Avatar

With cloud comes complexity

As organizations accelerate their transition to hybrid cloud, multicloud, and other dynamic environments, static security controls are no longer adequate. The shift of applications and the associated security controls within dynamic cloud environments create challenges for firewall teams to keep up with security requirements. Workloads spin up and down faster than traditional security policy change management can accommodate, straining NetOps and SecOps teams with the rapid pace of change and continuous adjustments in a constantly changing environment.

Firewall teams must leverage an open framework that connects dynamic environments and pulls mappings in real-time to keep security policies up-to-date without human intervention.

Policy enforcement as dynamic as your environment

Secure Firewall Threat Defense 7.0 now connects into these dynamic environments, ingesting attributes when added, deleted, and updated, and creates dynamics objects that enforce access control policy. Utilizing a dynamic attribute within a security policy keeps the policy current (near-real-time) without redeploying to reduce the SecOps team’s operational overhead dramatically. Less time is spent scheduling change windows, getting approvals, checking and double-checking object changes, troubleshooting deployments, or worse, spending nights and weekends resolving critical failures.

Introducing the Cisco Secure Dynamic Attributes Connector

As the list of dynamic environments grows to span public and private clouds, running SaaS applications, homegrown apps, and everywhere in between, it increases the complexity and upkeep for organizations. The new Cisco Secure Dynamic Attributes Connector utility addresses the complexity by making API calls to popular environments such as AWS, Azure, VMware NSX-T, and Office 365.

Let’s take a simple example of limiting your development team’s AWS instances access. You can grant them access, but then how do you limit their access to specific workloads? How do you keep up with virtual machines being spun up and down in AWS? With dynamic attributes and our integration utility, Secure Dynamic Attributes Connector, the Firewall Management Center (FMC) can connect directly using the AWS public APIs. This integration enables you to pull down the service tags and categories to populate a dynamic attribute to deploy an IP address, network, or additional fields (port and protocol in the future) within the access control policy. Then, just like a well-known rotisserie from years ago, you set it and forget it.

Dynamic attributes architecture overview

We will continue to expand on integration capabilities and would love to hear your feedback on what to add. Don’t see a dynamic attribute you need today? Have a propriety application that could leverage a dynamic attribute? If so, you are in luck! Cisco built dynamic attributes using a Push and Pull REST API framework so customers and partners can build integrators without being tied to the firewall release cycle.

To learn more about Cisco Secure Dynamic Attributes Connector and dynamic attributes for Cisco Secure Firewall, please see the additional resource section below.

Additional resources

Cisco Secure Dynamic Attributes Connector

Dynamic Objects Configuration Guide for Firewall Management Center (FMC)

API Guide


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn



Authors

Nicholas Carrieri

Senior Product Manager

Security Business Group