noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Cisco Systems Inc.

My Journey of Conservation and Fulfillment: Time2Give with Sea Turtles
University of Wisconsin-Madison

Two deans reappointed after 5-year reviews
University of Wisconsin-Madison

UW–Madison celebrates selection of 11 Fulbright U.S. Scholars for 2024–2025

Finance

Cisco Systems Inc.

08/06/2024 | News release | Distributed by Public on 08/06/2024 06:14

Building a Resilient Network and Workload Security Architecture from the Ground Up

Building network and workload security architectures can be a daunting task. It involves not only choosing the right solution with the appropriate set of capabilities, but also ensuring that the solutions offer the right level of resilience.

Resilience is often considered a network function, where the network must be robust enough to handle failures and offer alternate paths for transmitting and receiving data. However, resilience at the endpoint or workload level is frequently overlooked. As part of building a resilient architecture, it is essential to include and plan for scenarios in which the endpoint or workload solution might fail.

When we examine the current landscape of solutions, it usually boils down to two different approaches:

Agent
Agentless

Agent-Based Approaches

When choosing a security solution to protect application workloads, the discussion often revolves around mapping business requirements to technical capabilities. These capabilities typically include security features such as microsegmentation and runtime visibility. However, one aspect that is often overlooked is the agent architecture.

Generally, there are two main approaches to agent-based architectures:

Userspace installing Kernel-Based Modules/Drivers (in-datapath)
Userspace transparent to the Kernel (off-datapath)

Secure Workload's agent architecture was designed from the ground up to protect application workloads, even in the event of an agent malfunction, thus preventing crashes in the application workloads.

This robustness is due to our agent architecture, which operates completely in userspace without affecting the network datapath or the application libraries. Therefore, if the agent were to fail, the application would continue to function as normal, avoiding disruption to the business.

Figure 1: Secure Workload's Agent Architecture

Another aspect of the agent architecture is that it was designed to give administrators control over how, when, and which agents they want to upgrade by leveraging configuration profiles. This approach provides the flexibility to roll out upgrades in a staged fashion, allowing for necessary testing before going into production.

[Link]Figure 2: Agent Config Profile and On-Demand Agent Upgrades

Agentless-Based Approaches

The best way to protect your application workloads is undoubtedlythrough an agent-based approach, as it yields the best outcomes. However, there are instances where installing an agent is not possible.

The main drivers for choosing agentless solutions often relate to organizational dependencies (e.g., cross-departmental collaboration), or in certain cases, the application workload's operating system is unsupported (e.g., legacy OS, custom OS).

When opting for agentless solutions, it's important to understand the limitations of these approaches. For instance, without an agent, it is not possible to achieve runtime visibility of application workloads.

Nevertheless, the chosen solution must still provide the necessary security features, such as comprehensive network visibility of traffic flows and network segmentation to safeguard the application workloads.

Secure Workload offers a holistic approach to getting visibility from multiple sources such as:

IPFIX
NetFlow
Secure Firewall NSEL
Secure Client Telemetry
Cloud Flow Logs
Cisco ISE
F5 and Citrix
ERSPAN
DPUs (Data Processing Units)

… and it offers multiple ways to enforce this policy:

Secure Firewall
Cloud Security Groups
DPUs (Data Processing Units)

[Link]Figure 3: Agentless Enforcement Points with Secure Workload

Key Takeaways

When choosing the right network and workload microsegmentation solution, always keep in mind the risks, including the threat landscape and the resilience of the solution itself. With Secure Workload, you get:

Resilient Agent Architecture
Application runtime visibility and enforcement with microsegmentation
Diverse feature set of agentless enforcement

Learn more about Cisco Secure Workload

We'd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!

Cisco Security Social Channels

Instagram
Facebook
Twitter
LinkedIn

Sharing and Personal Tools

Please select the service you want to use:

Back

View original format