Cisco Secure Access product overview
Cisco Secure Access is a cloud-delivered SSE solution, grounded in zero trust, that provides seamless, transparent, and secure access from anything to anywhere. It provides core SSE components (Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a Service (FWaaS) plus extended capabilities such as visibility, control, and guardrails for AI apps and AI agents; VPN-as-a-Service (VPNaaS); Data Loss Prevention (DLP); AI Assistant; Digital Experience Monitoring (DEM); reserved IP; Remote Browser Isolation (RBI); and more.
Within Cisco Cloud Control, Secure Access is part of a unified Cisco operating experience that brings security, networking, observability, and infrastructure management into one environment.
|
|
Umbrella |
Secure Access |
|||||||||
|
|
DNS |
SIG |
DNS Defense EDU packages |
Secure Internet Access (SIA) |
Secure Private Access (SPA) |
SIA site-based (onsite users only) |
|||||
|
|
Essentials |
Advantage |
Essentials |
Advantage |
Essentials |
Advantage |
Essentials |
Advantage |
Essentials |
Advantage |
Essentials |
| Security, Access, and Control |
|||||||||||
| Recursive DNS-Layer Security |
|||||||||||
| Block access to domains with malware, phishing, and more | App discovery, monitoring, blocking, risk scoring | Filter by domain or category. DNS tunneling threat protection. |
● |
● |
● |
● |
● |
● |
● |
● |
|
|
● |
| Application and Network Access |
|||||||||||
| Secure traffic, all ports/ protocols. When roaming, w/ VPN module or ZTNA module. |
|
|
|
|
|
|
● |
● |
● |
● |
|
| Client-less ZTNA (HTTP/HTTPS) |
|
|
|
|
|
|
|
|
● |
● |
|
| Clientless ZTNA (SSH, RDP) |
|
|
|
|
|
|
|
|
|
● |
|
| SD-WAN tunnel automation; support of 3rd party SD-WAN |
|
|
● |
● |
|
|
● |
● |
● |
● |
● |
| Use VPN-ID or ISE SGT for granular security policy (well suited for IOT) |
|
|
|
|
|
|
● |
● |
● |
● |
● |
| Hybrid Private Access - policy enforcement in cloud and/or on-premise |
|
|
|
|
|
|
|
|
● |
● |
|
| Monitoring |
|||||||||||
| Experience Insights (DEM) of endpoint and SaaS performance (ThousandEyes based) |
|
|
|
|
|
|
● |
● |
● |
● |
|
| Policy verification, reactive and proactive |
|
|
|
|
|
|
|
|
● |
● |
|
| Posture capabilities |
|||||||||||
| Posture checks |
|
|
|
|
|
|
● |
● |
● |
● |
|
| Secure Web Gateway (SWG) |
|||||||||||
| Custom block/allow lists of domains |
● |
● |
● |
● |
● |
● |
● |
● |
|
|
● |
| Custom block/allow lists of URLs |
|
Partial |
● |
● |
|
Partial |
● |
● |
|
|
● |
| Proxy and inspect web traffic |
|
Partial |
● |
● |
|
Partial |
● |
● |
|
|
● |
| Secure Malware Analytics (sandbox/block suspious files, <500 samples/day) |
|
|
● |
● |
|
|
● |
● |
● |
● |
● |
| Secure Malware Analytics (manual file submits, glove box, SMA console/3 seats, unlimited samples/day) |
|
|
Add-on |
● |
|
|
Add-on |
● |
Add-on |
● |
|
| Reserved IP (static external IP address) |
|
|
● |
● |
|
|
● |
● |
|
|
|
| Zero trust for agentic AI |
|||||||||||
| AI intent-based (semantic) inspection; defense for the Model Context Protocol (MCP) |
|
|
|
|
|
|
● |
● |
|
|
● |
| Roaming Security and Client Support |
|||||||||||
| Roaming protection, with SecureClient (roaming module), for DNS & web traffic. |
●* |
●* |
● |
● |
●* |
●* |
● |
● |
|
|
|
| Roaming protection, via Secure Client (VPNaaS and ZTNA modules), for all ports and protocols. Broad device support. |
|
|
|
|
|
|
● |
● |
|
|
|
| Roaming access to private apps via mobile device support for Apple and Android |
|
|
|
|
|
|
|
|
● |
● |
|
| Cloud Access Security Broker (CASB) |
|||||||||||
| User and Entity Behavior Analytics (UEBA) |
|
|
|
|
|
|
● |
● |
|
|
● |
| Advanced visibility and control of cloud app usage (including gen AI, OAuth-approved apps, tenant controls). |
Limited |
Limited |
● |
● |
Limited |
Limited |
● |
● |
|
|
● |
| Scan and remove malware from cloud-based file storage apps |
|
|
● up to 2 |
● |
|
● |
● up to 2 |
● |
|
|
● up to 2 |
| SaaS Security Posture Management (SSPM) + advanced capability via AppOmni purchase |
● |
● |
● |
● |
● |
● |
● |
● |
|
|
● |
| Data Loss Prevention (DLP) including protection of AI usage |
|||||||||||
| DLP - Data inspect/block to avoid sensitive data loss. Real time, SaaS API, endpoint, email (requires Email Threat Defense) |
|
|
Add-on (Real time/ SaaS API only) |
● (Real time/ SaaS API only) |
|
● SaaS API |
Add-on |
● |
Add-on |
● |
|
| AI Access guardrails control use of supported third-party gen AI app |
|
|
|
|
|
|
Add-on |
● |
|
|
|
| Supply Chain Risk Management - Identify/ block malicious code from AI repositories i.e. Hugging Face |
|
|
|
|
|
|
● |
● |
|
|
● |
| Firewall as a Service (FWaaS) |
|||||||||||
| Layer 3 and 4 control of IPs, ports, and protocols |
|
|
● |
● |
|
|
● |
● |
|
|
● |
| Firewall layer 7/IPS |
|
|
Add-on |
● (no IPS decryp) |
|
|
Add-on |
● |
Add-on |
● |
|
| Remote Browser Isolation (RBI) |
|||||||||||
| Isolated browsing (Risky) |
|
|
Add-on |
Add-on |
|
|
Add-on |
|
|
|
|
| Isolated browsing (Advanced for Secure Access; All for Umbrella) |
|
|
Add-on |
Add-on |
|
|
Add-on |
● |
|
|
|
| Enterprise Browser |
|||||||||||
| Integration with Chrome, Edge, Island enterprise browsers for more secure clientless access to private apps |
|
|
|
|
|
|
|
|
● |
● |
|
| Identity (CII) and threat intelligence integrations |
|||||||||||
| Identity behavioral risk levels visible in Secure Access |
|
|
|
|
|
|
● |
● |
● |
● |
● |
| Use trust level in policy for ZTA private traffic |
|
|
|
|
|
|
|
|
● |
● |
|
| Duo Identity for Cisco Apps (limited use Duo licenses entitlement) |
|
|
|
|
● |
● |
● |
● |
● |
● |
● |
| Deep domain, IP, and Autonomous System Number (ASN) data for rapid investigations |
|
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
| SIEM and XDR Interoperability |
|||||||||||
| Investigate console for additional users (1 user is entitled, except Umbrella DNS Essentials) |
Add-on |
Add-on |
Add-on |
Add-on |
Add-on |
Add-on |
Add-on |
Add-on |
Add-on |
Add-on |
|
| Integrations with multiple tools, includ. Cisco Splunk and XDR |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
| Management, Reporting, and Support |
|||||||||||
| Cisco Cloud Control (SCC) unified management interface |
|||||||||||
| One unified operating experience for security, networking, observability, infrastructure |
|
|
|
|
● |
● |
● |
● |
● |
● |
● |
| AI Canvas - Private App Troubleshooting. More skills coming. |
|
|
|
|
|
|
|
|
● |
● |
|
| AI Assistant (Secure Access, Cisco Cloud Control) |
|
|
|
|
● |
● |
● |
● |
● |
● |
● |
| Management |
|||||||||||
| MultiOrg support (for enterprises) |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
|
| Single management interface |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
| Customize block page and warn pages (# = customized block pages only) |
●# |
●# |
● |
● |
●# |
●# |
● |
● |
● |
● |
● |
| Reporting and Logging |
|||||||||||
| Real-time activity search, plus API to extract key events |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
| Choose North America or Europe log storage |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
| Cisco-managed S3 buckets or customer AWS S3 buckets |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
● |
| Support |
|||||||||||
| 24x7 Enhanced Software Support Service via email and phone (Premium upgrade available) |
Add-on |
Add-on |
Add-on |
Add-on |
Required |
Required |
Required |
Required |
Required |
Required |
Required |
SPA Ess trial
SPA Adv trial
Notes:
● Features marked as trial are not part of the licensed subscription package. You may use such unlicensed trial features until Cisco either requires you to upgrade to the appropriate subscription package or, at its sole discretion, terminates your access or usage, with or without notice. For more information regarding the limitations of your trial use, please refer to the Secure Access Offer Description.
● Certain Secure Access packages may not include Data Loss Prevention (DLP), layer 7 firewall, Remote Browser Isolation (RBI), Experience Insights (DEM based on Thousand Eyes), and other features. Check with your Cisco representative.