In this blog we introduce the Cisco Cloud Native Security SPOT-On demo video series. In this series we'll take you through building a cloud native infrastructure to run applications. We'll look at what tools are needed to make this happen and, most importantly, how we can secure these environments using the Cisco Secure portfolio.
In this part 1 of the series, we'll introduce:
- what we will be building
- what types of security technologies we will be implementing
- how the Cisco Secure portfolio provides visibility and security policy in a cloud native environment.
Each blog in the series will include a demo video! You can also find more information at Cisco Application-First Security.
What and where will we be building?
First, we need somewhere to deploy our infrastructure. We will be deploying our infrastructure in Amazon Web Services (AWS). In AWS we'll provision a Virtual Private Cloud (VPC) with all the required subnets, security groups, interfaces, route tables, internet gateways, elastic IP addresses, and Elastic Compute (EC2) instances. We will also be deploying an Elastic Kubernetes Service (EKS) cluster to manage and orchestrate our cloud native applications. There will be two EC2 instances provisioned: the first will host our Next Generation Firewall, and the second will host the EKS worker node, which will run our microservices applications.
What tools do we need?
We also need some tools to help us with provisioning and configuring the environment. We built a DevBox with all the required DevOps tools to accomplish this. On this DevBox we'll install the latest versions of Terraform, Ansible, Jenkins and the AWS CLI. We'll use Terraform and the AWS CLI to provision the cloud infrastructure and applications. Ansible will be used to configure the Next Generation Firewall policy. Jenkins will automate and orchestrate the build and deployment of the environment. Other tools we will be using include GitHub for source code management and version control, Docker for running Ansible playbooks and Python scripts in our CI/CD pipeline, and the Kubernetes CLI (kubectl) to monitor and manage the cluster itself.
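To make the VPC layout and the Terraform step concrete, here is an added example (it is not code from the original post or from Cisco) of how the pieces listed above fit together in Terraform: a VPC, a public and a private subnet, an internet gateway, route tables, a security group, the two firewall interfaces, an elastic IP and the firewall EC2 instance. Everything in it is an assumption: the resource names, the 10.0.0.0/16 addressing, the us-east-1a availability zone, the c5.xlarge instance type, the `ami-PLACEHOLDER` AMI id (substitute the firewall image you actually use), and the region, which is read from the AWS CLI environment rather than declared here. The EKS worker node and cluster are deliberately left out.

```hcl
# Added example, not from the original post: Terraform for the VPC above. AZ,
# CIDRs, AMI id and instance type are assumptions; region comes from the AWS CLI env.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}
# Public subnet: NGFW outside interface. Private subnet: NGFW inside interface
# and the EKS worker node. Same AZ, because one instance owns both ENIs.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-1a"
}
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-east-1a"
}
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
# The private default route points at the firewall's inside ENI, so every
# North/South flow from the worker node is inspected by the NGFW.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_network_interface.ngfw_inside.id
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# One security group for both firewall ENIs: only the published service port is
# reachable from the internet; traffic from inside the VPC is handed to the
# NGFW, whose own policy (pushed later with Ansible) does the real filtering.
resource "aws_security_group" "ngfw" {
  name   = "ngfw"
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# source_dest_check must be off on both ENIs or AWS drops forwarded packets.
resource "aws_network_interface" "ngfw_outside" {
  subnet_id         = aws_subnet.public.id
  security_groups   = [aws_security_group.ngfw.id]
  source_dest_check = false
}
resource "aws_network_interface" "ngfw_inside" {
  subnet_id         = aws_subnet.private.id
  security_groups   = [aws_security_group.ngfw.id]
  source_dest_check = false
}
resource "aws_eip" "ngfw" {
  domain            = "vpc"
  network_interface = aws_network_interface.ngfw_outside.id
}

resource "aws_instance" "ngfw" {
  ami           = "ami-PLACEHOLDER" # placeholder: the firewall's AMI id
  instance_type = "c5.xlarge"       # assumption
  network_interface {
    device_index         = 0
    network_interface_id = aws_network_interface.ngfw_outside.id
  }
  network_interface {
    device_index         = 1
    network_interface_id = aws_network_interface.ngfw_inside.id
  }
}
```

Run it with `terraform init` followed by `terraform plan` and `terraform apply` from a shell where the AWS CLI credentials and region are already set. Two details matter for the security design: the private route table's default route is the firewall's inside interface rather than the internet gateway, which is what forces the worker node's North/South traffic through the NGFW, and `source_dest_check = false` on both interfaces, without which AWS silently discards the packets the firewall forwards. The security group is intentionally coarse, because in this design Layer 3-7 access control is the firewall's job, not the VPC's.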
How do we secure cloud native environments?
Securing the cloud native environment can become a little bit tricky. What exactly are we trying to secure? There are so many questions that can arise when deploying your cloud-native app in AWS (or another IaaS provider):
- Are we securing the public cloud infrastructure? Or the Kubernetes cluster? Or the microservices running in the cluster? Or what about the containers and the apps running inside the containers?
- What about the APIs (Application Programming Interfaces) they're exposing? What about the authentication and authorization of the APIs?
- How is the data encrypted in transit and at rest?
- How many connections or requests can the app support?
- Are there any vulnerable libraries being used in these apps?
Luckily for us, the Cisco Secure portfolio provides solutions for all these questions.
Different solutions for different use cases
In this series we'll start with the infrastructure and make our way up the stack to the application and users. Depending on the deployment, some of the infrastructure layers might not be managed by you (e.g., in serverless computing deployments). Therefore, it is important to note that not all of these solutions will be needed for every cloud-native deployment. Throughout this blog series, we'll explain the different use cases, and when you need which solution. Check the diagram below to see how the different solutions play a role in the application stack.
Different solutions play different roles in the application stack
From infrastructure to application – going up the stack
At a high level, going up the stack from the infrastructure to the application looks like this:
- We'll secure the cloud edge using Cisco Secure Firewall (NGFW), which will be provisioned on an EC2 instance that will be the entry point into the VPC. The NGFW will provide North/South layer 3-7 access control, intrusion prevention, and anti-malware protections to and from our applications. This solution provides an option to secure the cloud infrastructure (AWS VPC) itself. The other option is to deploy Cisco Secure Firewall Cloud Native (SFCN) directly into the Kubernetes cluster. SFCN is a full NGFW, built to run in a managed Kubernetes environment in public cloud. This provides automated scaling options for security services based on demand.
- We will also dive into other emerging technologies such as Cloud Security Posture Management (CSPM) using Cisco Secure Cloud Insights. Secure Cloud Insights gives us full visibility into cloud security posture while continuously monitoring and detecting policy violations and misconfigurations and mapping relationships between all assets to understand the entire attack surface.
- We'll then provide visibility and security analytics into the cloud infrastructure and Kubernetes cluster using Cisco Secure Cloud Analytics (SCA). SCA detects indications of compromise such as insider threat activity and malware across the microservices environment. This solution gives us the option to secure public cloud (AWS VPC) and cloud native (Kubernetes) infrastructures. SCA also integrates with serverless computing platforms such as AWS Lambda.
- Cisco Secure Workload can provide micro-segmentation in the cloud infrastructure and microservice applications. Secure Workload can be deployed using an agent on the cloud instances (EC2) or a DaemonSet on the Kubernetes cluster. This solution provides options to segment cloud instances and micro-apps at Layer 3-4, meaning policy is still enforced by IP address and service port.
- Cisco Secure Application for cloud native will deliver Kubernetes and container security, providing CI/CD pipeline integration, API visibility and risk detection. Since this solution is a container security solution, it can be used with your Kubernetes cluster.
- Next we'll secure the application itself by detecting code dependencies while continuously monitoring vulnerabilities and blocking exploits during application runtime using Cisco Secure Application for AppD. Cisco Secure Application is part of the AppDynamics suite and runs on its Application Performance Monitor (APM), which is deployed in the application code. Since this solution is embedded in the application runtime via an agent, it can be used wherever the application is running.
- Using Cisco Secure Access by Duo will establish user-device trust and highly secure access to applications, helping you identify corporate versus personal devices with easy certificate deployment, block untrusted endpoints, and give users secure access to internal applications without using VPNs. Additionally, Duo Network Gateway provides granular user and endpoint access control to CI/CD applications and infrastructure over HTTPS, SSH and RDP.
Follow the series
This is the first blog in my 3-part Cisco Cloud Native Security series. Each blog will introduce the next demo video. Check out the first video, Cisco Secure Cloud Native Security – Part 1 – Introduction, for more detailed information and a demo. And please visit the Cisco Application-First Security website for access to tools, learning labs, and more information. Got questions, or things you'd like to discuss? Join us in the Security Developer Community.
Cisco Secure Cloud Native Security – Part 1 – Introduction