Zero Trust Micro-Segmentation with Cisco

The document discusses Zero Trust Micro Segmentation and Secure Workload, detailing the transition from bare metal to cloud-native security. It outlines the challenges of policy control across various environments and emphasizes the importance of a centralized policy engine for enforcing security measures. Additionally, it highlights the benefits of a top-down segmentation approach and introduces new features and integrations for cloud and container security.

Zero Trust Micro Segmentation with Secure Workload
Journey from Baremetal to Cloud-Native Security

Jorge Quintero
Technical Marketing Engineer
14/07/2022
Learning Objectives

1. Understand micro segmentation challenges and the Secure Workload solution approach
2. Map Zero Trust frameworks to Secure Workload
3. Articulate the benefits of Secure Workload as a centralized common policy engine, policy administration and policy lifecycle
4. Identify policy enforcement points and their capabilities
Ransomware Unleashed

1. Initial Access
2. Lateral Movement
3. Encryption
4. Exfiltration

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Policy Control Challenges

Security domains and their owners:
• Network Security: NetOps/SecOps
• Server/VM Security: Server/VM Admin
• Cloud Security: Cloud Architect
• Cloud-Native Security: DevSecOps

Organizational challenges:
• People: multiple teams, organizations and environments
• Process and Technology: inconsistent islands of policy controls across environments
Application and Workload Security Transition

Timeline of abstraction (before 2006, 2006, 2014, 2018, 2021, 2022): baremetal, then virtual machines, then containers, then Kubernetes "crossing the chasm", then microservices going mainstream.

• Baremetal: hardware-based application protection
• Cloud-IaaS: scale
• Cloud-Native: evolution through refactoring and rearchitecting

Secure Workload spans all four security domains and their owners: Network Security (NetOps/SecOps), Server/VM Security (Server/VM Admin), Cloud Security (Cloud Architect) and Cloud-Native Security (DevSecOps).
Secure Workload – Breaking Down Silos

Policy lifecycle: Discover/Define → Simulate/Test → Enforce → Compliance

What each persona gets:
• NetOps/SecOps: full visibility and control; guardrails for app owners; compliance
• DevSecOps: security at application speed; full visibility and automation
• Cloud Architect: secure cloud apps; full visibility and automation
• Server Admin: secure traditional tiered and monolithic applications
Zero Trust Frameworks and Secure Workload

Secure Workload Zero Trust Capabilities

Establish Trust
• Agent and agentless visibility
• Behavior and risk monitoring
• Automatically discovered policy
• AI/ML-based grouping

Enforce Trust-Based Access
• Across bare metal, VMs and containers
• Across on-prem and public cloud
• Across firewalls, load balancers and security groups

Continuously Verify Trust
• New application communications
• New vulnerability landscape
• Application migrations
• Re-assessment of trust

Respond to Change in Trust
• Policy versioning
• Quarantining
• New policy enforcement

Pillars: User & Device Security, Network & Cloud Security, Application & Data Security
Cisco Secure Workload and NIST 800-207

Secure Workload capabilities mapped onto the NIST 800-207 logical components:

• Automated integration (inventory and context sources): ServiceNow, vCenter, AWS, Azure, GCP, Kubernetes, firewalls and load balancers, Cisco ISE & AnyConnect, Infoblox, DNS
• Inventory and annotations: unlimited automated annotations, up to 32 custom annotations
• Policy engine: hierarchical, ML-automated, dynamic
• Policy administration: role-based, decentralized
• Policy decision and enforcement: Secure Workload cluster and user interface; Secure Workload segmentation policies; Secure Workload orchestrates and enforces distributed policy via the native host firewall, cloud and network
• Industry and enterprise compliance policies combined with application policies
• Identity learned from AD, ISE and AnyConnect
• Cryptography used for securing agent, workload and cluster communication
• Threat intelligence: NIST CVE & RDS, Zeus Botnet, ReversingLabs
• Activity logs: complete visibility with always-on logs of users, flows and processes; events sent to the SIEM
• Subjects: user, device or workload, owned by the enterprise or BYOD, on the enterprise network or a public network
• Enterprise resources: servers, virtual machines, containers, databases, appliances, SaaS systems, data
Secure Workload Approach to NIST Zero Trust

Centralized policy control plane (Secure Workload function for each NIST 800-207 role):
1. Visibility: telemetry collected from the distributed data plane
2. Policy discovery
3. Policy decision point: Secure Workload policy engine, with context
4. Policy analysis and policy administration
5. Enforcement: distributed policy pushed to the policy enforcement points (PEP) on host, cloud and network

Inputs to the policy engine: CDM system, industry compliance, threat intelligence, activity logs, data access policy, PKI, identity management, SIEM system.

Distributed enforcement data plane: untrusted subjects reach enterprise systems only through the PEPs on host, cloud and network.
Zero Trust Segmentation – Where to Start?

Zero Trust Segmentation Approaches

Common approach, bottom-up: pick an app and do reverse-discovery
• Extensive time performing reverse discovery
• Dependency on existing inventory
• Complex approval process
• Continuous app owner engagement for changes

Top-down: define and segment trust zones first, as a hierarchy
• Region (US, EMEAR) → DC → Environment (A, B, C) → Application (A, B)
Benefits of a Top-Down Segmentation Approach

• Aligns with Zero-Trust Architecture to define and segment trust zones first
• Value realization starts faster when paired with a phased approach
• Has fewer dependencies on customer data set maturity
• Provides a pathway to granular application policy

Phased top-down example: EMEAR → DC → Env A, B, C → App A
Top-Down: Phased Approach

Phase 1: Global Policy
• Delegated responsibility (e.g. NetSec)
• Define global policies to protect against high-risk protocols such as RDP and SMB
• Common policy for all workloads
• Reduce attack surface and restrict unused open ports
• Reactive: prevent spread of ransomware to uninfected systems
Examples: Users → Internal Networks, RDP (3389); Internal Networks → Approved File Shares, SMB (445); Internal Networks → AD, AD ports; Internal Networks → DNS, UDP 53; Ansible → Workloads, SSH (22); Internal Networks and Secure Management, Deny All

Phase 2: Zone to Zone Policy
• Delegated responsibility (e.g. InfoSec Team)
• Define zones
• Limit scope of malware proliferation
• Application-to-Zone policy
Examples: OT → Internal IT, Any Protocol; Production → Development, Any Protocol; PCI → OOS PCI, Any Protocol; Internet → Web, HTTPS (443)

Phase 3: Application Policy
• Application policy bounded by higher-level policies
• Intra-zone and Application-to-Application policy
• Automatically generate, verify and enforce allow-list policy
• Deny anything else
Examples: Web → App, Application Protocols; App → DB (CDE), SQL (3306)
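The three phases above form a precedence order: a global guardrail wins over a zone rule, a zone rule bounds what an application policy may allow, and anything no tier allows is denied. The following evaluator is an added illustration of that ordering, not Secure Workload code; the label names, workloads and rules are hypothetical and follow the examples on the slide.

```python
"""Tiered allow-list policy: global guardrails > zone-to-zone > application, then deny anything else.

Added illustration, not Secure Workload code. Labels, workloads and rules are hypothetical.
"""
from dataclasses import dataclass

# Precedence of the three phases: a lower number wins over a higher one.
TIER_ORDER = {"global": 0, "zone": 1, "app": 2}


@dataclass(frozen=True)
class Workload:
    name: str
    labels: dict  # inventory/tag context, e.g. {"zone": "Production", "app": "Invoice", "tier": "Web"}


@dataclass(frozen=True)
class Rule:
    tier: str                       # "global", "zone" or "app"
    action: str                     # "allow" or "deny"
    src: dict                       # label selector for the consumer; {} matches any workload
    dst: dict                       # label selector for the provider; {} matches any workload
    proto: str = "any"              # "tcp", "udp" or "any"
    ports: frozenset = frozenset()  # empty means any destination port


@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    proto: str
    port: int


def selector_matches(selector: dict, labels: dict) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (selector_matches(rule.src, flow.src.labels)
            and selector_matches(rule.dst, flow.dst.labels)
            and rule.proto in ("any", flow.proto)
            and (not rule.ports or flow.port in rule.ports))


def evaluate(policy: list, flow: Flow):
    """First matching rule in tier precedence decides; within a tier, list order decides.
    Returns (action, tier); tier is None when the implicit catch-all deny fired."""
    for rule in sorted(policy, key=lambda r: TIER_ORDER[r.tier]):  # stable sort keeps in-tier order
        if rule_matches(rule, flow):
            return rule.action, rule.tier
    return "deny", None


# Phase 1 (NetSec): common guardrails. Phase 2 (InfoSec): zone boundaries. Phase 3 (app owners): tiers.
POLICY = [
    Rule("global", "allow", {}, {"role": "ApprovedFileShare"}, "tcp", frozenset({445})),
    Rule("global", "deny", {}, {}, "tcp", frozenset({445})),   # SMB anywhere else
    Rule("global", "deny", {}, {}, "tcp", frozenset({3389})),  # RDP anywhere
    Rule("global", "allow", {"role": "Ansible"}, {}, "tcp", frozenset({22})),
    Rule("global", "allow", {}, {"role": "DNS"}, "udp", frozenset({53})),
    Rule("zone", "deny", {"zone": "Production"}, {"zone": "Development"}),
    Rule("zone", "allow", {"zone": "Internet"}, {"tier": "Web"}, "tcp", frozenset({443})),
    Rule("app", "allow", {"app": "Invoice", "tier": "Web"}, {"app": "Invoice", "tier": "App"}, "tcp", frozenset({8081})),
    Rule("app", "allow", {"app": "Invoice", "tier": "App"}, {"app": "Invoice", "tier": "DB"}, "tcp", frozenset({3306})),
]

# Hypothetical inventory.
USERS = Workload("corp-users", {"zone": "Users"})
WEB = Workload("inv-web-01", {"zone": "Production", "app": "Invoice", "tier": "Web"})
APP = Workload("inv-app-01", {"zone": "Production", "app": "Invoice", "tier": "App"})
DB = Workload("inv-db-01", {"zone": "Production", "app": "Invoice", "tier": "DB"})
DEV_DB = Workload("inv-db-dev", {"zone": "Development", "app": "Invoice", "tier": "DB"})
FILESHARE = Workload("fs-01", {"zone": "Internal", "role": "ApprovedFileShare"})
SERVER = Workload("srv-42", {"zone": "Internal"})


def demo() -> dict:
    """Evaluate representative flows; returns {description: (action, tier)}."""
    cases = {
        "users->server RDP": Flow(USERS, SERVER, "tcp", 3389),
        "server->fileshare SMB": Flow(SERVER, FILESHARE, "tcp", 445),
        "server->server SMB": Flow(SERVER, WEB, "tcp", 445),
        "web->app 8081": Flow(WEB, APP, "tcp", 8081),
        "app->db 3306": Flow(APP, DB, "tcp", 3306),
        "web->db 3306 (lateral)": Flow(WEB, DB, "tcp", 3306),
        "prod app->dev db 3306": Flow(APP, DEV_DB, "tcp", 3306),
    }
    return {name: evaluate(POLICY, flow) for name, flow in cases.items()}


if __name__ == "__main__":
    for name, (action, tier) in demo().items():
        print(f"{name:28s} {action:5s} ({tier or 'catch-all'})")
```

The two cases worth noting are the last ones: the web tier reaching the database directly is denied by the catch-all even though both are production Invoice workloads, which is what contains lateral movement, and the production app tier reaching the development database is denied by the zone tier even though a Phase 3 rule would have matched, which is what "bounded by higher-level policies" means in practice.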
What is new?

Secure Workload New Features - Highlights

Agent and Agentless Micro segmentation
• Azure Connector (flow logs, tags, AKS and NSG)
• GCP Connector – GKE support
• DNS/FQDN based segmentation/micro segmentation (visibility only)
• User identity and AD group attribute-based segmentation/micro segmentation
• TLS encryption reporting

Integrations and Ecosystem
• FMC domain awareness, rule re-ordering and meaningful dynamic object naming
• Update on Infoblox integration
• ISE scale enhancements

User Experience
• First-time user experience: segmentation and cloud onboarding workflow
• UX improvements (ADM, labels, inventory, traffic flow, datatable)

Containers and Cloud-Native
• Secure Workload CI/CD integration
• CRI-O and containerd Kubernetes runtime support
• K8s Service Type LoadBalancer for visibility
• Cloud-managed K8s - GKE

Agent and Platform
• Golden image support and installer expiration
• Automated stale agent record removal
• Platform IPv6 support – NetFlow, ISE and ERSPAN
• Label management and DBR enhancement


Public Cloud

Public Cloud Connectors
• Support for all major cloud service providers
• Easy way to manage and configure through connectors

• AWS connector: tags import, flow logs, agentless segmentation, EKS
• Azure connector: tags import, flow logs, agentless segmentation, AKS
• GCP connector: GKE


Public Cloud Connector: NEW Azure Connector

Consolidated functionality in one connector: Azure flow logs, tags (e.g. Prod), AKS and Network Security Groups.


NEW Azure Cloud Onboarding

Public Cloud Onboarding – Activate Connector
1. Select Capabilities: the selected capabilities determine the required IAM roles and permissions
2. Roles and Settings: auto-generated template with step-by-step guidance
3. Select VNet: select target VNets and cloud-managed Kubernetes


NEW Azure Agentless Enforcement with NSG

Lifecycle: Discover/Define → Simulate/Test → Enforce → Compliance
• Azure flow logs ingested for visibility and compliance
• Tags ingested for workload context (e.g. Prod, Dev)
• Agentless policy enforcement through Network Security Groups
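To make the discover-then-enforce loop concrete: flow logs show what currently talks to what, imported tags turn addresses into workload context, and the result is an allow-list that is pushed as NSG rules with an explicit catch-all deny. The script below is an added illustration of that loop, not Secure Workload's connector code. The tags, addresses and flow tuples are constructed; the tuple layout follows the first eight fields of an Azure NSG flow log version 2 tuple (timestamp, source IP, destination IP, source port, destination port, protocol T/U, direction I/O, decision A/D) and the remaining fields are ignored. The rule dicts use Azure's `securityRule` property names, but the flow-log-to-rule logic and the handling of high-risk ports are this example's own.

```python
"""Derive a candidate allow-list from NSG flow-log tuples plus imported tags, then emit NSG-style rules.

Added illustration, not Secure Workload code. Tags, IPs and flow tuples are constructed.
"""
from collections import defaultdict

# Constructed tag context, as a cloud connector would import it from the subscription.
TAGS = {
    "10.1.0.4": {"app": "invoice", "tier": "web"},
    "10.1.1.4": {"app": "invoice", "tier": "app"},
    "10.1.2.4": {"app": "invoice", "tier": "db"},
    "10.1.3.9": {"app": "jumpbox", "tier": "mgmt"},
}

# Constructed tuples in the layout of the "flowTuples" entries of an NSG flow log v2 record:
# timestamp,srcIp,dstIp,srcPort,dstPort,proto(T/U),direction(I/O),decision(A/D),state,counters...
SAMPLE_TUPLES = [
    "1657800000,10.1.0.4,10.1.1.4,51234,8081,T,O,A,B,,,,",
    "1657800001,10.1.0.4,10.1.1.4,51235,8081,T,O,A,B,,,,",
    "1657800002,10.1.1.4,10.1.2.4,40001,3306,T,O,A,B,,,,",
    "1657800003,10.1.3.9,10.1.2.4,40002,3389,T,O,A,B,,,,",  # RDP into the DB tier is allowed today
    "1657800004,203.0.113.7,10.1.0.4,44444,443,T,I,A,B,,,,",
    "1657800005,10.1.0.4,10.1.2.4,40003,3306,T,O,D,B,,,,",   # web->db, already denied by the NSG
]

HIGH_RISK_PORTS = {3389: "RDP", 445: "SMB"}


def parse_tuple(line: str) -> dict:
    f = line.split(",")
    return {"ts": int(f[0]), "src": f[1], "dst": f[2], "sport": int(f[3]), "dport": int(f[4]),
            "proto": {"T": "Tcp", "U": "Udp"}[f[5]], "direction": f[6], "decision": f[7]}


def label(ip: str) -> str:
    """Collapse an address to its workload context; untagged addresses are treated as external."""
    t = TAGS.get(ip)
    return f"{t['app']}-{t['tier']}" if t else "external"


def derive_allow_list(tuples) -> dict:
    """Group observed *allowed* flows by (src label, dst label, proto, dport).
    Returns {key: {"hits": n, "src_ips": set, "dst_ips": set}}."""
    out = defaultdict(lambda: {"hits": 0, "src_ips": set(), "dst_ips": set()})
    for line in tuples:
        f = parse_tuple(line)
        if f["decision"] != "A":
            continue  # traffic the NSG already denies must not seed the allow-list
        entry = out[(label(f["src"]), label(f["dst"]), f["proto"], f["dport"])]
        entry["hits"] += 1
        entry["src_ips"].add(f["src"])
        entry["dst_ips"].add(f["dst"])
    return dict(out)


def review_flags(allow_list: dict) -> list:
    """Entries on high-risk ports need a human decision before they become allow rules."""
    return [(k, HIGH_RISK_PORTS[k[3]]) for k in allow_list if k[3] in HIGH_RISK_PORTS]


def to_nsg_rules(allow_list: dict, skip: set = frozenset(), start: int = 100, step: int = 10) -> list:
    """Emit securityRule-shaped dicts: one inbound Allow per entry, then an explicit Deny-all.
    Priorities ascend so the allow-list is evaluated before the catch-all (Azure range 100-4096)."""
    rules, prio = [], start
    for key in sorted(allow_list):
        if key in skip:
            continue
        src, dst, proto, port = key
        entry = allow_list[key]
        rules.append({
            "name": f"allow-{src}-to-{dst}-{proto.lower()}-{port}",
            "priority": prio, "direction": "Inbound", "access": "Allow", "protocol": proto,
            "sourceAddressPrefixes": sorted(entry["src_ips"]),
            "destinationAddressPrefixes": sorted(entry["dst_ips"]),
            "sourcePortRange": "*", "destinationPortRange": str(port),
        })
        prio += step
    rules.append({"name": "deny-all-inbound", "priority": 4000, "direction": "Inbound",
                  "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
                  "destinationAddressPrefix": "*", "sourcePortRange": "*", "destinationPortRange": "*"})
    return rules


if __name__ == "__main__":
    allow = derive_allow_list(SAMPLE_TUPLES)
    flagged = review_flags(allow)
    for key, why in flagged:
        print("review before enforcing:", key, why)
    for r in to_nsg_rules(allow, skip={k for k, _ in flagged}):
        print(r["priority"], r["access"], r["name"])
```

Two checks matter when doing this for real: a flow that the cloud already denies must never be promoted into the allow-list just because it was observed, and "observed" is not the same as "approved", which is why the RDP flow into the database tier is held back for review rather than written as a rule. The Simulate/Test step in the lifecycle is where the generated rules are checked against live flows before the Deny-all is enforced.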


Public Cloud Connector: NEW GCP Connector
Demo: AWS Agentless Enforcement

Demo topology: Users, Proxy Server, Web, DB and NFS components across the Invoice App, the Sapphire App and the Datacenter.
Containers

Kubernetes Cluster Native Support for GKE
• Amazon Elastic Kubernetes Service (EKS): Kubernetes 1.16-1.23 supported
• Azure Kubernetes Service (AKS): Kubernetes 1.16-1.23 supported
• Google Kubernetes Engine (GKE): Kubernetes 1.16-1.23 supported
• OpenShift 4.5-4.9 supported, with the Kubernetes versions supported by OpenShift

Common Kubernetes foundation: consistent support for Kubernetes across multiple public clouds
Containers Visibility and Enforcement

The agent runs as a DaemonSet on each node, above the container runtime and the OS, and provides visibility and enforcement for:
• User to Pod
• Pod to Pod (e.g. front-end, orders, payment, catalogue and queue pods of the demo app)
• Pod to External Networks
Container Runtime: NEW Containerd Support

Kubernetes drives the runtime through the Container Runtime Interface (CRI): docker via dockershim (deprecated from Kubernetes 1.20), containerd, or CRI-O, each of which launches containers through an Open Container Initiative (OCI) runtime such as runc.
• Docker, containerd and CRI-O container runtimes supported
• Kubernetes support up to 1.23
NEW Service Type LoadBalancer for K8s

Traffic → Load Balancer → Service: traffic entering through a Service of type LoadBalancer is now visible.
Demo: Pod-to-Pod Enforcement (Sock Shop)

Sock Shop services: front-end (reached by users), cart, catalogue, payment, user, orders, shipping, queue, queue master.
Secure Workload vs. Panoptica

Coverage: Secure Workload – bare metal, VMs, containers | Panoptica – containers, serverless
Kubernetes: all, any major K8s platform | all, any major K8s platform
Deployment architecture: DaemonSet | pod-based / service mesh
Micro-segmentation: micro-segmentation (BM, VMs, containers), Layer 3 & 4, agent and agentless (agentless policy enforcement for containers on the roadmap) | Istio service mesh (containers), Layer 7 enforcement
Firewall integration: yes (Cisco and 3rd party, e.g. AlgoSec); on-prem agentless policy enforcement | N/A
Dedicated API security: N/A | inventory, OWASP API Top 10
CI/CD integrations: yes | yes
Vulnerability analysis: VM, bare metal | container, serverless; deep at container image level, SBOM, code
Authentication integrations: SecOps focused | developer focused
Primary competitors: VMware NSX, Illumio, Guardicore, Palo Alto Prisma Cloud, Zscaler | Palo Alto Prisma Cloud, Aqua, Sysdig, Styra, VMware (Mesh7 & Octarine acquisitions)
Persona focus: NetSec, SecOps, DevSecOps, cloud architects | DevSecOps, cloud engineering

Chart jointly prepared by Secure Workload and Panoptica PM
Secure Firewall – FMC Integration Updates

NEW FMC Integration Enhancements
• Access Control Policy with readable dynamic objects
• Domain awareness
• Improved rule ordering
Demo: Secure Firewall Agentless Enforcement

Zero Trust Segmentation for Invoice App
• Consumers: Sales Users (alice), Contractors (bob), Developers (chuck), IoT (branch)
• Provider: Invoice App in the Datacenter
• Ports in the policy: TCP 80, 1936, 4567, 8081, 3306
Key Takeaways

1. Proactively protect applications and contain lateral movement
2. Zero-Trust segmentation for agent and agentless applications
3. Leverage a centralized common policy control and lifecycle
4. Rich set of integrations for visibility, context and enforcement
Resources
‣ Secure Workload User Guide
‣ Secure Workload and Secure Firewall Integration Guide
‣ Secure Workload YouTube Channel
‣ Software Agent Support Matrix