When it Comes to Compliance Requirements, Topology Matters!



When I look at the evolution of network security and the way IT and security practitioners have protected the network for the last 30 years, I can't help but notice how traditional network security enforcement points (insert your favorite firewall here) are still used to secure networks and workloads. They have evolved to offer a diverse set of features (i.e., IPS, decryption, application detection) to deeply analyze traffic coming in and out of the network to protect workloads. However, while firewalls are very capable appliances, it has been proven that they are not enough to keep malicious actors at bay, especially if those actors manage to breach the firewall defenses and move laterally within the network. But why is this?

We are in the digital era, where the concept of the perimeter is no longer confined to a location or a network segment. To offset this new reality and provide more tailored policy control for protecting workloads, vendors have moved security closer to the workload.

There are two approaches to doing this: using agent or agentless methods to build a micro-perimeter around the workloads.

Which approach is the right one to take? Well, this depends on several factors, including the organization, the type of application, or the team structure. So, let's start untangling this.

The challenge(s)

The most direct way to protect applications is to install software agents on every workload and call it a day. Why? Because then every workload has its own micro-perimeter, allowing access to only what is necessary.

However, it isn't always possible to install a software agent. Perhaps it's a mainframe application or a legacy operating system that requires fine-grained policies due to a compliance mandate. Or application workloads that are in the cloud, where agent installation is not possible due to organizational constraints.

And this isn't the only challenge or consideration when choosing your approach. The teams or groups that make up any company often have different security requirements from one another, leading to the triad challenge: people, processes, and technology.

Let's start with people (policy owner) and process (policy execution). Usually, each team has its own set of unique requirements to protect its application workloads, and a defined process to implement those requirements in the policy. To support this, a tool (technology) is required, which must adapt to each team's needs and be capable of defining a common policy across agent and agentless workloads.

To start unwrapping this, you should ask yourself:

  • What are we protecting?
  • Who is the owner of the policies?
  • How is policy execution done?

As an example:

Say you want to protect a finance application (what) using an agent-based approach (how), and the owner of the policies is the App Team/Workload Team (who). In this scenario, as long as the application doesn't break and the team can continue to focus on coding, this is usually an acceptable approach. However, when implementing the common policy, the translation from human language to machine language tends to generate additional rules that aren't necessarily required. This is a common byproduct of the translation process.

Now, let's assume that in your organization the protection of a legacy application (what) is tasked to the Network/NetSec team (who) using an agentless enforcement approach with network firewalls (how) because, in this case, it isn't possible to install software agents due to the unsupported legacy operating system. As in the first example, additional rules are generated. However, in this case, those unnecessary additional rules create negative consequences because of the firewall rule auditing requirements of compliance mandates, even though they are part of the common policy.

Topology as the source of truth – pushing only what's required

Cisco Secure Workload has been addressing the people, process, and technology challenges since its inception. The solution embraces both approaches – installing software agents on workloads regardless of form factor (bare-metal, VM, or container) or using agentless enforcement points such as firewalls. Secure Workload adapts to each team's needs by defining the policy, such as a zero trust microsegmentation policy, to effectively apply micro-perimeters to application workloads in support of the zero trust approach. All within a single pane of glass.

However, as explained in the example above, we still needed to align our policy with the compliance needs of the Network/NetSec team, using only the policy rules that are required.

To address the extra rules challenge, we asked ourselves, "What is the most efficient way to push policies into a network firewall using Secure Workload?"

The answer boiled down to a concept every Network/NetSec team already works with – the network topology.

So how does it work?

With Secure Workload, the term topology is intrinsic to the solution. It leverages the topology concept using a construct named "Scopes", which are completely infrastructure agnostic, as shown in Figure 1.

It allows you to create a topology tree in Secure Workload based on context, where you can group your applications and define your policy using human intent. For example, "Production cannot talk to Non-Production", and apply the policy following the topology hierarchy.

The Scope Tree is the topology of your application workloads within the organization, but the key is that it can be shaped for different departments or organizational needs and tailored to each team's security requirements.

The concept of mapping a workload Scope to a network firewall is called "Topology Awareness."

Topology Awareness enables the Network/NetSec teams to map a particular Scope to a specific firewall in the network topology, so only the relevant set of policies for a given application is pushed to that firewall.

So, what does this execution look like? With the Scope mapping done, Secure Workload pushes the relevant policy to the Cisco Secure Firewall through its management platform, Secure Firewall Management Center (FMC). To maintain compliance, only the required policy rules are sent to FMC, avoiding the extra unnecessary rules thanks to Topology Awareness. An example of this is shown in Figure 2:
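To make the Scope-to-firewall mapping concrete, here is an added illustration (not Secure Workload's own code or data model) of how a common policy defined over a scope tree can be filtered down to only the rules that matter for one firewall. The scope names, the rule set and the relevance test (a rule is pushed when its consumer or provider scope overlaps the subtree mapped to the firewall) are all assumptions constructed for this example:

```python
from dataclasses import dataclass

# Constructed scope tree (child -> parent). "Root" is the top of the hierarchy.
# These scope names are assumptions for the example, not a real deployment.
SCOPE_PARENT = {
    "Root": None,
    "Root:Corporate": "Root",
    "Root:Corporate:Users": "Root:Corporate",
    "Root:Production": "Root",
    "Root:Production:Finance": "Root:Production",
    "Root:Production:Finance:Web": "Root:Production:Finance",
    "Root:Production:Finance:DB": "Root:Production:Finance",
    "Root:Production:HR": "Root:Production",
    "Root:NonProduction": "Root",
    "Root:NonProduction:Dev": "Root:NonProduction",
}


def ancestors(scope: str) -> list:
    """Return the scope itself followed by each ancestor up to Root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPE_PARENT[scope]
    return chain


def within(scope: str, subtree_root: str) -> bool:
    """True if `scope` is `subtree_root` or lies beneath it in the tree."""
    return subtree_root in ancestors(scope)


def overlaps(rule_scope: str, mapped_scope: str) -> bool:
    """A rule scope overlaps the mapped subtree when one contains the other:
    either the rule targets workloads inside the subtree, or the rule is
    written at an ancestor level and is inherited by the subtree."""
    return within(rule_scope, mapped_scope) or within(mapped_scope, rule_scope)


@dataclass(frozen=True)
class Rule:
    name: str
    consumer: str   # scope that initiates the connection
    provider: str   # scope that receives the connection
    proto: str
    port: int       # 0 stands for "any port" in this example
    action: str     # "ALLOW" or "DENY"


# Constructed common policy: intent-level rules defined once for the whole tree.
COMMON_POLICY = [
    Rule("nonprod-to-prod", "Root:NonProduction", "Root:Production", "any", 0, "DENY"),
    Rule("fin-web-to-db", "Root:Production:Finance:Web", "Root:Production:Finance:DB", "tcp", 5432, "ALLOW"),
    Rule("fin-web-ingress", "Root:Corporate:Users", "Root:Production:Finance:Web", "tcp", 443, "ALLOW"),
    Rule("hr-ingress", "Root:Corporate:Users", "Root:Production:HR", "tcp", 443, "ALLOW"),
    Rule("dev-to-dev", "Root:NonProduction:Dev", "Root:NonProduction:Dev", "any", 0, "ALLOW"),
]


def rules_for_firewall(policy: list, mapped_scope: str) -> list:
    """Keep only the rules that touch workloads in the scope mapped to this
    firewall, in their original order. Rules for unrelated branches of the
    tree (the 'extra rules' an auditor would flag) are left out."""
    if mapped_scope not in SCOPE_PARENT:
        raise KeyError(f"unknown scope: {mapped_scope}")
    return [
        r for r in policy
        if overlaps(r.consumer, mapped_scope) or overlaps(r.provider, mapped_scope)
    ]


def pushed_vs_total(policy: list, mapped_scope: str) -> tuple:
    """(rules pushed to the firewall, rules in the common policy)."""
    return len(rules_for_firewall(policy, mapped_scope)), len(policy)


if __name__ == "__main__":
    # A firewall mapped to the Finance scope receives only Finance-relevant rules.
    for fw_scope in ("Root:Production:Finance", "Root:NonProduction", "Root"):
        pushed, total = pushed_vs_total(COMMON_POLICY, fw_scope)
        print(f"{fw_scope}: pushing {pushed} of {total} rules")
        for r in rules_for_firewall(COMMON_POLICY, fw_scope):
            print(f"  {r.action:5} {r.consumer} -> {r.provider} {r.proto}/{r.port}  ({r.name})")
```

The point to notice is that the "nonprod-to-prod" deny written at the Production level is still pushed to a firewall mapped to the Finance sub-scope, because Finance inherits it, while the HR and Dev rules are not, which is what keeps the rule set on that firewall auditable.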

Key takeaways

Operationalizing a zero trust microsegmentation strategy is not trivial, but Secure Workload has a proven track record of making it a practical reality by adapting to the needs of each persona, such as Network/NetSec admins, Workload/App owners, Cloud Architects, and Cloud-Native engineers – all from one solution.

With topology awareness, you can:

  • Meet compliance and audit requirements for firewall rules
  • Protect and leverage your existing investment in network firewalls
  • Operationalize your zero trust microsegmentation strategy using both agent and agentless approaches

For more information on agentless enforcement, please read: Secure Workload and Secure Firewall Unified Segmentation Blog

Want to learn more? Find out more by checking out our Secure Workload resources.

 

