Building network and workload security architectures can be a daunting task. It involves not only choosing the right solution with the right set of capabilities, but also ensuring that the solution offers the right level of resiliency.
Resilience is often considered a network function where the network must be robust enough to handle failures and offer alternative paths for data transmission and reception. However, resilience at the endpoint or workload level is often overlooked. As part of building a resilient architecture, it is essential to include and plan for scenarios in which an endpoint or workload solution may fail.
When we examine the current landscape of solutions, it usually boils down to two different approaches:
Agent-based approaches
When choosing a security solution to protect application workloads, the discussion often revolves around mapping business requirements to technical capabilities. These capabilities typically include security features such as micro-segmentation and runtime visibility. However, one aspect that is often overlooked is the agent architecture.
In general, there are two main approaches to agent-based architecture:
- Kernel-resident modules or drivers installed from user space (in the data path)
- User-space only, transparent to the kernel (outside the data path)
The Secure Workload agent architecture was designed from the ground up to protect application workloads even if the agent itself fails, so that an agent fault cannot crash the application workload.
This robustness comes from the agent running entirely in user space, without inserting itself into the network data path or into application libraries. If the agent fails, the application keeps running as usual and the business is not disrupted. When evaluating any agent of this kind, also confirm what happens to enforcement state when the agent process is stopped: whether policy already programmed into the host stays in place, or the workload is left unsegmented until the agent restarts.
Another aspect of the agent architecture is that it was designed to give administrators control over how, when, and which agents they want to upgrade through the use of configuration profiles. This approach provides the flexibility to roll out upgrades in stages, allowing for the necessary testing before going into production.
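The staged-rollout idea above, as an added example that is not part of the original post or of Cisco's product: a small planner that upgrades agents one configuration profile at a time and halts before the next wave if any agent in the current wave does not come back healthy. The fleet, the `profile` and `healthy` fields, and the `outcome` health callback are constructed assumptions for illustration, not Secure Workload data structures.

```python
"""Staged agent upgrade with per-wave health gating (illustrative, assumed model)."""
from dataclasses import dataclass


@dataclass
class Agent:
    host: str
    profile: str          # configuration profile the agent is assigned to (assumed field)
    version: str
    healthy: bool = True  # assumed health signal: agent process up and reporting in


def make_inventory():
    """Constructed sample fleet; hostnames are not real."""
    return [
        Agent("dev-web-01", "dev", "3.8.1"),
        Agent("dev-db-01", "dev", "3.8.1"),
        Agent("stg-web-01", "staging", "3.8.1"),
        Agent("stg-db-01", "staging", "3.8.1"),
        Agent("prd-web-01", "prod", "3.8.1"),
        Agent("prd-web-02", "prod", "3.8.1"),
        Agent("prd-db-01", "prod", "3.8.1"),
    ]


# Wave order: profiles upgraded earlier act as the test bed for the later ones.
WAVES = ["dev", "staging", "prod"]


def staged_rollout(inventory, target, outcome, waves=WAVES, batch_size=1):
    """Upgrade agents profile by profile, in batches of `batch_size`.

    `outcome(host)` is the (assumed) post-upgrade health check. The rollout
    stops at the first unhealthy batch, leaving every later wave on its old
    version, so a bad build is contained to the wave that found it.
    Returns (completed_profiles, halt_info_or_None).
    """
    completed = []
    for profile in waves:
        pending = [a for a in inventory if a.profile == profile and a.version != target]
        for i in range(0, len(pending), batch_size):
            batch = pending[i:i + batch_size]
            for agent in batch:
                agent.version = target
                agent.healthy = outcome(agent.host)
            unhealthy = [a.host for a in batch if not a.healthy]
            if unhealthy:
                return completed, {"profile": profile, "unhealthy": unhealthy}
        completed.append(profile)
    return completed, None


def versions(inventory):
    """Map host -> running agent version, for inspecting where the rollout stopped."""
    return {a.host: a.version for a in inventory}


if __name__ == "__main__":
    fleet = make_inventory()
    # Simulate one staging agent failing its health check after upgrade.
    done, halted = staged_rollout(fleet, "3.9.0", lambda host: host != "stg-db-01")
    print("completed waves:", done)
    print("halted on:", halted)
    print("versions:", versions(fleet))
```

The point of the batch loop is blast radius: with `batch_size=1` a failing build is seen on a single host before any other agent in that profile is touched, and production is never reached.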
Agentless approaches
An agent-based approach gives the most complete protection for application workloads, because only an agent on the host can see and control what runs there. However, there are cases in which installing an agent is not possible.
The main reasons for choosing an agentless solution are usually organizational dependencies (for example, the host is owned by another department) or, in some cases, an operating system that the agent does not support (for example, a legacy or custom OS).
When choosing an agentless solution, it is important to understand its limitations. Without an agent, for example, runtime visibility into the processes running on the workload is not possible; only what crosses the network can be observed.
However, the chosen solution must still provide the necessary security features, such as comprehensive network visibility of traffic flows and network segmentation, to secure the application workload.
Secure Workload offers a holistic approach to gaining visibility from multiple sources such as:
- IPFIX
- Network flow
- NSEL (Secure Firewall)
- Secure client telemetry
- Cloud Stream Protocols
- Cisco ISE
- F5 and Citrix
- ERSPAN
- DPU (data processing units)
…and offers several ways to enforce segmentation policy without an agent on the workload:
- Secure firewall
- Cloud security groups
- DPU (data processing units)
Key takeaways
When choosing a network and workload micro-segmentation solution, always keep risk in mind, including the threat landscape and the resilience of the solution itself. With Secure Workload you get:
- Resilient Agent Architecture
- Visibility and application runtime enforcement with micro-segmentation
- A diverse feature set for agentless enforcement