In this blog we introduce the Cisco Cloud Native Security SPOT-On demo video series. In this series we’ll take you through how to provide a cloud native infrastructure to run applications. We’ll look at what tools are needed to make this happen and, most importantly, how we can secure these environments using the Cisco Secure portfolio.
In this part 1 of the series, we’ll introduce:
- what we will be building
- what types of security technologies we will be implementing
- how the Cisco Secure portfolio provides visibility and security policy in a cloud native environment.
Each blog in the series will include a demo video! You can also find more information at Cisco Application-First Security.
What and where will we be building?
First, we need somewhere to deploy our infrastructure. We will be deploying our infrastructure in Amazon Web Services (AWS). In AWS we’ll provision a Virtual Private Cloud (VPC) with all the required subnets, security groups, network interfaces, route tables, internet gateways, elastic IP addresses, and Elastic Compute Cloud (EC2) instances. We will also be deploying an Elastic Kubernetes Service (EKS) cluster to manage and orchestrate our cloud native applications. Two EC2 instances will be provisioned: the first will host our Next Generation Firewall (NGFW), and the second will host the EKS worker node, which will run our microservices applications.
What tools do we need?
We also need some tools to help us provision and configure our environment. We built a DevBox with all the required DevOps tools to accomplish this. On this DevBox we’ll install the latest versions of Terraform, Ansible, Jenkins and the AWS CLI. We’ll use Terraform and the AWS CLI to provision the cloud infrastructure and applications. Ansible will be used to configure the Next Generation Firewall policy. Jenkins will automate and orchestrate the build and deployment of the environment. Other tools we will be using include GitHub for source code management and version control, Docker for running Ansible playbooks and Python scripts in our CI/CD pipeline, and the Kubernetes CLI (kubectl) to monitor and manage the cluster itself.
How do you secure cloud native environments?
Securing a cloud native environment can get a little tricky. What exactly are we trying to secure? Many questions come up when deploying a cloud-native app in AWS (or another IaaS provider):
- Are we securing the public cloud infrastructure? Or the Kubernetes cluster? Or the microservices running in the cluster? Or how about the containers and the apps running inside the containers?
- What about the APIs (Application Programming Interfaces) they’re exposing? What about the authentication and authorization of those APIs?
- How is the data encrypted in transit and at rest?
- How many connections or requests can the app support?
- Are there any vulnerable libraries being used in these apps?
Fortunately for us, the Cisco Secure portfolio provides solutions for all these questions.
Different solutions for different use cases
In this series we’ll start with the infrastructure and make our way up the stack to the application and its users. Depending on the deployment, some of the infrastructure layers might not be managed by you (e.g., in serverless computing deployments). It is therefore important to note that not all of these solutions will be needed for every cloud-native deployment. Throughout this blog series we’ll explain the different use cases, and when you need which solution. Check the diagram below to see how the different solutions play a role in the application stack.
Different solutions play different roles in the application stack
From infrastructure to application – going up the stack
At a high level, going up the stack from the infrastructure to the application looks like this:
- We’ll secure the cloud edge using Cisco Secure Firewall (NGFW), which will be provisioned on an EC2 instance that will be the entry point into the VPC. The NGFW will provide North/South Layer 3-7 access control, intrusion prevention, and anti-malware protection for traffic to and from our applications. This option secures the cloud infrastructure (the AWS VPC) itself. The other option is to deploy Cisco Secure Firewall Cloud Native (SFCN) directly into the Kubernetes cluster. SFCN is a full NGFW built to run in a managed Kubernetes environment in the public cloud, which gives automated scaling of the security services based on demand.
- We will also dive into other emerging technologies such as Cloud Security Posture Management (CSPM) using Cisco Secure Cloud Insights. Secure Cloud Insights gives us full visibility into our cloud security posture, continuously monitors for and detects policy violations and misconfigurations, and maps the relationships between all assets so we understand the complete attack surface.
- We’ll then provide visibility and security analytics into the cloud infrastructure and Kubernetes cluster using Cisco Secure Cloud Analytics (SCA). SCA detects indications of compromise such as insider threat activity and malware within the microservices environment. This solution gives us the option to secure both public cloud (AWS VPC) and cloud native (Kubernetes) infrastructures. SCA also integrates with serverless computing platforms such as AWS Lambda.
- Cisco Secure Workload can provide micro-segmentation in the cloud infrastructure and in the microservice applications. Secure Workload can be deployed as an agent on the cloud instances (EC2) or as a DaemonSet on the Kubernetes cluster. This solution segments cloud instances and micro-apps at Layer 3-4, meaning policy is still enforced by IP address and service port.
- Cisco Secure Application for cloud native delivers Kubernetes and container security, providing CI/CD pipeline integration as well as API visibility and risk detection. Since this is a container security solution, it can be used with your Kubernetes cluster.
- Next we’ll secure the application itself by detecting code dependencies, continuously monitoring for vulnerabilities, and blocking exploits at application runtime using Cisco Secure Application for AppD. Cisco Secure Application is part of the AppDynamics suite and runs on its Application Performance Monitoring (APM) agent, which is deployed with the application code. Since this solution is embedded in the application runtime via an agent, it can be used wherever the application is running.
- Finally, Cisco Secure Access by Duo establishes user and device trust for secure access to applications: it helps you tell corporate devices from personal ones with easy certificate deployment, blocks untrusted endpoints, and gives users secure access to internal applications without a VPN. Additionally, Duo Network Gateway provides granular user and endpoint access control to CI/CD applications and infrastructure over HTTPS, SSH and RDP.
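To make the first two items above concrete (the NGFW as the only entry point into the VPC, and CSPM-style detection of misconfigurations), here is a small posture check written as an added example for this post. It is not Cisco’s code, not part of the demo series, and not a substitute for Secure Cloud Insights; it assumes input shaped like the JSON that `aws ec2 describe-security-groups` and `aws ec2 describe-route-tables` return, and the sample data embedded below is constructed for illustration with made-up resource IDs.

```python
"""
Two posture checks for the two-instance VPC layout in this post (added example,
not Cisco's code). Assumes inputs shaped like the AWS CLI output of
`describe-security-groups` and `describe-route-tables`. SAMPLE_* data is
constructed for illustration; every resource ID in it is made up.
"""
import ipaddress

MGMT_PORTS = {22, 3389}  # SSH and RDP must never be reachable from the internet


def _covers_port(perm, port):
    """True if an IpPermissions entry matches `port` (protocol -1 means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp"):
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def _world_open(perm):
    """True if any source range on the rule is 0.0.0.0/0 or ::/0."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def _edge_finding(perm, allowed):
    """Message if a world-open rule on the edge (NGFW) group exposes more than `allowed`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "edge group accepts all protocols from the world"
    if proto not in ("tcp", "udp"):
        return f"edge group accepts protocol {proto} from the world"
    extra = set(range(perm["FromPort"], perm["ToPort"] + 1)) - set(allowed)
    if extra:
        return f"edge group exposes {proto} ports beyond {sorted(allowed)}: {min(extra)}-{max(extra)}"
    return None


def check_security_groups(describe_sgs, edge_sg_ids, allowed_edge_ports=(443,)):
    """Return (group_id, message) findings for world-open ingress rules.

    Only the edge (NGFW) groups may accept traffic from the internet, and then
    only on the published service ports; management ports are never allowed.
    """
    findings = []
    for sg in describe_sgs["SecurityGroups"]:
        sg_id = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            if not _world_open(perm):
                continue
            for port in sorted(MGMT_PORTS):
                if _covers_port(perm, port):
                    findings.append((sg_id, f"management port {port} open to the world"))
            if sg_id not in edge_sg_ids:
                findings.append((sg_id, "world-open ingress on a non-edge security group"))
            else:
                msg = _edge_finding(perm, allowed_edge_ports)
                if msg:
                    findings.append((sg_id, msg))
    return findings


def check_default_route(describe_rts, worker_subnet_id, firewall_eni_id):
    """Every 0.0.0.0/0 route on the worker subnet's table must target the NGFW's ENI.

    A route to an instance shows up in the CLI output with both InstanceId and
    NetworkInterfaceId; a route straight to an internet gateway has GatewayId.
    """
    findings = []
    for rt in describe_rts["RouteTables"]:
        subnets = {a.get("SubnetId") for a in rt.get("Associations", [])}
        if worker_subnet_id not in subnets:
            continue
        for r in rt.get("Routes", []):
            if r.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if r.get("NetworkInterfaceId") != firewall_eni_id:
                target = r.get("NetworkInterfaceId") or r.get("GatewayId") or r.get("InstanceId") or "unknown"
                findings.append((rt["RouteTableId"], f"default route bypasses the firewall (target {target})"))
        return findings
    findings.append((worker_subnet_id, "no explicit route table association (inherits the VPC main table)"))
    return findings


# Constructed sample: an edge group that publishes 443 only, and a worker group
# that mistakenly exposes SSH to the internet.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0edge", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0worker", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]}

# Constructed sample: the public subnet routes to the IGW, the worker subnet
# routes through the firewall instance's inside interface.
SAMPLE_RTS = {"RouteTables": [
    {"RouteTableId": "rtb-0public", "Associations": [{"SubnetId": "subnet-0public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-0worker", "Associations": [{"SubnetId": "subnet-0worker"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0fw",
                 "NetworkInterfaceId": "eni-0fwinside"}]},
]}

if __name__ == "__main__":
    for group, msg in check_security_groups(SAMPLE_SGS, {"sg-0edge"}):
        print(group, msg)
    for table, msg in check_default_route(SAMPLE_RTS, "subnet-0worker", "eni-0fwinside"):
        print(table, msg)
```

Run against live output (`aws ec2 describe-security-groups` and `describe-route-tables` piped to a file), the same two functions answer the questions a CSPM tool asks about this layout: is the firewall the only thing the internet can reach, and does the worker subnet's default route actually go through it rather than straight to the internet gateway.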
Follow the series
This is the first blog in my 3-part Cisco Cloud Native Security series. Each blog will introduce the next demo video. Check out the first video, Cisco Secure Cloud Native Security – Part 1 – Introduction, for more detailed information and the demo. And please visit the Cisco Application-First Security site for access to tools, learning labs, and more information. Got questions, or things you’d like to discuss? Join us in the Security Developer Community.
Cisco Secure Cloud Native Security – Part 1 – Introduction
We’d love to hear what you think. Ask a question or leave a comment below.