Cisco Systems, San Jose, California: In Case of Emergency, Break Glass VPN

Company: Cisco Systems, San Jose, CA
Company Description: Cisco is the worldwide leader in IT, helping companies seize the opportunities of tomorrow by proving that amazing things can happen when you connect the previously unconnected. At Cisco, an integral part of our DNA is creating long-lasting partnerships with customers, employees, investors and ecosystem partners, helping them succeed in transforming how people connect, communicate and collaborate.
Nomination Category: New Product & Service Categories - Business Technology
Nomination Sub Category: Identity & Access Security Solution
2023 Stevie Winner Nomination Title: Cisco Systems In Case of Emergency, Break Glass VPN
  1. Which will you submit for your nomination in this category, a video of up to five (5) minutes in length about the nominated new or new-version product or service, OR written answers to the questions for this category? (Choose one):
    Written answers to the questions
  2. If you are submitting a video of up to five (5) minutes in length, provide the URL of the nominated video here, OR attach it to your entry via the "Add Attachments, Videos, or Links to This Entry" link above, through which you may also upload a copy of your video.

  3. If you are providing written answers for your submission, you must provide an answer to this first question: If this is a brand-new product, state the date on which it was released. If this is a new version of an existing product, state the date on which the update was released:

    This is a new solution architecture, built and launched live in August 2022.

  4. If you are providing written answers for your submission, you must provide an answer to this second question: Describe the features, functions, and benefits of the nominated product or service (up to 350 words):

    Total 344 words used.

    Fact: Networks and IT systems break. Always have, always will. However, the new complexities introduced by hybrid work mean networks now break in exciting new ways. With the rise of hybrid work, Cisco IT has run into a unique circular dependency issue, which happens when a network outage prevents network operators from accessing the network they need to repair and troubleshoot. Specifically, if our VPN goes down, how do we access the network to troubleshoot and triage the VPN issue? How do we get into our out-of-band network in this situation?
    While rare, these kinds of outages have a big impact on the business. The time to repair increases significantly when our network operators cannot remotely access an out-of-band network and must physically travel to the site.
    To solve the problem, this team brought together an innovative combination of cloud-based technology and talent. The engineers named the solution ‘Break Glass,’ as in: In Case of Emergency, Break Glass. The solution leverages the Cisco+ Secure Connect offering, alongside Azure Active Directory. Cisco+ Secure Connect is Cisco’s simple and easy SASE offering, which provides VPN-as-a-Service – ultimately allowing for secure connectivity and private access to our out-of-band network. Azure Active Directory allowed us to decouple out-of-band access from the on-prem network and its dependencies. With a cloud-based VPN, it is now completely decoupled from our network and its dependencies, and our network operators can get into the out-of-band network when the in-band network is down. The solution was set up using accounts that are only allowed to connect to the Cisco+ Secure Connect service and the out-of-band network. It leverages a site-to-site VPN tunnel from the Cisco+ Secure Connect service to our network team’s out-of-band infrastructure and provides access to our jump host infrastructure that allows our network engineers to access out-of-band ports on our network devices.
    The Break Glass solution has been validated with unannounced business continuity drills. These tests prove the solution successful and maintainable. With the Break Glass solution, this team made Cisco's business a little more resilient than it was before.

  5. If you are providing written answers for your submission, you must provide an answer to this third question: Outline the market performance, critical reception, and customer satisfaction with the product or service to date. State monetary or unit sales figures to date, if possible, and how they compare to expectations or past performance. Provide links to laudatory product or service reviews. Include some customer testimonials, if applicable (up to 350 words):

    Total 304 words used.

    Cisco IT participates in many customer briefings, offering an IT operator's view on how to solve real-world problems (and often, of course, where Cisco products fit). This capability is a frequent request for briefings, and as such we've upleveled our communications on this by releasing blogs and content at Cisco Live.

    https://blogs.cisco.com/ciscoit/break-glass-in-case-of-emergency-how-a-sase-approach-can-solve-remote-network-outages

    https://www.ciscolive.com/on-demand/on-demand-library.html?search=Woolwine#/session/1670019666942001n078

    A key question is "how do you measure the value of insurance or safety if you never have an accident?" In IT terms this is often framed around risk, etc. For us, we have a real-world example (which was an inspirational point that led to the creation of this capability). In that incident, a DNS misconfiguration was populated across the network by a remote administrator. This impaired the ability of Cisco workers to perform their job, as DNS is key to aspects of authentication, and while key data center assets and production systems remained operating, jobs did back up and there were delays in processing. While there was no revenue, shipping or direct financial loss, there was nearly an entire business day of lost productivity and work for the bulk of the company while we endeavored to get the right administrators into a facility to connect directly to the network and correct the issue. We were fortunate that there were no external factors (political instability, pandemic restrictions, etc.) preventing the administrators from reaching their systems physically, but we knew that was chance. We built this capability to control our own fate.

    One additional key requirement we had was that this must NOT BE an unsecured back door. This solution has multiple layers of security, multifactor authentication on the individual users, and can be enabled or disabled remotely. Our aim was to reduce risk, not trade operational risk for security risk.

  6. You have the option to answer this final question: Reference any attachments of supporting materials throughout this nomination and how they provide evidence of the claims you have made in this nomination (up to 250 words):

    Total 188 words used.

    The attachment includes some summary information in PPT form. It covers the high-level information in these questions and has some additional information.

    One thing these questions do not address, and which we feel is a very key component here, is the operational reality of this solution paired with the novel deployment design.

    • It is not a backdoor, and the links from the Cisco VPN-as-a-Service cloud offering can be enabled or disabled as needed.
    • Authentication to the system by end users is also controlled by multi-factor authentication.
    • This MFA and identity is sync'd with our standard corporate tooling so that it can be administered as other systems, but has no run-time dependency on our network or systems. Secure, but separate and sync'd.
    • Through our live tests we've demonstrated this is workable, repeatable and can be operated through normal IT lifecycles.

    In previous years this may have been very difficult. We feel like this approach makes this as easy as possible and remains secure. And we believe more and more organizations will seek this capability not as a nice-to-have, but as a reality of doing business in the ever-changing world.

Attachments/Videos/Links:
Cisco Systems In Case of Emergency, Break Glass VPN
PPTX Break_Glass_VPN___Stevie.pptx
MP4 Disruptor_In_case_of_emergency_break_glass.mp4