
With hybrid work models, cloud-first strategies, and a growing reliance on SaaS applications, the traditional security perimeter no longer fits. Solutions like Cisco Secure Access deliver Zero Trust Access to make connectivity both secure and seamless. Here’s how we used the solution to fit our specific needs.
In the last few years, especially after the pandemic, the way we work has significantly changed. On one hand, remote and hybrid workspaces have become a reality. On the other, an expanding array of applications has moved to the cloud. This shift has moved the corporate security perimeter from on-prem infrastructure to the cloud.
While solutions exist to address this shift, they often consist of a myriad of tools from multiple vendors, requiring complex and expensive deployment, maintenance, and operations. The result? Increased burden on IT and security teams, suboptimal user experiences, and gaps in the overall enterprise security posture.
Additionally, the approach to security itself has evolved—from “best-effort” security to Zero Trust Access (ZTA), which is based on least-privilege access, identity and context awareness, device posture verification, and continuous monitoring.
Traditional VPN Access: Been There, Done That
Whether an IT administrator or an end user, you’re probably familiar with the challenges of traditional tools—like on-prem remote access VPNs, proxies, and firewalls.
Consider a typical enterprise, with multiple offices, mobile users, and a data center hosting critical internal applications and some custom tools. For years, such companies relied on site-to-site and remote access VPN solutions using on-prem VPN head-ends and VPN clients. On-prem policies granted remote employees access to internal resources. In this setup, the IT team is responsible for maintaining VPN configurations. This includes tunnel configurations, access control policies, the digital certificate lifecycle, and user authentication methods.
User Experience: Connecting Again and Again
From a user’s perspective—especially mobile users—accessing internal resources means opening a VPN application, waiting for it to connect and authenticate. Only then can the user access the needed application. If authentication fails, the user is locked out until IT resolves the issue.
Contractors and third parties? That’s a whole different level of complexity. Provisioning unmanaged users and devices is problematic and time-consuming.
More People, More Resources, More Headaches
As the company grows, more people require access to more resources. And with more people and more resources, segmentation and least privilege access become a must. This leads to more complex configuration with multiple group policies and overlapping access control rules. Each new resource and user results in a configuration and policy change, causing more work for IT administrators and a security risk if changes are not handled carefully. One misstep can lead to sensitive data exposure or disruption of access.
Cloud Implication, Routing Madness
The real pain begins when the company decides to migrate its applications to the cloud. The applications and data are now in the cloud, but the users still use VPN to connect to the on-prem data center. Traffic from users goes to the on-prem data center through VPN, and then out to the cloud. This introduces unnecessary latency, bandwidth costs, and routing and policy complexity. IT must now manage additional VPN tunnels from the on-prem data center to the cloud and maintain routing configurations and additional policies, just to keep cloud applications reachable.
Internet Access, Wild Wild Web
Every remote and branch user also needs Internet access. Most companies continue backhauling Internet-bound traffic to a central location to pass through their on-prem security stack, consisting of firewalls, proxies, and other expensive toys. But this approach does not scale well, as it introduces latency, clogs the network, and frustrates users who just want to reach their favorite SaaS app. It is like forcing a traveler to fly back home before boarding their next flight—inefficient, costly, and completely out of step with how people work today.
The Result
The result of such a setup is a model that is costly because of on-prem hardware and licenses. It is inflexible because implementing changes takes too much time, insecure because implementing least privilege is hard, and frustrating for users and IT staff because of the poor user experience.
Cisco Secure Access – Just Secure Access, to Anywhere, from Anywhere
This is where Security Services Edge solutions, such as Cisco Secure Access, change the game. Cisco Secure Access is a cloud-delivered solution that protects access to the Internet, cloud services, SaaS applications, and private applications. It follows the ZTA model by implementing the least privilege principle, user authentication, device posture verification, and multi-layer security services to protect against threats, data exfiltration, phishing, and malware. These security services include DNS security, a cloud-delivered Layer 3/4/7 firewall with intrusion prevention and file inspection, a web proxy with remote browser isolation and data loss prevention, and cloud access security broker capabilities.
Cisco Secure Access supports flexible user connectivity options. These include IPsec VPN tunnels for branch offices, and remote access VPN and ZTA for mobile users, to secure both private and Internet access. There are also options to secure only Internet traffic by leveraging Proxy Auto-Configuration (PAC) files or by using the Umbrella Module for the Cisco Secure Client application.
From the Cisco Secure Access cloud, users break out to private applications in an on-prem data center or in a cloud, to SaaS applications, and to the Internet. To connect from Cisco Secure Access to private applications inside an on-prem data center or inside your favorite cloud provider, two options are available. The first is an IPsec VPN tunnel; the second is a resource connector. While IPsec VPN tunnels support all types of access from the users’ side, the implementation often requires significant changes in routing and security policy. Resource connectors, on the other hand, only support ZTA access from the client side, but they can be deployed without any changes to the existing infrastructure. These connectors provide connectivity from the Cisco Secure Access cloud to private applications by opening outbound, always-on Datagram Transport Layer Security (DTLS) tunnels, so no inbound firewall rules are needed at the data center edge.
Cisco Secure Access Journey at Flint SI – in a Matter of Minutes
At our Flint SI office, we have been working with Cisco Secure Access since its early days. We have been involved in Cisco Secure Access consulting and learning services. We’ve built and delivered deep-dive 2-day technical training across the globe. However, internally, we were still using legacy remote access VPNs, site-to-site VPN tunnels, and on-prem security controls.
Until now. We began modernizing our private access by implementing a ZTA Proof of Value (PoV). Since our internal apps are mostly web-based, we chose client-based ZTA access using Cisco Secure Client and the Zero Trust Access module. As this is currently the only connectivity method we need to support, we deployed resource connectors inside our VMware environment. Two connectors gave us around 1 Gbps of DTLS capacity—and adding more is as simple as spinning up more resource connectors.
Balancing Zero Trust and VPN: Our Evolving Access Strategy with Cisco Secure Access
Total PoV deployment time was just 2 hours, though we were already familiar with the required configuration and potential “gotchas”. We will continue testing and evaluating the solution, with a focus on user experience, before fully migrating our remote access VPN to ZTA. It’s likely that we won’t completely replace VPN with ZTA. Our current plan is to use ZTA for the most common applications accessed by regular users during day-to-day operations. For power users who require broader access to various applications, we will continue to provide remote access VPN, though not on a daily basis. However, if we choose to adopt a cloud-first approach with Cisco Secure Access, we’ll migrate our on-prem remote access VPN to the Cisco Secure Access VPN-as-a-Service (VPNaaS) functionality.
What’s Next?
We are planning to protect Internet access for our ZTA users. We are considering using the Cisco Umbrella Module for Cisco Secure Client, which intercepts DNS and HTTP/S communication and forwards it to Cisco Secure Access for inspection and policy enforcement. For other users, such as VPNaaS users or branch users connecting to Cisco Secure Access over IPsec tunnels, Internet traffic is controlled by split-tunneling (or full-tunneling) and routing configuration. As long as the Internet-bound traffic is routed to Cisco Secure Access, it is secured.
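The PAC-file option mentioned in the connectivity overview earlier and the split-tunnel point above both reduce to one decision per request: is this destination private (reached via ZTA or VPN, so it goes direct) or Internet-bound (so it must go through the cloud security stack)? The following is an added example, not part of the original post and not Cisco’s own configuration: a minimal PAC file that makes that decision. The proxy address swg.example.invalid, the internal suffix .corp.example, and the Node shims for the PAC helper functions are assumptions for illustration; a real PAC engine supplies isPlainHostName, dnsDomainIs and isInNet itself and skips the shim block.

```javascript
// Added example (not from the original post or from Cisco): a minimal Proxy
// Auto-Configuration (PAC) file for the "secure only Internet traffic" option.
// Private destinations go DIRECT (they are reached via ZTA or VPN); everything
// else is sent to the cloud-delivered secure web gateway for inspection.

// PLACEHOLDER: the proxy address issued for your SSE tenant.
var SWG_PROXY = "PROXY swg.example.invalid:443";

// Constructed internal DNS suffix; the leading dot limits it to subdomains.
var INTERNAL_DOMAIN = ".corp.example";

// RFC 1918 ranges as [network, netmask] pairs for the PAC isInNet() helper.
var PRIVATE_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// Standard PAC entry point: the browser calls this once per request.
function FindProxyForURL(url, host) {
  // Dotless names such as "intranet" are local by convention.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Anything under the internal suffix is a private app: keep it off the proxy.
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Literal private IPv4 addresses also stay off the proxy.
  for (var i = 0; i < PRIVATE_NETS.length; i++) {
    if (isInNet(host, PRIVATE_NETS[i][0], PRIVATE_NETS[i][1])) {
      return "DIRECT";
    }
  }
  // Internet-bound: send to the SWG only. Deliberately no "; DIRECT" fallback,
  // so a proxy outage fails closed instead of silently bypassing inspection.
  return SWG_PROXY;
}

// ---------------------------------------------------------------------------
// Shims so this file also runs under Node for offline testing. A real PAC
// engine provides these helpers natively, so this block is skipped there.
// The shim isInNet() only understands literal IPv4 addresses (no DNS lookup).
// ---------------------------------------------------------------------------
if (typeof isInNet === "undefined") {
  // Dotted-quad IPv4 string -> unsigned 32-bit number, or null if not IPv4.
  var ipv4ToInt = function (ip) {
    var parts = String(ip).split(".");
    if (parts.length !== 4) { return null; }
    var n = 0;
    for (var i = 0; i < 4; i++) {
      if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) { return null; }
      n = n * 256 + Number(parts[i]);
    }
    return n;
  };
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.slice(host.length - domain.length) === domain;
  };
  globalThis.isInNet = function (host, pattern, mask) {
    var h = ipv4ToInt(host), p = ipv4ToInt(pattern), m = ipv4ToInt(mask);
    if (h === null || p === null || m === null) { return false; }
    return ((h & m) >>> 0) === ((p & m) >>> 0);
  };
}
```

Two design choices matter from a security standpoint. The Internet branch returns the proxy directive without a trailing "; DIRECT", so if the gateway is unreachable the browser fails closed rather than quietly sending traffic out uninspected; whether that is acceptable for your users is a policy decision, not a default to inherit. And the private-address checks match only literal IPv4 hosts in this shim, whereas a real PAC engine’s isInNet() will resolve hostnames, which adds a DNS round trip per request and should be kept behind the cheaper suffix checks, as above.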
Final Thoughts
ZTA has drastically improved the user experience for our mobile users. While on the road, you open an application, and it just works, securely and transparently. No VPN, no hassle: ZTA access is always on, providing access to the application and securing it at the same time. The success of the ZTA PoV has shown us what’s possible when a modern solution meets modern work—and we’re excited to help others do the same.
Interested in Cisco Secure Access?
If you’d like to explore Cisco Secure Access for your organisation or team, Flint offers a range of services tailored to your needs—including technical training, expert consulting, PoV design and execution*, or even a full deployment of Cisco Secure Access. Whether you’re just getting started or ready to roll out a production-grade solution, we can help guide you every step of the way.
*Flint does not resell Cisco equipment.