Public Sector: Five Steps to Accelerate Digital Transformation Towards eGovernment

If the past two years have taught us anything, it’s if, given the chance, we’ll choose the ease of clicking a button or an automated service over waiting in line any day. Renew my driver’s license online instead of going to the Department of Motor Vehicles? Yes please! I can opt to have my local government agency call me back when it’s my turn in the call queue instead of waiting on hold for hours? Sign me up!

Yes, delighting customers goes beyond traditional customer service industries. It also applies to the superior digital experiences public sector citizens expect from their local and federal municipalities and government agencies. A 2021 study of U.S. state CIOs showed that 90 percent felt the pandemic increased demand for digital government services, with 75 percent stating that the biggest driver behind expanding digital services was to provide a “better online experience for citizens.” And globally, it’s estimated that more than 60 percent of governments will triple citizen digital services by 2023, and half of all digital government key performance indicators will include a citizen/customer experience metric to ensure that services delivered are citizen-centric.

Accelerating digital transformation

Public Sector’s ability to digitally transform and adopt new technologies is key to providing a superior digital experience. But in an industry known for dealing with legacy-driven infrastructures and siloed strategies and resources, this transformation can be a bit of a challenge. Below are five key strategies which should be of keen focus.

1. Empower hybrid work

Now that hybrid work has proven to be technically viable, government needs to create better online experiences for citizens and employees. Empower employees to work from wherever they are – at home or in the field. Expand work-from-home options to include work from anywhere. The key is to enable secure and wireless connections combined with various multi-faceted collaboration tools. This effort allows employees to work, maintain productivity, enhance civic life, and stay mobile.

2. Unify and secure network connectivity

This powers hybrid work and enables employees to work from anywhere. There’s a need to invest in the unifying and hardening of networks. Now more than ever is the need to identify and resolve events faster and keep vigilant for threats. As a government agency, it is imperative to offer encryption and security for work-at-home devices and expand your identity and access management (IAM) solution to employees and your citizen users. A must-have is a zero-trust secure network and sturdy endpoint detection to accompany that expansion. Proactively stopping breaches and automating updates with an expanded unified network and security solution vs. chasing threats and risking vulnerabilities is now a reality.

3. Accelerate cloud migration

One thing we learned from recent events – It’s now time to “Go to the Cloud”. Digital transformation means a better online experience for citizens as well as employees. It also represents productivity increases and cost savings. If you don’t have a cloud smart strategy in place now, you should be working on it. Most public sector agencies see the benefit of modernizing by moving applications to the cloud where feasible. Whether via infrastructure-as-a-service or a hybrid model with a state-owned data center for many legacy applications. Low code intuitive and friendly apps are replacing web-based forms. These and the new breed of cloud-based applications enable instant flexibility, scalability, and accessibility. Combined with low development and start-up cost via SaaS vendor models enables testing, refinement, and ability to scale as needed. Pilot early, pilot often. Migrate what you can and combine a solid external identity and access management (IAM) cloud security solution, your team can be twice as productive with lower cost.

4. Leverage built-in data analytics

Speaking of budget. Forward-thinking agencies also leverage the innovation built into cloud platforms to leap their public services ahead. With big data and predictive analytics tools, they can purchase and use only what they need, when they need it. The ability to stand up new services and enhance existing ones by processing massive amounts of transactional data enables giant leaps of civic lifestyle, from wait times in lines to stoplight optimization, even public health emergencies. The ability to leverage data analytics is a game-changer for understanding public data.

5. Power automation with AI/Machine Learning 

There is no greater game-changer than the ability to use Artificial Intelligence and Machine Learning. AI and ML are now available for even the smallest agencies with limited budgets to make life better for their citizens. Small agencies now can run license plate cameras at heavy thoroughfares; police agencies can process massive amounts of audio/video from stoplights and drone cameras. These smaller agencies can run valuable lifesaving and revenue-producing public services with little to no staff with simple automation.

Make public sector digital transformation a reality

Adoption of these strategies and new technologies shines a light on the widening skills gap in public sector.  Case in point, a recent study of European health, government, and education organizations showed that 63 percent said lack of skills and experience is a barrier to their cloud migrations.

Cisco Business Critical Services provides expert, analytics-driven guidance throughout the entire lifecycle to create transformative, adaptive, and resilient IT to improve digital experience for public sector citizens. Steeped in 35 years of experience, Business Critical Services expertise transcends architectures and provides in-country experts to ensure data sovereignty and security clearance needs are met in over 20 countries.

Reach out to your Cisco sales representative or partner today and accelerate your digital transformation journey today.

Source: cisco.com

Continue reading

Cisco stands on guard with our customers in Ukraine

Summary

◉ As the Russia-led invasion intensifies, Ukraine is being attacked by bombs and bytes. Cisco is working around the clock on a global, company-wide effort to protect our customers there and ensure that nothing goes dark.

◉ Cisco Talos has taken the extraordinary step of directly operating security products 24/7 for critical customers in Ukraine while over 500 employees across Cisco have come together to assist in collecting open-source (public) intelligence.

◉ In critical Ukrainian networks, we are taking advantage of advanced product features to create Ukraine-specific protections based on intelligence we have received.

◉ We are closely monitoring telemetry and aggressively convicting threats to protect both our Ukrainian and global customers.

◉ Customers with a mature security model should design their intelligence programs to drive changes in the organization’s defensive posture based on their findings.

◉ We have been successful in our work in Ukraine up to this point and will continue to support our partners there

Introduction

You may not have noticed, but Cisco has been a different place in the past month. The unjust invasion of Ukraine, and the sense of helplessness we all have felt, has created a motivated collection of Cisco employees working to make life just a little safer and easier in a part of the world many have never been. Teams have set aside their normal tasks and now watch over Ukranian networks, some have focused on caring for and protecting refugees and others have turned their obsession with social media into a critical component of our open-source intelligence work. The plans have been creative and, while many would have been unthinkable just a week ago, approvals have come fast and everyone has been stretching far beyond their normal workload.

In today’s situation in Ukraine, lives and livelihoods depend on the up-time of systems. Trains need to run, people need to buy gas and groceries, the government needs to get messages out to civilians for morale and for safety. Cybersecurity can be invisible behind all of this. In this blog we talk about a small part of Cisco’s response to this crisis. It is just one of many stories about how the people that make Cisco what it is have responded to an unprecedented crisis. There are lessons here for the defender as well, on what a world-class intelligence team can do when handed a network to defend and a capable set of security tools. But mostly this is a story about the people – from the cubicle to the C-Suite – who would do what little they could.

Calm Before the Storm

This effort has extended through all parts of Cisco and started with Talos – Cisco’s threat intelligence arm – more than a month ago, when we initiated an internal process to manage large-scale events. We began by increasing monitoring in Ukraine as the Russian troop buildup continued. Telemetry from Ukraine customers was closely scrutinized by intelligence analysts and our SecureX Hunting team. At that point, we were not working with customers directly, just quietly watching over them.

As it became clear that there was a real possibility that Russia would invade, our intelligence team began its quiet work. We do not talk about this a lot, but speaking broadly, any major event will have many small groups of researchers who have grown to trust each other cooperating and sharing information that is not publicly available. Most of these groups are informal, but one of the newer ones, the Joint Cyber Defense Collaborative (JCDC), which works out of the Cybersecurity and Infrastructure Security Agency (CISA), has been public that it is serving as a platform for collaboration between public and private sector partners. Whether organized or informal, public or private, all these groups have been eager to work together to protect Ukraine and the world from Russian aggression online.

When both the website defacements and the first WhisperGate malware deployments occurred in mid-January, we were contacted by three Ukrainian government agencies we have worked with in the past. From that point on, we have continued to support the State Special Communications Service of Ukraine (SSSCIP), the Cyberpolice Department of the National Police of Ukraine and the National Coordination Center for Cybersecurity (NCCC at the NSDC of Ukraine). This support has largely taken the form of incident response, and we have turned the lessons learned in those responses into protections for all our customers.

Our investigations with our government partners in Ukraine led to additional protections for our customers globally as well as a blog post to inform the world of the threats we were aware of and our perspective on those threats. This is a common cycle that has been repeated both before and after the WhisperGate deployments: Ukraine experiences an event, we help investigate, we publish new protections based on what we learned and share our understanding of what happened.

A Growing Threat

As the invasion approached, there were other minor events, but none that had any appreciable impact. These were distributed denial-of-service (DDoS) or unsuccessful wiper attacks and an unconfirmed manipulation of Border Gateway Protocol (BGP) routing. Our assessment is that the best of Russia’s cyber capability was focused elsewhere, likely in espionage activities trying to understand the global response to Russia’s invasion. Regardless of the reason, there were no major cyber incidents against Ukraine in the days leading up to the invasion.

Once the invasion began, things moved very quickly. The amount of information to be processed about what was happening in Ukraine exploded. Talos would like to thank the over 500 Cisco employees from a variety of backgrounds and with many different skillsets who have joined a space dedicated to sharing open-source intelligence about Ukraine to ensure that the intelligence team didn’t miss anything.

Early on, we deployed Secure Endpoint in some new environments under a demo license that was set to expire. When we went to the business to extend it, the decision was made to extend all security licenses for all Cisco customers in Ukraine. During this chaotic period, no customer would lose protection because they were dealing with more important matters than license renewals.

Defending Critical Networks

Additionally, we extended a new offer to critical organizations in Ukraine: Talos would monitor their Secure Endpoint configurations, modify them based on our intelligence and aggressively hunt in their environments for threats at no cost. For each organization that accepted this offer, we assigned a set of engineers to manage the protections and configurations and two hunters from Talos to work with that specific data set.

One of our frequent recommendations to mature organizations is to have an intelligence operation that drives material protections into their defensive tools. Here is an example of why we make this recommendation: In reviewing several pieces of malware, we found multiple command and control (C2) servers in a certain network. Typically, we would block those IPs and move on. But within the context of a nation under an existential threat, for Secure Endpoint installations we control we blocked the entire network so that if additional C2s opened, they were already blocked. This isn’t appropriate globally – we have no idea what the connectivity needs are for all our customers – but when tasked only with making decisions for Ukranian critical infrastructure, it’s an easy call.

Another example is the case of HermeticWiper. As part of its activity, the malware drops one of several drivers to support its wiper actions. In Ukraine, for networks we’re actively protecting, we chose to block all of these drivers. Again, globally, we can’t do that – some of our customers may well be using the software that those drivers were stolen from. But when we are looking only from Ukraine’s perspective, we can check the network quickly to confirm those hashes aren’t in use and block them.

In both cases, we are building our defense in depth. Ideally, we block HermeticWiper or a variant when it drops – but if we don’t, then the drivers are blocked. Hopefully, we block any trojan that uses the network we described above when it is dropped by a loader, but if we don’t, then the C2 communications themselves will be blocked. We are always looking for ways to layer defenses so if the adversary out-maneuvers us in one area, we have protections waiting for them.

So far, this activity has been successful in protecting our customers, including blocking what we assess to be wiper attacks very early in the attack chain. The work of our intelligence group – and let me be clear that this includes our cooperation with organizations and individuals outside of Cisco – has allowed us to have insight into several different attack chains. While we can’t publish this information because of information-sharing restrictions (mainly to protect operational security), we can leverage that information in specific networks, blocking certain things or writing advanced content signatures that look for certain patterns. This intelligence work has led directly to successful defense in Ukraine. For that, we thank all the unnamed partners – corporations and individuals – who have quietly worked with us.

Guidance for Customers

Now is not the time to tell every story, but we shared these examples because of the risk that this conflict will extend beyond the borders of Ukraine. Organizations globally should look at their intelligence teams and work to ensure they are directly driving the defensive posture of the organization. Organizations should consider how their tolerance for false positives has changed given the current threat environment and allow their teams to move more aggressively if possible.

The world right now is more dangerous than it has been in decades, and organizations need to be creative in how they restructure their defenses. We often say that in the end, humans are the most critical part of your defense. This is the kind of threat we have in mind when we make that statement.

Source: cisco.com

Continue reading

How Diverse Experience and Simplicity Drive Innovation

I’ve found that there are many ways to innovate. In my current role in Cisco’s Customer Partner Experience Chief Technology Office, I generate and collect insights that shape our strategy, interface with our teams around the globe and mentor innovators from ideation to iteration to execution. In my 40 years of experience in networking and related fields, including 22 years at Cisco and 17 years as a Distinguished Engineer, I’ve seen innovation work best through the following general process:

1. First, you’ve got to Think of an idea.

2. Then, you need to make that idea real: Create a prototype.

3. Your idea has to have some Value that others want. Now, this value can either be a standalone invention or something that is innovative but part of a bigger system.

4. A natural next step after thinking about your idea’s value is whether it will sell in the marketplace. I’ve put value in the 3rd spot, but it could equally be after the thinking step. But you need to be careful not to stifle your creativity by fixating too much on whether your idea will sell, lest you get so distracted you lose your innovation-mojo (Innomojo).

5. The ultimate aim of innovation is to create better outcomes for people, so once you have your gizmo, hopefully you have created something that people will want/Use.

Figure 1: There’s More To Thinking

In this blog, I’ll go into more detail into the “Think” step (Figure 2). Thinking requires some knowledge of the subject, a bit of know how or practical experience in making similar items — those nuances learnt over time of what and what not to do — and, of course, imagination! (I, for one, think you need a lot of this last ingredient).

Figure 2: There’s More To Thinking

How Diverse Experience Leads to Minimal Bias

Now sometimes you can have too much knowledge or overthink things to the point where your biases and preconceived notions of what to create start to kick in, which may be more of a hindrance. You start to go down the path of pessimism, saying things like, “This is why we shouldn’t,” or “This is why it can’t be done,” or “It’s too hard” and so on. You then need to introduce diverse experiences and opinions into the innovation process to give you a more balanced approach.

Diversity comes in many forms: gender, race, age, skills, experience level (such as novice to expert), location, culture, and so on. By seeking different points of view for an idea, you are more likely to end up with a more solid innovation proposal.

Figure 3 shows an example of what can happen when you have minimal bias and experience. Back in the mid-1980s a young student by the name of Rob Newman at the University of Western Australia came up with a new way of providing high speed connections across an urban city area (referred to as a Metropolitan Area Network). Ethernet in those days was still confined to the local area — i.e., buildings and floors — so there needed to be a way to connect those buildings across a cityscape. His invention, which was called QPSX, went on to become the global Metropolitan Area Network standard called IEEE 802.6.

The interesting part to this story was that Rob had no practical experience in running WAN/LAN networks, only theoretical experience, and had no preconceived ideas!

Figure 3: An Example Of No Bias

A great example (Figure 4) of how innovation can come from viewing at a problem through a different lens is how what3words.com made GPS coordinates easier to use and remember. By statically assigning every 3 sq meters on earth with a unique combination of three words, you can now find, share and navigate to precise locations using three simple words. For example it is possible to enter a phrase like “warns.booed.snoring”  to describe your location instead of making you deal with confusing number co-ordinates like 250 20‘22.3.

Figure 4: what3words are you?

The Power of Simplicity

Not all innovation needs to be complex. Some of the best ideas might come from complex minds, but they still can be simple in nature. In some cases, to execute a simple idea is usually complex behind the scenes, but from the layman’s point of view, they seem straightforward. Take, for instance, the flush system in a toilet. Simple? Sure, but wait until you have to replace a washer!

An example of a patent that was simple, novel, and at the time, not obvious is one that was thought up by two of the top inventors at Cisco, Pascal Thubert and Eric Levy-Abegnoli, when they were at IBM 20+ years ago. It was called CAPTCHA; Implementing a robot-proof website.

You most certainly have come across the “I am not a robot” box on websites. This is the essence of CAPTCHA. It’s a simple, yet ingenious invention. As simple as it may be, has protected websites from malicious actors for many years now.

Figure 5: CAPTCHA A Robot Proof Website

To Innovate, Embrace Diversity and Simplicity

The process of thinking up the next new big idea can be daunting, but you can help the process along by employing diverse and even seemingly irrelevant perspectives and backgrounds. Part of the art of innovation is being able to view the same problem, mechanism, or process through a different lens — or, thinking outside of the box, if you will. The quote below from Dr. Szent-Györgyi remains relevant for eternity.

“Innovation is seeing what everybody has seen and thinking what nobody has thought.”

Combining such cognitive diversity with the drive to make using an invention as simple as possible can result in innovation magic.

Source: cisco.com

Continue reading

Cyber Asset Attack Surface Management with Cisco Secure Cloud Insights: Beyond CSPM

In today’s digital-first world having enterprise grade information, services, and workloads in the cloud is becoming increasingly important for success. Nonetheless the lack of asset visibility that haunted private networks has not disappeared in the cloud era; it has been transferred, or some may say even aggravated.

In its Hype Cycle for Security Operations, Gartner has defined Cyber Assets Attack Surface Management (CAASM) as “an emerging technology focused on enabling security teams to solve persistent asset visibility and vulnerability challenges”. This tackles our lack of visibility concerns. However, it extended CAASM’s definition to include “enables organizations to see all assets (both internal and external) through API integrations with existing tools, query against the consolidated data, identify the scope of vulnerabilities and gaps in security controls, and remediate issues.”  This highlights the fact that while there is no lack of data, processing and assessing remains challenging due to silos. This is where Secure Cloud Insights (SCI) steps in.

Secure Cloud Insights (SCI) is a technology that delivers multiple CAASM’s benefits:

◉ Ease of provisioning: Native API integrations make provisioning and deploying SCI a simple task. A wide range of integration types are supported such as cloud providers, vulnerability assessment tools, code repositories, identity sources, endpoint solutions, workflow

◉ Cyber asset visibility and classifications: Numerous pre-defined integrations feeds SCI with diverse assets and asset types and their associated “state” or “configuration” that defer from one integration to the other. The graph database and the classification engine play a big role in grouping assets by their class and type. For example a data store class contains asset types such as an S3 bucket, EFS, google storage bucket, etc.

Mapping asset relationships: SCI maps asset based on their relationships as shown below: A security group ‘Allows’ access to the internet and ‘Protects’ an EC2 instance (Figure 1).

Figure 1

This Instance ‘Uses’ a specific role (Figure 2)

Figure 2

This role is ‘Assigned’ a policy that ‘Allows’ full control to an S3 bucket(Figure 3)

Figure 3

This graph not only reveals the connected asset types with various relationships but also expands to disclosing the risk of having the publicly accessible instance compromised, which leads to the exposure of data in the private S3 bucket to leakage or destruction.

◉ Flexible asset querying: SCI’s simple query language and relationship graph database structure make it easy to query the data to answer questions that are the bread-and-butter of security teams, such as:

    ◉ Which hosts are vulnerable in my environment?

    ◉ Who has not completed the required security training?

    ◉ Are my data stores encrypted at rest?

    ◉ …

◉ Expansive Question Library: The querying language is expanded in SCI with a built-in library of more than 650 security questions that makes it easier to answer challenging enquiries with simple spoken language without having to learn the technicalities of the underlining querying language.

◉ Compliance reporting and configuration drifts detections: SCI supports pre-built security compliance frameworks including SOC2, HIPAA, FedRAMP, CIS benchmarks etc. SCI simplifies configuration drift detection with always-on compliance and gap analysis that does not wait for auditors to knock asking for reports. Moreover, SCI eliminates another layer of time-consuming processes by removing the need to contact system owners for evidence collection by automating it where applicable.

Secure Cloud Insights ticks all the boxes for a CAASM solution and goes beyond by offering simplicity and flexibility in operation with built-in customizable question library and reporting features that focus on security gaps and compliance drifts.

In fact, every feature is built on top of graph relationship database and the simple querying language that makes any piece of data accessible and visible with a simple modification of the query as per the user needs. SCI emerges from the realm of CAASM and CSPM by turning into a framework that answers security team challenges around visibility, compliance, threat risk, incident impact investigation, threat blast-radius and many others with simple few clicks.

Source: cisco.com

Continue reading

Cisco MDS 64G SAN Analytics: Architecture evolution

Cisco recently announced software availability of NX-OS 9.2(2) with support for SAN Analytics on the Cisco MDS 9700 Series switches with 64G Modules. This software release begins the next phase in the architecture evolution of SAN Analytics.

In this blog we will do a high-level comparison of SAN Analytics Architecture between the Cisco MDS 32G and 64G platforms and look at some of the new innovations of Cisco MDS 64G SAN Analytics.

But first, let’s cover methodologies used for performance monitoring. Utilization, Saturation and Errors (USE) is a generic methodology for effective performance monitoring of any system. The USE metrics identify performance bottlenecks of a system. In the context of a storage system, we can add Latency as an additional element into the USE methodology to create LUSE. A full visibility into LUSE metrics of a storage infrastructure is critical for performance monitoring and troubleshooting.

SAN Analytics and SAN Insights are advance features of the Cisco MDS 32G switches since NX-OS 8.3(2):

◉ SAN Analytics is an advance feature of Cisco MDS switches that collects storage I/O metrics from switches independent of host and storage systems. Over 70 metrics are collected per-port, per-flow (ITL/ITN) and streamed out. These metrics can be classified into one of the ‘LUSE’ categories.

◉ SAN Insights is a capability of Cisco Nexus Dashboard Fabric Controller (Formerly DCNM) SAN that receives the metrics stream from SAN Analytics. It provides the visualization and analysis of fabric wide I/O metrics using the ‘LUSE’ framework.

Cisco MDS 32G SAN Analytics

Access Control Lists (ACL) enforce access control on every frame switched by the ASIC. The ACLs are matched extracting certain fields from the frame header and on a match the action corresponding to the entry is taken. On an F-port, FC Hard Zoning entries are programmed as ACLs in the ingress direction based on Zoning configuration to match on the frame SID and DID with an action to “forward” the frame to the destination.

On Cisco MDS 32G switches, the I/O metrics are computed by capturing FC frame headers in the data path using an ACL based ‘Tap’ programmed in the ASIC on ingress and egress direction of the analytics enabled ports. These Tap ACLs match on frames of interest for Analytics viz. CMD_IU, 1st DATA_IU, XRDY_IU, RSP_IU and ABTS. A copy of the frame matching the Tap ACL is forwarded to an on-board NPU connected to the 32G ASIC.

When SAN analytics is enabled on a port, the ACLs are programmed depending on the port type and direction as shown in Figure 1 below:

◉ F_Port Ingress: Analytics Tap ACLs + Zoning ACLs

◉ F_Port Egress, E_Port Ingress, E_Port Egress: Analytics Tap ACLs only

Figure 1: Port Analytics Tap and Zoning

 

The Cisco MDS 32G NPU software Analytics Engine can be modified to accommodate custom metrics (Eg: NVMe Flush command metrics) or futuristic storage command sets (Eg: NVMe-KV) with the required ACL Taps in place.

Cisco MDS 64G SAN Analytics

The Analytics Engine moves into the ASIC on Cisco MDS 64G switches, giving it a hardware acceleration. The Cisco MDS 64G Module has two 64G ASICs and each ASIC has six hardware Analytics Engines (one for every four ports). These Analytic Engines can compute I/O metrics at line rate on all ports simultaneously with capacity to analyze upwards of 1 billion IOPS per Module. The hardware Analytics Engines have built-in Taps and do not need the ACL based Taps to be programmed.

The metrics computed by hardware Analytics Engines are stored in a database inside the ASIC and periodically flushed to the NPU. The NPU runs a lightweight software process on top of DPDK (an open source highly efficient and fast packet processing framework) that collects and accumulates the metrics pushed periodically from the hardware Analytics Engine. Even though the NPU does not run an Analytics Engine, it maintains the persistent metrics database per-flow and remains the critical element of the solution. The shipping of metrics from the NPU database to the Supervisor is identical to the Cisco MDS 32G Architecture. The Cisco MDS 64G hardware Analytics Engine does not preclude a NPU software Analytics Engine to be enabled in a future software release for flexibility and programmability benefits.

A comparison of the Cisco MDS 32G and MDS 64G architectures are shown in Figure 2 below:

Figure 2: Cisco MDS 32G and MDS 64G SAN Architectures

The Cisco MDS 64G hardware Analytics Engine computes some additional metrics for deeper I/O visibility:

◉ Multi-sequence write I/Os are large writes involving multiple XRDY sequences. The write exchange completion time for these writes include delays introduced by the Host (Rx XRDYn to Tx first DATAn+1) and the Storage (Rx Last DATAn-1 to Tx XRDYn). These metrics provide better analysis and accurate pinpointing of large write performance issues. The Analytics Engine separately tracks:

    ◉ Avg/Min/Max host write delay

    ◉ Avg/Min/Max storage write delay

◉ The total busy time metric tracks the total time there was at least one outstanding I/O per-flow. This metric helps to characterize the ‘busyness’ of a flow relative to other flows.

The hardware Analytics Engine by default tracks SCSI and NVMe I/O metrics at ITL/ITN granularity. However, it can also be programmed to track metrics for various flow granularity of IT, ITL-VMID, ITN-NVMeConnectionID or ITN-NVMeConnectionID-VMID. This gives flexibility in choosing the granularity of metrics and I/O visibility.

The 1GbE analytics port on the Cisco MDS 64G Module can stream the per-flow metrics directly (without involvement of Supervisor) in an ASIC native or standard gPB/gRPC format. This can serve future use-cases that require visibility into micro telemetry events, which would require high frequency telemetry streaming.

Source: cisco.com

Continue reading

The SASE story: How SASE came to be, and why it has quickly become the default architecture

Secure Access Service Edge (SASE) has quickly become one of the hottest topics related to cloud, networking, and security architectures. As Cisco engineers, we have seen hesitation and confusion among some customers on what SASE really means. We hope to answer most of those questions here.

What is SASE, and how is it related to the Cloud Edge, Zero Trust, and SD-WAN? SASE has positively impacted how we run our IT organization, and how we envision Enterprise IT customers will run theirs. To accurately explain what SASE is, and why SASE came to be, we must look at the evolution of how data is stored and transported within an enterprise.

Our journey started inside the data center

A decade ago, many of us lived in a data Center-centric world, and security was simpler to implement.  Here at Cisco, we were moving data inside the four walls of our data centers, and  we assumed complete trust. The corporate office, the MPLS circuits between sites, and the Cisco data centers were all within a trusted environment, which enabled us to meet our security and compliance requirements.

Move to hybrid cloud and hybrid work

However, while many enterprises still focus on data center-centric applications for their core business needs, the world is shifting towards cloud-based application development. This enables faster and more efficient deployment of software and services to meet ever-changing business needs.

IT organizations have also shifted from a model of only managed devices (PC or laptop) for use within the trusted corporate network to allowing users to work on multiple devices from just about anywhere. The emergence of BYOD (Bring Your Own Device) as well as remote work had already been gaining traction in the industry over the past few years, and this trend significantly accelerated with the onset of the COVID-19 pandemic. Now, employees are expected to be able to work from anywhere, and any device. Combined with the distribution of resources across on-prem networks and the cloud, Hybrid Work presents a significant security problem as business users and application providers are no longer fully controlled by the IT organization.

To address security concerns in the interim, network architects designed a model where all user/cloud interactions were routed back, or backhauled, through a data center — i.e. the trusted entity — prior to being redirected to the cloud application. While meeting the security needs, this model has performance and cost challenges.

Arriving at SASE

To improve security and efficiency, a SASE-like architecture was developed internally by Cisco IT. The model we used for the architecture provides every user with a security profile tailored to their access privileges and uses a Zero-Trust approach to identify and authenticate users and devices before allowing a direct connection between the cloud and the access edge.

Ultimately, SASE is the convergence of networking and security functions in the cloud to deliver reliable, secure access to applications, anywhere users work. The Cisco SASE model works by combining SD-WAN for network, with cloud-based security capabilities such as Secure Web Gateway, Firewall as a Service, Cloud Access Security Broker, and Zero Trust Network Access into one, single, integrated cloud service.

CloudPort and the evolution of SASE at Cisco

Cisco’s SASE journey started with CloudPort, which was a hardware-based, on-prem, self-managed Cloud Edge platform, delivered at Colocation data centers around the world. While CloudPort provided a single platform that delivered network and security, it also brought cost challenges, used a traditional perimeter security, and required both agility to scale up/down as well as specialized skillsets.

To address these challenges, we first modernized the on-prem CloudPort solution, and put in motion a plan to move from on-prem to as a service or hosted SASE capabilities. The Customer Zero team, which deploys emerging technology in real life environments to provide critical feedback to the BU early in the product lifecycle, created a strategy to move to SASE, testing do-it-yourself and as-a-service models. The findings from the Customer Zero internal testing have guided our external offering strategy.

During this testing period, Cisco IT has moved from a ‘do-it-yourself’ model to a Cisco hosted/managed solution.

Source: cisco.com

Continue reading

Moving Towards a Culture of Systemic Software Quality at Cisco

When software development involves many developers and components, the tools and techniques that are used to maintain software quality need to evolve beyond simply code and test. With bugs still making it into releases, we clearly do not have a foolproof process. So, what will it take to enhance software quality from development to release?

Here are key considerations that go into maintaining software quality.

Beyond Unit Testing

Bugs, or  software defects, are regular part of  software engineering. For smaller projects, it is enough to write the code, put it through some tests, fix any bugs resulting from the tests, and then declare it done. If you are a fan of Test-Driven Development, (TDD) you can do the reverse, where you write the tests first and then write the code to pass the tests.

Both approaches are unit test approaches and can be used to validate that the unit under test performs the function that it was designed to do. Furthermore, if you archive the tests, you have the beginning of a set of regression tests that will allow the developer to validate that any changes made to the unit still allow the unit to function as originally designed.

The development of a strong unit-testing framework is one of the foundations of software quality but this, alone, is not enough to ensure software quality. This type of testing assumes that if the units are working fine, then the sum of the units is working fine. The other issue is that as the number of software units grows, maintaining and running the increased number of tests—that can grow to thousands—becomes an onerous chore.

Tests of Tests

Taking testing to the next level, unit tests move into feature and solution tests. These tests start with a functioning system and then exercise the interfaces from the perspective of an end operator. Configuration changes, different packets, different connecting systems, topologies, and other elements are tested using automated tests that try to ensure that the software works as intended. These tests do a good job of ensuring that what has been tested works, but the runtime and the resources involved can be staggering. It is not uncommon to have to book test runs six months in advance and a run can take a week or two to complete.

Code Analysis

Another aspect of software quality is the software itself. From the bottom up, the code needs to be well written to reduce software defects. Beginning with the assumption that the developer knows what they are doing, the code is inspected by both other developers in code reviews and by automated tools via static analysis. Both are important, but they often suffer from a lack of context. The static analysis tools can only identify  an objective problem with the code. It raises the bar to eliminate language and coding errors, but semantic and contextual details are required to ensure quality.

Code reviews by other developers are invaluable and catch lots of issues. But of all the quality review techniques that are used, they vary the most in efficiency.  A good reviewer can dig through issues, interactions, and problems that automated tools and testing don’t find. But a reviewer who is unfamiliar with the code can do little more than check the style guidelines

Designing for Quality Software

Creating quality code is sometimes not just about translating functional ideas into code. Some quality defects, though avoidable in perfectly written code, are common enough to be a recognized fact in certain environments. For example, when writing in C, there is no memory management, so memory leaks are prevalent in the code. Other programming languages have automatic garbage collection where leaks that show up as memory exhaustion are not an issue.

There are two general approaches to designing quality into software.

The first approach is the more traditional route where explicit software constructs are introduced, and the software is migrated to use them. Introducing standard libraries for common functionality is an obvious approach, but this can be very extensive with entire frameworks being developed to corral the application code to only focus on what is core to its functionality. Another twist on this is using code rewrite tools that will migrate existing applications to new infrastructure.

The second approach is something that the Cisco IOS XE development team has been experimenting with for the past five years and that is to insert structural changes underneath the application code without any changes to the code. This means instrumenting the common point that the code needs to use the compiler, to add the infrastructure changes across the entire code base. The benefit here is that a large amount of code can be changed to a different runtime. The downside is that often the application code has no awareness of a runtime underneath it, which can lead to some surprising behaviors. Since these are compiler instrumented changes, the surprises generally involve the Assembler code not matching the C code.

Quality Framework

All these different quality measures amount to a process that is somewhat like the Swiss cheese model of quality (Figure 1). Only when all layers have failed does an issue get through to the field.

Figure 1. The Swiss Cheese Model of Software Problem Visibility

The process has accidently evolved into this and there are continual improvements to be made to the system. Additional layers need to be added that ensure quality from different perspectives. Efficiency between the test layers also needs to be improved so that the same tests are not being run in multiple layers. Finally, engineers need to be aware of the interplay between the layers so that they can accurately diagnose and fix issues.

The process by which quality software is delivered to the market continues to evolve. By structuring the process to cover a diverse range of activities—from unit, feature, and solution testing to code reviews by humans, static analysis tools, and quality design frameworks —Cisco IOS XE developers can deliver software that can reliably run enterprise networks around the world.

Source: cisco.com

Continue reading