Constructing a Resilient Community and Workload Safety Structure from the Floor Up

Constructing community and workload safety architectures is usually a daunting job. It entails not solely selecting the best resolution with the suitable set of capabilities, but in addition guaranteeing that the options provide the proper degree of resilience.

Resilience is commonly thought of a community operate, the place the community have to be sturdy sufficient to deal with failures and provide alternate paths for transmitting and receiving knowledge. Nonetheless, resilience on the endpoint or workload degree is steadily ignored. As a part of constructing a resilient structure, it’s important to incorporate and plan for situations wherein the endpoint or workload resolution would possibly fail.

Once we study the present panorama of options, it often boils down to 2 completely different approaches:

Agent-Primarily based Approaches

When selecting a safety resolution to guard software workloads, the dialogue usually revolves round mapping enterprise necessities to technical capabilities. These capabilities usually embrace safety features similar to microsegmentation and runtime visibility. Nonetheless, one facet that’s usually ignored is the agent structure.

Usually, there are two important approaches to agent-based architectures:

  • Userspace putting in Kernel-Primarily based Modules/Drivers (in-datapath)
  • Userspace clear to the Kernel (off-datapath)

Safe Workload’s agent structure was designed from the bottom as much as shield software workloads, even within the occasion of an agent malfunction, thus stopping crashes within the software workloads.

This robustness is because of our agent structure, which operates utterly in userspace with out affecting the community datapath or the appliance libraries. Subsequently, if the agent had been to fail, the appliance would proceed to operate as regular, avoiding disruption to the enterprise.

Transparent Agent to Applications
Determine 1: Safe Workload’s Agent Structure

One other facet of the agent structure is that it was designed to present directors management over how, when, and which brokers they need to improve by leveraging configuration profiles. This method gives the pliability to roll out upgrades in a staged vogue, permitting for crucial testing earlier than going into manufacturing.

Determine 2: Agent Config Profile and On-Demand Agent Upgrades

Agentless-Primarily based Approaches

One of the best ways to guard your software workloads is undoubtedlythrough an agent-based method, because it yields one of the best outcomes. Nonetheless, there are cases the place putting in an agent will not be attainable.

The principle drivers for selecting agentless options usually relate to organizational dependencies (e.g., cross-departmental collaboration), or in sure instances, the appliance workload’s working system is unsupported (e.g., legacy OS, customized OS).

When choosing agentless options, it’s essential to grasp the restrictions of those approaches. For example, with out an agent, it’s not attainable to realize runtime visibility of software workloads.

Nonetheless, the chosen resolution should nonetheless present the required safety features, similar to complete community visibility of visitors flows and community segmentation to safeguard the appliance workloads.

Safe Workload provides a holistic method to getting visibility from a number of sources similar to:

  • IPFIX
  • NetFlow
  • Safe Firewall NSEL
  • Safe Consumer Telemetry
  • Cloud Circulate Logs
  • Cisco ISE
  • F5 and Citrix
  • ERSPAN
  • DPUs (Information Processing Items)

… and it provides a number of methods to implement this coverage:

  • Safe Firewall
  • Cloud Safety Teams
  • DPUs (Information Processing Items)
Cisco Secure Workload - Microsegmentation from on-premise to cloud
Determine 3: Agentless Enforcement Factors with Safe Workload

Key Takeaways

When selecting the best community and workload microsegmentation resolution, at all times have in mind the dangers, together with the risk panorama and the resilience of the answer itself. With Safe Workload, you get:

  • Resilient Agent Structure
  • Software runtime visibility and enforcement with microsegmentation
  • Various function set of agentless enforcement

Be taught extra about Cisco Safe Workload

 


We’d love to listen to what you assume. Ask a Query, Remark Under, and Keep Linked with Cisco Safety on social!

Cisco Safety Social Channels

Instagram
Fb
Twitter
LinkedIn

Share: