Cisco Secure Access - Umbrella's replacement

Back in 2015 when Cisco acquired OpenDNS, even the most optimistic Cisco employee probably wouldn't believe how powerful a product Umbrella would become. Not only that, it is one of the easiest deployments I've ever had and can literally be setup in minutes to provide DNS security.

Umbrella SIG was not far behind in 2017, and offered the enhancements that the market was calling out for; Secure Web Gateway (SWG), Cloud Malware Detection, Malware Sandboxing, Data Loss Prevention (DLP), Cloud delivered Firewall (cdFW), Intrusion Prevention System (IPS), Cloud Access Security Broker (CASB).

Here we are, 10 year on from that initial acquisition, and it looks like the writing is on the wall for Umbrella. There is a new kid in town and their name is Secure Access.

But is it really new? Is this just a "Jif to Cif" rebranding? Secure Access certainly boasts new features and a new portal, but it's so much more than that. It feels like the logical evolution of umbrella, a true 'next step' where the features we love remain intact with a range of modern solutions for the challenges of 2025 and beyond.

Cisco haven't fallen into the trap of creating something new from the ground up, and why would they? Umbrella and Umbrella SIG are strong cloud-native security offerings in their own right. Cisco Secure Access adds VPNaaS, Zero Trust Network Access (ZTNA) and your traffic insights (separate ThousandEyes subscription) into a fully fledged SSE offering, to better connect and protect your business.

Secure Access uses a single endpoint agent (Secure Client), that is managed through a single portal, and licensed by single subscription. It has been built how all good security products should be - easy to operate and deploy. Even from a end user's perspective, this product has a strong focus on Simplicity for users and efficiency for IT admins.

An advantage of using the same endpoint agent (Secure Client) as your current Umbrella deployment is that you get to set the pace of the migration to Secure access. The portals are similar, easy to follow, and Cisco will (hopefully) soon release a migration tool.

Another major difference between Umbrella and Secure Access is that although Umbrella SIG does provide a cdFW this is for outbound traffic only. The cdFW provided by Secure Access provides inbound and outbound firewalling

The figure above details the architecture of Secure Access. The first thing that comes to mind for me (a person actively studying for their CCIE Security Lab) is the definition of a attack surface; "Any User, using any device, on any network, accessing any application can be attacked". This is exactly where Secure Access solution comes in. It facilitates secure connectivity for any user, on any device, on any network connecting to any application in your business.

Another big thing in Secure Access is the AI security tooling and AI assistant. Now AI assistant is going to be massive across the Cisco tooling for the next couple of months/years and is well worth it's own blog post (I wonder when I'll write it?) the easy way to describe it is this; imagine ChatGPT/Alexa/Siri, but secure and for Network Tools.

I'll provide you with a single use case of AI Assistant: you type "write me a firewall rule to restrict access to X.com" in a chat box, the Assistant creates the rule in a disabled state ready for you to enable/review/test

The AI security tooling is also very impressive! Want to restrict your employees from carelessly copying company or customer sensitive information into ChatGPT? You can make a rule for that! Suspect a document has been created by AI? Upload it into Secure Access and see a probability % report! Want to see what AI apps are being used in your environment? The portal will tell you

This whistle stop tour of Secure Access hopefully gives you an insight into the product and I'm hoping to do some more hands on with this product soon. The key takeaway for anyone currently on Umbrella SIG is this - Your replacement product is waiting and the price difference may not be as massive as you think.