Integrating Perimeter and Internal Defenses: 5 Facts That May or May Not Surprise

IDC recently had the opportunity to talk to CISOs regarding the integration of Cisco Secure Workload and Secure Firewall. As analysts, we can articulate the technical benefits. The realized benefits can be different when real-life budget and time constraints are applied. Our conversations were quite illuminating. Below are 5 realities that may or may not surprise you when it comes to integrating perimeter and internal defenses:

1. Time is the currency of the day—Ransomware, cryptomining, and supply chain attacks are top of mind until we get into the office; business needs drive the fires to be fought during the day. The ever-present need to move quickly to stay ahead of cybercriminals require tools to “just work. ” According to the CISOs we spoke with, “if you’re limited on funds and don’t have a 20-person security team, you have to do a lot quickly…being able to get these overlapping protections…and they’re talking to each other really shines.”

2. Perimeter and internal defenses is not an “either-or” issue; it is an “and” issue—Firewalls have a prime vantage point, being able to observe all traffic traversing into and out of our infrastructure. But internal defenses are a bit more complicated. Digital transformation though does not wait for pristine security measures and policies to be put in place. Rather, digital transformation can force us to wrap devices or application like workloads and IoT devices in zero-trust policies elegantly or inelegantly; digital transformation does not care. According to the CISOs, “For organizations like hospitals that have IoT devices and new technologies, it’s going to be hard to wrap policies around all those devices. You’ve got some new scanner or a new handheld; how can you protect and lock them down? Maybe you can’t put an agent on some of them. So in a situation like that, with this [Secure Workload + Secure Firewall integration] you can wrap a zero trust policy around securing all those devices.”

3. Integration is real—Let’s acknowledge the elephant in the room; vaporware is a word for a reason. In this instance though, the integration of perimeter and internal defenses is actually happening already.  The integration is going beyond a single pane of glass management console and being driven by a real need to solve real problems. According to the CISOs, “You can get that data from the firewall and then you can use that data to wrap a Tetration [Cisco Secure Workload] workload protection policy around those, even without an agent on there.”

4. Integration enables automation—Time poverty is omnipresent. The holy grail of security is automation, which isn’t possible without deep integration. According to the CISOs, “I can have one block list in SecureX. When I right click on an IP address or SHA-256, I’ve got some automation set up and block it at the AMP level, the firewall level, and a number of places, Stealthwatch…everywhere.”

5. “One throat to choke”—Budget, time and management constraint are real and painful. The CISO of a top 10 bank may not serve these masters, but the CISOs with whom we spoke do. Deeper discounting, simplified buying process, and a “one throat to choke” are intangible, but invaluable benefits of integration. According to the CISOs, “With one company, it makes it a lot easier to get people to work together.”

Integration is a key aspect of digital transformation, and in the security realm can mean the difference between an intrusion attempt and a data breach. However, integration has to mean more than simple co-existence. True integration will improve workflows, productivity, and security outcomes. The level of integration between perimeter and internal defenses may well be the difference maker, as CISOs continue to navigate new and emerging threats, technologies, and business requirements.

Source: cisco.com

Continue reading

Solving Multi-vendor Network Management Complexity with OpenConfig

As the industry moves towards controller managed networks, where the operator describes what and not how to manage, configuring and maintaining networks from a single vendor remains very complex. Add in the need to manage devices from multiple vendors, and the complexity is multiplied.  Yet network operators typically have devices from multiple vendors and must use their models to configure, integrate, test, and manage those devices.

A better way to manage multi-vendor networks is here: The use of models from OpenConfig, which is fully supported in Cisco IOS XE Software.

Why use OpenConfig?

OpenConfig is an effort by network operators in collaboration with vendors to build open, software-defined, vendor-neutral, and model-driven principles for network configuration and management. OpenConfig enables the use of:

◉ Data models for configuration and management using Yang 1.0 that are vendor neutral

◉ Streaming telemetry for monitoring and obtaining incremental updates (SNMP is passé), which enables a Pub/Sub interface that alerts the collector of changes almost as soon as they occur on the device

The OpenConfig participants include large corporations and service providers like Google, British Telecom, Microsoft, Facebook, Comcast, Verizon, and Level 3.

OpenConfig also allows vendors like Cisco to add their own tweaks via extensions to the models.

Figure 1 shows the OpenConfig models, which are published on GitHub.

Figure 1. OpenConfig Models

Cisco’s Embrace of OpenConfig

Many customers with Massively Scalable Data Centers (MSDCs), such as Microsoft, are very interested in OpenConfig as they run huge data centers with devices from multiple vendors. Various other networking vendors such as Juniper and Arista also support OpenConfig models.

The Cisco IOS XE architecture in Figure 2 lends itself to implementation of OpenConfig models with little effort because Cisco IOS XE already supports the OpenConfig enabler:  streaming telemetry.

Figure 2: Cisco IOS XE – Functional Architecture

Cisco developers have tested and implemented many native models for most of the Cisco IOS XE features. Native models are specific to Cisco devices and platforms. We can implement the OpenConfig models so there is no duplication of effort. The request for an OpenConfig data element is converted to the corresponding native data element because Cisco models are typically a superset of what OpenConfig offers.

The architecture diagram in Figure 2 shows how the configuration and operational databases are common for native and OpenConfig models. We only need a way to translate between the native and the OpenConfig model elements.

Typically, we request a configuration or operational data elements, like those listed in Figure 3, and a corresponding native data element associated with it. Cisco IOS XE provides infrastructure to translate the OpenConfig data element to the corresponding native data element. So, the process of supporting OpenConfig models is typically not very hard if the native models for the corresponding OpenConfig models exist.

Figure 3. OpenConfig and Native Interfaces

Implementing Operational Telemetry with Cisco IOS XE

Cisco IOS XE provides two ways to implement operational telemetry, depending on whether the elements have performance implications, such as the number of interfaces and statistics on all the interfaces. These can be large numbers, since Cisco supports modular switching platforms with multiple line cards. Cisco IOS XE provides a way to get the data from the database using FastPath. For environments with fewer interfaces, the mapping infrastructure can be used to get the data from the corresponding native element.

Over the last few months, Cisco IOS XE developers have been actively involved in developing the OpenConfig models in multiple areas on Catalyst 9000 Series switch platforms for a customer in order to fulfill very interesting use cases which involve migration from SNMP. This entailed testing with the use of the customer’s network data platform and optimizing the implementation for scale and performance. The implementation catered to various telemetry types including on-change and periodic notification.

We engaged the customer in a co-development model where we provided an image with the new model implementation and the customer tested it in the network and gave us feedback. This ensured a quick turnaround time for any issues found at the customer site and completion of the use cases with verification in an actual deployment. The development cycle was completed once we completely automated the testing. We used Genie for operations and telemetry and an in-house tool for configuration models. This model of development eliminated the need for tradition DevTest and resulted in quicker delivery to the customer.

We have occasionally run into issues when a certain data element couldn’t be supported, due to the lack of functionality on the device. We have also encountered scenarios when the representation of a data element was inaccurate. Aside from working with the customer on that issue, Cisco is also raising the problem with the OpenConfig taskforce to make changes to the models.

Cisco continues to develop more OpenConfig models and will also upgrade the revision of the current models to the newer versions published in the upcoming releases of Cisco IOS XE. If you’re a network operator struggling with configuring and managing a multi-vendor network, struggle no more—OpenConfig is the way forward.

Source: cisco.com

Continue reading

Securely connecting the hybrid workforce and network edge: SD-WAN’s role in a SASE architecture

Over the last 20 years of enterprise computing, we’ve seen big changes in work environments and IT setups.

Read More: Cisco Certifications

At the turn of the millennium, most employees worked at headquarters or in a branch office, and most software ran from on-site servers. Networks were designed with centralized architecture, with all traffic being routed through the corporate data center over MPLS or VPN. As a result, the entire security stack could be deployed on-premises in a single place.

Remote work has been around for decades (the term “telecommuting” was coined in 1973 by a NASA engineer), but it gathered momentum in the 2000s as laptops and Wi-Fi became commonplace while startup culture gained traction. Employers started recognizing the need for remote-work guidelines and digital nomads evangelized the lifestyle of “working from anywhere.”

Around the same time, cloud computing took shape with the reinvention of virtual machines and the emergence of application service providers and multi-tenant SaaS providers in the late 1990s. Public cloud services and productivity apps emerged in the 2000s and exploded in the 2010s, driven by cost savings and flexibility.

As workers have moved out of the office and computing has moved into the cloud, there’s been a steep rise in internet traffic, and more work is being done off-network. Backhauling this traffic through MPLS lines and VPNs is more expensive and leads to performance problems. But direct internet access is risky because it bypasses the central security stack.

In the wake of this transformation in work and IT environments, your organization is likely running into challenges in two specific areas: securing your remote workers and securing your network edge. Today’s answer to these challenges is a redesigned network architecture. Secure access service edge (SASE) incorporates a software-defined WAN, bringing networking and security together in the cloud where computing is happening.

You can get a thorough overview of SASE architecture by reading the e-book, The House That SASE Built.

Let’s delve into the specifics of these two use cases and the SASE and SD-WAN benefits for each.

Use case 1: Secure remote workers

Protecting employees, customers, and other users from cyber threats while providing seamless connectivity is challenging on several fronts:

◉ Enforcing safe access: Provisioning remote workers and connecting branches at scale creates a lot of complexity across IT, security, and networking teams. The demand for broader access also intensifies security threat vectors. Since employees need secure access everywhere, security services must be everywhere too. But it’s difficult to verify users’ identities and the health of their devices, and security policies aren’t consistently applied across environments. In addition, users are left unprotected when they decide to bypass the VPN and on-prem security stack.

◉ Keeping up with evolving threats: Gaps in protection are hard to pinpoint and fix consistently. Responses take more time when stronger integrations across the security stack are lacking.

◉ Maintaining performance: When remote environments and connectivity aren’t under organizational control, it can be hard to pinpoint the source of performance problems and get them resolved with providers.

According to the three Cs, an integrated approach for SASE, here’s how SD-WAN helps address these challenges, delivering secure consistent access to apps and data from anywhere:

Connect

◉ Internet traffic moves directly and securely from the user to the web and SaaS apps.

◉ Users can access frequently used internal apps without logging in to the VPN.

◉ SD-WAN “overlay” networks can seamlessly connect users, machines, and applications across clouds and data centers. An SD-WAN solution that is fully aware of SaaS applications can provide an optimal path to them by programming the network with the best path selection and adjusting it according to application and network telemetry.

Control

◉ Network administrators can enforce security and access policies consistently across remote locations.

◉ User identity and device health are verified before connecting to apps.

Converge

◉ Combining networking and security provides observability across the environment, including the network, internet, and cloud. Administrators get actionable insights from every user and app over any network.

◉ Investigations and threat response are streamlined because of integrated security.

Use case 2: Secure edge

Multicloud environments, which use cloud services from more than one public cloud provider, are driving the need to secure the cloud and access edge.

Organizations adopt multicloud strategies in order to hit their business objectives and take advantage of cost savings and innovation while reducing risk. With distributed users needing to access applications in multiple clouds from anywhere, at any time, organizations must provide security closer to the user and edge to minimize network latency and stay agile.

Finding an optimal balance between protection and performance is challenging in cloud environments:

◉ Managing complexity: Multi-vendor cloud deployments bolted onto a traditional network architecture often lead to inconsistent performance and poor user experience.

◉ Resolving performance issues: Without visibility, it’s difficult to identify performance problems for end-users. Without insights, it’s difficult to know what action to take to solve them.

◉ Applying consistent security: Policies need to protect users, devices, and applications from the latest cyberattacks while being scalable for access from anywhere. Authentication needs to be seamless.

Again, SASE and SD-WAN solve these problems, safeguarding the network edge.

Connect

◉ Multicloud access is optimized for secure, consistent application performance.

◉ Cloud-delivered WAN architecture connects users to apps through a single fabric with zero-touch provisioning, intelligent path selection, and automated cloud connectivity.

Control

◉ Access to the internet is secure, fast, and reliable.

◉ Users access all applications through a zero-trust framework, whether they’re on-premises or in the cloud.

Converge

◉ Consumption is simplified and deployment is faster thanks to the integration of networking and security.

◉ Observability supplies actionable insights to resolve issues.

◉ A common cloud-delivered security policy is enforced consistently, everywhere.

Source: cisco.com

Continue reading

Enabling Workers in the Mine

The mine worker is critical to successful mine operations. This may seem obvious, but in an industry that is focused on moving toward automation and remote operations, this essential worker is not always featured prominently in future scenarios. Today’s mining environment is still very hands-on, with clipboards, manual valves, and unconnected systems. It could be dozens of years before all systems are fully digital and can be automated or remotely managed. Until then, the online tools we’re using in private life need to also be leveraged in the field environment. 

The Connected Field Worker

The effectiveness of any mine worker is primarily impacted by two things: 

◉ The need for strong collaboration with others to leverage the strength of the greater on-site or remote community 

◉ The ability to access the right information in a timely way through online applications for workflow and asset management – improving efficiency and safety

Industrial Collaboration

Our personal social media apps have made video calls to family members or friends, common place. This same technology can use secure industrial video apps to bring experts and mentors into a plant or mine site virtually.   This can eliminate hazardous travel requirements, or loss of productive time in the cab of a truck. The field worker’s video endpoint can be built into a hardhat, be a separate purpose-built appliance, or be a simple phone with a camera to support trouble shooting and discussions. 

Again borrowing from our personal lives, industrial sites could benefit from the ease and effectiveness of asynchronous messaging. Sharing photos, sound recordings, and quick questions left for a delayed reply can improve productivity throughout the day. This messaging and the video calls mentioned earlier can be mixed with conferencing, voice activated calls, voice to text and then connected with the push to talk systems still commonplace in mining. 

As the workforce becomes filled with younger workers and remote operation centers become more conventional, these tools will be essential to maximizing the productivity of personnel in the mine. 

Secure Mobile Online Work 

In the same way that banking and shopping are now possible from a tablet, managing field assets and completing workflows can be done online as well. Data that is recorded on clipboards or bulletin boards, can be moved online and accessed from anywhere in the mine or off site. This shift from physical records to electronic ones will make them easier to update from anywhere, resulting in more accurate and timely reporting. This will improve the effectiveness of everyone’s work. 

Moving from binders, clipboards, and bulletin boards to tablets and software is a major undertaking, but there are several industry services that can help build the business case and manage the transition with you.

Online Everywhere: An overview 

The underlying technology that builds a foundation for the online mine worker is connectivity. Since workers are mobile, this connectivity needs to be wireless. Let’s take a quick tour through the technologies required for connectivity, electronic work flows, and collaboration tools. 

Wireless Connectivity 

There are many wireless technologies present at mine sites today, but the two that are most important for connecting mine workers are Wi-Fi and LTE/5G. It’s unlikely that one of these will displace the other since Wi-Fi is much more cost effective for localized, high bandwidth use cases and LTE/5G is much more effective at covering large open areas. Tablets and mobile video endpoints can connect to either technology. 

Since both technologies act as an extension of the enterprise network, their characteristics should be consistent with this as well. Access policies, prioritization policy, and security frameworks need to map seamlessly across these wireless environments, as well as existing IT and OT environments. 

Online Workflows 

A good place to start the transition to online workflows is with the existing ERP, asset management, project management, and control systems. Most of these already have workflow modules that can extend to mine workers. Online training and online documentation tools typically require new software, but there are multiple Cisco partners that make this transition more effective. 

Collaboration Tools 

Cisco has a broad portfolio of collaboration tools in the Webex suite as well as endpoints that lead the industry. Existing phone systems and push to talk systems can be integrated into these video and messaging platforms. For specialized industrial collaboration endpoints like hard hat systems and voice activated remote expert systems, there are multiple partners that Cisco has worked with to make those elements an effective part of the system. 

Connected for Safety 

Another benefit to a strongly connected workforce is virtual proximity. A very interactive and digital environment increases awareness of field worker location and activity. This promotes safety as it becomes immediately obvious when something isn’t right. Having digital reporting tools instantly accessible encourages much more timely reporting of minor irregularities with photos and quick descriptions. A culture of care and safety for the employee at industrial sites becomes more accessible and actionable.  

“No matter what is happening in the world, we believe it is vitally important to help support the continued operation of technical infrastructure for utilities, oil and gas, mining and manufacturing organizations. Cisco helps provide solutions to keep critical industries up and running.”

Wes Sylvester – Vice President, Industry Solutions Group – Growth Marketing Segments & Industries at Cisco

Source: cisco.com

Continue reading

Cisco Nexus Dashboard Fabric Controller: A New Era in Data Center Network Automation

Cisco DCNM Evolves into a Fabric Controller

The world of data centers is changing rapidly. Businesses are being faced with the ever-growing complexity of handling data in multiple locations and the increasing costs to maintain and manage changing data center environments. This growth is happening at an accelerating pace and pushing the scalability limits of data center environments. Spending on global data center infrastructure is projected to reach $200 billion in 2021, up 6 percent from 2020, and is expected to grow through 2024 as organizations recover from the pandemic slowdown and gear up to serve their customers in new and innovative ways.

Growing data centers require an easy to use, agile, and scalable end-to-end lifecycle automation toolchain. This toolchain should support not just typical fault, configuration, accounting, performance, security (FCAPS) functionality, but also fabric control capabilities with a scale out model to automate large data centers in multiple locations—either on-premises or in the cloud. With these objectives in mind, I am very excited to announce the availability of Cisco Nexus Dashboard Fabric Controller (NDFC)—formerly known as the Cisco Data Center Network Manager (DCNM) version 12. Cisco NDFC is fully integrated within the Nexus Dashboard, enabling a totally new user experience that simplifies and enhances the solution while providing the traditional capabilities of DCNM.

Figure 1. Nexus Dashboard Fabric Controller in DC App Store

NDFC provides end-to-end automation for data centers that are distributed in multiple locations and either on-premises or in a public cloud, reducing the complexities and costs of operating multiple fabric types such as Virtual Extensible LAN and Ethernet VPN (VXLAN-EVPN) protocol, Layer 3 routed network, or traditional Layer 2 virtual private cloud (VPC) designs. NDFC can also be operated in fabric discovery (read-only) mode—a.k.a Nexus Dashboard Fabric Discovery—for IT teams that want to automate their configuration and provisioning by different means (Figure 2). Finally, NDFC can be transformed to a Nexus Dashboard SAN Controller to manage storage networks with Cisco MDS multilayer SAN switches and Cisco Nexus switch platforms.

Figure 2. Feature Enabler UI

What’s New in Cisco NDFC Version 12.0

NDFC 12.0 offers new features for Cisco’s data center network automation solution.

◉ As a service on Cisco Nexus Dashboard: NDFC is fully integrated and will run exclusively as a service on the Cisco Nexus Dashboard, providing a single sign-on and a simplified user experience across the entire data center software portfolio.

◉ Micro-services architecture: NDFC embraces a complete Kubernetes-based micro-services architecture on Nexus Dashboard. By moving away from a monolithic infrastructure to a containerized and modular infrastructure, IT can leverage this new model to enable elastic scale out and improve performance and reliability.

◉ Active-Active HA model: NDFC also supports active/active high availability with Layer 2 reachability for 3-node clusters and Layer 3 reachability coming in future releases.

◉ New and consistent user interface: NDFC implements a new look and feel with an intuitive react JavaScript GUI that aligns to the Nexus Dashboard GUI and supports modernized topology views.

◉ Feature enabler: NDFC no longer requires IT to select a mode for LAN, SAN, or IPFM at the time of installation. Instead, NDFC uses a runtime feature enabler. This feature management capability selectively enables or disables different features, including Fabric Controller (LAN), SAN, IP Fabric for Media (IPFM), and Fabric Discovery.

◉ Smart Licensing Using Policy: Implementation of Smart Licensing Using Policy with NDFC will further enhance the current smart licensing capabilities. The Cisco Smart Licensing Using Policy aims to increase ease of use by enforcing fewer restrictions with a goal of not interrupting the operations of customer networks.

◉ Incremental enhancements: NDFC also introduced several ongoing enhancements in the areas of SAN management and media fabrics management.

Figure 3. Sample NDFC Topology

Better Together: NDFC with Nexus Dashboard Services

Cisco NDFC seamlessly integrates with other services running on Nexus Dashboard.

◉ Nexus Dashboard Orchestrator: NDFC integrates with Nexus Dashboard Orchestrator to scale out deployment to more than one NDFC instance and extend an on-premises NDFC managed data center into a public cloud

◉ Nexus Dashboard Insights: NDFC integrates with Nexus Dashboard Insights to provide granular and scalable visibility for Day 2 operations such as deep dive troubleshooting and maintenance operations that benefit data center operation teams.

Cisco NDFC Release 12 runs on the Nexus Dashboard platform and is supported on both the virtual and physical Nexus Dashboard.

Sneak Peek into Coming Releases

What’s next on the roadmap for NDFC in the next 6 to 9 months? We will focus on further improving the user interface and the user experience, designing a better HA model with Layer 3 reachability between cluster nodes, and ongoing fabric automation features for LAN, SAN, and media. We will also focus on increasing the switch scale per NDFC instance to meet ever-increasing data center workloads.

Source: cisco.com

Continue reading

300-515 SPVI | CCNP Service Provider | Syllabus | Questions | Exam Info | All You Need to Know

Cisco 300-515 SPVI Exam Description:

The Implementing Cisco Service Provider VPN Services v1.0 (SPVI 300-515) exam is a 90-minute exam associated with the CCNP Service Provider and Cisco Certified Specialist - Service Provider VPN Services Implementation certifications. This exam tests a candidate's knowledge of implementing service provider VPN services, including Layer 2, Layer 3, and IPv6. The course, Implementing Cisco Service Provider VPN Services, helps candidates to prepare for this exam.

Cisco CCNP Service Provider 300-515 Exam Overview:

• Exam Name- Implementing Cisco Service Provider VPN Services
• Exam Number- 300-515 SPVI
• Exam Price- $300 USD
• Duration- 90 minutes
• Number of Questions- 55-65
• Passing Score- Variable (750-850 / 1000 Approx.)
• Recommended Training- Implementing Cisco Service Provider VPN Services (SPVI)
• Exam Registration- PEARSON VUE
• Sample Questions- Cisco 300-515 Sample Questions
• Practice Exam- Cisco Certified Network Professional Service Provider Practice Test

Must Read:-

Why Should You Try to Pass Cisco 300-515 SPVI Exam?

Continue reading

How Cisco IT is solving multi-cloud management: a single pane of glass

Management of multi-cloud matures

Figure 1. Multi-cloud strategy adoption

For enterprise IT organizations, the public cloud has become a staple at delivering software, infrastructure, security, and other capabilities at scale. Companies primarily adopt public cloud services for greater flexibility, faster time-to-market, and to take advantage of best-of-breed solutions while avoiding vendor lock-in. While SaaS platforms are the lion’s share of services consumed (48%), IaaS and PaaS combined make up 51% of public cloud spending (IDG).

When combined with an organization’s private cloud, the collective services available for business units to spin up applications and services rapidly help drive innovation and decrease the time-to-market. It’s no surprise that 74% of enterprises are now taking the best of both worlds and defining hybrid or multi-cloud strategies. In fact, the Boston-based research firm, IDC, has declared 2021 as the year of multi-cloud.

While cloud offerings have matured and consumption continues to increase, one could argue that how we manage multiple private and public cloud services has lagged consumption and is just now beginning to mature. Most IT organizations are experiencing a common set of challenges in how they and their internal customers manage their cloud services, how they can account for and identify owners of cloud services within their company, and a lack of visibility into the usage and costs for these services. In response, enterprises are now adopting a “deliberate” multi-cloud strategy — up from 49% in 2017 to 75% projected for 2021 by Gartner.

Evolving our multi-cloud management strategy

Like most enterprise organizations, Cisco has seen dramatic growth in the use of public cloud-based services over the past decade or more. In parallel, our internal infrastructure offerings continue to evolve in response to customer demand, and technological and feature advancements. Our challenges — which I’m sure we share with many — have included a lack of visibility into all the cloud services consumed (shadow IT), poor budgeting and cost control, inconsistent governance and security, and disparate user experiences.

Read More: 300-735: Automating and Programming Cisco Security Solutions (SAUTO)

To respond, Cisco IT set out in 2017 to craft a strategy with “single pane of glass” visibility into multi-cloud services. We drafted a blueprint to include a knowledge base about services and how to choose them, methods to ease integration with data- and API-driven capabilities, holistic audit and compliance capabilities with security in mind, and consolidated monitoring and metering capabilities with pay-as-you-go modeling.

“Our goal has been to build a solution that provided a unified experience for all of our customers, regardless of whether they were consuming public or private cloud services,” notes Mayank Jain, Director of Software Engineering at Cisco and a member of the team that has worked on the problem. “We needed a solution that provided the ability for our customers to consume different cloud services and see what it’s costing them over time, all through a single pane of glass.”

Figure 2. Value proposition

From the early stages, we looked to four sources to gain insight and understand how best to craft our solution — the industry for analysis and best practices, our customers for their cloud consumption needs and experiences, our internal service providers for their offerings and product roadmaps, and the solution providers. Our goal was to have a clear understanding of how cloud services are consumed, identify what patterns consumption follows, and gain insight into the best practices for managing multi-cloud, all while maintaining a healthy security and compliance stance. We also worked to understand how what we propose will impact our internal service providers and customers alike.

Not all clouds are alike

Our first challenge: Anyone who has tried to address this challenge knows that there is no single, unified way providers deliver account data and information, and APIs and management interfaces vary. This lack of uniformity makes it difficult to provide a single pane of glass for all cloud services being consumed. When modeling our solution, we worked to develop methodologies at the abstraction layer to pull the data from all providers that is then translated to a uniform display in the user interface.

As we were building our cloud management solution, Cisco IT was building its own private cloud. The new cloud service offerings are API-driven and engineered as an “as-a-Service” offering with faster deployment capabilities. Our goal has been to make these services behave and operate like public cloud offerings, moving away from traditional delivery methods that were customized for every instance. The resulting private cloud model is easily consumable, automated, measured, and based on pay-as-you-go pricing models. In this case, the multi-cloud management strategy influenced our internal provider teams but also allowed us to make public and private cloud models on par with each other for better standardization at the management level.

“We needed to understand better how to cost a service,” noted Kenny Jones, Principal Engineer and a key member of the team. “This change in mindset — one where infrastructure and services are commoditized through cloud-centric models — was one of the biggest challenges for our internal teams and this project. We changed our thinking to that of a service provider and educated our different providers in our private cloud.”

A purpose-built multi-cloud management solution

The Cisco IT MultiCloud Management Platform provides a unified management environment with a consistent experience for customers, regardless of what they’re ordering and managing. It offers automated purchasing and provisioning, reducing delays in getting applications and services to market — often in minutes rather than days or weeks.

“A key feature we felt vital to include in our solution was the ability to meter and measure hybrid cloud services over time,” states Kenny Jones. “This capability also allows our customers to project their cost obligations into the future. That type of visibility is key to maximizing the value of the service while also aiding in maximizing the lifecycle of the service required. That’s a game-changer in avoiding infrastructure sprawl and having assets live beyond their usefulness.”

The MultiCloud Management Platform incorporates a multi-tiered, persona-based administration environment. Based on their role, administrators and users are granted visibility and management capabilities through the same environment for viewing, operating, and administering their cloud service. It also provides key approval processes, including funding approvals and quota approval flows, where a customer wants to order specific services beyond standard levels.

The MultiCloud Management Platform also supports multi-tenancy for different groups. With this capability, business units within Cisco have visibility into and can manage multiple cloud services under one umbrella. These capabilities allow our customers to manage their costs as a single-tenant — an ability many service providers struggle to provide.

What’s next?

Already, the MultiCloud Management Platform has made a tremendous impact on productivity and started us down the road in managing infrastructure lifecycles and costs. In a recent conversation, one of our business unit leads and internal customers, noted to me, “You’re empowering us to make sure that we can oversee our resources correctly, optimize them for our budgets, and do our job the best we can. Through the tools you’ve made available, you’re going to help us a lot — and we’ve made some tremendous strides already.”

This new environment is more than just a new and updated interface. It has changed our strategic thinking by providing data that we didn’t have before or had to generate offline through spreadsheets and manual processes. Now, when spinning up and managing resources, we’re able to get a true picture of our costs, project their costs over time, and do it all faster than we could before.”

To date, the environment incorporates compute platforms, PaaS services, network and storage services, analytics, and other services. We will expand the services in the solution to include more public cloud services, like cloud-based software subscriptions in addition to enrolling private cloud solutions as they become available. Our goal is to continue evolving the solution to reduce the time involved in getting services by automating context-specific areas. Plus, we’re advancing multi-tenant capabilities by developing features that allow organizations to share templated setups and configurations that can straddle a customer group’s service subscriptions while sharing common traits, policies, and structures.

Source: cisco.com

Continue reading