In this blog we introduce the Cisco Cloud Native Security SPOT-On demo video series. In this series we will take you through how to provide a cloud native infrastructure to run applications. We’ll look at what tools are needed to make this happen and, most importantly, how we can secure these environments using the Cisco Secure portfolio.
In part 1 of the series, we will introduce:
- what we will be building
- what types of security technologies we will be implementing
- how the Cisco Secure portfolio provides visibility and security policy in a cloud native environment.
Each blog in the series will include a demo video! You can also find more information at Cisco Application-First Security.
What and where will we be building?
First, we need somewhere to deploy our infrastructure. We will be deploying our infrastructure in Amazon Web Services (AWS). In AWS we will provision a Virtual Private Cloud (VPC) with all the necessary subnets, security groups, interfaces, route tables, internet gateways, elastic IP addresses, and elastic compute (EC2) instances. We will also be deploying an Elastic Kubernetes Service (EKS) cluster to manage and orchestrate our cloud native applications. Two EC2 instances will be provisioned: the first will host our Next Generation Firewall, and the second will host the EKS worker node, which will run our microservices applications.
What tools do we need?
We also need some tools to help us with provisioning and configuring our environment. We built a DevBox with all the necessary DevOps tools to accomplish this. On this DevBox we will install the latest versions of Terraform, Ansible, Jenkins and AWS CLI. We will use Terraform and the AWS CLI to provision the cloud infrastructure and applications. Ansible will be used to configure the Next Generation Firewall policy. Jenkins will automate and orchestrate the build and deployment of the environment. Other tools we will be using include GitHub for source code management and version control, Docker for deploying Ansible playbooks and Python scripts in our CI/CD pipeline, and the Kubernetes CLI (kubectl) to monitor and manage the cluster itself.
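As an added example (not code from the blog or from Cisco), here is a Terraform sketch of the VPC layout described above: a public subnet holding the NGFW instance as the only entry point, and a private subnet for the EKS worker whose security group accepts traffic only from the firewall's security group. The resource names, CIDRs and the HTTPS-only rule are assumptions, and egress rules are omitted.

```hcl
# Added example (not Cisco's code): VPC skeleton for the topology above.
# Resource names and CIDRs are placeholder assumptions; egress rules omitted.
resource "aws_vpc" "spot" { cidr_block = "10.0.0.0/16" }
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.spot.id }
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.spot.id
  cidr_block = "10.0.1.0/24"
}
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.spot.id
  cidr_block = "10.0.2.0/24"
}
# Only the public subnet routes to the internet gateway; the private worker
# subnet keeps the VPC-local route table, so it is reachable only via the NGFW.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.spot.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
# Firewall outside interface: accept only HTTPS from the internet.
resource "aws_security_group" "ngfw" {
  vpc_id = aws_vpc.spot.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# EKS worker: no internet-facing ingress, only traffic from the firewall's SG.
resource "aws_security_group" "eks_worker" {
  vpc_id = aws_vpc.spot.id
  ingress {
    from_port       = 0
    to_port         = 65535
    protocol        = "tcp"
    security_groups = [aws_security_group.ngfw.id]
  }
}
```

The NGFW and worker instances attach to these subnets and security groups; the security-group reference (rather than a CIDR) is what keeps the worker unreachable except through the firewall even if addresses change.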
How to secure cloud native environments?
Securing the cloud native environment can become a little bit tricky. What exactly are we trying to secure? There are so many questions that can arise when deploying your cloud-native app in AWS (or another IaaS provider):
- Are we securing the public cloud infrastructure, the Kubernetes cluster, the microservices running in the cluster, or the containers and the apps running inside them?
- What about the APIs (Application Programming Interfaces) they are exposing? What about the authentication and authorization of the APIs?
- How is the data encrypted in transit and at rest?
- How many connections or requests can the app support?
- Are there any vulnerable libraries being used in these apps?
Luckily for us, the Cisco Secure portfolio provides solutions for all these questions.
Different solutions for different use cases
In this series we will start with the infrastructure and make our way up in the stack to the application and users. Depending on the deployment, some of the infrastructure layers might not be controlled (e.g., in serverless computing deployments). Therefore, it is important to note that not all these solutions will be needed for every cloud-native deployment. During this blog series, we will explain the different use cases, and when you need which solution. Check the diagram below to see how the different solutions play a role in the application stack.
Different solutions play different roles in the application stack
From infrastructure to application – going up the stack
At a high level, going up the stack from the infrastructure to the application looks like this:
- We will secure the cloud edge using Cisco Secure Firewall (NGFW) which will be provisioned on an EC2 instance that will be the entry point into the VPC. The NGFW will provide North/South layer 3-7 access control, intrusion prevention, and anti-malware protections to and from our applications. This solution provides an option to secure the cloud infrastructure (AWS VPC) itself. The other option is to deploy Cisco Secure Firewall Cloud Native (SFCN) directly into the Kubernetes cluster. SFCN is a full NGFW, built to run in a managed Kubernetes environment in public cloud. This provides automated scaling features for security services based on demand.
- We will also dive into other emerging technologies such as Cloud Security Posture Management (CSPM) using Cisco Secure Cloud Insights. Secure Cloud Insights gives us complete visibility into cloud security posture while continually monitoring and detecting policy violations and misconfigurations and mapping relationships between all assets to understand the entire attack surface.
- We will then provide visibility and security analytics into the cloud infrastructure and Kubernetes cluster using Cisco Secure Cloud Analytics (SCA). SCA detects indications of compromise such as insider threat activity and malware within the microservices environment. This solution gives us the option to secure public cloud (AWS VPC) and cloud native (Kubernetes) infrastructures. SCA also has integration with serverless computing platforms such as AWS Lambda.
- Cisco Secure Workload can provide micro-segmentation inside of the cloud infrastructure and micro-service applications. Secure Workload can be deployed using an agent on the cloud instances (EC2) or a daemonset on the Kubernetes cluster. This solution provides options to segment cloud instances and micro-apps at Layer 3-4, meaning policy is still being enforced by IP address and service port.
- Cisco Secure Application for cloud native will deliver Kubernetes and container security, providing CI/CD pipeline integration, API visibility and risk detection. Since this is a container security solution, it can be used with your Kubernetes cluster.
- Next we will secure the application itself using Cisco Secure Application for AppD, which detects code dependencies, continuously monitors for vulnerabilities, and blocks exploits, all at application runtime. Cisco Secure Application is part of the AppDynamics suite and runs on its Application Performance Monitor (APM), which is deployed inside the application code. Since this solution is embedded in the application runtime via an agent, it can be used wherever the application is running.
- Cisco Secure Access by Duo will establish user and device trust and highly secure access to applications, helping you identify corporate versus personal devices with easy certificate deployment, block untrusted endpoints, and give users secure access to internal applications without using VPNs. Furthermore, Duo Network Gateway provides granular user and endpoint access control to CI/CD applications and infrastructure over HTTPS, SSH and RDP.
Follow the series
This is the first blog in my 3-part Cisco Cloud Native Security series. Each blog will introduce the next demo video. Check out the first video, Cisco Secure Cloud Native Security – Part 1 – Introduction, for more detailed information and a demo. And please visit the Cisco Application-First Security website for access to tools, learning labs, and more information. Got questions or things you’d like to discuss? Join us in the Security Developer Community.