Cisco Cloud Native Security – Part 1, Going Up the Stack from Infrastructure to Application




In this blog we introduce the Cisco Cloud Native Security SPOT-On demo video series. In this series we will take you through how to provide a cloud native infrastructure to run applications. We will look at what tools are needed to make this happen and, most importantly, how we can secure these environments using the Cisco Secure portfolio.

In this part 1 of the series, we will introduce:

  • what we will be building
  • what kinds of security technologies we will be implementing
  • how the Cisco Secure portfolio provides visibility and security policy in a cloud native environment.

Each blog in the series will include a demo video! You can also find more information at Cisco Application-First Security.

What and where will we be building?

First, we need somewhere to deploy our infrastructure. We will be deploying our infrastructure in Amazon Web Services (AWS). In AWS we will provision a Virtual Private Cloud (VPC) with all the necessary subnets, security groups, interfaces, route tables, internet gateways, elastic IP addresses, and elastic compute (EC2) instances. We will also be deploying an Elastic Kubernetes Service (EKS) cluster to manage and orchestrate our cloud native applications. There will be two EC2 instances provisioned: the first will host our Next Generation Firewall, and the second will host the EKS worker node, which will host our microservices applications.

Figure: Secure Cloud Native

What tools do we need?

We also need some tools to help us with provisioning and configuring the environment. We built a DevBox with all the necessary DevOps tools to accomplish this. On this DevBox we will install the latest versions of Terraform, Ansible, Jenkins and the AWS CLI. We will use Terraform and the AWS CLI to provision the cloud infrastructure and applications. Ansible will be used to configure the Next Generation Firewall policy. Jenkins will automate and orchestrate the build and deployment of the environment. Other tools we will be using include GitHub for source code management and version control, Docker for deploying Ansible playbooks and Python scripts in our CI/CD pipeline, and the Kubernetes CLI (kubectl) to monitor and manage the cluster itself.

How to secure cloud native environments?

Securing the cloud native environment can become a little bit tricky. What exactly are we trying to secure? There are so many questions that can come up when deploying your cloud-native app in AWS (or another IaaS provider):

  • Are we securing the public cloud infrastructure? Or the Kubernetes cluster? Or the microservices running in the cluster? Or how about the containers and the apps running inside the containers?
  • What about the APIs (Application Programming Interfaces) they are exposing? What about the authentication and authorization of the APIs?
  • How is the data encrypted in transit and at rest?
  • How many connections or requests can the app support?
  • Are there any vulnerable libraries being used in these apps?

Luckily for us, the Cisco Secure portfolio provides solutions for all these questions.

Different solutions for different use cases

In this series we will start with the infrastructure and make our way up the stack to the application and users. Depending on the deployment, some of the infrastructure layers might not be managed (e.g., in serverless computing deployments). Therefore, it is important to note that not all of these solutions will be needed for every cloud-native deployment. During this blog series, we will explain the different use cases, and when you need which solution. Check the diagram below to see how the different solutions play a role in the application stack.

Figure: Secure Cloud Native
Different solutions play different roles in the application stack

From infrastructure to application – going up the stack

At a high level, going up the stack from the infrastructure to the application looks like this:

  1. We will secure the cloud edge using Cisco Secure Firewall (NGFW), which will be provisioned on an EC2 instance that will be the entry point into the VPC. The NGFW will provide North/South layer 3-7 access control, intrusion prevention, and anti-malware protections to and from our applications. This solution provides an option to secure the cloud infrastructure (AWS VPC) itself. The other option is to deploy Cisco Secure Firewall Cloud Native (SFCN) directly into the Kubernetes cluster. SFCN is a full NGFW, built to run in a managed Kubernetes environment in public cloud. This provides automated scaling features for security services based on demand.
  2. We will also dive into other emerging technologies such as Cloud Security Posture Management (CSPM) using Cisco Secure Cloud Insights. Secure Cloud Insights gives us full visibility into cloud security posture while continuously monitoring and detecting policy violations and misconfigurations and mapping relationships between all assets to understand the complete attack surface.
  3. We will then provide visibility and security analytics into the cloud infrastructure and Kubernetes cluster using Cisco Secure Cloud Analytics (SCA). SCA detects indicators of compromise such as insider threat activity and malware across the microservices environment. This solution gives us the option to secure public cloud (AWS VPC) and cloud native (Kubernetes) infrastructures. SCA also has integration with serverless computing platforms such as AWS Lambda.
  4. Cisco Secure Workload can provide micro-segmentation in the cloud infrastructure and micro-service applications. Secure Workload can be deployed using an agent on the cloud instances (EC2) or a daemonset on the Kubernetes cluster. This solution provides options to segment cloud instances and micro-apps at Layer 3-4, meaning policy is still being enforced by IP address and service port.
  5. Cisco Secure Application for cloud native will deliver Kubernetes and container security, providing CI/CD pipeline integration and API visibility and risk detection. Since this solution is a container security solution, it can be used with your Kubernetes cluster.
  6. Now we will secure the application itself by detecting code dependencies while continuously monitoring vulnerabilities and blocking exploits all during application runtime using Cisco Secure Application for AppD. Cisco Secure Application is part of the AppDynamics suite and runs on its Application Performance Monitor (APM), which is deployed in the application code. Since this solution is embedded in the application runtime via an agent, it can be used wherever the application is running.
  7. Using Cisco Secure Access by Duo will establish user-device trust and highly secure access to applications to help you identify corporate versus personal devices with easy certificate deployment, block untrusted endpoints, and give users secure access to internal applications without using VPNs. Additionally, Duo Network Gateway provides granular user and endpoint access control to CI/CD applications and infrastructure over HTTPS, SSH and RDP.
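The VPC layout described under "What and where will we be building?" and the NGFW-as-entry-point design in item 1 above, as an added Terraform example that is not the series' own code. It is simplified to a single firewall interface; the CIDRs, availability zone and AMI id are constructed placeholders, and it assumes the hashicorp/aws provider.

```hcl
# Added example, not the series' own Terraform. CIDRs, AZ and AMI id are
# constructed placeholders; assumes the hashicorp/aws provider.
provider "aws" { region = "us-east-1" }
resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" }
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.main.id }

# Outside subnet hosts the NGFW; inside subnet hosts the EKS worker node.
resource "aws_subnet" "outside" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-1a"
}
resource "aws_subnet" "inside" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-east-1a"
}
# Only the outside subnet gets a route to the internet gateway.
resource "aws_route_table" "outside" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "outside" {
  subnet_id      = aws_subnet.outside.id
  route_table_id = aws_route_table.outside.id
}
# NGFW instance: source/dest check must be off or AWS drops forwarded packets.
resource "aws_instance" "ngfw" {
  ami               = "ami-PLACEHOLDER-NGFW"
  instance_type     = "c5.xlarge"
  subnet_id         = aws_subnet.outside.id
  source_dest_check = false
}

# The inside subnet's default route targets the NGFW's ENI, so every
# North/South flow from the worker node is inspected by the firewall.
resource "aws_route_table" "inside" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_instance.ngfw.primary_network_interface_id
  }
}
resource "aws_route_table_association" "inside" {
  subnet_id      = aws_subnet.inside.id
  route_table_id = aws_route_table.inside.id
}
```

After `terraform apply`, a worker node in the inside subnet has no path to the internet gateway except through the NGFW, which is the property the series relies on for North/South access control.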

Follow the series

This is the first blog in my 3-part Cisco Cloud Native Security series. Each blog will introduce the next demo video. Check out the first video, Cisco Secure Cloud Native Security – Part 1 – Introduction, for more detailed information and a demo. And please visit the Cisco Application-First Security site for access to tools, learning labs, and more information. Got questions, or things you'd like to discuss? Join us in the Security Developer Community.


Cisco Secure Cloud Native Security – Part 1 – Introduction

