
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 15

Cisco IT Case Study

Secure Digital Transformation of Cisco Campus

EXECUTIVE SUMMARY

WHY

Digital transformation is triggering disruptive trends in today’s business world. The pace of change is accelerating at our workplace.

Employees are demanding customized responses to their individual needs and a consumer-class user experience.

HOW

Connecting people, businesses, and things sets the stage for personalized customer experiences, groundbreaking new business models, and workforce innovation.

These changes are already in motion, and demand a technology foundation that is more flexible, secure, scalable, and efficient.

WHAT

● Realizing a digital enterprise vision requires a holistic approach to integrating new technologies.

● Cisco offers:

◦ Digital Network Architecture™ for agile networks

◦ End-to-end integrated collaboration solutions for every device and activity

◦ A platform approach to security, so the full benefits of investment can be gained

◦ Data center, automation, and analytics solutions

● Cisco IT is building the foundation for digital transformation with various Cisco and third-party solutions to connect, secure, collaborate, and digitize the enterprise.

Secure Digital Transformation of Cisco Campus

There has never been a better time to make the workplace smarter.

Overview

Work is changing at Cisco. Today, our 72,000 employees can work from any location—a Cisco office, their home, a customer location, a public place—and while they are on the move. More than 50 percent of our employees report to managers in different cities. And while our workforce has increased by 20 percent over the past five years, we also have improved utilization of our more than 23 million square feet of office space across 94 countries. Our use of connected workspace solutions and Cisco collaboration architecture helped us to reduce our total office space by 30 percent.

Meanwhile, the applications we use to collaborate and communicate are also changing, providing better user experiences, automating most manual work, and proactively suggesting actions to users. Cisco employees access these applications from public, private, and hybrid clouds. Our customers, partners, and suppliers consume these applications, too, and use them to collaborate with Cisco. These and other changes are creating positive impacts for our bottom line. As an example, Cisco has seen more than US$1.7 billion in productivity savings to date through our use of various collaboration solutions. And the addition of video endpoints to every sales person’s desk has helped to accelerate deals worth US$682 million.

The need for agile, secure IT infrastructure

More than three-quarters (78 percent) of businesses said achieving digital transformation will become critical to them in the next two years, according to a recent survey from Capgemini Consulting and MIT Sloan Management Review. To succeed, these businesses will need to have an agile and secure foundational IT infrastructure in place.

As Cisco continues to transform our workplace and how we do business, Cisco IT must be able to respond quickly to requests for development and support of our applications and infrastructure. Cisco IT’s agile infrastructure is already creating new workforce and customer experiences, while helping the enterprise to innovate, keep up with customer demands, and maintain our focus on security risks.

In the following sections, we explore four different areas of agile infrastructure that Cisco IT implemented at the Cisco campus. We also discuss some of the challenges we faced and how we solved them, and explain how Cisco will continue to invest in digital transformation—and disruption.

© 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. September 2017 Page 2 of 15

Our approach, outlined in Figure 1, can be summarized in four parts:

Part 1: Collaboration and agile workspace

Part 2: Data center and cloud

Part 3: Flexible, automated network

Part 4: Holistic approach to security

Figure 1. Foundational capabilities for the digital enterprise

Source: Cisco

Part 1. Collaboration and agile workspace

Collaboration is central to our work today. Increased competitive pressures, opportunities due to technological shifts (such as cloud computing), and the adoption of agile processes that enable continuous delivery all have contributed to significant changes in work styles. Closed offices with minimal interaction and information sharing have given way to approaches that support a better exchange of information and ideas, and work that is dynamic and interdependent. We also see more project-based teams that are self-forming, short-lived, and focused on delivering quick, innovative solutions to very specific initiatives.

In short, successful organizations are more agile and matrixed. They learn and respond rapidly through an open flow of information. They encourage experimentation, learn on an iterative basis, and organize as a network of employees, customers, and partners motivated by a shared purpose.

As organizations adapt to become agile, collaboration needs become more varied. Employees across organizations are performing different roles and using multiple devices throughout the day while in different locations and time zones. Some organizations still have a “one size fits all” approach to collaboration tools; that approach doesn’t always align with evolving work environments or worker expectations, however.

When corporate tools don’t work, employees use their own technology. That includes devices and apps—Android, Apple, Windows, Box, Dropbox, Skype, Facebook, SlideShare, and YouTube, just to name a few. And when using those devices and apps at work, employees expect the same fast, seamless experience they have as consumers.


To help meet these expectations, Cisco IT implemented a unified, productive collaboration experience. The guiding tenets are security, simplicity, and ease of management. Cisco IT, along with Cisco Workplace Resources, focused on the following three areas to enhance end user experience and productivity:

● Area 1: Connected workplace

● Area 2: Collaborative architecture

● Area 3: Integration of collaboration tools into business processes

Area 1: Connected workplace

To help our people make the most of their innovative talents, Cisco has implemented activity-based environments. Each “neighborhood” offers a choice of different spaces with different collaborative solutions to support variation in worker needs, socialization, and downtime.¹ It’s an ideal approach for our workforce, and helps Cisco to reduce costs through more efficient use of office space.

Figure 2. Elements of activity-based environments at Cisco

Source: Cisco

Area 2: Collaboration architecture

Bring Your Own Device (BYOD), pervasive wireless, a choice in video endpoints, and extension mobility offer our workforce the freedom to move anywhere at any time with any device.

As Figure 2 shows, we use software options like Cisco Spark™, Cisco WebEx®, and Cisco Jabber®, and physical devices such as traditional IP phones, personal video devices (like our DX series), collaborative room devices (MX and IX devices), and Spark Board to make this happen.

¹ For more information, see Office Design Case Study: How Cisco Designed the Collaborative Connected Workplace Environment: https://www.cisco.com/c/en/us/about/cisco-on-cisco/collaboration/connected-workplace.html.


Figure 3. Cisco collaboration solutions used by Cisco IT to meet the end-to-end requirement

Source: Cisco

Cisco IT matches these solutions to the work style of the individual and tightly integrates them with business processes and applications. This integrated approach lets our employees focus on their work rather than dealing with technological complexity.

Secure BYOD

Cisco has employed a BYOD policy for nearly a decade, and we were one of the companies that led the way in making BYOD a realistic option for the modern workforce.

The initial focus of our BYOD policy was to provide email and calendar services on any platform. Today, our policy enables workforce mobility and helps business get done faster at Cisco.

As an example, before BYOD, an account manager at Cisco would have to be in the office and log in to a tool to approve a deal. Today, that same account manager can approve a deal from anywhere on any device at any time.

The pervasiveness of BYOD meant that we needed a comprehensive plan to secure Cisco confidential data on trusted mobile devices. (See Figure 3.)


Figure 4. Overview of layered approach to BYOD security at Cisco

Source: Cisco

Cisco IT uses a set of Cisco technologies for this purpose: MDM, Cisco AnyConnect® for Mobile, FireAMP for Mobile, OpenDNS®, Cisco Umbrella™, and Cisco Identity Services Engine (ISE). We follow an architecture-led approach and make sure that all Cisco and non-Cisco components are interoperable and easier for IT to support.

IT uses Cisco ISE to authenticate users and devices in the network, and to allow the right amount of access based on which device they are using and where they might be accessing the network from. (Note: We cover more details about ISE in the security section of this case study.)

iCAM and eStore

Cisco IT identified Box.com as an effective way to share documents between devices, internal users, and customers. We have developed a customized analytics tool, called iCAM, to look at the profiles of individuals and their network behavior, receiving feeds from external sources like Box.com and analyzing them together. We’re in the process of adopting a more comprehensive approach with cloud access security broker Cisco Cloudlock® to secure Cisco data residing in various public clouds.

Cisco IT also built eStore, an internal IT application shop. eStore is a single self-service portal for delivering IT services to our internal users using Cisco Prime® Service Catalog. Users can search and access any IT service with a few clicks. Most services on this platform are fully automated and can be set up in minutes. Users choose from a list of services with associated costs and can pick any combination of services to match their requirements.

Area 3: Integration of collaboration tools into business processes

We embed collaboration tools inside the applications that Cisco employees use. By using Cisco Spark, for example, we virtualized our Quarter-End Physical War Room. That led to a 70 percent reduction in time spent by engineers and a significant reduction in travel costs.

Faster and easier collaboration from anywhere, anytime brought the global team together, improved transparency, and dramatically reduced the amount of time needed for in-person meetings.


Figure 5. Transforming physical war rooms to virtual team rooms with Cisco Spark

Source: Cisco

The IT Operations Command Center is another example of how we are integrating Cisco Spark in the business. When an IT incident occurs, a Cisco Spark virtual meeting room is created. That gives visibility to the required IT teams, and reduces duplicate efforts by other teams.

In the event an incident is handed over to another time zone for continued work, the incident history is easily available. This capability has improved incident resolution time as well as post-incident review time.

Part 2. Data center and cloud

The second part of our approach to creating an agile IT infrastructure involves the data center and the cloud, as well as applications. Digitization accelerates the speed of innovation and disrupts prevalent business models. That, in turn, increases the rate at which applications can be transformed.

Not only are changes happening in traditional applications hosted within data centers, but also many new applications are accessed from the public cloud as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS). But business demands more flexible, simpler, cost-efficient consumption models.

Until 2016, Cisco IT’s vision was to:

● Build additional data centers and infrastructure capacity to address growing demand from the business. We took the application migration to new data centers as an opportunity to transform applications.

● Provide application resiliency based on highly available infrastructure.

● Shift to an IT as a service (ITaaS) model. As part of this program, we built clear visibility into cost and quality of service that we delivered to our internal customers. We were also able to build new private cloud capabilities. At the end of the initial shift, we were offering near-zero downtime for the critical applications from the infrastructure side. We also reduced infrastructure provisioning time to about 15 minutes.

Figure 5, on the next page, shows the continuous improvement in provisioning service-level agreements (SLAs) and the reduction in cost to application teams.


Source: Cisco

Cisco IT’s new focus is adapting the infrastructure for application demands and making applications more intelligent, rather than relying solely on infrastructure to provide resilience and security. We are achieving this by:

● Transforming applications to cloud native mode, so they can be adapted quickly to meet new business challenges.

● Making everything in the data center software-defined.

● Automating capacity management and transparent consumption of public and private cloud resources.

● Embedding resiliency and security in every component and process.

● Improving the quality and availability of applications and infrastructure with big data and analytics.

Continuous delivery model

More than 70 percent of IT application teams in Cisco IT have adopted a continuous delivery model, which has led to a considerable improvement in time-to-deliver of new business capabilities, and the quality and security of IT applications. Some of the key benefits for Cisco include:

● 2X increase in delivered capabilities

● 60 percent reduction in vulnerabilities

● 92 percent increase in quality

Application transformation, cloud native, and open source

Traditionally, most enterprise applications were used for commercial purposes and change was infrequent. As business demands new capabilities on the application side, IT teams must transform their applications to be cloud native. (See Figure 6 on next page.)


Figure 6. Different states of application running in cloud

Source: Cisco

In cloud-tolerant mode, applications are tightly integrated during the design time and don’t have the ability to change on their own, even if the underlying infrastructure supports dynamic changes. For example, when the number of users accessing an application increases, application performance will be degraded. The IT administrator must monitor the usage, increase the resources allocated, and reconfigure the application to use the newly added resources effectively.

In cloud-native mode, applications are designed to fully utilize the scalability of the underlying infrastructure. For instance, when the load on the application increases, it can sense the increased load compared to provisioned capacity, and increase the amount of resources allocated without manual intervention from the IT administrator.

Today, at Cisco, we are:

● Taking full advantage of the cloud using APIs to consume infrastructure

● Handling user demands dynamically, without the need for resources to monitor use or manually make changes

● Self-healing from infrastructure and software component failures

● Lowering costs by using open-source components

Data center infrastructure

Cisco IT has already built an excellent private cloud for our internal users. We support more than 55,000 virtual hosts in our private cloud built on Cisco ACI™, Cisco Unified Computing System™ Servers, and orchestration tools like Cisco Prime Service Catalog and UCS Director. In addition to Cisco components, we leverage third-party hardware and software in areas like SAN, NAS, virtualization, PaaS, and ITIL tools. Cisco IT is also in the process of adding the Cloud OS layer to provide complete API-based programmability of infrastructure to applications.


Figure 7. Overview of Cisco data center infrastructure

Source: Cisco

Data Center Analytics

In the highly virtualized and containerized environment of the Cisco data center, where change happens frequently, traditional ways to find dependencies and troubleshoot application problems are impractical and time-consuming. Cisco IT deployed Cisco Tetration Analytics™ to inspect every packet flowing into the data center network. (See Figure 8.) We collect a huge volume of data and provide a near-real-time dependency view of applications. Cisco IT can then speed up application migration from a legacy network to the cloud. Application teams gain visibility to transform applications to cloud native mode quickly. In turn, auditors can see the policy enforcement easily.

Figure 8. Cisco Tetration Analytics use cases in Cisco IT


Source: Cisco

The application domain has undergone a radical transformation over the past few years. On the surface, an app may look very simple; however, under the hood, the entire application ecosystem is tremendously complex. There are many components, and they all need to cooperate.

Think about the different types of delivery models—the traditional on-premise, SaaS/cloud-based delivery, different platforms such as mobile or web—deployed in all types of environments, and the explosion of unstructured data types. From an application performance monitoring perspective, Cisco has the ability to stitch all these different types and sources of data together, and dissect and manage it all at a per-component level while maintaining visibility and optimizing it end-to-end.

Three groups benefit from Cisco AppDynamics-powered “monitoring as a service”:

● Development community: In the development phase, Cisco IT subjects code to performance testing to detect and remedy issues early in the lifecycle, helping to produce quality code.

● Operations team: This group monitors production and takes proactive steps to correct issues before they impact the business. The team can rapidly identify the root cause of an issue and restore services faster. The history of transaction details and analytics data are used for incident and problem management.

● Business and service owners: Our service owners get real-time visibility into the health and performance of their business and can leverage the data to make faster and better decisions, as well as increase the speed and stability of the service and business.

With the implementation of cloud and data center analytics solutions, application developers can self-provision their infrastructure in just 15 minutes. Also, the data center footprint has decreased by 35 percent because of improved utilization of existing infrastructure.

Our use of data center analytics has helped to improve our ability to detect problems quickly, and reduce the cost of application troubleshooting.

Part 3. Flexible, automated network

Exponential growth in connected devices, cloud-delivered applications, and services, and the increasing frequency and severity of cyber attacks, are some of the key technological implications of digitization. And the way that users access the network has changed dramatically in the last few years. For example:

● Users use Wi-Fi as the primary way of connecting to the IT network.

● Users use multiple devices to access information, and need the ability to share between devices.

● Users connect to the network from any location, not just offices.

● The type of traffic on the network has shifted from data to mostly voice and video. Video is not limited to dedicated collaboration devices; all the devices used generate video and voice traffic.

● The end device mostly encrypts traffic.

● Users are now accessing complex applications that are made up of components from private and public clouds, as opposed to the traditional way of using applications only from IT managed data centers.

● New types of devices, like surveillance cameras, building management systems, lights, and Internet of Things (IoT) gateways, have started appearing in the network.

The network is the core of the digital enterprise and needs to be flexible. And organizations that implement more digital-ready networks can increase revenue, customer retention, and profitability.²

² See “Digital Transformation by Cisco”: https://discover.cisco.com/en/us/digital-business/whitepaper/transformation/drivers-626F-817OJ.html.


Simple deployment, automation, and scalability

Cisco IT considers the following four criteria when designing a digital-ready network:

● Simple deployment, automation and scalability

● Unified network for both traditional and new workloads like video, smart buildings, and IoT devices

● Pervasive wireless

● Context-aware policy enforcement

Cisco Digital Network Architecture (Cisco DNA), explained in more detail later in this document, allows us to virtualize network services and provides the flexibility to add new services without the need to provision new hardware for each service. Cisco DNA is an open, programmable architecture that allows for automation and management. The growing number of network components across the enterprise does not need to scale resources linearly, which considerably reduces the cost and time it takes to implement new services.

Unified network

More and more IT and facilities devices are connecting to the network, including IP cameras, building management systems, power over ethernet (PoE) lights, IoT gateways, and kiosks. Cisco IT works closely with our facilities and physical security teams to deploy a unified IP network instead of creating individual network islands. It’s also critical to consider the security implications of the expanding IoT and have proper tools and processes in place to detect security-related incidents and mitigate them.

Pervasive wireless

The end-user demand to work from anywhere with any device requires a pervasive wireless deployment at the workplace. As users start using wireless as a primary method of connectivity, the network should provide stability. Cisco IT has adopted the latest generation of Cisco 802.11ac Wave2-based solution to meet these requirements.

Users expect the same level of availability as a wired network. Cisco IT leverages some of the unique features in the Cisco Wireless solution to provide functionalities including CleanAir®, Client Link, Client Stateful Switch Over, Improved Radio Resource Management, Flexible Radio, and Assisted Roaming. These features enable Cisco IT to provide a wireless network to our users with the same reliability and performance as a wired network.

[Mini sidebar]

Benefits of digital-ready networks: examples

Cisco customers are seeing significant benefits from building digital-ready networks with Cisco DNA solutions, according to recent research by IDC.

Source: IDC

[End mini sidebar]


Part 4. Security

New distributed networks mean new security challenges. Today’s business landscape has completely changed and so has the threat landscape. Complex and fragmented networks make it very difficult to protect against advanced persistent threats.

Meanwhile, Cisco continues to acquire innovative companies, which means trying to merge IT systems, departments, networks and access, and security policies and tools. Add this to the increased use of cloud services and cloud applications, which are being spun up faster than IT can manage them.

As a result, the enterprise attack surface has expanded to the point where it is now a matter of time before a network is breached. Not if, but when.

Cisco IT can’t defend against what we can’t see. That is why visibility into the network is a critical component of our security. We capture what is happening across the network at a granular level. We understand a baseline of what the traffic flows look like. It’s important to see known and unknown applications, users, and devices across the network to determine whether there may be anomalous behavior that requires action.

Figure 10. The high-level architecture of network access control in Cisco IT (Source: Cisco)

Cisco IT uses Network as a Sensor and Enforcer to leverage our existing Cisco network for traffic analysis and visibility, and to enforce the policy that is the key element of network security. (See Figure 10.) These solutions help us detect anomalous traffic flows and malware. They also alert us when malware tries to propagate. We have granular visibility into applications and roles by user. That allows us to determine whether users are violating access policy, and to detect rogue devices rapidly and quarantine them on the network.

A holistic approach to security

There used to be a strong perimeter defined by the network endpoints, which were inside secured corporate buildings or highly secured corporate data centers. But over the past decade a lot has changed. Adding Internet gateways required firewalls, IDS/IPS, and more. Teleworking required better VPN encryption and security. Mobility, in the form of wireless access for mobile workers’ laptops, smartphones, and tablets, dissolved the concept of a network perimeter and required significantly greater device and data protection.

Cloud services have expanded the highly secure corporate data center into vendor data centers that provide varying, and often unknown, levels of security and regulatory compliance. Meanwhile, infrastructure cybersecurity is now so advanced that, as long as the infrastructure is well-patched and up to date, almost all standard attacks can be stopped.

Today, most successful attacks go around the standard perimeter defenses by finding trusted people to let them (and their malware) into the network via email and cloud. As an example, Cisco employees visit 350 million websites per day—and about 2 percent of those sites are blocked. We avoid more than 500,000 malware downloads per day. We also receive about 4.5 million emails per day from outside the company. Some point to infected websites, and about 200 emails per day carry virus payload attachments.

In light of these dynamics, Cisco IT is taking a more holistic approach to security by focusing on shaping policies and practices that help to protect Cisco assets, data, and intellectual property both proactively and reactively. While technology is a large part of Cisco’s security architecture, a watchful eye on trends within the business environment and their impact on users is also important to our comprehensive plan.

Cisco IT’s approach to security is to use a combination of technologies, processes, and awareness and training to educate everyone in Cisco. All these areas are spread across the three-phase attack continuum of before, during, and after.

Cisco Talos™ has successfully neutralized malicious infrastructure in the wild, counteracting attackers on their own ground. Talos is the industry-leading threat intelligence organization with more than 250 researchers.3

Let’s look at how Cisco security solutions help us in different phases of an attack. (See Figure 12.) When attackers perform reconnaissance, they research employees online (maybe through social media) and attempt to map the network. Attackers need to prepare their own infrastructure—for example, botnet servers.

Figure 11. Attack lifecycle and Cisco solutions to protect at each stage (Source: Cisco)

Attackers may use a phishing email, malvertising (malicious advertising), or another technique to launch their attack. Regardless of how legitimate a phishing email looks, Cisco Email Security will block the malicious message. By blocking at the DNS layer from the cloud, Cisco Umbrella™ protects users from accessing malicious domains, IPs, and URLs. Users may also use Cisco Web Security to block malicious HTTP and HTTPS websites.

3 For more information about Talos, see https://www.cisco.com/c/en/us/products/security/talos.html.


After an initial launch, attackers exploit vulnerabilities in the network to gain a foothold. Cisco’s Next-Generation Firewall (or NGFW) and Cisco Meraki™ MX protect critical assets from being accessed through compromised applications at the edge, the branch, and in the data center. Cisco’s Next-Generation Intrusion Prevention System (or NGIPS) identifies and blocks exploits with industry-leading efficacy.

Attackers want to install malware to accomplish complex tasks—for example, keystroke logging. Advanced Malware Protection (or AMP) blocks malicious files before they can enter your network and continuously monitors file and process activity. Unknown files are analyzed in ThreatGRID®, and when deemed malicious, AMP will issue a retrospective alert.

Attackers use command-and-control traffic to communicate with malicious infrastructure. Cisco Umbrella™ blocks this traffic over any port or protocol when users are on or off the corporate network. This is true even when the VPN is disconnected.

If an attacker has successfully penetrated a network, they will persist until they accomplish their goals. The Cisco Identity Services Engine (or ISE) mitigates present threats by limiting network access based on the who, what, when, and where of people and devices connected to the corporate network. Cisco TrustSec® technology is embedded in Cisco devices, working with ISE to enforce policy through software-defined segmentation.

To catch intrusions in a network, StealthWatch® establishes a baseline of activity and detects anomalies, analyzing historical and real-time NetFlow data. And Cisco Cloudlock® blocks the misuse of credentials and the movement of sensitive data within cloud applications when that is what attackers are after.
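The two passages above (network visibility with a traffic baseline under "Part 4. Security", and StealthWatch baselining NetFlow data to detect anomalies) describe the same idea: learn what normal flow volume and peer sets look like per host, then flag departures. The following is an added illustration of that idea in Python, not StealthWatch's algorithm and not code from Cisco or this case study. The flow records, host addresses (TEST-NET and RFC 1918 ranges), port numbers, and the `k` and `floor_fraction` parameters are all constructed for the example.

```python
"""Baseline-and-anomaly detection over NetFlow-style records.

Constructed example: learn per-host daily byte volume and peer set from a
baseline window, then flag hosts in an observation window that (a) exceed
mean + k * stdev of their baseline volume, (b) talk to a (dst, port) pair
never seen in the baseline, or (c) have no baseline at all.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, src_ip, dst_ip, dst_port, bytes_out).
# Five days of routine traffic for two internal hosts.
BASELINE_FLOWS = [
    ("d1", "10.1.1.10", "10.2.0.5", 443, 100_000), ("d1", "10.1.1.10", "10.2.0.9", 53, 500),
    ("d2", "10.1.1.10", "10.2.0.5", 443, 110_000), ("d2", "10.1.1.10", "10.2.0.9", 53, 500),
    ("d3", "10.1.1.10", "10.2.0.5", 443, 95_000),  ("d3", "10.1.1.10", "10.2.0.9", 53, 500),
    ("d4", "10.1.1.10", "10.2.0.5", 443, 105_000), ("d4", "10.1.1.10", "10.2.0.9", 53, 500),
    ("d5", "10.1.1.10", "10.2.0.5", 443, 90_000),  ("d5", "10.1.1.10", "10.2.0.9", 53, 500),
] + [("d%d" % i, "10.1.1.20", "10.2.0.5", 443, 50_000) for i in range(1, 6)]

# Constructed observation window: host .20 suddenly pushes 2 MB to an
# external address on an unusual port; host .30 has never been seen before.
OBSERVED_FLOWS = [
    ("d6", "10.1.1.10", "10.2.0.5", 443, 98_000),
    ("d6", "10.1.1.10", "10.2.0.9", 53, 500),
    ("d6", "10.1.1.20", "10.2.0.5", 443, 49_000),
    ("d6", "10.1.1.20", "203.0.113.7", 4444, 2_000_000),
    ("d6", "10.1.1.30", "10.2.0.5", 443, 1_000),
]


def build_baseline(flows):
    """Per source host: mean/stdev of daily bytes and the set of (dst, port) peers."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    peers = defaultdict(set)                       # host -> {(dst, port)}
    for day, src, dst, port, nbytes in flows:
        daily[src][day] += nbytes
        peers[src].add((dst, port))
    return {
        host: {"mean": mean(days.values()), "std": pstdev(days.values()), "peers": peers[host]}
        for host, days in daily.items()
    }


def detect_anomalies(baseline, flows, k=3.0, floor_fraction=0.1):
    """Return findings sorted by (host, kind).

    floor_fraction keeps a host whose baseline volume never varied (stdev 0)
    from alerting on any tiny change: the spread used is at least that
    fraction of the mean.
    """
    totals = defaultdict(int)
    new_peers = defaultdict(set)
    for _day, src, dst, port, nbytes in flows:
        totals[src] += nbytes
        if src in baseline and (dst, port) not in baseline[src]["peers"]:
            new_peers[src].add((dst, port))

    findings = []
    for host, total in totals.items():
        if host not in baseline:
            findings.append({"host": host, "kind": "unbaselined", "detail": {"bytes": total}})
            continue
        b = baseline[host]
        spread = max(b["std"], floor_fraction * b["mean"])
        threshold = b["mean"] + k * spread
        if total > threshold:
            findings.append({"host": host, "kind": "volume",
                             "detail": {"bytes": total, "threshold": threshold}})
        if new_peers[host]:
            findings.append({"host": host, "kind": "new_peer",
                             "detail": {"peers": sorted(new_peers[host])}})
    return sorted(findings, key=lambda f: (f["host"], f["kind"]))


def run_demo():
    """Run the constructed scenario end to end and return the findings."""
    return detect_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for f in run_demo():
        print(f["host"], f["kind"], f["detail"])
```

In the constructed data, host 10.1.1.10 stays within its learned range and produces no finding; host 10.1.1.20 trips both the volume check and the new-peer check, which is the kind of event the text describes ISE and TrustSec acting on; host 10.1.1.30 is reported only as lacking a baseline, so a reviewer knows the volume check could not be applied rather than silently passing it.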

Simple, open, and automated

Cisco’s products communicate with each other because they are open. By automating and simplifying processes, security is more effective. For example, events from AMP for Endpoints are integrated with Cisco’s Web, Email, Cisco Umbrella™, NGFW, and Cisco Meraki™ security solutions to detect threats quickly.

Policy information is also shared between products. If StealthWatch identifies a compromised user, ISE and TrustSec will change the Security Group Tag, and the Web Security policy for that user automatically changes.

Cisco security products share threat intelligence broadly, especially through Cisco Talos. If an AMP deployment in one location detects a new zero-day ransomware variant, other AMP deployments around the world are updated through Talos. With the threat intelligence from Talos, a customer could block a zero-day variant even if they’ve never been exposed to it before.

Lastly, the sharing of contextual information simplifies workflows. The context in ISE can be applied when setting policy within the NGFW, and it is just as easy as creating any other NGFW policy. APIs across the Cisco security portfolio allow integration with third-party solutions in your network.

Results

Cisco is the worldwide leader in networking that transforms how people connect, communicate, and collaborate securely. We are also, as a result, a top target for cyber attacks.

By using a combination of security solutions from our company, as well as from trusted third parties, Cisco IT has been able to reduce the host infection rate by 48 percent, and prevent major incidents like the ransomware attack WannaCry from affecting our systems.

Summary

Cisco IT continues to drive innovations in the workplace to attract new talent, improve productivity, and reduce costs. We are working closely with security and facilities teams to create a unified architecture for the digitized workspace. Through our collaboration, and by helping to support our customers through their digital transformation journeys, we have learned that:

● The design for the modern workplace must consider changing user preferences and new and emerging collaboration and communication tools.

● Those tools should be interoperable, and integrated into business processes and applications.

● Enterprises also must focus on creating the right policies and building user awareness about security risks. Also, policies should be based on context, and not tied to a specific location or device.

We also understand that the network must be highly visualized and automated to respond quickly to changing business needs. It also must be flexible to accommodate new devices, and to grow. And lastly, enterprises must design their network to serve as a sensor and policy enforcer so they can meet the challenges of today’s increasingly complex cyber threat environment.

For More Information

To read additional Cisco IT case studies on a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.

Security Fueling the Digital Journey (Spanish)
How Cisco designs the collaborative workspace
How Cisco IT implemented BYOD
How Cisco IT implemented eStore
How Cisco IT Manages Security
How Cisco IT built the private cloud and large-scale enterprise data centers

Note

This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described; Cisco does not guarantee comparable results elsewhere.

CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some jurisdictions do not allow disclaimer of express or implied warranties, therefore this disclaimer may not apply to you.