Secure Multicloud Infrastructure with Cisco Multicloud Defense


It's a multicloud world!

Today, applications are no longer confined to the boundaries of a data center; they are deployed everywhere. This shift creates the need for a solution that can provide end-to-end visibility, control, policy management, and ease of administration.

Market Trend

Organizations are embracing the power of the public cloud because it offers agile, resilient, and scalable infrastructure, enabling them to maximize business velocity. A recent study shows that 82% of IT leaders have adopted hybrid cloud solutions, combining private and public clouds. Moreover, 58% of those organizations are using between two and three public clouds [1], indicating a growing trend toward multicloud environments. As organizations lean further into multicloud deployments, security teams find themselves playing catch-up, tirelessly trying to build a security stack that can keep pace with the agility and scale of their cloud infrastructure. Teams also face a lack of unified security controls across their environments. By definition, cloud service provider security solutions are not designed to achieve end-to-end visibility and control in the multicloud world, hardening silos and creating larger security gaps. Organizations need a cloud-agnostic solution that unifies security controls across all environments while securing workloads at cloud speed and scale.

Cisco Multicloud Defense is a highly scalable, on-demand "as-a-Service" solution that provides agile, scalable, and flexible security for your multicloud infrastructure. It unifies security controls across cloud environments, protects workloads from every direction, and drives operational efficiency by leveraging secure cloud networking.

Secure cloud networking can be broken down into three pillars:

  • Security: Provides a full suite of security capabilities for workload protection
  • Cloud: Integrates with cloud constructs, enabling auto-scale and agility
  • Networking: Seamlessly and accurately inserts scalable security across clouds without manual intervention

One of the key benefits of Cisco Multicloud Defense is not only its ability to unify security controls across environments but also to enforce those policies dynamically. With dynamic multicloud policy management, you can:

  • Keep policies up to date in near-real time as your environment changes.
  • Connect continuous visibility and control to discover new cloud assets and changes, associate tag-based business context, and automatically apply the appropriate policy to ensure security compliance.
  • Power and protect your cloud infrastructure with security that runs in the background through automation, staying out of the way of your cloud teams.
  • Mitigate security gaps and ensure your organization stays secure and resilient.

Another key benefit of Multicloud Defense is that it offers enforcement points (PaaS) in both distributed and centralized architectures.

Cisco Multicloud Defense Overview

Cisco Multicloud Defense uses a common principle of public clouds and software-defined networking (SDN): decoupling the control plane from the data plane. In this solution the control plane is the Multicloud Defense Controller and the data plane is the Multicloud Defense Gateways.

The Multicloud Defense Gateway(s) are delivered as Platform-as-a-Service (PaaS) in AWS, Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). These gateways are delivered, managed, and orchestrated by a SaaS-based Multicloud Defense Controller.

Figure 1: Cisco Multicloud Defense Overview

  • Multicloud Defense Controller (Software-as-a-Service): The Multicloud Defense Controller is a highly reliable and scalable centralized controller (control plane) that automates, orchestrates, and secures multicloud infrastructure. It runs as Software-as-a-Service (SaaS) and is fully managed by Cisco. Customers can access a web portal to use the Multicloud Defense Controller, or they may choose to use Terraform to build security into their DevOps/DevSecOps processes.
  • Multicloud Defense Gateway (Platform-as-a-Service): The Multicloud Defense Gateway is an auto-scaling fleet of security software with a patented flexible, single-pass pipelined architecture. These gateways are deployed as Platform-as-a-Service (PaaS) into the customer's public cloud account(s) by the Multicloud Defense Controller, providing advanced, inline security protections to defend against external attacks, block egress data exfiltration, and prevent the lateral movement of attacks.

Multicloud Defense Gateways

In the Cisco Multicloud Defense solution, organizations can use the controller to deploy highly scalable and resilient Egress Gateways or Ingress Gateways into their public cloud account(s).

Egress Gateway: Protects outbound and east-west traffic. The egress gateway provides security capabilities such as FQDN filtering, URL filtering, data loss prevention (DLP), IPS/IDS, antivirus, forward proxy, and TLS decryption.

Ingress Gateway: Protects inbound traffic and provides security capabilities such as web application firewall (WAF), IDS/IPS, Layer-7 security, DoS protection, antivirus, reverse proxy, and TLS decryption.

Note: Multicloud Defense Gateways are an auto-scaling fleet of instances across two or more availability zones, providing agility, scalability, and resiliency.

Figure 2 shows the security capabilities of the ingress and egress Multicloud Defense Gateway.

Figure 2: Cisco Multicloud Defense Gateway

The gateway uses a single-pass architecture to provide:

  • High throughput and low latency
  • Reverse proxy, forward proxy, and forwarding mode
  • Flexibility in selecting the relevant advanced network security inspection engines, including TLS decryption and re-encryption, WAF (HTTPS and web sockets), IDS/IPS, antivirus/anti-malware, FQDN and URL filtering, and DLP

Security Models

This solution provides a flexible way to insert security into the customer's infrastructure using three highly scalable and automated deployment models (centralized, distributed, and combined).

Centralized security model

In the centralized security model, the Multicloud Defense Controller seamlessly adds gateways in a centralized security VPC/VNet/VCN. In this architecture, ingress and egress traffic is sent to the centralized security VPC/VNet/VCN for inspection before it is forwarded to its destination. This architecture ensures scalability, resiliency, and agility using cloud deployment best practices.

Figure 3 shows egress and ingress gateways in a security VPC/VNet/VCN.

  • For scalability, autoscaling is supported.
  • For resiliency, auto-scaled instances are deployed across multiple availability zones.

Figure 3: Centralized Security Model

In a centralized security model, gateways are deployed in a hub inside the customer's cloud account. However, customers can choose to have multiple hubs across accounts/subscriptions.

Distributed security model

In the distributed security model, the Multicloud Defense Controller seamlessly adds gateways in each VPC/VNet/VCN. In this architecture, ingress and egress traffic stays local to the VPC/VNet/VCN.

Based on its direction, a traffic flow is inspected by either the egress or the ingress gateways. This deployment ensures scalability, resiliency, and agility using cloud deployment best practices.

Figure 4 shows egress and ingress gateways in each VPC/VNet/VCN.

  • For scalability, autoscaling is supported.
  • For resiliency, auto-scaled instances are deployed across multiple availability zones.

Figure 4: Distributed Security Model

Combined security model (Centralized + Distributed)

This security model uses both the centralized and the distributed models. In this case, some flows are protected by gateways deployed in the security VPC/VNet/VCN, and other flows are protected by gateways deployed in the application VPC/VNet/VCN.

Based on the traffic flow, traffic is inspected by egress or ingress gateways. This deployment ensures scalability, resiliency, and agility using cloud deployment best practices.

Figure 5 shows egress and ingress gateways in a centralized security VPC/VNet/VCN together with gateways deployed in the application VPCs/VNets/VCNs.

  • For scalability, autoscaling is supported.
  • For resiliency, auto-scaled instances are deployed across multiple availability zones.

Figure 5: Centralized + Distributed Security Model

Use cases

Egress security

Figure 6 shows egress traffic security in the centralized and distributed security models.

  • In the centralized security model, traffic is inspected by gateways deployed in the security VPC/VNet/VCN.
  • Gateways are auto-scaling and multi-AZ aware.
  • In the distributed security model, traffic is inspected by gateways deployed in the application VPC/VNet/VCN.

Figure 6: Egress traffic flow

Ingress security

Figure 7 shows ingress traffic security in the centralized and distributed security models.

  • In the centralized security model, traffic is inspected by gateways deployed in the security VPC/VNet/VCN.
  • In the distributed security model, traffic is inspected by gateways deployed in the application VPC/VNet/VCN.
  • Gateways are auto-scaling and multi-AZ aware.

Figure 7: Ingress traffic flow

Segmentation (east-west)

Figure 8 shows intra- and inter-VPC/VNet/VCN traffic security in the centralized and distributed security models.

  • In the centralized security model, intra- and inter-VPC/VNet/VCN traffic is inspected by gateways deployed in the security VPC/VNet/VCN.
  • In the distributed security model, intra-VPC/VNet/VCN traffic is inspected by gateways deployed in the application VPC/VNet/VCN.
  • Gateways are auto-scaling and multi-AZ aware.

Figure 8: Segmentation (East-West) traffic flow

URL & FQDN filtering for egress traffic

URL & FQDN filtering prevents data exfiltration and attacks that rely on command-and-control. The Multicloud Defense Gateway enforces URL & FQDN-based filtering in either the centralized or the distributed deployment model.

  • URL filtering requires TLS decryption on the gateway, because the URL path is only visible in the decrypted HTTP request.
  • FQDN-based filtering can be enforced on encrypted traffic flows, because the destination hostname is visible in the TLS handshake without decryption.

Figure 8: URL & FQDN filtering for cloud egress
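The two bullets above come down to what an egress gateway can see without decrypting. The following added example (not Cisco's code; the ClientHello builder, the FQDN allowlist and the URL rule are constructed for illustration) extracts the SNI hostname from a still-encrypted flow's TLS ClientHello to enforce an FQDN rule, and shows that a URL rule can only act on the plaintext request line that TLS decryption exposes.

```python
import struct

# Constructed test input: a minimal TLS 1.2 ClientHello carrying a server_name (SNI) extension.
def build_client_hello(hostname: str) -> bytes:
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list            # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                     # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record without decrypting anything, or None."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 44 + record[43]                                   # skip headers, version, random, session id
    p += 2 + int.from_bytes(record[p:p + 2], "big")       # cipher suites
    p += 1 + record[p]                                    # compression methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")  # extensions block
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                    # server_name: skip list length + name_type
            name_len = int.from_bytes(record[p + 3:p + 5], "big")
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

EGRESS_FQDN_ALLOW = {"api.example.com", "updates.example.com"}   # constructed allowlist
BLOCKED_URL_PATHS = ("/upload",)                                  # constructed URL rule

def fqdn_decision(record: bytes) -> str:
    """FQDN filtering: decided on the encrypted flow, since SNI travels in the clear."""
    host = extract_sni(record)
    return "ALLOW" if host in EGRESS_FQDN_ALLOW else "DENY"       # no SNI -> DENY

def url_decision(request_line: str) -> str:
    """URL filtering: needs the plaintext request line, which exists only after TLS decryption."""
    method, path, _ = request_line.split(" ", 2)
    return "DENY" if path.startswith(BLOCKED_URL_PATHS) else "ALLOW"
```

Note that an allowed FQDN such as api.example.com can still carry a blocked path like /upload; catching that is exactly what the decrypt-and-inspect step on the gateway buys.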

Coming soon: Multicloud Networking use cases

In our upcoming release (2HCY23), we are adding a set of Multicloud Networking use cases that enable secure connectivity, bringing all cloud networks together.

Multicloud Networking: Cloud-to-Cloud Networking

An egress gateway with VPN capability provides a secure connection to other cloud infrastructures. The egress gateway is delivered as-a-Service and provides resiliency and autoscaling. This architecture requires deploying the egress gateways with VPN capability "ON." These gateways use IPsec connectivity for a secure interconnection.

Figure 9: Cloud-to-Cloud Networking (IPsec)

Multicloud Networking: Site-to-Cloud Networking

An egress gateway with VPN capability provides a secure connection to on-premises infrastructure. This architecture requires deploying the egress gateways with VPN capability "ON" in the security VPC/VNet/VCN, plus a device at the data center edge for IPsec termination.

Figure 10: Site-to-Cloud Networking (IPsec)

Conclusion

It's a multicloud world we live in, and organizations need a cloud-agnostic solution that unifies security controls across all environments while securing workloads at cloud speed and scale. With Cisco Multicloud Defense, organizations can leverage a simplified and unified security experience, helping them navigate their multicloud future with confidence.

For more information on Cisco Multicloud Defense, refer to cisco.com/go/multicloud-defense

Additional Resources

Announcement blog: Cisco Multicloud Defense

At-a-glance: Cisco Multicloud Defense

References

[1] 2022 Global Hybrid Cloud Trends Report. S&P Global Market Intelligence, 2022.
