With employees, equipment, and IT applications spread across many locations, network administrators have a critical need for automation. Without it, enrollment, access control, configuration, and the application of security rules become complicated and expensive. The Cisco Software-Defined Access (SD-Access) solution was designed specifically as an antidote to this complexity, reducing both network management and security costs.
Benefits and challenges of network segmentation
Network segmentation is the clearest illustration of the benefits of SD-Access, because it is a method of improving cybersecurity that:
- reduces the attack surface, which is especially important for companies with several subsidiaries or offices;
- limits the lateral movement of threats that have managed to bypass perimeter security controls;
- improves compliance with existing regulations and simplifies audit processes;
- increases the performance and availability of the network as a whole.
Although the benefits are significant, network segmentation is still not a standard security measure in every organization with multiple sites. The main cause is the complexity of applying it in networks built on traditional technologies, since segmentation requires you to:
- find and identify every active device on the company's network;
- determine which devices communicate with each other, with which applications and data sources, and over which protocols and ports;
- group the devices and define group-level policies, as well as role-based rules for communication between groups.
Traditional methods of creating VLANs and ACLs, configuring firewalls, and enforcing policies in the configuration of each device and application are time-consuming and require specialist effort. According to an ESG study, 80% of companies need hours or days just to change a network security policy. Another study, this time by McKinsey, shows that 75% of network management OpEx is actually consumed by configuration changes and troubleshooting. SD-Access addresses these problems by simplifying network management and segmentation, reducing costs and lowering security risk.
How SD-Access works
To meet these requirements, SD-Access adds a virtual overlay on top of the physical network infrastructure. Wired and wireless users are connected and grouped in this overlay, and it is where services are defined and policies are applied. The Cisco solution operates as a "network fabric" that streamlines the management of wired, wireless, and remote VPN connections. The entire infrastructure is then managed through Cisco DNA Center, which runs a number of key services, such as:
- AI Endpoint Analytics, which identifies and profiles all users and devices connected to the network by collecting and analyzing data from a variety of sources;
- Group-Based Policy Analytics, which analyzes the traffic generated by devices so that flows and communications between devices, groups, and applications can be viewed and discovered;
- Group-Based Access Control, which simplifies the creation and enforcement of policies between device groups.
Through these services, SD-Access provides:
- Improved network visibility: Deep Packet Inspection (DPI) and network telemetry help quickly identify connected devices and the groups they belong to;
- Increased security: end-to-end segmentation uses policies defined on groups of devices and roles, which is more flexible and simpler than control based on IP addresses;
- More efficient network management: DNA Center provides management, orchestration, and automated enforcement of network policies from a single point.
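The discovery-then-policy workflow described above (identify devices, learn which groups talk to which, then enforce group-level rules instead of per-IP rules) can be sketched in a few dozen lines. The following is an added illustration written for this article, not Cisco or DNA Center code, and it does not use any Cisco API. The endpoint inventory, the flow records, the group names, the unknown-endpoint handling, and the ACL line format are all constructed for the example; a real deployment would take the inventory and flows from endpoint profiling and telemetry.

```python
"""Group-based segmentation policy on constructed data (added example, not Cisco code).

1. Map endpoints to groups (what endpoint profiling would produce).
2. Summarise observed per-IP flows as group-to-group communication.
3. Derive a default-deny policy matrix from that summary.
4. Evaluate new flows, including a lateral-movement attempt, against it.
5. Expand the same policy into per-IP ACL lines to show why IP-based
   control grows with endpoint count while group-based control does not.
"""
from collections import defaultdict
from itertools import product

# Constructed endpoint inventory: IP -> group. Assumed values, not real data.
ENDPOINTS = {
    "10.1.1.10": "Employees",
    "10.1.1.11": "Employees",
    "10.1.1.12": "Employees",
    "10.2.0.5": "HR-App",
    "10.2.0.6": "HR-App",
    "10.3.0.20": "Camera",
    "10.3.0.21": "Camera",
    "10.3.0.100": "NVR",
}

# Constructed baseline flow records (src_ip, dst_ip, dst_port), as traffic
# analytics might see them during a discovery period.
OBSERVED_FLOWS = [
    ("10.1.1.10", "10.2.0.5", 443),
    ("10.1.1.11", "10.2.0.6", 443),
    ("10.1.1.12", "10.2.0.5", 443),
    ("10.3.0.20", "10.3.0.100", 554),
    ("10.3.0.21", "10.3.0.100", 554),
]


def group_of(ip):
    """Resolve an endpoint to its group; unprofiled endpoints fall into 'Unknown',
    which no policy entry references, so they are denied everything."""
    return ENDPOINTS.get(ip, "Unknown")


def summarise_flows(flows):
    """Collapse per-IP flows into (src_group, dst_group) -> {ports}."""
    matrix = defaultdict(set)
    for src, dst, port in flows:
        matrix[(group_of(src), group_of(dst))].add(port)
    return dict(matrix)


def build_policy(observed):
    """Allow-list exactly the group pairs and ports seen in the baseline.
    Anything else, including peer-to-peer traffic inside a group, is denied."""
    return {pair: frozenset(ports) for pair, ports in observed.items()}


def is_allowed(policy, src, dst, port):
    """Evaluate one flow against the group policy (default deny)."""
    return port in policy.get((group_of(src), group_of(dst)), frozenset())


def expand_to_ip_acl(policy, endpoints):
    """Expand the group policy into per-host permit lines, the form a traditional
    IP-based ACL would need. Line syntax is illustrative only."""
    by_group = defaultdict(list)
    for ip, grp in endpoints.items():
        by_group[grp].append(ip)
    lines = []
    for (sg, dg), ports in policy.items():
        for s, d, p in product(by_group[sg], by_group[dg], sorted(ports)):
            lines.append("permit tcp host {} host {} eq {}".format(s, d, p))
    return lines


if __name__ == "__main__":
    policy = build_policy(summarise_flows(OBSERVED_FLOWS))
    new_flows = [
        ("10.1.1.10", "10.2.0.5", 443),    # employee -> HR app: permitted
        ("10.1.1.10", "10.1.1.11", 3389),  # employee -> employee RDP (lateral move): denied
        ("10.3.0.20", "10.2.0.5", 443),    # camera -> HR app: denied
        ("10.9.9.9", "10.2.0.5", 443),     # unprofiled endpoint: denied
    ]
    for src, dst, port in new_flows:
        verdict = "PERMIT" if is_allowed(policy, src, dst, port) else "DENY"
        print("{} -> {}:{}  {}->{}  {}".format(src, dst, port, group_of(src), group_of(dst), verdict))
    print("group policy entries: {}, per-IP ACL lines: {}".format(
        len(policy), len(expand_to_ip_acl(policy, ENDPOINTS))))
    # Onboarding one more employee: the group policy is unchanged, the IP ACL grows.
    ENDPOINTS["10.1.1.13"] = "Employees"
    print("after onboarding: group policy entries: {}, per-IP ACL lines: {}".format(
        len(policy), len(expand_to_ip_acl(policy, ENDPOINTS))))
```

Two points worth noting. First, the policy stays at two entries however many employees or cameras are added, while the per-IP ACL grows with every endpoint (from 8 lines to 10 after a single onboarding here); that is the operational argument for group-based control. Second, deriving an allow-list purely from observed traffic inherits whatever was on the network during the baseline, so the discovered matrix should be reviewed before it is enforced rather than applied blindly.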
Where do the savings come from?
Centralized management of LANs, WLANs and WANs, increased visibility and the uniform and automatic application of security policies ensure solid operational gains.
For example, the growing number of remote employees and mobile devices, together with the evolution of IT threats, forces administrators to update network policies constantly. The larger the network, the more complex and time-consuming this process becomes, and the higher the risk of configuration errors. According to the McKinsey study, 70% of network policy violations are due to human error. Such errors can lead to network malfunctions, problems delivering services and applications, and even unplanned downtime, and remedying them means troubleshooting, which drives up operational spending.
With SD-Access these challenges are addressed quickly: according to Cisco data, the time needed to update device configuration in the network decreases by up to 94%, and troubleshooting costs by 80%. The gains from SD-Access can be increased further by using it together with other solutions in the Cisco portfolio. According to IDC, the combination of Cisco DNA Assurance and SD-Access provides:
- a return on investment (ROI) of 462%;
- an 86% reduction in the risk of unplanned downtime;
- 67% faster deployment of new network equipment;
- a 49% improvement in the efficiency of the network management team;
- a 41% reduction in the risk of degraded application quality.
SD-Access can also be integrated with other Cisco products, such as ISE, ACI, Stealthwatch, and ASA with Firepower, as well as with cloud services delivered from the Amazon Web Services and Microsoft Azure platforms.
Possibilities for reuse and staged migration
Datanet specialists can provide technical support for the gradual adoption of SD-Access in a company's infrastructure. The solution allows existing network equipment to be kept in service, and because access-layer LAN switches can be reused, the conversion can be carried out in stages.
For more information about Cisco DNA and SD-Access, read the article Gain control of the network with Cisco SD Access, and for Datanet’s commercial offer, please contact us at sales@datanets.ro.