Indonesia, Jakarta . 9 April 2019 #CiscoConnectID

Page 1: Indonesia, Jakarta . 9 April 2019 #CiscoConnectID · “Server workloads in hybrid data centers spanning private and public clouds require a protection strategy different from end-user-facing

Indonesia, Jakarta . 9 April 2019

#CiscoConnectID

Page 2:

Monitoring & Protecting the Workload
How to Protect your Multicloud?

Nuttee Jirattivongvibul
DC Technical Solution Architect, Cisco Systems

Page 3:

APPLICATIONS

WORKLOADS

OPEX

Page 4:

“Server workloads in hybrid data centers spanning private and public clouds require a protection strategy different from end-user-facing devices. Security and risk management leaders should evaluate and deploy offerings specifically designed for cloud workload protection.”

Gartner

Page 5:

I’ve already invested in many security vendors …

Page 6:

Page 7:

Where is it coming from?

• Attacks are mainly driven by application vulnerabilities, not the network

• In most cases the port will be legitimately open

• Apache Struts?

• What about attacks coming from other workloads on the same hypervisor?

• Spectre / Meltdown?

• Hybrid cloud environment: how do you protect your workload?

• Container environments: how do you keep up with the scale?

Page 8:

How can we secure our workload?

Page 9:

What if you could actually protect all your workloads in a hybrid cloud environment with full visibility?

Page 10:

How to protect workload?

Visibility
• Who is talking to who?
• Vulnerability and attack surface
• Baseline

Threat Detection
• Threat detection, blocking, and automated response

Segmentation
• Whitelist policy and enforcement

Integrated

Page 11:

The Traditional Approach

Gather Data → Analyze the Data → Implement the Policy 1 Year Later?

100 Billion Events in 3 Months

Troubleshooting? Apps evolved?

App Guy
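The "who is talking to who", baseline and whitelist steps from slide 10, worked through in code. This is an added example, not Cisco Tetration code: it learns an application dependency map (ADM) from accepted flow records, flattens it into a whitelist policy, and then flags later flows that fall outside the learned baseline, which is the outlier check slide 11's one-year manual cycle never gets to. The VPC-flow-log-style lines, the 10.0.x.x addresses, the shop/web, shop/app and shop/db tier names and all function names are constructed for the example.

```python
"""Added example (not Cisco's or Tetration's code): ADM -> whitelist -> outliers.

Assumptions: flow records look like AWS VPC flow log lines (constructed below),
and a workload inventory maps each IP to an application tier.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory: ip -> "application/tier" (hypothetical addresses).
INVENTORY = {
    "10.0.1.10": "shop/web",
    "10.0.1.11": "shop/web",
    "10.0.2.20": "shop/app",
    "10.0.3.30": "shop/db",
}

# Constructed flows from the learning window, VPC-flow-log field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
BASELINE_LOG = """\
2 123456789012 eni-1 10.0.1.10 10.0.2.20 51234 8080 6 10 1200 1554800000 1554800060 ACCEPT OK
2 123456789012 eni-1 10.0.1.11 10.0.2.20 51235 8080 6 7 900 1554800000 1554800060 ACCEPT OK
2 123456789012 eni-2 10.0.2.20 10.0.3.30 40000 3306 6 30 5000 1554800000 1554800060 ACCEPT OK
2 123456789012 eni-2 10.0.2.20 10.0.3.30 40001 3306 6 30 5000 1554800000 1554800060 ACCEPT OK
"""

# Constructed flows observed after the baseline was learned: one legitimate,
# one web host reaching the database directly, one unknown host.
NEW_LOG = """\
2 123456789012 eni-1 10.0.1.10 10.0.2.20 51300 8080 6 10 1200 1554900000 1554900060 ACCEPT OK
2 123456789012 eni-1 10.0.1.10 10.0.3.30 51301 3306 6 3 300 1554900000 1554900060 ACCEPT OK
2 123456789012 eni-3 10.0.9.99 10.0.2.20 44444 8080 6 1 100 1554900000 1554900060 ACCEPT OK
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int


def parse_flow_log(text):
    """Keep only ACCEPTed records; rejected traffic never joins the baseline."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] == "version" or f[12] != "ACCEPT":
            continue
        flows.append(Flow(f[3], f[4], int(f[6]), int(f[7])))
    return flows


def tier_of(ip):
    """Unknown hosts get their own tier so they can never match a learned edge."""
    return INVENTORY.get(ip, "unknown")


def build_adm(flows):
    """Application dependency map: (consumer tier, provider tier) -> {(proto, port)}."""
    adm = defaultdict(set)
    for fl in flows:
        adm[(tier_of(fl.src), tier_of(fl.dst))].add((fl.proto, fl.dport))
    return dict(adm)


def whitelist_policy(adm):
    """Flatten the ADM into explicit allow rules; anything not listed is denied."""
    rules = []
    for (consumer, provider), services in sorted(adm.items()):
        for proto, port in sorted(services):
            rules.append({"consumer": consumer, "provider": provider,
                          "proto": proto, "port": port, "action": "ALLOW"})
    return rules


def find_outliers(flows, adm):
    """Flows whose (consumer, provider, service) edge is absent from the baseline."""
    return [fl for fl in flows
            if (fl.proto, fl.dport) not in adm.get((tier_of(fl.src), tier_of(fl.dst)), set())]


if __name__ == "__main__":
    adm = build_adm(parse_flow_log(BASELINE_LOG))
    for rule in whitelist_policy(adm):
        print(rule)
    for fl in find_outliers(parse_flow_log(NEW_LOG), adm):
        print("OUTLIER", fl)
```

The baseline yields two allow rules (web to app on 8080/tcp, app to db on 3306/tcp); the web-to-db flow and the flow from the unknown source are reported as outliers because their tier-to-tier edge was never observed in the learning window.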

Page 12:

Page 13:

Segment your network

[Diagram: VMware, Hyper-V, Mainframes, DC Firewalls, Campus and Containers on premises; AWS reached over DirectConnect, with a struts server and db server inside a security group; further struts server, db server and file server workloads on premises]

Page 14:

Policy Enforcement into Cloud?

Application dependency between clouds?

AWS security groups: by default, each security group supports up to 50 rules and each network interface can have up to 5 security groups, for a maximum of 250 rules per interface. If your AWS network is in EC2-Classic, the cap is 500 security groups per region per account.

Network Security Groups (NSG): the default limit is 100 and can be increased up to 400. NSG rules per NSG: the default limit is 200 and can be increased up to 1000.

Firewall rules: the maximum number of stateful connections per VM is 130,000 by default.

(Limits as quoted in April 2019; check the provider's current quotas before designing around them.)

Page 15:

Policy enforcement

How can we enforce this type of policy in our switches? Which switches can survive?

How can we maintain these policies consistently across clouds?
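To make slide 14's limits and slide 15's question concrete, the following is an added example, not Cisco or Tetration code. It takes a tier-level whitelist, counts how many provider-side security-group rules it expands into, checks that against the 50-rules-per-group and 5-groups-per-interface numbers quoted on slide 14, shows how far prefix summarisation helps, and finally renders the same policy as per-host iptables rules, the host-based enforcement that does not depend on any cloud's rule quota. The tier names, the 10.0.x.x addresses and the assumption that each consumer host becomes one rule (no security-group references or prefix lists) are constructed for the example; the iptables commands are returned as strings, not executed.

```python
"""Added example (not Cisco's code): does a whitelist fit in cloud security groups,
and what does it look like as host-based rules?

Assumptions: limits are the slide's numbers; rules are counted per consumer IP
on the provider side (inbound only); all addresses are constructed.
"""
import ipaddress

SG_RULES_PER_GROUP = 50      # quoted on slide 14
SG_GROUPS_PER_INTERFACE = 5  # quoted on slide 14

# Constructed tiers: 300 web hosts, 10 app hosts, 2 db hosts, 1 monitoring host.
TIERS = {
    "web": [str(h) for h in ipaddress.ip_network("10.0.1.0/24").hosts()]
           + [f"10.0.2.{i}" for i in range(1, 47)],
    "app": [f"10.0.5.{i}" for i in range(10, 20)],
    "db": ["10.0.3.30", "10.0.3.31"],
    "mon": ["10.0.4.5"],
}

# Tier-level whitelist: (consumer tier, provider tier, protocol, port).
POLICY = [
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 3306),
    ("mon", "web", "tcp", 9100),
    ("mon", "app", "tcp", 9100),
    ("mon", "db", "tcp", 9100),
]


def summarized_sources(hosts):
    """Collapse a tier's member IPs into the fewest covering CIDR prefixes,
    so one rule can cover many consumers instead of one rule per host."""
    nets = [ipaddress.ip_network(h) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def rules_per_provider_host(policy, tiers, summarize=False):
    """Inbound rule count that every host of each provider tier must carry."""
    counts = {}
    for consumer, provider, _proto, _port in policy:
        sources = summarized_sources(tiers[consumer]) if summarize else tiers[consumer]
        counts[provider] = counts.get(provider, 0) + len(sources)
    return counts


def check_sg_limits(policy, tiers, summarize=False):
    """For each provider tier: rules needed, groups needed, and whether one
    network interface can hold them within the quoted limits."""
    report = {}
    for provider, n in rules_per_provider_host(policy, tiers, summarize).items():
        groups_needed = -(-n // SG_RULES_PER_GROUP)  # ceiling division
        report[provider] = {"rules": n, "groups_needed": groups_needed,
                            "fits": groups_needed <= SG_GROUPS_PER_INTERFACE}
    return report


def iptables_for_host(ip, policy, tiers):
    """Host-based enforcement for one provider host: default-deny inbound,
    then one ACCEPT per whitelisted consumer. Returns command lines only."""
    my_tiers = [t for t, members in tiers.items() if ip in members]
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for consumer, provider, proto, port in policy:
        if provider not in my_tiers:
            continue
        for src in tiers[consumer]:
            lines.append(f"iptables -A INPUT -p {proto} -s {src} --dport {port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    print("per-IP rules:     ", check_sg_limits(POLICY, TIERS))
    print("summarized rules: ", check_sg_limits(POLICY, TIERS, summarize=True))
    print("\n".join(iptables_for_host("10.0.3.30", POLICY, TIERS)))
```

With one rule per consumer IP, the app tier needs 301 inbound rules, seven groups, more than an interface can carry; summarising the web tier into prefixes brings that under a single group. The per-host ruleset for a db host is the same whitelist expressed where the workload actually runs, which is why the deck's answer to "which switches can survive?" moves enforcement onto the host.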

Page 16:

Tetration

The Strategy – Defense in depth

Zone-Based (North-South)

Host-Based

[Diagram: AWS security group holding a struts server and a db server, with zone-based controls at the perimeter and host-based controls on each workload]

Page 17:

Cisco Tetration platform
Hybrid cloud workload protection approach

Communication control
• Visibility and ADM
• Automated whitelist policy based on application behavior
• Policy enforcement to enable segmentation
• Tracking of policy compliance
• Outlier detection
• IP blacklist blocking using Zeus, Bogon Cymru or manual lists

App behavior detection
• Process hash, lineage, attributes
• New command, new user
• Account modification
• Privilege escalation
• Shell-code execution
• Raw sockets

Security Grade
• Installed package tracking
• Weekly CVE tracking
• Vulnerability scoring
• Threat intelligence ingestion
• Process inventory and outlier
• Security dashboard with data leak detection, process anomaly, security events, attack surface, policy violation
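The "App behavior detection" column above lists signals, not how they are derived. The following is an added example, not Tetration code, showing a minimal host-side detector over process-start events that covers several of them: new user, new command, new process lineage, privilege escalation (a non-root process ending up with effective uid 0), a known binary whose hash changed, and raw-socket use. The JSON event lines, field names (user, uid, euid, exe, sha256, parent_exe, raw_socket), hashes and paths are all constructed; a real sensor would feed the same shape from exec and socket telemetry.

```python
"""Added example (not Cisco's or Tetration's code): learn a per-host process
baseline from a clean window, then report behaviour outside it.

Assumptions: events are JSON lines with user, uid, euid, exe, sha256,
parent_exe and raw_socket (all constructed below).
"""
import json
from dataclasses import dataclass, field

# Constructed clean window: a web server, its PHP workers, a database.
BASELINE_EVENTS = """\
{"ts": 1, "user": "www-data", "uid": 33, "euid": 33, "exe": "/usr/sbin/apache2", "sha256": "aaa1", "parent_exe": "/sbin/init", "raw_socket": false}
{"ts": 2, "user": "www-data", "uid": 33, "euid": 33, "exe": "/usr/bin/php", "sha256": "bbb2", "parent_exe": "/usr/sbin/apache2", "raw_socket": false}
{"ts": 3, "user": "mysql", "uid": 27, "euid": 27, "exe": "/usr/sbin/mysqld", "sha256": "ccc3", "parent_exe": "/sbin/init", "raw_socket": false}
"""

# Constructed live window: normal PHP, then a web shell spawning bash, a
# sudo with effective root, a new account running a raw-socket scanner
# from /tmp, and the apache2 binary itself replaced.
LIVE_EVENTS = """\
{"ts": 10, "user": "www-data", "uid": 33, "euid": 33, "exe": "/usr/bin/php", "sha256": "bbb2", "parent_exe": "/usr/sbin/apache2", "raw_socket": false}
{"ts": 11, "user": "www-data", "uid": 33, "euid": 33, "exe": "/bin/bash", "sha256": "ddd4", "parent_exe": "/usr/sbin/apache2", "raw_socket": false}
{"ts": 12, "user": "www-data", "uid": 33, "euid": 0, "exe": "/usr/bin/sudo", "sha256": "eee5", "parent_exe": "/bin/bash", "raw_socket": false}
{"ts": 13, "user": "backdoor", "uid": 1001, "euid": 1001, "exe": "/tmp/.x/scan", "sha256": "fff6", "parent_exe": "/bin/bash", "raw_socket": true}
{"ts": 14, "user": "www-data", "uid": 33, "euid": 33, "exe": "/usr/sbin/apache2", "sha256": "zzz9", "parent_exe": "/sbin/init", "raw_socket": false}
"""


@dataclass
class Baseline:
    users: set = field(default_factory=set)
    commands: set = field(default_factory=set)   # (user, exe) pairs
    lineage: set = field(default_factory=set)    # (parent_exe, exe) pairs
    hashes: dict = field(default_factory=dict)   # exe -> first sha256 seen


def _events(text):
    return (json.loads(line) for line in text.splitlines() if line.strip())


def learn(events_text):
    """Build the baseline from a window believed to be clean."""
    b = Baseline()
    for ev in _events(events_text):
        b.users.add(ev["user"])
        b.commands.add((ev["user"], ev["exe"]))
        b.lineage.add((ev["parent_exe"], ev["exe"]))
        b.hashes.setdefault(ev["exe"], ev["sha256"])
    return b


def detect(events_text, b):
    """Return (ts, signal, detail) for every deviation from the baseline.
    A single event can raise several signals; that is intentional, since
    a new command from a new user under a new parent is worse than one."""
    findings = []
    for ev in _events(events_text):
        ts = ev["ts"]
        if ev["user"] not in b.users:
            findings.append((ts, "new_user", ev["user"]))
        if (ev["user"], ev["exe"]) not in b.commands:
            findings.append((ts, "new_command", ev["exe"]))
        if (ev["parent_exe"], ev["exe"]) not in b.lineage:
            findings.append((ts, "new_lineage", f'{ev["parent_exe"]} -> {ev["exe"]}'))
        if ev["euid"] == 0 and ev["uid"] != 0:
            # setuid path or exploit gave a non-root process root privileges
            findings.append((ts, "privilege_escalation", ev["exe"]))
        if ev["exe"] in b.hashes and b.hashes[ev["exe"]] != ev["sha256"]:
            findings.append((ts, "hash_changed", ev["exe"]))
        if ev["raw_socket"]:
            findings.append((ts, "raw_socket", ev["exe"]))
    return findings


if __name__ == "__main__":
    for finding in detect(LIVE_EVENTS, learn(BASELINE_EVENTS)):
        print(finding)
```

The legitimate PHP start at ts 10 produces nothing; the web-shell chain from ts 11 onward produces ten findings across all six signal types. Learning the baseline from a window that already contains the attacker's activity would silently whitelist it, so the clean window has to be chosen, not assumed.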

Page 18:

Demo 1 - Tetration Host-Based Segmentation
Multicloud, Platform-Agnostic Segmentation and Enforcement

Page 19:

Why AppDynamics?

Leader in Gartner Magic Quadrant for APM

Best Analytics Platform for Applications at Scale

Brings App Dev, IT Ops and Business Together

Blue Chip Enterprise Customer Base

Flexible Option Cloud, On-Prem, Hybrid

Page 20:

AppDynamics - Application Insights in Real Time at Scale

Page 21:

AppDynamics – Faster Time to Value and Flexibility

Subscription-Based Revenue Model

Page 22:

Demo 2 – Protect Application Performance

Page 23:

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Real Problems

Page 24:

Surprise by Cloud Bills

“Pinterest executives got a surprise during last year’s holiday season. Pinterest’s computing bills on Amazon Web Services had shot past their expectations.”

“Pinterest, which had paid in advance for AWS’s services, had to buy additional capacity at a higher price. That contributed to Pinterest spending roughly $190 million on AWS last year, $20 million more than it had initially expected”

Page 25:

IT Challenges

Feature Velocity, Optimization, Multicloud Governance, Secure Automation

Page 26:

IT Benefit

Optimizing cloud instance sizing and type reduced the cloud bill

Feature Velocity, Optimization, Multicloud Governance, Secure Automation

Page 27:

Easy to buy. Complex to reconcile…

Higher Costs

Increased Complexity

[Chart: Compute, Storage, Networking and Services, each fanning out into several separate $ line items]

Page 28:

Waste, Visualized

[Chart: CPU Utilization % (0 to 40) against Time (24 hour, UTC), one line per day Sunday through Saturday; legend: Not Utilized, Under-Utilized]

1. Turn off machines

2. Right-size machine

3. Use reserved instances

4. Scale when needed

Page 29:

Cost Optimization

• High-level information on potential savings based on:
  • Rightsizing instances
  • AWS reserved instance utilization
  • Suspending workloads during non-working hours

Page 30:

Right-Sizing Recommendations

• Recommends actions based on usage metrics

• Metrics provided by cloud monitoring

• Shows the metrics used to determine the recommendation

• Recommended actions automated through the CloudCenter Workload Manager

• VM must be imported into Workload Manager to automate the action

Page 31:

Reserved Instance (AWS) Recommendations

• Shows current consumption vs purchased units

• Shows the metrics used to determine the recommendation

• Potential monthly cost savings

• Recommended actions are carried out manually

Page 32:

Real Customer Results

Metric                 Before         After
Cloud Bill             $2M per year   $700K
Decrease in Spending                  65%
Customer Experience    Outstanding    No Change

Page 33:

The Services

Page 34:

Bringing it all together with Cisco Professional Services

Consultancy & Advisory
Envision your roadmap. Strategic advice from advisory, assessment and consulting to detailed design and validation.

Implementation & Migration
Migrate and deploy. Expertise, tools, and processes to de-risk and speed deployment.

Complementing Partner Capabilities
• Bridge to New Technologies
• Support Complex Solutions

Value of Cisco Engagement
• Experts who speed time to value
• Global Experience and Best Practices
• Proven Methodology
• Cutting Edge Expertise

Page 35:

Harness the Multicloud with Cloud Advisory Services

End to End Plan: Technology Selection, Roadmap, Business Case, Security, Operating Model, 3rd Party Vendor Advisory

Customer Case Study
Global Furniture Company works with Cloud Advisory to define a Next Generation IT and MultiCloud Infrastructure for expansion.

Customer's Challenge
• Minimal and underutilized IT organization
• No existing blueprint, strategy or best practices for developing multicloud infrastructure.

Proposed Solutions
• Analysis and comparison of Public Cloud and Physical Autonomous Infrastructure
• Classify key requirements for cloud alternatives, mapping capabilities to solution, identify project risks, stakeholders, future integrations and hardware/software costs

Impact on Customer
• Actionable MultiCloud solution blueprint based on business needs and IT capabilities to be rolled out as a pilot.
• Solution study with cost analysis, potential risk and future scalability

Page 36:

Key Takeaways

• Protect your workload anywhere

• Protect application performance

• Protect your cloud bills

Page 37: