If you’re running Cisco Umbrella today, it’s probably performing as expected. DNS security is strong, users are protected on and off the network, and nothing appears to be broken. That level of stability can create a sense of comfort, yet comfort can be risky in security.
The challenge is not that Umbrella has stopped delivering value, rather it’s the way users access applications, data and the internet has changed faster than the platform was originally designed to handle. When you combine this with more sophisticated threat actors, new attack vectors and the rise of AI‑driven techniques, it’s clear that controls built for yesterday’s environment are no longer enough.
This is why Cisco Secure Access is positioned as the natural evolution. Despite that, most customers we speak with are asking the same questions. Do we really need to move? Are we still protected? What would actually change if we did?
This blog doesn’t cover features, but you can read a follow-on blog that explores this upgrade from that perspective. Instead, this is about how to upgrade without turning a stable network into a science experiment.
Umbrella was ahead of its time. Long before Secure Service Edge (SSE) was recognised as an architecture, Umbrella delivered cloud-based DNS security while most organisations were still backhauling traffic through firewalls. Over time, Cisco added secure web gateway features, Cloud Access Security Broker (CASB) capabilities and more advanced controls. What changed was not Umbrella’s effectiveness, but the market around it.
Today, user security is no longer anchored to the perimeter, and the network edge has shifted to the user, the application and the cloud. Secure Access is Cisco’s response to that reality, consolidating DNS, web security, application access and inspection into an all-encompassing, cloud-delivered security solution that’s easy to manage, consume and scale.
This response aligns with customers’ own initiatives to consolidate the number of security vendors and improve their operations, insights, integration/interoperability and security posture, all while reducing complexity and risk exposure.
Doing nothing does not mean an immediate issue or outage, but it does introduce risks. These include falling out of step with current security trends and creating potential gaps in security posture due to new threats. It can also mean leaving the transition to the very last moment, which does not allow time to plan the transition based on your company’s readiness.
One of the biggest sources of confusion is that Secure Access looks like Umbrella under a new name, but this is only partially true. Secure Access consolidates capabilities that were previously separate products or bolt-ons. Secure web gateway, CASB, DLP, private access and advanced DNS controls are all part of the same platform.
From a network perspective, this matters because policy enforcement moves closer to the user, regardless of the user’s location. From a security operations perspective, it matters because controls are managed centrally rather than across multiple tools, ensuring consistent security policies.
However, you are not required to turn everything on at once, as the solution can grow as your needs evolve and you seek to consolidate or add new security controls. Secure Access supports both DNS-centric deployments and full secure service edge, and that flexibility is the key to a sensible migration.
For most Umbrella customers, particularly the majority who are DNS-only, the DNS Defense upgrade is the logical starting point. The technical migration is straightforward, typically taking around an hour of platform work, with additional professional services time for policy migration, enablement and familiarisation.
This move delivers three important outcomes. First, it places you on the Secure Access platform, where Cisco’s future development is focused. Second, it gives you access to additional DNS-level protections without changing your network architecture. Third, it creates a clean pathway to enable other Secure Access services later without re-platforming.
Importantly, this upgrade does not require a full SASE deployment. You remain DNS-centric until you are ready to transform.
If you are running Umbrella SIG, the conversation is a bit different. Migrating secure web gateway and private access functions into Secure Access is not a one-click upgrade. Cisco recognises this complexity and has provided an extra year’s subscription to allow customers to thoroughly plan and execute the migration to Cisco Secure Access.
This is where network and security teams need to work together. Policy models and traffic flows change, and user experience needs to be carefully validated. The good news is that Cisco supports a dual-run model, allowing Umbrella and Secure Access to operate in parallel while services are migrated and tuned.
Rushing this step is where most migration pain comes from. Taking a staged approach is what keeps the network stable.
A simple way to think about the migration is in three steps:
This approach turns migration from a forced upgrade into an architectural decision.
A common objection is that Secure Access does not unlock radically new capabilities on day one, and that is mainly true. The immediate value is platform alignment and operational consolidation, not shiny features.
The problem with waiting, though, isn’t functionality, but control. While there are no official statements on the future of Umbrella DNS and SIG, actions such as the end-of-support for the Umbrella Roaming Client in 2025 and the development focus on Cisco Secure Access are clear signals that migrating sooner rather than later is a smart choice. Migration programs exist to ease the transition, but they will not last forever, so taking advantage of some great offers now makes sense to avoid a reactive upgrade later.
If you are running Cisco Umbrella today, the question is not whether Secure Access is the next logical step, but when and how it makes sense for your security ecosystem and team. For some organisations, that starts with a straightforward DNS Defense upgrade. For others, it means planning a staged transition to Secure Internet Access and/or Secure Private Access.
Data#3 can help you map your current Umbrella deployment to a realistic Secure Access pathway aligned with how your network operates. The first step is a simple migration discussion to assess where you are today and what the right next move looks like before timelines are driven by product change rather than business need. Contact your account manager or complete the form below for more information.
Information provided within this form will be handled in accordance with our privacy statement.