Solution Overview
Modern organizations like PseudoCo face increasing challenges in deploying consistent security policies across their hybrid environments, encompassing headquarters, data centers, branches, and remote users. The evolving threat landscape, distributed workforce, and the complexity of rapidly onboarding new locations, users, and devices often lead to inconsistent policy enforcement and dangerous visibility gaps.
PseudoCo recognized that when their users and IoT devices moved between locations—from office to home or branch to cloud—inconsistent policy enforcement created dangerous visibility gaps, leaving their security teams blind to threats as policies failed to follow users in real time.
To address these critical security and access challenges, PseudoCo has decided to deploy Cisco SASE with Cisco Secure Access and Duo, aiming to achieve the best in Zero Trust Access. This lab provides a hands-on experience in configuring and validating such a solution.
What is Cisco Secure Access
Cisco Secure Access is a comprehensive Zero Trust Access solution designed to provide secure, identity-based access to private applications and resources, regardless of user location or device. It ensures that security policies are consistently applied and follow users in real time, eliminating visibility gaps and enhancing overall security posture. For PseudoCo, Cisco Secure Access is the cornerstone of their strategy to overcome the complexities of securing a distributed workforce and hybrid IT infrastructure.
What it delivers
Cisco Secure Access delivers a unified approach to security and access, enabling organizations like PseudoCo to implement:
- Consistent Security Policy Enforcement: Deploy and enforce uniform security policies across diverse environments, including headquarters, data centers, branches, and remote users, ensuring that security travels with the user and device.
- Enhanced Visibility and Control: Eliminate dangerous visibility gaps by ensuring policies follow users in real time, providing security teams with continuous insight into access patterns and potential threats.
- Simplified Onboarding: Streamline the process of onboarding new locations, users, and devices rapidly and securely, reducing operational overhead.
- Zero Trust Access: Implement a robust Zero Trust framework where every access request is verified, minimizing the attack surface and protecting critical private applications.
- Secure Connectivity: Provide secure and optimized connectivity for remote users to private applications hosted in data centers, improving user experience while maintaining stringent security.
What You Will Learn
In this guided, hands-on course, you will explore how to design, deploy, and validate a modern Zero Trust Access solution using Cisco Secure Access, specifically tailored to PseudoCo's needs. You will learn:
- How to onboard private data center routers and create Network Tunnel Groups (NTGs).
- How to deploy and configure Resource Connectors to enable secure access to private applications.
- How to integrate Active Directory and Duo Security with Secure Access for identity-based access control.
- How to implement SAML-based authentication for Zero Trust proxy workflows.
- How to configure device posture profiles, private resources, and access policies that follow users and devices based on identity.
- How to validate route propagation, tunnel health, and user access through CLI and dashboard tools.
- How to integrate ThousandEyes for performance visibility.
Explore Key Features
During this lab, you will actively configure and explore key features of Cisco Secure Access that PseudoCo is leveraging to secure their environment:
- Network Tunnel Groups (NTGs): You will learn to establish secure tunnels from PseudoCo's private data center to Cisco Secure Access, enabling secure access to internal applications.
- Resource Connector: Learn to deploy and configure Resource Connectors to provide secure, policy-driven access to private applications in PseudoCo's environment.
- Identity-Based Access Control: Experience integrating PseudoCo's existing Active Directory with Duo Security and Cisco Secure Access to enforce granular access policies based on user identity and multi-factor authentication.
- SAML-based Authentication: Implement SAML for seamless and secure authentication workflows, critical for PseudoCo's Zero Trust proxy model.
- Device Posture Profiles: Configure policies that assess the security posture of PseudoCo's user devices, ensuring only compliant devices can access sensitive resources.
- Dynamic Access Policies: Create and test access policies that dynamically adjust based on user identity, device posture, and application, ensuring consistent security as PseudoCo's users move between locations.
- ThousandEyes Integration: Understand how to integrate ThousandEyes to gain end-to-end visibility into the performance and availability of PseudoCo's applications and network paths through Secure Access.
Customer Business Outcomes
Upon completing this lab, you will understand how PseudoCo achieves significant business outcomes through their Cisco Secure Access deployment, including:
- Enhanced Security Posture: A robust Zero Trust architecture that consistently protects PseudoCo's private resources from evolving threats.
- Operational Efficiency: Streamlined security management and reduced complexity in securing a hybrid and distributed environment.
- Improved User Experience: Seamless and secure access for PseudoCo's remote and branch users to critical applications, fostering productivity.
- Regulatory Compliance: The ability to enforce consistent policies helps PseudoCo meet compliance requirements across their global operations.
- Reduced Risk: Minimized visibility gaps and proactive threat detection through real-time policy enforcement and integrated monitoring.
Lab Requirements
To complete this lab, you will need a laptop or desktop, a mobile phone, and the Duo Mobile app.
Attendees will be provided with all necessary access and environments for this hands-on lab:
- Full admin access to a virtual data center environment deployed in one of Cisco's dCloud Data Center locations. This environment will simulate PseudoCo's own infrastructure.
- Full access to a unique Cisco Secure Access organization, representing PseudoCo's Secure Access implementation. These Secure Access Orgs are fully provisioned to be configured for infrastructure in any Secure Access region.
- Basic understanding of networking concepts and security principles is recommended.
- You will act as both a Security Administrator and an End-User for PseudoCo during this lab.
- You will be given step-by-step guided tasks using virtual lab infrastructure, performing CLI verification, dashboard workflows, and real-world attack simulation scenarios.
If you are unsure which dCloud Data Center your lab infrastructure is located in, please check with your proctor.
Components
This lab focuses on the integration and configuration of the following key Cisco and related technologies for PseudoCo's Zero Trust Access solution:
- Cisco Secure Access: The core Zero Trust Access platform.
- Cisco Duo Security: For multi-factor authentication and identity-based access policies.
- Cisco SASE: The broader Secure Access Service Edge framework that Cisco Secure Access is part of.
- Active Directory: PseudoCo's existing identity provider for user authentication.
- ThousandEyes: For network and application performance monitoring and visibility.
- Private Data Center Routers: Representing PseudoCo's on-premises network infrastructure.
Recommendation
Attendees will connect to a unique Cisco Secure Access organization, which acts as the policy enforcement point. It is recommended that Tunnels, IP Pools, and VPN configurations are set up in the Secure Access region closest to the dCloud Data Center that hosts your virtual data center environment, which optimizes connectivity between PseudoCo's simulated private resources and the Secure Access cloud. This setup allows for hands-on configuration of secure connectivity between remote users and private applications within PseudoCo's secure data center.