When I look at the evolution of network security and how IT and security professionals have protected the network for the last thirty years, I can't help but notice how traditional network security enforcement points (insert your favorite firewall here) are still used to protect networks and workloads. They have evolved to offer a diverse set of features (i.e., IPS, decryption, application detection) to deeply inspect traffic coming in and out of the network to protect workloads. However, while firewalls are very capable appliances, it has been shown that they are insufficient to keep malicious actors at bay, particularly if those actors manage to breach the firewall defenses and move laterally in the network. But why is this?
We are in the digital era, where the concept of the perimeter is no longer confined to a location or a network segment. To address this new reality and provide more tailored policy control for protecting workloads, vendors have moved security closer to the workload.
There are two approaches to do this: using agent or agentless techniques to build a micro-perimeter around the workload.
Which approach is the right one to take? Well, this depends on several factors, including the organization, the type of application, or the team structure. So, let's start untangling this.
The challenge(s)
The most direct approach to protecting applications is to install software agents on every workload and stop there. Why? Because then every workload has its own micro-perimeter, allowing access only to what is needed.
However, it is not always possible to install a software agent. Maybe it is a mainframe application or a legacy operating system that needs fine-grained policies due to a compliance mandate. Or application workloads that are in the cloud, where the agent installation is simply not possible due to organizational constraints.
And this is not the only challenge or consideration for choosing your approach. The teams or groups that make up any enterprise typically have different security requirements from each other, resulting in the triad challenge: people, process, and technology.
Let's start with people (policy owner) and process (policy enforcement). Typically, each organization has its own set of unique requirements to protect its application workloads, and a defined process to implement those requirements in the policy. To support this, a tool (technology) is required, which must adapt to each organization's requirements and must be able to define a common policy across agent and agentless workloads.
To start unpacking this, you need to ask yourself:
- What are we protecting?
- Who is the owner of the policies?
- How is policy enforcement done?
As an example:
Say you want to protect a finance application (what) using an agent-based approach (how), and the owner of the policies is the App Team/Workload group (who). In this scenario, as long as the application does not break and the team can continue to focus on coding, this is usually an acceptable approach. However, when implementing the common policy, the translation from human language to machine language tends to generate extra rules that are not always needed. This is a common by-product of the translation process.
Now, let's assume that in your organization the protection of a legacy application (what) is delegated to the Network/NetSec team (who) using an agentless enforcement approach with network firewalls (how), because in this case it is not possible to install software agents due to the unsupported legacy operating system. As in the first example, extra rules are generated. However, in this case these unnecessary extra rules have negative consequences because of firewall rule auditing requirements for compliance mandates, even though they are part of the common policy.
Topology as the source of truth: pushing only what is needed
Cisco Secure Workload has been addressing the people, process, and technology challenges since its inception. The solution embraces both approaches: installing software agents on workloads regardless of form factor (bare-metal, VM, or container), or using agentless enforcement points such as firewalls. Secure Workload adapts to each organization's requirements by defining the policy, such as a zero trust microsegmentation policy, to effectively apply micro-perimeters to application workloads in support of the zero trust approach. All within a single pane of glass.
However, as discussed in the example above, we still needed to align our policy to the compliance requirements of the Network/NetSec team, using only the policy rules that are needed.
To tackle the extra-rules challenge, we asked ourselves, "What is the most efficient way to push policies into a network firewall using Secure Workload?"
The answer comes down to a common concept for Network/NetSec teams: the network topology.
So how does it work?
With Secure Workload, the term topology is intrinsic to the solution. It leverages the topology concept using a construct called "Scopes", which are completely infrastructure agnostic, as shown in Figure 1.
It allows you to build a topology tree in Secure Workload based on context, where you can group your applications and define your policy using human intent, for example "Production cannot talk to Non-Production", and apply the policy following the topology hierarchy.
The Scope tree is the topology of your application workloads within the organization, but the key is that it can be shaped for different departments or organizational requirements and adapted to each team's security requirements.
The concept of mapping a workload Scope to a network firewall is called "Topology Awareness."
Topology Awareness enables the Network/NetSec teams to map a specific Scope to a particular firewall in the network topology, so only the relevant set of policies for a given application is pushed to that firewall.
So, what does this implementation look like? With the Scope mapping in place, Secure Workload pushes the relevant policy to the Cisco Secure Firewall by way of its management platform, Secure Firewall Management Center (FMC). To maintain compliance, only the required policy rules are sent to FMC, avoiding the extra unnecessary rules thanks to Topology Awareness. An example of this is shown in Figure 2:
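To make the scope-to-firewall filtering concrete, here is an added toy model of the idea (illustrative code written for this post, not Cisco Secure Workload code or its API). It builds a small scope tree, expands two human intents into concrete per-workload rules, and then keeps only the rules that touch workloads under the scope a given firewall is mapped to. The scope names, addresses and ports are constructed for the example.

```python
# Added illustration (not Cisco Secure Workload code or its API): a toy scope tree
# with intent-based policy, and a filter that keeps only the rules relevant to the
# scope a given firewall is mapped to. All names, IPs and ports are constructed.
from dataclasses import dataclass, field


@dataclass
class Scope:
    """A node in the scope tree; workloads are the addresses directly in this scope."""
    name: str
    workloads: set = field(default_factory=set)
    children: list = field(default_factory=list)

    def all_workloads(self) -> set:
        """Workloads in this scope and in every scope below it (the hierarchy rule)."""
        found = set(self.workloads)
        for child in self.children:
            found |= child.all_workloads()
        return found

    def find(self, name: str):
        """Depth-first lookup of a scope by name; returns None if absent."""
        if self.name == name:
            return self
        for child in self.children:
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


@dataclass(frozen=True)
class Rule:
    """One concrete firewall rule produced from an intent."""
    src: str
    dst: str
    port: str    # "any" or a port number as text
    action: str  # "allow" or "deny"


def expand_intent(root: Scope, src_scope: str, dst_scope: str, port: str, action: str) -> set:
    """Translate a human intent such as 'Production cannot talk to Non-Production'
    into one rule per (source workload, destination workload) pair."""
    sources = root.find(src_scope).all_workloads()
    destinations = root.find(dst_scope).all_workloads()
    return {Rule(s, d, port, action) for s in sources for d in destinations}


def rules_for_firewall(rules: set, root: Scope, mapped_scope: str) -> set:
    """Topology awareness: a firewall mapped to a scope receives only the rules in
    which one side is a workload under that scope; every other rule would only
    add audit noise on that device."""
    members = root.find(mapped_scope).all_workloads()
    return {r for r in rules if r.src in members or r.dst in members}


def build_example():
    """Constructed scope tree and intents; returns (root, full common policy)."""
    root = Scope("Org", children=[
        Scope("Production", children=[
            Scope("Finance", {"10.1.0.10", "10.1.0.11"}),
            Scope("HR", {"10.1.1.10"}),
        ]),
        Scope("Non-Production", children=[
            Scope("Dev", {"10.2.0.10"}),
            Scope("Legacy", {"10.3.0.5"}),  # agentless workload behind a firewall
        ]),
    ])
    rules = set()
    rules |= expand_intent(root, "Production", "Non-Production", "any", "deny")
    rules |= expand_intent(root, "Dev", "Legacy", "1433", "allow")
    return root, rules


if __name__ == "__main__":
    root, rules = build_example()
    print(f"common policy: {len(rules)} rules")
    for fw_scope in ("Legacy", "Finance", "HR"):
        subset = rules_for_firewall(rules, root, fw_scope)
        print(f"firewall mapped to {fw_scope}: {len(subset)} rules")
```

The common policy expands to seven rules, but a firewall mapped to the Legacy scope receives only the four that involve the legacy workload, and one mapped to HR receives just two. That reduction is the whole point of the mapping: every rule that lands on the firewall is traceable to a workload the firewall actually fronts, which is what a rule audit wants to see.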
Key takeaways
Operationalizing a zero trust microsegmentation strategy is not trivial, but Secure Workload has a proven track record of making this a practical reality by adapting to the needs of each persona, such as Network/NetSec admins, Workload/Apps owners, Cloud Architects, and Cloud-Native engineers, all from one solution.
With topology awareness, you can:
- Meet compliance and audit requirements for firewall rules
- Protect and leverage your current investment in network firewalls
- Operationalize your zero trust microsegmentation strategy using both agent and agentless approaches
For more information on agentless enforcement, please read: Secure Workload and Secure Firewall Deliver Unified Segmentation blog
Want to learn more? Find out more by checking out our Secure Workload resources.
We'd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!