloads on the CDP Private Cloud Base. The CDP Private Cloud Base provides storage and supports traditional data lake environments, including Apache Ozone (a next-generation file system for data lake).

◉ CDIP built with the Cisco UCS C240 M6 Server for storage (Apache Ozone and HDFS), which supports CDP Private Cloud Base, extends the capabilities of the Cisco UCS rack server portfolio with third-generation Intel Xeon Scalable processors. It supports more than 43 percent more cores per socket and 33 percent more memory than the previous generation.


CDIP also supports compute-rich (AI/ML) and compute-intensive workloads with CDP Private Cloud Experiences—all while providing storage consolidation with Apache Ozone on the Cisco UCS infrastructure. The CDP Private Cloud Experiences provide different experience- or persona-based processing of workloads—data analyst, data scientist, and data engineer, for example—for data stored in the CDP Private Cloud Base.

◉ CDIP built with the Cisco UCS X-Series for CDP Private Cloud Experiences is a modular system that is adaptable and future-ready, meeting the needs of modern applications. The solution improves operational efficiency and agility at scale.

This CDIP solution is fully managed through Cisco Intersight. Cisco Intersight simplifies hybrid cloud management, and, among other things, moves server management from the network into the cloud.

Cisco also provides multiple Cisco Validated Designs (CVDs), which are available to assist in deploying this private cloud big data solution.

Integrating a big data solution to tackle AI/ML workloads


Increasingly, market-leading companies are recognizing the true transformational potential of AI/ML trained by their data. Data scientists are utilizing data sets on a magnitude and scale never seen before, implementing use cases such as transforming supply chain models, responding to increased levels of fraud, predicting customer churn, and developing new product lines. To be successful, data scientists need the tools and underlying processing power to train, evaluate, iterate, and retrain their models to obtain highly accurate results.

On the software side of such a solution, many data scientists and engineers rely on the CDP to create and manage secure data lakes and provide the machine learning-derived services needed to tackle the most common and important analytics workloads.

But to deploy the solution built with the CDP, IT also needs to decide where the underlying processing power and storage should reside. If processing power is too slow, the utility of the insights derived can diminish greatly. On the other hand, if costs are too high, the work is at risk of being cost-prohibitive and not funded at the outset.

Data set size a major consideration for big data AI/ML deployments


The sheer size of the data to be processed and analyzed has a direct impact on the cost and speed at which companies can train and operate their AI/ML models. Data set size can also heavily influence where to deploy infrastructure—whether in a public, private, or hybrid cloud.

Consider an autonomous driving use case for example. Working with a major automobile manufacturer, the Cisco Data Intelligence Platform ran a proof of concept (POC) that collects data from approximately 150 cars. Each car generates about 2 TB of data per hour, which collectively adds up to some 2 PB of data ingested every day and stored in the company’s data lake. The cost to move this data into a public cloud would be staggering, and, therefore, an on-premises, private cloud option makes more financial sense.

Furthermore, this data lake contains about 50 PB of hot data that is stored for a month and hundreds of petabytes of cold data that must also be stored.

Considering infrastructure performance


In addition, the performance of the underlying infrastructure in many AI/ML deployments matters. In our autonomous driving use case example, the POC requirement is to run more than a million and a half simulations each day. To provide enough compute performance to meet this requirement takes a combination of general-purpose CPU and GPU acceleration.

To meet this requirement, CDIP begins with top-of-the-line performance, as illustrated through TPC-xHS benchmarks. In addition, CDIP is available with integrated NVIDIA GPUs, delivering a GPU-accelerated data center to power the most demanding CDP workloads. To meet the performance requirements of this POC, 50,000 cores and accelerated compute nodes were utilized, provided by the CDIP solution deploying Cisco UCS rack servers.

Source: cisco.com

Tuesday 23 November 2021

Improving Application Experience with Deep Network Visibility

Cisco Prep, Cisco Tutorial and Material, Cisco Certification, Cisco Career, Cisco Guides, Cisco Skills, Cisco Jobs

In the not-too-distant past, everything in the application and networking stack was under IT’s control. Workloads lived securely in the on-premises data center—people sat in their campus offices connected to the secure wireless network, and an MPLS service with an SLA connected branch offices to the data center and each other.

Today, workforce productivity depends on cloud and SaaS applications that often rely on the public cloud infrastructure, which in turn depends on the internet for part or all of the WAN connectivity. The internet paths depend on a multitude of ISPs, CDNs and advanced network services. Hybrid and cloud-native applications are mostly containerized, so performance can be affected by the communication paths among the microservices, both in the data center and cloud. The total application experience as perceived by the workforce is dependent on the performance of all the components of applications and network connections acting in concert. If one element falters, the whole experience can be impacted.

NetOps and DevOps need to understand the interdependencies among the component applications and tune the enterprise network and internet paths accordingly. A unifying view can only be provided by the network fabric that monitors and analyzes the full stack of interlacing components: from the foundational network data layer to the software-defined WAN to application containers in the cloud. With the workforce accessing applications from literally everywhere, all the time, IT requires pervasive, real-time monitoring of network, internet, and application performance with auto-healing capabilities. This is Deep Network Visibility, driven by software-defined controllers and network analytics that enable action, policy, and automation.

Visibility Begins with a Comprehensive Historical View

To improve application experience, IT needs tools to record, analyze, and report on network and application activity at a massive scale to build a deep historical data set against which to apply AI and Machine Reasoning tools. Hybrid and cloud applications consist of multiple micro-components connected by east-west traffic in the data center or cloud service. Continuous monitoring and analysis are needed to optimize application experience because many inter-application communication issues are transitory and difficult to replicate. Application performance needs to be recorded for machine analysis to determine recurring issues and root causes. Deep Network Visibility from the perspective of the application requires:

◉ Application experience as measured by ThousandEyes, NetFlow, and AppDynamics.

◉ Dependency graph to the underlying composite application services and infrastructures.

◉ Comprehensive availability and performance data on each of the supporting components such as composite application services, public cloud services, ISPs, networking devices, compute and storage infrastructure.

The irony of having mountains of telemetry and activity logs awaiting analysis by overworked IT teams is that there is too much noise in too much data for humans to deal with in a timely manner. When the volume of data is beyond human scale and below human sensitivity, machine reasoning (MR) can automate the analysis of trillions of bytes of switch and router telemetry, wireless radio fingerprints, and network access point interferences to uncover patterns in the chaos, and turn the findings into actionable insights and automated mitigation actions.

Automated Visibility with AI Network Analytics

To make full use of the deep historical and real-time data, IT can take advantage of an analytics software stack that can:

◉ Use purpose-built applications to augment human engineers in NetSecOps with insights into network performance and security vulnerabilities.

◉ Leverage machine-speed analytics and knowledge-base Machine Reasoning Engine (MRE) to unburden NetSecOps from mundane monitoring tasks to focus on proactive digital transformation projects with DevOps.

◉ Achieve massive collection, storage, and analysis of diverse data lakes—collections of anonymized network and application telemetry based on volume, velocity, and variety of data to compare performance and security metrics.

For several decades, Cisco has been building a data lake of worldwide, anonymized customer telemetry in parallel with a knowledge-base of expert troubleshooting experience, both of which are available to machine reasoning algorithms under the command and control of Cisco DNA Center. With Cisco AI Network Analytics, NetOps can, for example, be forewarned of increases in Wi-Fi interference, network bottlenecks, uneven device onboarding times, and office traffic loads in the more traditional data center and campus network environments.

Better Outcomes with Data and Automation

Visibility for cloud-based applications, however, needs a different approach as much of the application infrastructure is not under direct control of IT. Direct internet connections to clouds can be unreliable—especially for latency-sensitive applications—unless they are monitored and automatically tuned using cloud onramps.

Gaining deep visibility with Cisco Cloud OnRamps for each of the major cloud services—Microsoft Azure, Amazon AWS, and Google Cloud, as well as colocation, and SaaS platforms—provides the ability to monitor and set performance parameters that are automatically applied to maintain the proper quality of service based on the type of application and cloud provider. Paths are calculated by tracking characteristics including packet loss, latency, and jitter in the data plane tunnels among cloud workloads and edge devices. Cisco AppDynamics and ThousandEyes provide application layer visibility for inter-cloud and intra-cloud dynamics that enables NetOps and DevOps to monitor and identify factors affecting application experience.

Network Analytics + Software-Driven Controllers = Deep Network Visibility


Cisco AI Network Analytics working in conjunction with Software-Driven Controllers also enables Deep Network Visibility. Operational intents and security policies defined in software-driven controllers are compared with telemetry and operational anomalies detected by an MRE to automatically adjust operations or isolate rogue devices. Always-on AI Analytics watch over the distributed workforce and workloads at machine-speed, making automatic adjustments or sending alerts with suggested remediations to appropriate levels of IT personnel or to ITSM applications to log and kick off trouble tickets. Over time, NetOps and DevOps can fine-tune application performance using a consistent flow of insights from analytics to adapt to changes in workloads, workforce, and workplace.

AI and MRE also provide customized recommendations on updates and patches for controllers. Upgrading controllers carries a certain risk given the complexity and many differences among existing network configurations. Knowing in advance what effect an update can have—and even if it applies to the existing configuration—can bring peace of mind to the process. Does a specific configuration warrant a patch if that issue is not relevant? If not, then there is no reason to force an update that is not required. Are controllers running an OS version with active PSIRT vulnerabilities? NetOps is alerted to put a higher priority on upgrading those specific controllers. Automation and visibility go hand in hand to make operation teams more efficient so they can spend time on more valuable tasks.

Deep Visibility Provides Operational Simplicity and Serviceability


Deep Network Visibility is the foundation of a network and security operating model that ensures application experience and trust. The ultimate outcome of attaining Deep Network Visibility is to make all the operations teams—NetOps, SecOps, DevOps and CloudOps—able to work together to raise the levels of serviceability across the application infrastructure. Automations that support Deep Network Visibility simplify operations by eliminating many of the time-consuming and tedious tasks of network monitoring and troubleshooting. I will address how Cisco DNA Center delivers specific capabilities for the four network personas in a future blog post.

At Cisco, we believe: “The more you can see, the more you can solve. The more you can solve, the more you can automate. And the more you can automate, the more resilient and agile your entire business becomes.” Automation with Deep Network Visibility is key to ensuring that application experience delivered to the workforce and customers meets or exceeds expectations.

Source: cisco.com