Building a Resilient Network and Workload Security Architecture from the Ground Up


Building network and workload security architectures can be a daunting task. It involves not only choosing the right solution with the appropriate set of capabilities, but also ensuring that the solutions offer the right level of resilience.

Resilience is often considered a network function, where the network must be robust enough to handle failures and offer alternate paths for transmitting and receiving data. However, resilience at the endpoint or workload level is frequently overlooked. As part of building a resilient architecture, it is essential to include and plan for scenarios in which the endpoint or workload solution might fail.

When we examine the current landscape of solutions, it usually boils down to two different approaches:

Agent-Based Approaches

When choosing a security solution to protect application workloads, the discussion often revolves around mapping business requirements to technical capabilities. These capabilities typically include security features such as microsegmentation and runtime visibility. However, one aspect that is often overlooked is the agent architecture.

Generally, there are two main approaches to agent-based architectures:

  • Userspace installing Kernel-Based Modules/Drivers (in-datapath)
  • Userspace transparent to the Kernel (off-datapath)

Secure Workload’s agent architecture was designed from the ground up to protect application workloads, even in the event of an agent malfunction, thus preventing crashes in the application workloads.

This robustness is due to our agent architecture, which operates completely in userspace without affecting the network datapath or the application libraries. Therefore, if the agent were to fail, the application would continue to function as normal, avoiding disruption to the business.

Figure 1: Secure Workload’s Agent Architecture

Another aspect of the agent architecture is that it was designed to give administrators control over how, when, and which agents they want to upgrade by leveraging configuration profiles. This approach provides the flexibility to roll out upgrades in a staged fashion, allowing for necessary testing before going into production.

Figure 2: Agent Config Profile and On-Demand Agent Upgrades

Agentless-Based Approaches

The best way to protect your application workloads is undoubtedlythrough an agent-based approach, as it yields the best outcomes. However, there are instances where installing an agent is not possible.

The main drivers for choosing agentless solutions often relate to organizational dependencies (e.g., cross-departmental collaboration), or in certain cases, the application workload’s operating system is unsupported (e.g., legacy OS, custom OS).

When opting for agentless solutions, it’s important to understand the limitations of these approaches. For instance, without an agent, it is not possible to achieve runtime visibility of application workloads.

Nevertheless, the chosen solution must still provide the necessary security features, such as comprehensive network visibility of traffic flows and network segmentation to safeguard the application workloads.

Secure Workload offers a holistic approach to getting visibility from multiple sources such as:

  • IPFIX
  • NetFlow
  • Secure Firewall NSEL
  • Secure Client Telemetry
  • Cloud Flow Logs
  • Cisco ISE
  • F5 and Citrix
  • ERSPAN
  • DPUs (Data Processing Units)

… and it offers multiple ways to enforce this policy:

  • Secure Firewall
  • Cloud Security Groups
  • DPUs (Data Processing Units)
Cisco Secure Workload - Microsegmentation from on-premise to cloud
Figure 3: Agentless Enforcement Points with Secure Workload

Key Takeaways

When choosing the right network and workload microsegmentation solution, always keep in mind the risks, including the threat landscape and the resilience of the solution itself. With Secure Workload, you get:

  • Resilient Agent Architecture
  • Application runtime visibility and enforcement with microsegmentation
  • Diverse feature set of agentless enforcement

Learn more about Cisco Secure Workload

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn

Share:





Source link