Application security is top-of-mind for all of our customers. Companies are expanding to the cloud, and with the proliferation of Bring Your Own Device (BYOD) accessing applications, the environment outside of the data center is becoming more difficult to secure. That is why it is imperative that our security defenses move closer to the application.
Top international security agencies such as the NSA and the Australian Signals Directorate list network segmentation as one of the most valuable tools to prevent your company from being on the front page of the news for the wrong reasons. And industry research firm Gartner names application segmentation as one of the foundational pillars of effective cloud workload protection.
Whether you call it micro-segmentation, application segmentation, cloud workload protection, or Zero Trust, limiting how an application can communicate on the network is a security imperative.
But I have a firewall
Although we’ve been talking about segmentation for more than 10 years, until this point firewalls have been a strong first line of defense. After conversations with thousands of our customers, we recognize that firewalls can now only be part of the solution. The more users, devices, applications, and data you’re managing, the more difficult securing your network becomes. Firewalls are required, but they’re simply not enough anymore. With micro-segmentation enabling a zero-trust model, users experience holistic workload protection for multicloud data centers. This approach allows you to identify security incidents faster, contain lateral movement, and reduce the company’s attack surface.
Ok, let’s take the Yankees for example
Imagine going to a Yankees baseball game where you have great seats right behind home plate. Like any sports event, we’re used to going through security at the stadium entrance where they check our tickets, walk us through a metal detector, and inspect our bags. This works well as a first layer of security, but what if the only place where they check your tickets is at the entrance? Once you get inside, there is no way to enforce whether you or someone else sits in your seat. Do you think you’ll get your seat? Probably, but the only reason this works is because we trust that everyone going to the game plays fair. What if it’s a championship game and because there is no security inside, there aren’t any consequences if someone takes your seat? We’re starting to trust a little less.
Now, imagine that your seat at the game is actually a database of social security numbers or credit card credentials. This is how lots of customers build data centers today. The next-generation firewall applies security at the entrance, but once inside, a user (or an attacker who got past the entrance) can go anywhere.
Let’s go back to that same championship game. We still need extensive security at the entrance. But this time, once you get inside everyone is personally escorted to their correct seats. That is what Zero Trust micro-segmentation looks like. To implement this level of security, you need more than just the escort. You need to verify your identity, which is essentially a validated ticket with your name (who you are) and your seat (where you are allowed to go).
Attempting to deliver micro-segmentation with only a software-defined firewall is like hiring thousands of security escorts but forgetting to print seat numbers on all of the tickets. It only addresses part of the problem.
Cisco is revolutionizing micro-segmentation and workload protection
Cisco Tetration delivers true application segmentation security. Along with enforcing segmentation, it helps customers automate and operationalize segmentation, delivering risk management and dramatically faster time-to-value.
Tetration was built from the ground up to rethink how customers implement micro-segmentation, breaking down barriers by automating the segmentation process. Specific Tetration capabilities include:
- Automatic rule discovery leveraging the power of big data and machine learning;
- Simulation of micro-segmentation rules prior to (optionally) enforcing them;
- Fully-integrated enforcement capabilities in any cloud WITHOUT any major infrastructure changes;
- Day-two troubleshooting and lifecycle management.
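As an added illustration of the "who you are / where you are allowed to go" model and of scoring rules against observed traffic before switching on enforcement, here is a small simulation written for this post (it is not Tetration's code; the workload tags, hosts, ports and flow records are constructed):

```python
from dataclasses import dataclass

# Constructed inventory: each workload carries identity tags (who it is)
# instead of being known only by an IP address.
WORKLOADS = {
    "web-01": {"app:shop", "tier:web"},
    "web-02": {"app:shop", "tier:web"},
    "app-01": {"app:shop", "tier:app"},
    "db-01": {"app:shop", "tier:db"},
    "jump-01": {"tier:mgmt"},
}

@dataclass(frozen=True)
class Rule:
    consumer: str  # tag the source workload must carry
    provider: str  # tag the destination workload must carry
    port: int      # destination port the rule permits

# Allow-list expressed in identities, not addresses; anything unmatched is denied.
POLICY = [
    Rule("tier:web", "tier:app", 8080),
    Rule("tier:app", "tier:db", 5432),
    Rule("tier:mgmt", "app:shop", 22),
]

def evaluate(src, dst, port, policy=POLICY, inventory=WORKLOADS):
    """Return 'allow' if some rule matches both endpoints' tags and the port, else 'deny'."""
    src_tags = inventory.get(src, set())  # unknown hosts have no identity -> no match
    dst_tags = inventory.get(dst, set())
    for r in policy:
        if r.consumer in src_tags and r.provider in dst_tags and r.port == port:
            return "allow"
    return "deny"

def simulate(flows, policy=POLICY, inventory=WORKLOADS):
    """Monitor mode: report the observed flows that enforcement would block."""
    return [f for f in flows if evaluate(*f, policy=policy, inventory=inventory) == "deny"]

# Constructed flow observations as (src, dst, dport).
FLOWS = [
    ("web-01", "app-01", 8080),
    ("app-01", "db-01", 5432),
    ("jump-01", "db-01", 22),
    ("web-02", "db-01", 5432),    # web tier reaching straight into the database
    ("web-01", "web-02", 22),     # lateral movement inside one tier
    ("10.9.9.9", "db-01", 5432),  # host with no identity at all
]

if __name__ == "__main__":
    for src, dst, port in simulate(FLOWS):
        print(f"would block {src} -> {dst}:{port}")
```

Running it in monitor mode lists the three flows that would be cut off, which is exactly the review an operator wants before moving from monitoring to enforcement.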
But segmentation is only the first step. Tetration is uniquely designed to protect workloads by understanding vulnerabilities, integrating threat intelligence, and analyzing behavior to identify zero-day attacks like Spectre and Meltdown.
In addition, Tetration dramatically reduces the time it takes for our customers to achieve increased application security. It applies segmentation with a level of detail that will make applications invisible to attackers, and an attacker can’t hack what they can’t see.
With last year’s launch of Tetration SaaS, it’s now accessible to every customer. It’s time to think bigger than just implementing a “software-defined firewall” and start securing applications with Cisco Tetration.
Learn more:
- Cisco Application-First Security
- Cisco Tetration
- Cisco Tetration Platform – Cloud Workload Protection
- Cisco Zero Trust Security
Very interesting.
Very cool. Segmentation seems to be a key strategy in securing your network.
If only companies had the processes to put these technologies in place. In my years of auditing organizations, I've found this to be a common situation. IT departments invest hundreds of thousands or millions in technologies like ISE or ACI that fully leverage good security practices, but they fail to implement them.
Yes, the technology is there and the LEDs of the costly devices blink, but the actual policies never get implemented. Just on my last visit I found a nice Tetration/ISE implementation that is on, but there is no enforcement of policies, and the company continues in monitoring mode with no actual plans to enforce those policies. What a waste.