In the middle of last year, Cisco held an event in New York to launch its newest product, Tetration. The product moved Cisco into the analytics market: the telemetry it collects is used to help customers understand application performance and improve data center security.
This week, Cisco announced the next version of Tetration Analytics, which is focused on enforcing security policy at the application layer. Cisco also released new deployment options to make it easier for customers to get started with Tetration.
Securing applications is an equation that has become increasingly complex because the number of variables continues to grow. Historically, application infrastructure was deployed in silos, making it straightforward to secure. In this digital era where continuous deployment, microservices and application mobility have become the norm, it becomes exponentially more difficult to secure.
An easy way to think about the problem is that applications are becoming more dynamic and distributed, but security tools are not. When an application or one of its components moves, the security controls must follow it, and that is hard to do with traditional security technology that keys policy to a fixed network location.
Policy enforcement at the application layer
Cisco’s latest software release for Tetration Analytics provides consistent policy enforcement at the application layer. The policies can be enforced on any type of infrastructure, including virtual machines, bare metal servers, public cloud or private cloud, across any vendor’s infrastructure. Tetration accomplishes this by binding policies to workload characteristics, such as a specific department, user or location, and ensuring the policies follow the workload when it moves. Traditionally a policy is tied to an IP address and port and has to be rewritten whenever the workload changes address; Tetration automates that translation so the enforced rules are updated in real time.
The most obvious use case for this is improving a company’s security posture through application segmentation. As I pointed out in an earlier post, segmentation of all kinds is becoming an increasingly popular way of securing a business. Historically, Cisco has been one of the leaders in network segmentation through ACLs, VLANs and TrustSec. Tetration segmentation is done at the application layer, so policies can be applied anywhere the application lives. Cisco can also push the policies to third-party firewalls so that application segmentation is orchestrated together with network segmentation.
One of the most challenging aspects of segmentation is knowing what to segment and how to apply it. Tetration automates this by collecting data from servers, Cisco network infrastructure, load balancers, IP address management tools, DNS configuration and other sources. It then analyzes the observed application dependencies and outputs an application segmentation policy. There are many segmentation products on the market; what sets Tetration apart is the analytics component, which tells customers what policy to apply so that it can then be enforced consistently across the other domains.
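The two ideas above (a policy bound to workload labels rather than to addresses, and a policy derived from observed flows) are easier to see in code. The following is an added illustration written for this article, not Tetration’s own code or API; the inventory, labels, flow records and label keys are constructed for the example. It derives an allow-list policy from observed flows, expresses it in terms of workload labels, compiles it to concrete IP/port rules for the current inventory, recompiles after a workload moves and a new instance appears, and flags a flow that the policy does not cover.

```python
"""Label-bound segmentation policy: an illustration, not Tetration code.

Constructed scenario: a three-tier "shop" application. Flows are observed
between workloads, each workload carries labels, and the policy is written in
label selectors so that it survives a workload changing its IP address.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# A selector is a set of (key, value) label pairs a workload must carry.
Selector = FrozenSet[Tuple[str, str]]


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: Selector

    def matches(self, selector: Selector) -> bool:
        # A workload matches when it carries every label in the selector.
        return selector <= self.labels


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    """One allow rule, expressed in labels rather than addresses."""
    src: Selector
    dst: Selector
    dst_port: int
    proto: str


# Label keys the policy is written against (assumed for this example).
POLICY_KEYS = ("app", "tier")


def lbl(**kv: str) -> Selector:
    return frozenset(kv.items())


def by_ip(workloads: Iterable[Workload]) -> Dict[str, Workload]:
    return {w.ip: w for w in workloads}


def project(labels: Selector) -> Selector:
    # Keep only the label keys the policy is written against.
    return frozenset((k, v) for k, v in labels if k in POLICY_KEYS)


def derive_policy(flows: Iterable[Flow], workloads: Iterable[Workload]) -> Set[Rule]:
    """Turn observed flows between known workloads into label-based allow rules."""
    inv = by_ip(workloads)
    rules: Set[Rule] = set()
    for f in flows:
        src, dst = inv.get(f.src_ip), inv.get(f.dst_ip)
        if src is None or dst is None:
            continue  # unknown endpoint: never silently turned into an allow rule
        rules.add(Rule(project(src.labels), project(dst.labels), f.dst_port, f.proto))
    return rules


def compile_rules(policy: Iterable[Rule], workloads: Iterable[Workload]) -> Set[Tuple[str, str, int, str]]:
    """Resolve label rules to (src_ip, dst_ip, dst_port, proto) for the current inventory.

    Re-running this after a workload moves yields the updated address-level
    rules; the label-based policy itself does not change.
    """
    inventory = list(workloads)
    out: Set[Tuple[str, str, int, str]] = set()
    for r in policy:
        for s in inventory:
            if not s.matches(r.src):
                continue
            for d in inventory:
                if d.ip != s.ip and d.matches(r.dst):
                    out.add((s.ip, d.ip, r.dst_port, r.proto))
    return out


def is_allowed(flow: Flow, policy: Iterable[Rule], workloads: Iterable[Workload]) -> bool:
    inv = by_ip(workloads)
    src, dst = inv.get(flow.src_ip), inv.get(flow.dst_ip)
    if src is None or dst is None:
        return False  # default deny for anything outside the inventory
    return any(src.matches(r.src) and dst.matches(r.dst)
               and r.dst_port == flow.dst_port and r.proto == flow.proto
               for r in policy)


def find_deviations(flows: Iterable[Flow], policy: Iterable[Rule], workloads: Iterable[Workload]) -> List[Flow]:
    """Flows not covered by the policy: candidates for a breach or a missing dependency."""
    return [f for f in flows if not is_allowed(f, policy, workloads)]


# Constructed inventory and flow records for the example.
INVENTORY_V1 = [
    Workload("web1", "10.0.1.10", lbl(app="shop", tier="web", env="prod")),
    Workload("app1", "10.0.2.10", lbl(app="shop", tier="app", env="prod")),
    Workload("db1", "10.0.3.10", lbl(app="shop", tier="db", env="prod")),
]
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.10", 8080, "tcp"),
    Flow("10.0.2.10", "10.0.3.10", 5432, "tcp"),
]
# Later: app1 has moved to a new address and a second app-tier instance exists.
INVENTORY_V2 = [
    Workload("web1", "10.0.1.10", lbl(app="shop", tier="web", env="prod")),
    Workload("app1", "10.0.2.55", lbl(app="shop", tier="app", env="prod")),
    Workload("app2", "10.0.2.56", lbl(app="shop", tier="app", env="prod")),
    Workload("db1", "10.0.3.10", lbl(app="shop", tier="db", env="prod")),
]

if __name__ == "__main__":
    policy = derive_policy(OBSERVED_FLOWS, INVENTORY_V1)
    print("label policy:", sorted(map(str, policy)))
    print("rules v1:", sorted(compile_rules(policy, INVENTORY_V1)))
    print("rules v2:", sorted(compile_rules(policy, INVENTORY_V2)))
    suspicious = Flow("10.0.1.10", "10.0.3.10", 5432, "tcp")  # web talking straight to the DB
    print("deviations:", find_deviations([suspicious], policy, INVENTORY_V2))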
Tetration also provides a rich “single pane of glass” to give customers a continuous view of the environment and how things change over time.
As part of this launch, Cisco is delivering new deployment models. The Tetration solution available at its first launch was a massive, full rack of equipment that included 36 UCS C-220 servers and three Nexus 9300 switches, and it was designed for environments of up to 10,000 workloads.
Cisco now offers a small form factor version designed for under 1,000 workloads that includes six UCS C-220 servers and two Nexus 9300 switches. There is also a virtual appliance that runs in Amazon Web Services (AWS) for up to 1,000 workloads. Although no mention was made of this, I assume a Microsoft Azure version is close behind.
One other interesting element of this launch is platform extensibility via APIs. Cisco customers and ecosystem partners can write their own applications that access the data stored in Tetration. Businesses can also apply their own analytics algorithms to generate customized data exports and notifications. Cisco announced several ecosystem partners, including AlgoSec, Citrix, F5, Infoblox, ServiceNow, Tufin and the Dell Converged Infrastructure Group (formerly VCE).
Segmentation is no longer a choice. It’s something companies need to embrace to meet the demands of an increasingly digital world. Tetration provides a single pane of glass to automate and enforce security policies based on contextual information.
Tetration 2.0 features
According to Cisco, customers that deploy Tetration will realize the following benefits:
- Visibility into application dependencies in the data center and out to the cloud
- Shift from reactive to proactive management by understanding the impact of changes before they are implemented
- Continuous monitoring of applications’ behavior and the ability to quickly spot deviations that could cause performance problems or indicate a breach
- Enforcement of security policies at the application layer