There has never been a better time to make the workplace smarter.
Work is changing at Cisco. Today, our 72,000 employees can work from any location—a Cisco office, their home, a customer location, a public place—and while they are on the move. More than 50 percent of our employees report to managers in different cities. And while our workforce has increased by 20 percent over the past five years, we also have improved utilization of our more than 23 million square feet of office space across 94 countries. Our use of connected workspace solutions and Cisco collaboration architecture helped us to reduce our total office space by 30 percent.
Meanwhile, the applications we use to collaborate and communicate are also changing, providing better user experiences, automating most manual work, and proactively suggesting actions to users. Cisco employees access these applications from public, private, and hybrid clouds. Our customers, partners, and suppliers consume these applications, too, and use them to collaborate with Cisco.
These and other changes are creating positive impacts for our bottom line. As an example, Cisco has seen more than US$1.7 billion in productivity savings to date through our use of various collaboration solutions. And the addition of video endpoints to every sales person’s desk has helped to accelerate deals worth US$682 million.
The need for agile, secure IT infrastructure
More than three-quarters (78 percent) of businesses said achieving digital transformation will become critical to them in the next two years, according to a recent survey from Capgemini Consulting and MIT Sloan Management Review. To succeed, these businesses will need to have an agile and secure foundational IT infrastructure in place.
As Cisco continues to transform our workplace and how we do business, Cisco IT must be able to respond quickly to requests for development and support of our applications and infrastructure. Cisco IT’s agile infrastructure is already creating new workforce and customer experiences, while helping the enterprise to innovate, keep up with customer demands, and maintain our focus on security risks.
In the following sections, we explore four different areas of agile infrastructure that Cisco IT implemented at the Cisco campus. We also discuss some of the challenges we faced and how we solved them, and explain how Cisco will continue to invest in digital transformation—and disruption.
Our approach, outlined in Figure 1, can be summarized in four parts:
Part 1: Collaboration and agile workspace
Part 2: Data center and cloud
Part 3: Flexible, automated network
Part 4: Holistic approach to security
Figure 1. Foundational capabilities for the digital enterprise
Part 1. Collaboration and agile workspace
Collaboration is central to our work today. Increased competitive pressures, opportunities due to technological shifts (such as cloud computing), and the adoption of agile processes that enable continuous delivery all have contributed to significant changes in work styles. Closed offices with minimal interaction and information sharing have given way to approaches that support a better exchange of information and ideas, and work that is dynamic and interdependent. We also see more project-based teams that are self-forming, short-lived, and focused on delivering quick, innovative solutions to very specific initiatives.
In short, successful organizations are more agile and matrixed. They learn and respond rapidly through an open flow of information. They encourage experimentation, learn on an iterative basis, and organize as a network of employees, customers, and partners motivated by a shared purpose.
As organizations adapt to become agile, collaboration needs become more varied. Employees across organizations are performing different roles and using multiple devices throughout the day while in different locations and time zones. Some organizations still have a “one size fits all” approach to collaboration tools; that approach doesn’t always align with evolving work environments or worker expectations, however.
When corporate tools don’t work, employees use their own technology. That includes devices and apps—Android, Apple, Windows, Box, Dropbox, Skype, Facebook, SlideShare, and YouTube, just to name a few. And when using those devices and apps at work, employees expect the same fast, seamless experience they have as consumers.
To help meet these expectations, Cisco IT implemented a unified, productive collaboration experience. The guiding tenets are security, simplicity, and ease of management. Cisco IT, along with Cisco Workplace Resources, focused on the following three areas to enhance end user experience and productivity:
● Area 1: Connected workplace
● Area 2: Collaborative architecture
● Area 3: Integration of collaboration tools into business processes
Area 1: Connected workplace
To help our people make the most of their innovative talents, Cisco has implemented activity-based environments. Each “neighborhood” offers a choice of different spaces with different collaborative solutions to support variation in worker needs, socialization, and downtime. It’s an ideal approach for our workforce, and helps Cisco to reduce costs through more efficient use of office space.
Figure 2. Elements of activity-based environments at Cisco
Area 2: Collaboration architecture
Bring Your Own Device (BYOD), pervasive wireless, a choice in video endpoints, and extension mobility offer our workforce the freedom to move anywhere at any time with any device.
As Figure 2 shows, we use software options like Cisco Spark™, Cisco WebEx®, and Cisco Jabber®, and physical devices such as traditional IP phones, personal video devices (like our DX series), collaborative room devices (MX and IX devices), and Spark Board to make this happen.
Figure 3. Cisco collaboration solutions used by Cisco IT to meet the end-to-end requirement
Cisco IT matches these solutions to the work style of the individual and tightly integrates them with business processes and applications. This integrated approach lets our employees focus on their work rather than dealing with technological complexity.
Cisco has employed a BYOD policy for nearly a decade, and we were one of the companies that led the way in making BYOD a realistic option for the modern workforce.
The initial focus of our BYOD policy was to provide email and calendar services on any platform. Today, our policy enables workforce mobility and helps business get done faster at Cisco.
As an example, before BYOD, an account manager at Cisco would have to be in the office and log in to a tool to approve a deal. Today, that same account manager can approve a deal from anywhere on any device at any time.
The pervasiveness of BYOD meant that we needed a comprehensive plan to secure Cisco confidential data on trusted mobile devices. (See Figure 3.)
Figure 4. Overview of layered approach to BYOD security at Cisco
Cisco IT uses a set of Cisco technologies for this purpose: MDM, Cisco AnyConnect® for Mobile, FireAMP for Mobile, OpenDNS®, Cisco Umbrella™, and Cisco Identity Services Engine (ISE). We follow an architecture-led approach and make sure that all Cisco and non-Cisco components are interoperable and easier for IT to support.
IT uses Cisco ISE to authenticate users and devices in the network, and to allow the right amount of access based on which device they are using and where they might be accessing the network from. (Note: We cover more details about ISE in the security section of this case study.)
iCAM and eStore
Cisco IT identified Box.com as an effective way to share documents between devices, internal users, and customers. We have developed a customized analytics tool, called iCAM, to look at the profiles of individuals and their network behavior, receiving feeds from external sources like Box.com and analyzing them together. We’re in the process of adopting a more comprehensive approach with cloud access security broker Cisco Cloudlock® to secure Cisco data residing in various public clouds.
Cisco IT also built eStore, an internal IT application shop. eStore is a single self-service portal for delivering IT services to our internal users using Cisco Prime® Service Catalog. Users can search and access any IT service with a few clicks. Most services on this platform are fully automated and can be set up in minutes. Users choose from a list of services with associated costs and can pick any combination of services to match their requirements.
Area 3: Integration of collaboration tools into business processes
We embed collaboration tools inside the applications that Cisco employees use. By using Cisco Spark, for example, we virtualized our Quarter-End Physical War Room. That led to a 70 percent reduction in time spent by engineers and a significant reduction in travel costs.
Faster and easier collaboration from anywhere, anytime brought the global team together, improved transparency, and dramatically reduced the amount of time needed for in-person meetings.
Figure 5. Transforming physical war rooms to virtual team rooms with Cisco Spark
The IT Operations Command Center is another example of how we are integrating Cisco Spark in the business. When an IT incident occurs, a Cisco Spark virtual meeting room is created. That gives visibility to the required IT teams, and reduces duplicate efforts by other teams.
In the event an incident is handed over to another time zone for continued work, the incident history is easily available. This capability has improved incident resolution time as well as post-incident review time.
Part 2. Data center and cloud
The second part of our approach to creating an agile IT infrastructure involves the data center and the cloud, as well as applications. Digitization accelerates the speed of innovation and disrupts prevalent business models. That, in turn, increases the rate at which applications can be transformed.
Not only are changes happening in traditional applications hosted within data centers, but also many new applications are accessed from the public cloud as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS). But business demands more flexible, simpler, cost-efficient consumption models.
Until 2016, Cisco IT’s vision was to:
● Build additional data centers and infrastructure capacity to address growing demand from the business. We took the application migration to new data centers as an opportunity to transform applications.
● Provide application resiliency based on highly available infrastructure.
● Shift to an IT as a service (ITaaS) model. As part of this program, we built clear visibility into cost and quality of service that we delivered to our internal customers. We were also able to build new private cloud capabilities. At the end of the initial shift, we were offering near-zero downtime for the critical applications from infrastructure side. We also reduced infrastructure provisioning time to about 15 minutes.
Figure 5, on the next page, shows the continuous improvement in provisioning service-level agreements (SLAs) and the reduction in cost to application teams.
Cisco IT’s new focus is adapting the infrastructure for application demands and making applications more intelligent, rather than relying solely on infrastructure to provide resilience and security. We are achieving this by:
● Transforming applications to cloud native mode, so they can be adapted quickly to meet new business challenges.
● Making everything in the data center software-defined.
● Automating capacity management and transparent consumption of public and private cloud resources.
● Embedding resiliency and security in every component and process.
● Improving the quality and availability of applications and infrastructure with big data and analytics.
Continuous delivery model
More than 70 percent of IT application teams in Cisco IT have adopted a continuous delivery model, which has led to a considerable improvement in time-to-deliver of new business capabilities, and the quality and security of IT applications. Some of the key benefits for Cisco include:
● 2X increase in delivered capabilities
● 60 percent reduction in vulnerabilities
● 92 percent increase in quality
Application transformation, cloud native, and open source
Traditionally, most enterprise applications were used for commercial purposes and change was infrequent. As business demands new capabilities on the application side, IT teams must transform their applications to be cloud native. (See Figure 6 on next page.)
Figure 6. Different states of application running in cloud
In cloud-tolerant mode, applications are tightly integrated during the design time and don’t have the ability to change on their own, even if the underlying infrastructure supports dynamic changes. For example, when the number of users accessing an application increases, application performance will be degraded. The IT administrator must monitor the usage, increase the resources allocated, and reconfigure the application to use the newly added resources effectively.
In cloud-native mode, applications are designed to fully utilize the scalability of the underlying infrastructure. For instance, when the load on the application increases, it can sense the increased load compared to provisioned capacity, and increase the amount of resources allocated without manual intervention from the IT administrator.
Today, at Cisco, we are:
● Taking full advantage of the cloud using APIs to consume infrastructure
● Handling user demands dynamically, without the need for resources to monitor use or manually make changes
● Self-healing from infrastructure and software component failures
● Lowering costs by using open-source components
Data center infrastructure
Cisco IT has already built an excellent private cloud for our internal users. We support more than 55,000 virtual hosts in our private cloud built on Cisco ACI™, Cisco Unified Computing System™ Servers, and orchestration tools like Cisco Prime Service Catalog and UCS Director. In addition to Cisco components, we leverage third-party hardware and software in areas like SAN, NAS, virtualization, PaaS, and ITIL tools. Cisco IT is also in the process of adding the Cloud OS layer to provide complete API-based programmability of infrastructure to applications.
Figure 7. Overview of Cisco data center infrastructure
Data Center Analytics
In the highly virtualized and containerized environment of the Cisco data center, where change happens frequently, traditional ways to find dependencies and troubleshoot application problems are impractical and time-consuming.
Cisco IT deployed Cisco Tetration Analytics™ to inspect every packet flowing into the data center network. (See Figure 8.) We collect a huge volume of data and provide a near-real-time dependency view of applications. Cisco IT can then speed up application migration from a legacy network to the cloud. Application teams gain visibility to transform applications to cloud native mode quickly. In turn, auditors can see the policy enforcement easily.
Figure 8. Cisco Tetration Analytics use cases in Cisco IT
The application domain has undergone a radical transformation over the past few years. On the surface, an app may look very simple; however, under the hood, the entire application ecosystem is tremendously complex. There are many components, and they all need to cooperate.
Think about the different types of delivery models—the traditional on-premise, SaaS/cloud-based delivery, different platforms such as mobile or web—deployed in all types of environments, and the explosion of unstructured data types. From an application performance monitoring perspective, Cisco has the ability to stitch all these different types and sources of data together, and dissect and manage it all at a per-component level while maintaining visibility and optimizing it end-to-end.
Three groups benefit from Cisco AppDynamics-powered “monitoring as a service”:
● Development community: In the development phase, Cisco IT subjects code to performance testing to detect and remedy issues early in the lifecycle, helping to produce quality code.
● Operations team: This group monitors production and takes proactive steps to correct issues before they impact the business. The team can rapidly identify the root cause of an issue and restore services faster. The history of transaction details and analytics data are used for incident and problem management.
● Business and service owners: Our service owners get real-time visibility into the health and performance of their business and can leverage the data to make faster and better decisions, as well as increase the speed and stability of the service and business.
With the implementation of cloud and data center analytics solutions, application developers can self-provision their infrastructure in just 15 minutes. Also, the data center footprint has decreased by 35 percent because of improved utilization of existing infrastructure.
Our use of data center analytics has helped to improve our ability to detect problems quickly, and reduce the cost of application troubleshooting.
Part 3. Flexible, automated network
Exponential growth in connected devices, cloud-delivered applications, and services, and the increasing frequency and severity of cyber attacks, are some of the key technological implications of digitization. And the way that users access the network has changed dramatically in the last few years. For example:
● Wi-Fi is the primary way users connect to the IT network.
● Users access information from multiple devices and need to share between them.
● Users connect to the network from any location, not just offices.
● The traffic mix on the network has shifted from data to mostly voice and video. Video is not limited to dedicated collaboration devices; all the devices in use generate video and voice traffic.
● Most traffic is encrypted by the end device.
● Users are now accessing complex applications that are made up of components from private and public clouds, as opposed to the traditional way of using applications only from IT managed data centers.
● New types of devices, like surveillance cameras, building management systems, lights, and Internet of Things (IoT) gateways, have started appearing in the network.
The network is the core of the digital enterprise and needs to be flexible. And organizations that implement more digital-ready networks can increase revenue, customer retention, and profitability.
Simple deployment, automation, and scalability
Cisco IT considers the following four criteria when designing a digital-ready network:
● Simple deployment, automation and scalability
● Unified network for both traditional and new workloads like video, smart buildings, and IoT devices
● Pervasive wireless
● Context-aware policy enforcement
Cisco Digital Network Architecture (DNA), explained in more detail later in this document, allows us to virtualize network services and provides the flexibility to add new services without the need to provision new hardware for each service. Cisco DNA is an open, programmable architecture that allows for automation and management. Resources do not need to scale linearly with the growing number of network components across the enterprise, which considerably reduces the cost and time it takes to implement new services.
More and more IT and facilities devices are connecting to the network, including IP cameras, building management systems, power over ethernet (PoE) lights, IoT gateways, and kiosks. Cisco IT works closely with our facilities and physical security teams to deploy a unified IP network instead of creating individual network islands. It’s also critical to consider the security implications of the expanding IoT and have proper tools and processes in place to detect security-related incidents and mitigate them.
The end-user demand to work from anywhere with any device requires a pervasive wireless deployment at the workplace. As users start using wireless as a primary method of connectivity, the network should provide stability. Cisco IT has adopted the latest generation of Cisco 802.11ac Wave2-based solution to meet these requirements.
Users expect the same level of availability as a wired network. Cisco IT leverages some of the unique features in the Cisco Wireless solution to provide functionalities including CleanAir®, Client Link, Client Stateful Switch Over, Improved Radio Resource Management, Flexible Radio, and Assisted Roaming. These features enable Cisco IT to provide a wireless network to our users with the same reliability and performance as a wired network.
Benefits of digital-ready networks: examples
Cisco customers are seeing significant benefits from building digital-ready networks with Cisco DNA solutions, according to recent research by IDC.
Part 4. Security
New distributed networks mean new security challenges. Today’s business landscape has completely changed and so has the threat landscape. Complex and fragmented networks make it very difficult to protect against advanced persistent threats.
Meanwhile, Cisco continues to acquire innovative companies, which means trying to merge IT systems, departments, networks and access, and security policies and tools. Add this to the increased use of cloud services and cloud applications, which are being spun up faster than IT can manage them.
As a result, the enterprise attack surface has expanded to the point where it is now a matter of time before a network is breached. Not if, but when.
Cisco IT can’t defend against what we can’t see. That is why visibility into the network is a critical component of our security. We capture what is happening across the network at a granular level. We understand a baseline of what the traffic flows look like. It’s important to see known and unknown applications, users, and devices across the network to determine whether there may be anomalous behavior that requires action.
Figure 10. The high-level architecture of network access control in Cisco IT
Cisco IT uses Network as a Sensor and Enforcer to leverage our existing Cisco network to perform network analysis and visibility and enforce the policy that is the key element of network security. (See Figure 10.) These solutions help us detect anomalous traffic flows and malware. They also alert us when malware tries to propagate. We have granular visibility into applications and roles by user. That allows us to determine if users are violating access policy, and detect rogue devices rapidly and quarantine them on the network.
A holistic approach to security
There used to be a strong perimeter defined by the network endpoints, which were inside secured corporate buildings or highly secured corporate data centers. But over the past decade a lot has changed. Adding Internet gateways required firewalls, IDS/IPS, and more. Teleworking required better VPN encryption and security. Mobility, in the form of wireless access for mobile workers’ laptops and smartphones and pads, dissolved the concept of a network perimeter and required significantly greater device and data protection.
Cloud services have expanded the highly secure corporate data center into vendor data centers that provide varying, and often unknown, levels of security and regulatory compliance. Meanwhile, infrastructure cybersecurity is now so advanced that, as long as the infrastructure is well-patched and up to date, almost all standard attacks can be stopped.
Today, most successful attacks go around the standard perimeter defenses by finding trusted people to let them (and their malware) into the network via email and cloud. As an example, Cisco employees visit 350 million websites per day—and about 2 percent of those sites are blocked. We avoid more than 500,000 malware downloads per day. We also receive about 4.5 million emails per day from outside the company. Some point to infected websites and about 200 emails per day carry virus payload attachments.
In light of these dynamics, Cisco IT is taking a more holistic approach to security by focusing on shaping policies and practices that help to protect Cisco assets, data, and intellectual property both proactively and reactively. While technology is a large part of Cisco’s security architecture, a watchful eye on trends within the business environment and the impact on users are also important to our comprehensive plan.
Cisco IT’s approach to security is to use a combination of technologies, processes, and awareness and training to educate everyone in Cisco. All these areas span the attack continuum of before, during, and after.
Cisco Talos™ has successfully neutralized malicious infrastructure in the wild, counteracting attackers on their own ground. Talos is the industry-leading threat intelligence organization with more than 250 researchers.
Let’s look at how Cisco security solutions help us in different phases of an attack. (See Figure 12.) When attackers perform reconnaissance, they research employees online (maybe through social media) and attempt to map the network. Attackers need to prepare their own infrastructure—for example, botnet servers.
Figure 11. Attack lifecycle and Cisco solutions to protect at each stage
Attackers may use a phishing email, malvertising (malicious advertising), or other technique to launch their attack. Regardless of how legitimate a phishing email looks, Cisco Email Security will block the malicious message. By blocking at the DNS layer from the cloud, Cisco Umbrella™ protects users from accessing malicious domains, IPs, and URLs. Users may also use Cisco Web Security to block malicious HTTP and HTTPS websites.
After an initial launch, attackers exploit vulnerabilities in the network to gain a foothold. Cisco’s Next-Generation Firewall (or NGFW) and Cisco Meraki™ MX protect critical assets from being accessed through compromised applications at the edge, the branch, and in the data center. Cisco’s Next-Generation Intrusion Prevention System (or NGIPS) identifies and blocks exploits with industry-leading efficacy.
Attackers want to install malware to accomplish complex tasks—for example, keystroke logging. Advanced Malware Protection (or AMP) blocks malicious files before they can enter your network and continuously monitors file and process activity. Unknown files are analyzed in ThreatGRID®, and when deemed malicious, AMP will issue a retrospective alert.
Attackers use command-and-control traffic to communicate with malicious infrastructure. Cisco Umbrella™ blocks this traffic over any port or protocol when users are on or off the corporate network. This is true even when the VPN is disconnected.
If an attacker has successfully penetrated a network, they will persist until they accomplish their goals. The Cisco Identity Services Engine (or ISE) mitigates present threats by limiting network access based on the who, what, when, and where of people and devices connected to the corporate network. Cisco TrustSec® technology is embedded in Cisco devices, working with ISE to enforce policy through software-defined segmentation.
To catch intrusions in a network, StealthWatch® establishes a baseline of activity and detects anomalies, analyzing historical and real-time NetFlow data. And Cisco Cloudlock® blocks the misuse of credentials and the movement of sensitive data within cloud applications when this is what attackers are after.
Simple, open, and automated
Cisco’s products communicate with each other because they are open. By automating and simplifying processes, security is more effective. For example, events from AMP for Endpoints are integrated with Cisco’s Web, Email, Cisco Umbrella™, NGFW, and Cisco Meraki™ security solutions to detect threats quickly.
Policy information is also shared between products. If StealthWatch identifies a compromised user, ISE and TrustSec will change the Security Group Tag (SGT) for that user, and the Web Security policy for that user changes automatically.
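As an added illustration of the baseline-and-anomaly step described here and in the "can’t defend against what we can’t see" passage above, the Python below profiles constructed NetFlow-style records per host, flags a live window that deviates from the host’s historical baseline, and reassigns a TrustSec-style tag for the flagged host. This is not Cisco’s code or StealthWatch’s algorithm; the record layout, z-score thresholds, host addresses, and the "Employees"/"Quarantine" tag names are assumptions.

```python
"""Per-host NetFlow baselining with a quarantine hand-off (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int         # observation window: historical days 0..N-1, live window N
    src: str         # inside host that initiated the flow
    dst: str         # destination host
    dst_port: int
    bytes_out: int   # bytes sent from src to dst


def window_metrics(flows):
    """Per (day, src): total bytes out and number of distinct destinations."""
    total = defaultdict(int)
    dests = defaultdict(set)
    for f in flows:
        key = (f.day, f.src)
        total[key] += f.bytes_out
        dests[key].add(f.dst)
    return {k: {"bytes_out": total[k], "n_dest": len(dests[k])} for k in total}


def build_baseline(history):
    """Mean and population std-dev of each metric per host across historical days."""
    per_host = defaultdict(lambda: defaultdict(list))
    for (_, src), metrics in window_metrics(history).items():
        for name, value in metrics.items():
            per_host[src][name].append(value)
    return {src: {name: (mean(vals), pstdev(vals)) for name, vals in series.items()}
            for src, series in per_host.items()}


def detect_anomalies(baseline, live, z_threshold=3.0):
    """Return {host: [reasons]} for hosts whose live metrics exceed the baseline.

    A perfectly regular host has sigma 0, which would make any change an infinite
    z-score, so sigma is floored at 10% of the mean (and at least 1.0)."""
    findings = defaultdict(list)
    for (_, src), metrics in window_metrics(live).items():
        if src not in baseline:
            continue  # unseen host: nothing to compare against yet
        for name, value in metrics.items():
            mu, sigma = baseline[src][name]
            z = (value - mu) / max(sigma, 0.1 * abs(mu), 1.0)
            if z > z_threshold:
                findings[src].append(f"{name}={value} is {z:.1f} sigma above mean {mu:.0f}")
    return dict(findings)


def apply_policy(findings, sgt_assignments, quarantine_tag="Quarantine"):
    """Model the ISE/TrustSec step: flagged hosts get the quarantine tag."""
    updated = dict(sgt_assignments)
    for host in findings:
        updated[host] = quarantine_tag
    return updated


def _flows(day, src, dst_bytes, port=443):
    return [Flow(day, src, dst, port, b) for dst, b in dst_bytes]


# Constructed sample data: five historical days for two inside hosts.
HISTORY = []
for _day, (_a, _b) in enumerate([(50_000, 40_000), (51_000, 41_000), (49_000, 39_000),
                                 (50_500, 40_500), (49_500, 39_500)]):
    HISTORY += _flows(_day, "10.0.1.10", [("mail.corp.example", _a), ("files.corp.example", _b)])
    HISTORY += _flows(_day, "10.0.1.20", [("mail.corp.example", 30_000)])  # flat baseline

# Constructed live window: 10.0.1.10 behaves normally; 10.0.1.20 suddenly pushes
# 2 MB to five new external hosts on an unusual port.
LIVE = _flows(5, "10.0.1.10", [("mail.corp.example", 52_000), ("files.corp.example", 41_000)])
LIVE += _flows(5, "10.0.1.20", [("mail.corp.example", 30_000)])
LIVE += _flows(5, "10.0.1.20", [(f"203.0.113.{i}", 400_000) for i in range(1, 6)], port=4444)

SGT_BEFORE = {"10.0.1.10": "Employees", "10.0.1.20": "Employees"}


def run_demo():
    findings = detect_anomalies(build_baseline(HISTORY), LIVE)
    return findings, apply_policy(findings, SGT_BEFORE)


if __name__ == "__main__":
    found, after = run_demo()
    for host, reasons in found.items():
        print(host, "->", after[host])
        for r in reasons:
            print("   ", r)
```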
Cisco security products share threat intelligence broadly, especially through Cisco Talos. If an AMP deployment in one location detects a new zero-day ransomware variant, other AMP deployments around the world are updated through Talos. With the threat intelligence from Talos, a customer could block a zero-day variant even if they’ve never been exposed to it before.
Lastly, the sharing of contextual information simplifies workflows. The context in ISE can be applied when setting policy within the NGFW and it is just as easy as creating any other NGFW policy. APIs across the Cisco security portfolio allow integration with third-party solutions in your network.
Cisco is the worldwide leader in networking that transforms how people connect, communicate, and collaborate securely. We are also, as a result, a top target for cyber attacks.
By using a combination of security solutions from our company, as well as from trusted third-parties, Cisco IT has been able to reduce the host infection rate by 48 percent, and prevent major incidents like the ransomware attack WannaCry from affecting our systems.
Cisco IT continues to drive innovations in the workplace to attract new talent, improve productivity, and reduce costs. We are working closely with security and facilities teams to create a unified architecture for the digitized workspace. Through our collaboration, and by helping to support our customers through their digital transformation journeys, we have learned that:
● The design for the modern workplace must consider changing user preferences and new and emerging collaboration and communication tools.
● Those tools should be interoperable, and integrated into business processes and applications.
● Enterprises also must focus on creating the right policies and building user awareness about security risks. Also, policies should be based on context, and not tied to a specific location or device.
We also understand that the network must be highly virtualized and automated to respond quickly to changing business needs. It also must be flexible enough to accommodate new devices and to grow. And lastly, enterprises must design their network to serve as a sensor and policy enforcer so they can meet the challenges of today’s increasingly complex cyber threat environment.
For More Information
To read additional Cisco IT case studies on a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.
Security Fueling the Digital Journey - (Spanish)
How Cisco designs the collaborative workspace
How Cisco IT implemented BYOD
How Cisco IT implemented eStore
How Cisco IT Manages Security
How Cisco IT built the private cloud and large-scale enterprise data centers
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described; Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties, therefore this disclaimer may not apply to you.