Secure Workload Protection: Extending Micro Perimeters and Automation to Enterprise IaaS

This post was authored by Frank Dickson, Program Vice President, Cybersecurity Products, IDC

The best kept secret in cloud workload security is that Cisco is number two in revenue market share according to IDC, just shy of $100 million in 2019 and almost certain to exceed $100 million in 2020 (please stay tuned). The reason for the “secret” is that the path that Cisco has taken is a bit atypical for Cisco. In other security markets, entry has been made through acquisition, including Duo Security, CloudLock, Sourcefire, Lancope, OpenDNS and Threat Grid, to name a few. In cloud workload security, Cisco started in a different place: the product is organically grown, focusing on the needs of enterprises rather than cloud native start-ups. Instead of targeting workloads developed natively in greenfield IaaS, Cisco originally targeted existing applications, whether on-premises, in private clouds (essentially virtualized datacenters) or in public clouds; the enterprise solution addressed enterprise pain points.

The goal was to help datacenter administrators with security measures for enterprise applications. Application dependencies can be extremely opaque. Thus, protection of “those” applications can be quite challenging. You know “those” applications—the applications critical to the business but written 20 years ago in COBOL by developers who left years ago. And, by the way, “those” applications are typically quite brittle. And there can be a lot of them in a mature datacenter.

The Role of Cisco Secure Workload

Cisco Secure Workload (formerly known as Tetration) addressed the problem of protecting existing applications in virtualized datacenters as well as in public clouds by changing the enforcement scope from hard perimeter-based strategies (the macro) to the micro (the workload). The solution works by automating application dependency mapping for visibility and policy generation. Thus, allow-list policies could be generated and enforced right on the workload itself.

Essentially, think of Cisco Secure Workload as creating visibility in a sea of applications and then allowing the careful enforcement of L3 and L4 micro perimeter segmentation policies. A datacenter administrator might not need to understand the functions of all the components of an application. However, the administrator will now know that an application can communicate only on required ports and protocols to required workloads, thereby defeating hackers' attempts to move laterally and breach applications.
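To make the allow-list idea concrete, here is an added example (not Cisco code; the addresses and flow records are constructed) that derives per-workload L3/L4 allow-list entries from flows observed during a learning window, makes the enforcement decision on the destination workload, and renders one workload's policy as default-deny host firewall rules.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records (src, dst, proto, dst_port) as a dependency-mapping
# sensor might observe them over a learning window. Addresses are hypothetical.
OBSERVED_FLOWS = [
    ("10.1.1.10", "10.1.2.20", "tcp", 8080),  # web tier -> app tier
    ("10.1.1.10", "10.1.2.20", "tcp", 8080),  # repeated flow, same dependency
    ("10.1.2.20", "10.1.3.30", "tcp", 1433),  # app tier -> database
    ("10.1.2.20", "10.1.9.53", "udp", 53),    # app tier -> DNS
]

def build_allow_list(flows):
    """Collapse observed flows into a per-workload L3/L4 allow-list.

    Returns {dst_workload: {(src, proto, dst_port), ...}}. Anything not in a
    workload's set is implicitly denied on that workload."""
    policy = defaultdict(set)
    for src, dst, proto, port in flows:
        ip_address(src)  # reject malformed records before they become policy
        ip_address(dst)
        policy[dst].add((src, proto.lower(), int(port)))
    return dict(policy)

def is_allowed(policy, src, dst, proto, port):
    """Enforcement decision as made on the destination workload itself."""
    return (src, proto.lower(), int(port)) in policy.get(dst, set())

def render_iptables(policy, workload):
    """Render one workload's allow-list as host firewall rules (default deny)."""
    lines = ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src, proto, port in sorted(policy.get(workload, set())):
        lines.append(f"-A INPUT -s {src} -p {proto} --dport {port} -j ACCEPT")
    lines.append("-A INPUT -j DROP")
    return lines

if __name__ == "__main__":
    pol = build_allow_list(OBSERVED_FLOWS)
    # Learned dependency: app tier may reach the database.
    print(is_allowed(pol, "10.1.2.20", "10.1.3.30", "tcp", 1433))
    # Web tier talking straight to the database was never observed: denied.
    print(is_allowed(pol, "10.1.1.10", "10.1.3.30", "tcp", 1433))
    print("\n".join(render_iptables(pol, "10.1.3.30")))
```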

As enterprise customers migrate some or all of their workloads from on-premises private clouds to IaaS, Cisco Secure Workload has essentially extended the micro perimeter segmentation approach to hybrid multicloud workloads.

Today, L3 and L4 micro perimeter policies based on application behavior alone are just not enough for enterprises. Enterprises have security operations centers (SOCs) that address the needs of oceans of on-premises and cloud compute resources. These SOCs aggressively leverage automation to tackle the Herculean task of cloud workload security, and automation demands integration. To address 2021 enterprise needs, Cisco Secure Workload has a plethora of integrations that extend these micro perimeter policy definitions.

An important security need was addressed by Cisco Secure Workload’s native integration with the Cisco Firepower Management Center (FMC), the cornerstone of Cisco perimeter automation. Within datacenters, datacenter firewalls create the macro perimeter and enforce it at the security zone boundaries. Native integration with FMC allows Cisco Secure Workload to push policies to Cisco firewalls, extending micro perimeters with macro perimeter enforcement. A key benefit is the ability to segment application workloads where Cisco Secure Workload cannot natively enforce policies on the workload itself. This macro perimeter integration is not limited to Cisco products: integrations are also available for load balancers such as F5 and Citrix, and for third-party firewall products through orchestration platforms such as AlgoSec and Tufin.

Finally, ingesting security intelligence through STIX/TAXII, the widely accepted standards for threat intelligence, has become a critical requirement. Organizations may subscribe to numerous threat intelligence feeds. Many indicators of compromise (IOCs) will not be relevant; some IOCs will be critical. Finding the relevant IOCs accurately and at scale via automation is a 2021 enterprise requirement, as SOCs cannot spare valuable analysts to perform such repetitive yet important tasks. Cisco Secure Workload will now ingest security intelligence through STIX/TAXII and automate the process.
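An added example, not part of Cisco's product or this post, showing the relevance-filtering step described above: it parses a constructed STIX 2.1 bundle (placeholder indicator ids and documentation addresses), pulls the IPv4 observables out of each indicator pattern, skips revoked indicators, and keeps only the IOCs that match peers actually seen in the workload flows.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for what a TAXII collection would
# return. The ids and addresses are placeholders, not real indicators.
FEED = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern_type": "stix", "valid_from": "2021-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2021-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2021-01-01T00:00:00Z",
         "revoked": True,  # withdrawn by the feed; must not drive alerts
         "pattern": "[ipv4-addr:value = '203.0.113.9']"},
    ],
})

# Constructed (remote IP, remote port) peers observed in workload flows.
OBSERVED_PEERS = {("198.51.100.8", 443), ("203.0.113.9", 22), ("192.0.2.5", 443)}

# Matches every ipv4-addr comparison inside a STIX pattern, including OR'd ones.
IPV4_RE = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")

def extract_ipv4_indicators(bundle_json):
    """Map each IPv4 observable to the ids of the live indicators that use it,
    skipping revoked indicators and non-STIX pattern types."""
    by_value = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for value in IPV4_RE.findall(obj.get("pattern", "")):
            by_value.setdefault(value, set()).add(obj["id"])
    return by_value

def relevant_iocs(bundle_json, peers):
    """Keep only IOCs that match a peer actually seen talking to a workload."""
    by_value = extract_ipv4_indicators(bundle_json)
    return {(ip, port): sorted(by_value[ip]) for ip, port in peers if ip in by_value}
```

Only the hit on an observed peer survives; the unseen address, the domain-only indicator and the revoked indicator are all dropped before an analyst has to look at them.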

The larger point is that Cisco took a different approach to workload security, focusing on the needs of the enterprise. The company’s micro perimeter and integration strategies highlight the point. Frankly, greenfield IaaS use cases are easier; Cisco is looking to help address the use cases that are not so easy.