Secure Multicloud Infrastructure with Cisco Multicloud Defense

It’s a multicloud world!

Today applications are not confined to the boundaries of a data center; applications are deployed everywhere. This change brings a need for a solution that can provide end-to-end visibility, control, policy management, and ease of administration.

Market Trend

Organizations are embracing the power of the public cloud because it offers agile, resilient, and scalable infrastructure, enabling them to maximize business velocity. A recent study shows that 82% of IT leaders have adopted hybrid cloud solutions, combining private and public clouds. Additionally, 58% of those organizations are using between two and three public clouds [1], indicating a growing trend toward multicloud environments. As organizations lean further into multicloud deployments, security teams find they are playing catch-up, tirelessly trying to build a security stack that can keep up with the agility and scale of their cloud infrastructure. Teams also face a lack of unified security controls across their environments. By definition, cloud service provider security solutions are not designed to achieve end-to-end visibility and control in the multicloud world; they harden silos and create greater security gaps. Organizations need a cloud-agnostic solution that unifies security controls across all environments while securing workloads at cloud speed and scale.

Cisco Multicloud Defense is a highly scalable, on-demand “as-a-Service” solution that provides agile, scalable, and flexible security for your multicloud infrastructure. It unifies security controls across cloud environments, protects workloads from every direction, and drives operational efficiency by leveraging secure cloud networking.

Secure cloud networking can be broken down into three pillars:

  • Security: Provides a full suite of security capabilities for workload protection
  • Cloud: Integrates with cloud constructs, enabling auto-scale and agility
  • Networking: Seamlessly and accurately inserts scalable security across clouds without manual intervention

One of the key benefits of Cisco Multicloud Defense is not only its ability to unify security controls across environments but also to enforce those policies dynamically. With dynamic multicloud policy management, you can:

  • Keep policies up to date in near-real time as your environment changes.
  • Connect continuous visibility and control to discover new cloud assets and changes, associate tag-based business context, and automatically apply the appropriate policy to ensure security compliance.
  • Power and protect your cloud infrastructure with security that runs in the background via automation, getting out of the way of your cloud teams.
  • Mitigate security gaps and ensure your organization stays secure and resilient.
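The following added example illustrates the tag-based, dynamically re-evaluated policy idea described above. It is not Cisco Multicloud Defense code: the rule and inventory schema, the tag names and the addresses are constructed assumptions. Rules are written only against tags; when the inventory changes (here, an autoscaling event adds a web instance), the concrete rule set is recompiled and the policy text itself never has to be edited.

```python
"""Tag-based policy compiled against a changing cloud inventory.
Added illustration; not Cisco Multicloud Defense code. Schema and values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Asset:
    asset_id: str
    ip: str
    tags: Dict[str, str]


@dataclass(frozen=True)
class TagRule:
    """A rule expressed as business context (tags), never as addresses."""
    name: str
    src_tag: Tuple[str, str]   # e.g. ("tier", "web")
    dst_tag: Tuple[str, str]   # e.g. ("tier", "db")
    port: int                  # 0 means "any port" in this toy model
    action: str                # "allow" or "deny"


def select(inventory: List[Asset], tag: Tuple[str, str]) -> Set[str]:
    """Addresses of every asset currently carrying the given tag key/value."""
    key, value = tag
    return {a.ip for a in inventory if a.tags.get(key) == value}


def compile_rules(rules: List[TagRule], inventory: List[Asset]) -> List[dict]:
    """Expand tag rules into concrete address-based rules for the current inventory.
    A tag that matches no asset yields no concrete rule, so stale rules are inert."""
    concrete = []
    for r in rules:
        srcs, dsts = select(inventory, r.src_tag), select(inventory, r.dst_tag)
        for s in sorted(srcs):
            for d in sorted(dsts):
                if s != d:
                    concrete.append({"rule": r.name, "src": s, "dst": d,
                                     "port": r.port, "action": r.action})
    return concrete


def diff_rules(before: List[dict], after: List[dict]):
    """The (added, removed) concrete rules a controller would push after a change."""
    key = lambda c: (c["rule"], c["src"], c["dst"], c["port"], c["action"])
    b, a = {key(c) for c in before}, {key(c) for c in after}
    return sorted(a - b), sorted(b - a)


# Constructed sample policy and inventory (hypothetical tags and addresses)
POLICY = [
    TagRule("web-to-db", ("tier", "web"), ("tier", "db"), 5432, "allow"),
    TagRule("deny-dev-to-prod", ("env", "dev"), ("env", "prod"), 0, "deny"),
]
INVENTORY = [
    Asset("i-web1", "10.0.1.10", {"tier": "web", "env": "prod"}),
    Asset("i-db1", "10.0.2.20", {"tier": "db", "env": "prod"}),
    Asset("i-dev1", "10.0.9.30", {"tier": "web", "env": "dev"}),
]


def simulate_scale_out():
    """A new prod web instance appears; the policy is untouched, the compiled set grows.
    Returns (rules_before, rules_after, added, removed)."""
    before = compile_rules(POLICY, INVENTORY)
    grown = INVENTORY + [Asset("i-web2", "10.0.1.11", {"tier": "web", "env": "prod"})]
    after = compile_rules(POLICY, grown)
    added, removed = diff_rules(before, after)
    return len(before), len(after), added, removed


if __name__ == "__main__":
    n_before, n_after, added, removed = simulate_scale_out()
    print(f"{n_before} -> {n_after} concrete rules; added {len(added)}, removed {len(removed)}")
    for rule in added:
        print("  +", rule)
```

The new instance is covered by both the allow rule (it is a web tier) and the deny rule (it is a prod destination for dev sources) the moment it is discovered, which is the compliance property the bullet list above describes.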

Another key benefit of Multicloud Defense is how it adds enforcement points (PaaS) in both distributed and centralized architectures.

Cisco Multicloud Defense Overview

Cisco Multicloud Defense uses a common principle of public clouds and software-defined networking (SDN): decoupling the control plane from the data plane. These translate to the Multicloud Defense Controller and the Multicloud Defense Gateways.

The Multicloud Defense Gateway(s) are delivered as Platform-as-a-Service (PaaS) in AWS, Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). These gateways are delivered, managed, and orchestrated by a SaaS-based Multicloud Defense Controller.

Figure 1: Cisco Multicloud Defense Overview
  • Multicloud Defense Controller (Software-as-a-Service): The Multicloud Defense Controller is a highly reliable and scalable centralized controller (control plane) that automates, orchestrates, and secures multicloud infrastructure. It runs as a Software-as-a-Service (SaaS) and is fully managed by Cisco. Customers can access a web portal to use the Multicloud Defense Controller, or they may choose to use Terraform to build security into their DevOps/DevSecOps processes.
  • Multicloud Defense Gateway (Platform-as-a-Service): The Multicloud Defense Gateway is an auto-scaling fleet of security software with a patented flexible, single-pass pipelined architecture. These gateways are deployed as Platform-as-a-Service (PaaS) into the customer’s public cloud account(s) by the Multicloud Defense Controller, providing advanced, inline security protections to defend against external attacks, block egress data exfiltration, and prevent the lateral movement of attacks.

Multicloud Defense Gateways

In the Cisco Multicloud Defense solution, organizations can use the controller to deploy highly scalable and resilient Egress Gateways or Ingress Gateways into their public cloud account(s).

Egress Gateway: Protects outbound and east-west traffic. The egress gateway provides security capabilities like FQDN filtering, URL filtering, data loss prevention (DLP), IPS/IDS, antivirus, forward proxy, and TLS decryption.

Ingress Gateway: Protects inbound traffic and provides security capabilities like web application firewall (WAF), IDS/IPS, Layer-7 protection, DoS protection, antivirus, reverse proxy, and TLS decryption.

Note: Multicloud Defense Gateways are an auto-scaling fleet of instances across two or more availability zones, providing agility, scalability, and resiliency.

Figure 2 shows the security capabilities of the ingress and egress Multicloud Defense Gateway.

Figure 2: Cisco Multicloud Defense Gateway

The gateway uses a single-pass architecture to provide:

  • High throughput and low latency
  • Reverse proxy, forward proxy, and forwarding mode
  • Flexibility in selecting the relevant advanced network security inspection engines, including TLS decryption and re-encryption, WAF (HTTPS and web sockets), IDS/IPS, antivirus/anti-malware, FQDN and URL filtering, and DLP

Security Models

This solution provides a flexible approach to security insertion in the customer’s infrastructure using three highly scalable and automated deployment models (centralized, distributed, and combined).

Centralized security model

In the centralized security model, the Multicloud Defense Controller seamlessly adds gateways in the centralized security VPC/VNet/VCN. In this architecture, ingress and egress traffic is sent to a centralized security VPC/VNet/VCN for inspection before it is forwarded to the destination. This architecture ensures scalability, resiliency, and agility using cloud deployment best practices.

Figure 3 shows egress and ingress gateways in a security VPC/VNet/VCN.

  • For scalability, autoscaling is supported.
  • For resiliency, auto-scaled instances are deployed across multiple availability zones.
Figure 3: Centralized Security Model

In a centralized security model, gateways are deployed in a hub inside the customer’s cloud account. However, customers can choose to have multiple hubs across accounts/subscriptions.

Distributed security model

In the distributed security model, the Multicloud Defense Controller seamlessly adds gateways in each VPC/VNet/VCN. In this architecture, ingress and egress traffic stays local to the VPC/VNet/VCN.

Based on direction, traffic flow is inspected by egress or ingress gateways. This deployment ensures scalability, resiliency, and agility using cloud deployment best practices.

Figure 4 shows egress and ingress gateways in each VPC/VNet/VCN.

  • For scalability, autoscaling is supported.
  • For resiliency, auto-scaled instances are deployed across multiple availability zones.
Figure 4: Distributed Security Model

Combined security model (Centralized + Distributed)

This security model uses both the centralized and distributed models. In this case, some flows are protected by gateways deployed in the security VPC/VNet/VCN, and some flows are protected by gateways in the application VPC/VNet/VCN.

Based on the traffic flow, traffic is inspected by egress or ingress gateways. This deployment ensures scalability, resiliency, and agility using cloud deployment best practices.

Figure 5 shows egress and ingress gateways in a centralized security VPC/VNet/VCN together with gateways deployed in the application VPCs/VNets/VCNs.

  • For scalability, autoscaling is supported.
  • For resiliency, auto-scaled instances are deployed across multiple availability zones.
Figure 5: Centralized + Distributed Security Model

Use-cases

Egress security

Figure 6 shows egress traffic protection in a centralized and a distributed security model.

  • In the centralized security model, traffic is inspected by gateways deployed in the security VPC/VNet/VCN.
  • Gateways are auto-scaling and multi-AZ aware.
  • In the distributed security model, traffic is inspected by gateways deployed in the application VPC/VNet/VCN.
Figure 6: Egress traffic flow

Ingress security

Figure 7 shows ingress traffic protection in a centralized and a distributed security model.

  • In the centralized security model, traffic is inspected by gateways deployed in the security VPC/VNet/VCN.
  • In the distributed security model, traffic is inspected by gateways deployed in the application VPC/VNet/VCN.
  • Gateways are auto-scaling and multi-AZ aware.
Figure 7: Ingress traffic flow

Segmentation (east-west)

Figure 8 shows intra- and inter-VPC/VNet/VCN traffic protection in a centralized and a distributed security model.

  • In the centralized security model, intra- and inter-VPC/VNet/VCN traffic is inspected by gateways deployed in the security VPC/VNet/VCN.
  • In the distributed security model, intra-VPC/VNet/VCN traffic is inspected by gateways deployed in the application VPC/VNet/VCN.
  • Gateways are auto-scaling and multi-AZ aware.
Figure 8: Segmentation (East-West) traffic flow

URL & FQDN filtering for egress traffic

URL & FQDN filtering prevents exfiltration and attacks that use command-and-control. The Multicloud Defense Gateway enforces URL & FQDN-based filtering in a centralized or distributed deployment model.

  • URL filtering requires TLS decryption on the gateway.
  • FQDN-based filtering can be enforced on encrypted traffic flows.
Figure 8: URL & FQDN filtering for cloud egress

Coming soon: Multicloud Networking use cases

In our upcoming release (2HCY23), we are adding a set of Multicloud Networking use cases that enable secure connectivity, bringing all cloud networks together.

Multicloud Networking: Cloud-to-Cloud Networking

An egress gateway with VPN capability provides a secure connection to other cloud infrastructures. The egress gateway is delivered as-a-Service and provides resiliency and autoscaling. This architecture requires deploying the egress gateways with VPN capability “ON.” These gateways use IPsec connectivity for a secure interconnection.

Figure 9: Cloud-to-Cloud Networking (IPsec)

Multicloud Networking: Site-to-Cloud Networking

An egress gateway with VPN capability provides a secure connection to on-premises infrastructure. This architecture requires deploying the egress gateways with VPN capability “ON” in the security VPC/VNet/VCN and a device at the data center edge for IPsec termination.

Figure 10: Site-to-Cloud Networking (IPsec)

Conclusion

It is a multicloud world we live in, and organizations need a cloud-agnostic solution that unifies security controls across all environments while securing workloads at cloud speed and scale. With Cisco Multicloud Defense, organizations can leverage a simplified and unified security experience, helping them navigate their multicloud future with confidence.

For more information on Cisco Multicloud Defense, refer to cisco.com/go/multicloud-defense

Additional Resources

Announcement blog: Cisco Multicloud Defense

At-a-glance: Cisco Multicloud Defense

References

[1] 2022 Global Hybrid Cloud Trends Report. S&P Global Market Intelligence, 2022.
