Secure Access

The use case depends upon the vertical, such as manufacturing or enterprise. Mostly customers are looking for secure remote access to their applications. They may have a vendor ecosystem where they do not want to install any client. If they are looking for a clientless VPN like ZTNA , Zero Trust Network Access , that is where it fits. Mostly they want to move away from the centralized filtering point of view, even if it is a proxy. They want to facilitate access wherever they are geographically distributed. Because Cisco Secure Access  PoP is there everywhere in major regions, this helps.

If they have a use case of a user sitting in an office and a user sitting remote, and a vendor accessing their applications from outside their network, you cannot expect anything installed in the vendor laptop, which is a non-domain laptop. That time, you need to have a solution that supports secure access of that application for that vendor who is sitting outside the network and is not a domain user.

Private application access is definitely there with the resource connectors. The concept of resource connectors is there to ensure the backend traffic from the application to the user. I have use cases, but I mainly worked on SaaS web traffic where I position SSE. Internal traffic is there, but not much discussion. It is hybrid only. There are customers who are adopting data center and coming out from cloud to data center, and vice versa. Definitely it will be Hybrid Remote  Access.

The price and license for Cisco Secure Access  are fine. Cisco documentation is always good. As a product, in terms of Cisco SSE, I appreciate the feature set. It is simple. The product is giving whatever you need from a customer point of view. Suppose point A to point B if you have to send data, you need not worry about anything such as your data might get compromised or somebody can do a middleman attack because everything is secure. They are sending the traffic encrypted and categorizing the traffic based on the type, whether web traffic or internet traffic, and doing the security mechanism that is needed for the traffic type. You can tick mark that flexibility is there.

Cisco SSE has an AI model, so you can write the policies if you just write it in plain English, it can do that. It can also drill down to AI Canvas, which is the new product that Cisco has launched.

I sold ThousandEyes  and had done proof of concepts. ThousandEyes  is a good product. However, the major flaw for ThousandEyes is the way they are calculating and giving the costing to the customer. The way the units consumption pricing is structured is not that great. That is the biggest flaw, and that is where people are not adopting it. The success rate of ThousandEyes when going with a digital monitoring concept is that it will address from endpoint to the application level and cover all domains. However, the way you are structuring your pricing with respect to the consumption of the units is a major issue. The pricing structure is not good in ThousandEyes. Apart from this, it is a good product. It can identify the issues related to an endpoint, if it is a remote user, if it is an internet issue, or if it is an application issue. The HTTP response time and latencies, everything it is giving. However, when a customer is trying to adopt it, the pricing structure is not good.

I have been using the solution for one and a half to two years.

Performance is addressed in a different way. Suppose I have a user in a branch in Europe, or if I have a branch in Australia or if I have a branch in India, they are sending to the nearest PoP, SSE PoP. You can form a tunnel from your branch. In that case, the connectivity reaching out to Cisco Secure Access PoP is being addressed. They are having redundancy also because it will have two tunnels. If this tunnel fails, still you can reach out to Cisco Secure Access cloud.

There are no scalability issues because SASE  is scalable.

Cisco TAC support is better compared to any OEM. That is what I feel. However, what happens with the TAC engineers is once their shift timing ends, they will just exit the call. Again, we need to explain to the other engineer. Even they will not refer much to the notes captured by the previous TAC engineer, and we are starting again. When their shift is done, they close the call. That is not proper support.

Cisco's TAC support is better compared to any OEM, but the shift change process needs improvement.

There are some customers who are using VPN still and maybe they are very slow in terms of technology adoption. The flaw of VPN, everyone knows now, and everyone is realizing the flaw because the moment I just enter into the network, I can go and have a lateral movement across the complete IT infrastructure. It is giving the whole access of the particular network. Whereas ZTNA will predominantly give you access as per your role, allowing you to access only that particular subnet or particular URL or particular application. In that way, you are segregating and you are not allowing certain lateral movement. That means they cannot enter into your holistic complete network. That is the basic difference and the basic flaw, and people are realizing it, but few people are not adopting ZTNA in terms of technology.

The setup is an eight out of ten.

We work with Palo Alto and we work with Zscaler, the same kind of thing. Zscaler is the one that started the proxies, the cloud proxies. We are very much aligned with Cisco.

We have done one major project with almost 350 outlets of one of the customers. It is fine.

I am not sure about Cisco Secure Access setup costs as I did not feel any issues. ThousandEyes I can address, but for Cisco SSE, I think the licensing structure is fine and easy to set up, quick, and documentation is good. Everything is fine.

I prefer Zscaler is good. After Zscaler, Cisco is good.

Ask for references and friends feedback. We work with Palo Alto and we work with Zscaler. Zscaler started the proxies, the cloud proxies. We are very much aligned with Cisco. Cisco TAC support is better compared to any OEM. ThousandEyes is a good product, but the major flaw is the way they are calculating and giving the costing to the customer. The units consumption pricing is not that great. My overall review rating for this product is an eight out of ten.

Cisco Secure Access  serves as a major replacement for traditional VPNs with a VPN-as-a-Service offering. This is particularly useful for clients with aging VPN architectures who face challenges in scaling out.

The product also optimizes firewall capabilities for geographically distributed operators and enhances proxy-based architectures with Secure Web Gateways and CASB  for cloud or SaaS applications. By integrating with identity providers like Azure  Entra ID or Okta, Cisco Secure Access  facilitates the transition from VPN to ZTNA  while ensuring compliance with principles like least privilege access.

Additionally, it incorporates identity and device risk scores for dynamic access policies to respond to varying risk thresholds. The service is particularly useful for managing old VPN infrastructure replacements, firewall optimizations, and bridging the gaps between old and new secure access technologies.

The product also addresses unique geographical challenges, such as ensuring secure internet access for oil rigs in remote locations. Furthermore, Cisco Secure Access's multi-tenancy and Policy Verification features are crucial for managing multi-organization environments and ensuring policy accuracy, respectively.

Hybrid Private Access is particularly useful in regions where replacing existing gear isn't feasible due to cost concerns. Lastly, the product's AI-driven features like AI Access and AI Assistant ease policy management and triage, reducing the time and efforts needed in these processes.

Cisco Secure Access offers numerous valuable features. The VPN-as-a-Service replaces traditional VPNs, providing global secure access without installing solutions at each location, allowing geographically distributed operators to benefit from scalability and optimization.

The integration with identity providers facilitates this transition and aligns with Zero Trust Network Access  principles. The platform offers capabilities like Secure Web Gateways, Firewall-as-a-Service, and CASB  for enhanced cloud-based functionality. Its Policy Verification runs checks to prevent policy misconfigurations, a necessary feature for managing multi-organization environments.

Moreover, the product's AI-driven capabilities streamline policy management and triage, enhancing operational efficiency. Hybrid Private Access and multi-tenancy capabilities make it resource-efficient and particularly useful for unique geographical challenges. The product is scalable, adjusting to new requirements easily, and is backed by robust technical support.

Despite being a value-for-money product, there are a few areas for improvement. Transitioning for customers from Palo Alto to Cisco Secure Access has its challenges, primarily due to previous infrastructure setups and migration paths. Cisco Secure Access may not seamlessly integrate into such settings, although it performs well in a Cisco-based environment.

Furthermore, while the AI capabilities of Cisco Secure Access are useful, they are not seen as major differentiators compared to competitors such as Palo Alto.

Additionally, though the existing threat intelligence is sufficient for most use cases, extending the integration scope with other tools, especially concerning AI supply chain risk management, could enhance its functionality.

The first time I came across Cisco Secure Access, it used to be called a different solution. It was a combination of multiple solutions. First they started with Cisco Duo , and then they expanded into Cisco Secure Firewalls  over close to three years. They conducted a lot of branding changes and naming convention changes after that.

While the product offers strong overall stability, there were occasional issues, particularly involving Linux devices. However, these hiccups were more related to endpoint-client interactions rather than being vendor-specific problems. Overall, the solution is stable, but improvements could further enhance reliability.

The scalability of Cisco Secure Access is a strong feature. Initially driven by the need for improved scalability over traditional VPNs, it has proven to scale seamlessly alongside infrastructural growth. Effective collaboration with account teams ensures a robust and flexible solution designed to meet future scaling requirements without significant issues.

The technical support from Cisco is exceptional. They provide geographically distributed, responsive support with strict SLAs. The purchase of premium support ensures rapid response times, upholding high-quality service delivery across the board. The commitment to excellent service reflects positively on client experiences.

I used to work for Deloitte until six months ago. Currently, this is about managing our own internal infrastructure and then managing that of a couple of our operators and partners. Reselling is not something I am doing currently. I used to do that until June of this year.

Installation and deployment of Cisco Secure Access are straightforward. Comprehensive and publicly available documentation supports this, backed by assigned account managers and optional professional services. Despite anticipating complexities by procuring external services, they were unnecessary due to the clear and simplified setup process offered by the existing resources.

We had an account manager who was assigned to us and then we also purchased some professional services for day zero and day one, in case we got stuck.

The integrated capabilities of Cisco Secure Access deliver significant ROI through reduced mean time to detect (MTTD) and mean time to respond (MTTR). The resource efficiency is notably improved as fewer personnel are needed for triage and system management. The AI features further contribute by expediting threat detection and incident response, ensuring tangible returns through operational savings.

Cisco Secure Access offers good value for money. Existing product relationships provide cost advantages, ensuring reasonable pricing without overcharging. Although the solution is cheaper than premium options such as Palo Alto, existing Cisco licenses facilitate replacing previous solutions with Cisco Secure Access smoothly and affordably.

If you were a Cisco house in the past, I would certainly use that. If you are coming from something with a Palo Alto firewall infrastructure, I would prefer going with Palo Alto. It is more about the widespread adoption. When ten different people are doing the same thing, then I guess the other five people would do the same thing.

While client-based solutions serve corporate employees, clientless options cater to third-party contractors and onboarding procedures without equipment. These options ensure seamless transitions to full client-based systems for long-term corporate users.

Regarding the multi-organization management capability, it is akin to multi-tenancy, helpful for service provider infrastructures with multiple clients or single customers with diverse business units. It brings intuitive infrastructure management without providing unique features compared to competitors.

AI supply chain risk management, while theoretically beneficial, may not give an edge unless thorough integrations with additional tools are pursued. Furthermore, the choice of not implementing low-cost workflows was based on a need for higher security enhancements.

I would rate this review overall at a seven out of ten.

Cisco Secure Access  is used as a security tool within the tenant as a firewall and serves as a cloud-delivered Zero Trust access platform. It is used for Microsoft Intune  as conditional access, Global Secure Access, and from Defender for Cloud Apps, working behind before it.

Cisco Secure Access  provides application-level access. Usually, it's full network access, but with this tool, application-level access can be given. It removes the dependency of VPN, and then user authentications are continuously based on identity, device, and risk, which is an add-on there.

The Zero Trust Network Access  feature is being used.

Cisco AnyConnect is used as a VPN tool for SASE  purposes.

The integration of CASB  functionality for exposing shadow IT within the company is smooth. Technical skill and knowledge are needed to evaluate, analyze, and deep dive on those things. From the tool's response, it is very good, and there is visibility on everything that is needed or necessary.

The integration of Cisco Talos  influences threat detection and response capabilities. The integration of Cisco Talos  is similar to every Cisco Umbrella , and the experience has been smooth. The knowledge, their KB, and FAQs are very good, and their support is very good. When in trouble, readily available documents or information are accessible.

Managing Cisco Secure Access in a single cloud management console is moderate in difficulty. Technical skills or an understanding at a base level or moderate level are needed to make it work, configure, and integrate it. The difficulty level is somewhere between easy and difficult.

Cisco Secure Access has been used for one and a half years.

The product has been stable with no crashes or downtime so far, and the SLA is good.

Cisco Secure Access is scalable.

The technical support of Cisco is good and up to the mark.

Regarding deployment and installation, it is straightforward, but having basics is necessary.

No negative aspects have been observed so far; everything seems good. The review rating for this product is 9 out of 10.

I support the US government. From a customer perspective, the use cases tend to be where we are guarding edge devices that we don't have necessarily 100% positive command and control. The devices have data transport that traverses in some cases ISPs, so we can't really control who's adjacent to those networks. We often deploy in those types of environments. Where we can use dark fiber, we prefer to, but that's not always an option.

I'm probably pretty agnostic with respect to that. We have a federal mandate to reach these next-generation firewall requirements. Stateful packet inspection and things of that nature are the things that we're interested in. We have some programs adjacent to us that definitely do that, but my programs don't require that.

We get a significant discount with Cisco, and their support is definitely top-rate.

Cisco does a decent job with logging. Sometimes you may need to tweak a few settings, but with their more recent products that support Python and Java among others, you now have more programmatic control in the latest versions of IOS.

If the FTD devices themselves, the Firepower Threat Detection system, those are the firewalls themselves, the individual appliances, weren't so tightly coupled to FMC, I'd probably appreciate them as a product more. The learning curve was a little higher just because it's a large departure from their original ASA devices. If they could be managed individually as easily as they can be managed through FMC, I'd probably be a bigger fan.

I have used Cisco products for decades at this point. With respect to ASAs and FTDs, FTDs are fairly new, but I have used ASAs for the better part of a decade.

It is definitely top-rate. In fact, I know that my particular group didn't even have a service agreement in place for the better part of a year and those guys were still very responsive to emails and communications.

We've been using them so long, it's hard to remember being a newbie, but I don't find their products particularly hard to set up. They have great documentation.

In our deployments, all of our web-based access to any of those devices is actually cut off. We do everything through a secure socket. The only situation where we are compelled to use a web interface is for the FMC, specifically for configuration; however, our management is primarily conducted at the console level whenever possible.

We don't find them hard to manage, especially as a group. The bigger challenge was managing them outside of their FMC product. They prefer to be federated to some extent, and they really weren't designed to be individually managed. They prefer to be managed from a central location. But if you have an environment that lends itself to central management, for the most part, it's not an issue.

We acquire through an organization, and we are the ones that implement.

Price-wise, we get a significant discount with Cisco. I actually prefer Juniper products. From a professional perspective, I prefer Palo Alto and Juniper probably more than I do anybody else. But I can't make the argument when we get 50% and 60% discounts, which we don't get from Juniper or Palo Alto.

Because we operate with what could only be called a skeleton crew, a monitoring solution to the extent possible is dependent heavily on logging, which these applications allow. We do a heavy amount of logging and we do a great deal of log parsing through ELK stack and SolarWinds and Splunk. Any tool that provides telemetry through logging is a particularly good fit for us because we have to really automate our monitoring. We don't have the manpower to sit there and look at multiple applications and things on a regular basis. It all has to come to a central location and has to be pretty automated, red light, green light type stuff.

If you have the budget, make sure to get a solid understanding of what's out there. There might be some other products that you might prefer, but if your budget is constrained, you can make it work with Cisco products for sure.

I would rate the solution a 10 out of 10.