Building network and workload security architectures can be a daunting task. It involves not only choosing the right solution with the appropriate set of capabilities, but also ensuring that the solutions offer the right level of resilience.
Resilience is often considered a network function, where the network must be robust enough to handle failures and offer alternate paths for transmitting and receiving data. However, resilience at the endpoint or workload level is frequently overlooked. As part of building a resilient architecture, it is essential to include and plan for scenarios in which the endpoint or workload solution might fail.
When we examine the current landscape of solutions, it usually boils down to two different approaches:
Agent-Based Approaches
When choosing a security solution to protect application workloads, the discussion often revolves around mapping business requirements to technical capabilities. These capabilities typically include security features such as microsegmentation and runtime visibility. However, one aspect that is often overlooked is the agent architecture.
Generally, there are two main approaches to agent-based architectures:
- Userspace installing Kernel-Based Modules/Drivers (in-datapath)
- Userspace transparent to the Kernel (off-datapath)
Secure Workload’s agent architecture was designed from the ground up to protect application workloads, even in the event of an agent malfunction, thus preventing crashes in the application workloads.
This robustness is due to our agent architecture, which operates completely in userspace without affecting the network datapath or the application libraries. Therefore, if the agent were to fail, the application would continue to function as normal, avoiding disruption to the business.
Another aspect of the agent architecture is that it was designed to give administrators control over how, when, and which agents they want to upgrade by leveraging configuration profiles. This approach provides the flexibility to roll out upgrades in a staged fashion, allowing for necessary testing before going into production.
Agentless-Based Approaches
The best way to protect your application workloads is undoubtedly through an agent-based approach, as it yields the best results. However, there are instances where installing an agent is not possible.
The main drivers for choosing agentless solutions often relate to organizational dependencies (e.g., cross-departmental collaboration), or in certain cases, the application workload’s operating system is unsupported (e.g., legacy OS, custom OS).
When choosing agentless solutions, it’s important to understand the limitations of these approaches. For instance, without an agent, it is not possible to achieve runtime visibility of application workloads.
Nevertheless, the chosen solution must still provide the required security features, such as comprehensive network visibility of traffic flows and network segmentation to safeguard the application workloads.
Secure Workload offers a holistic approach to getting visibility from multiple sources such as:
- IPFIX
- NetFlow
- Secure Firewall NSEL
- Secure Client Telemetry
- Cloud Flow Logs
- Cisco ISE
- F5 and Citrix
- ERSPAN
- DPUs (Data Processing Units)
… and it offers multiple ways to enforce this policy:
- Secure Firewall
- Cloud Security Groups
- DPUs (Data Processing Units)
Key Takeaways
When choosing the right network and workload microsegmentation solution, always keep in mind the risks, including the threat landscape and the resilience of the solution itself. With Secure Workload, you get:
- Resilient Agent Architecture
- Application runtime visibility and enforcement with microsegmentation
- Diverse feature set of agentless enforcement
Learn more about Cisco Secure Workload