Cisco Crosswork Cloud Trust Insights Data Sheet
Available Languages
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Cisco Crosswork Cloud Trust Insights™ module is a cloud service that provides operational intelligence on integrity and security posture of Cisco IOS® XR devices. The service brings together Cisco’s Knowledge and Trust Anchor technologies combined with customer devices to provide a holistic view of the trustworthy status of their network assets.
Network infrastructure drives mission-critical services. Understanding the complex hardware and software environment supporting critical infrastructure devices is an important part of network operations, but the tools to track and test integrity of the software on these devices is often limited to simple tools that query device OS versions and configurations. Today’s mission-critical environments need the ability to not only help operators better track and understand the complex software components required to maintain and operate network devices, but also validate the integrity of the software supporting these mission-critical services.
Cisco Crosswork Trust Insights is a software-as-a-service solution that provides intuitive visualization, rich analytics, and alerts on actionable device integrity events. It empowers you with visibility to help assess the integrity and affirm trust in your network routing infrastructure. It aggregates hardware and software signature information from your network devices and gathers evidence to validate if the hardware is authentic and running software maps to published Known Good Values (KGVs). The service enables you to take maximum advantage of the trustworthy technologies baked into the Cisco platforms and implement operational best practices to collect and validate changes in system integrity information.
Crosswork Trust Insights offers an IOS XR network device monitoring solution for complex enterprise and service provider networks. The solution supports IOS XR software and hardware systems. The Crosswork Trust Insights solution captures, enriches, and analyzes trustworthy network equipment status to help service providers, web companies, and enterprises to validate the integrity of their network infrastructure assets. A trustworthy network is one that continues to ensure performance, reduce management costs, gain deep visibility, and reduce downtime caused by malicious or noncompliant changes.
Product description
Crosswork Cloud Trust Insights is Cisco’s first cloud-based service that presents continuous and verifiable network device integrity information. It uses secure data exchange protocols in combination with a cloud-native architecture to continuously monitor changes to device trust posture. In addition, the service takes advantage of its deeper knowledge of Cisco network devices to provide a comprehensive view of device inventory and changes in system integrity measurements.
Cisco is committed to continually enhance the security and resilience of our networking solutions. Trust Insights uniquely leverages the built-in trust technologies. For example, it utilizes the cryptographic identity as part of a trust anchor for the validation of information collected from the device. In addition, the service provides an independent and secure offsite repository of system integrity information.
Trust Insights delivers the critical consumer experience component as part of the Cisco Trust Anchor technology evolution.
Accelerate time to know
Cisco Crosswork Trust Insights helps to detect and analyze any change in system integrity measurements. As a result it significantly reduces the Mean Time to Know (MTTK) when a security event occurs. Operators can subscribe to such change notifications to help accelerate Mean Time to Resolution (MTTR). The service is built to communicate and alert on issues using new collaboration media platforms and legacy methods such as email. These collaborative tools help network operation teams efficiently coordinate their efforts to resolve issues. The framework is able to support integration with third-party plug-ins to facilitate collaboration. Efficiency will further be improved with alarms to trigger automation playbooks to implement remediation or accessibility actions.
Accelerate Time to Action
Crosswork Cloud Trust Insights leverages the robust Cisco Cloud Service Infrastructure.
Cisco Crosswork Trust Insights is designed to cost-effectively manage very large-scale data sets. It utilizes the scalability of the Cisco Crosswork Cloud Service Infrastructure to achieve this. The architecture is capable of tracking millions of signature value pairs while maintaining their historical information. It delivers a solution that is flexible, resilient, and secure.
In summary, Trust Insights is for anyone who needs to understand the trust posture of their network routers and track and analyze changes that may potentially expose the attack surface. The service will continue to evolve, providing organizations with the capability to protect and monitor the trust posture of their network assets.
Trust Insights
● Collect, analyze, and report on the integrity and trustworthiness of Cisco IOS XR–based routing platforms
● Hardware and software inventory management and reporting
● Reliable audit trail of platform integrity and inventory with history
● Tracks observed changes to hardware and software inventory and major operational events
● Flexible traffic dashboards and reporting functions
Trust Insights use cases
Crosswork Trust Insights Use Cases
IOS XR inventory and integrity analytics
Trust Insights provides an operational timeline for all events captured within the trust dossier (such as reboot or configuration rollback events), as well as dossier collection, and also observed changes between dossiers. This is designed to provide a unique historical view into changes observed in systems, which is intended to support root-cause analysis of known network issues, or to prove that scheduled hardware or software maintenance has been completed as planned.
Track changes and events with trust dossier
Integrity measurement and KGVs
Trust Insights works by leveraging the “trust dossier” feature within IOS XR 7 systems. This cryptographically signed dossier contains data on the hardware and software inventory of the router, as well as unique measurements of hardware and runtime software within each IOS XR device. These runtime signatures are compared to KGVs, which are collected as part of the IOS XR build and release process as part of the Trust Insights service. With Trust Insights, you can not only understand the current and previous hardware and software running on your production systems, but you can also get a unique view into the integrity of all hardware and software running in your mission-critical production network devices.
Integrity measurement and Known Good Values
Forensic reporting on observed software signatures
Trust Insights highlights critical new security capabilities of modern Cisco routers and can provide insights into new capabilities enabled by upgrading to newer software versions of the IOS XR operating system. The integrity reporting capabilities can validate IOS XR software packages, detect runtime changes to file contents on production systems, and file signatures across monitored devices within your environment. Trust Insights leverages key capabilities in the IOS XR operating system to track and report on the integrity and runtime changes to individual software packages as well as at-rest and in-use file fingerprints.
Integrity reporting capabilities
Trust capability assessment
Trust Insights provides unique insights into security capabilities of your IOS XR fleet. This feature helps you audit the security capabilities of already-deployed IOS XR systems to identify opportunities to mitigate risks through upgrades.
Audit security capabilities with Trust Insights
Historical audit of operational changes
Trust Insights provides a historical audit trail of measured systems and can track and report on observed changes to hardware and running software over time. This is a critical capability to ensure compliance with approved software releases and patch (SMU) standards, as well as forensic capabilities to report on exact software state and observed changes during previous operational events.
Historical audit trail
Secure remote collection and storage
Crosswork Cloud delivers a robust solution for cloud-to-ground connectivity through the Crosswork Data Gateway. Deployed as a virtual machine, the Data Gateway provides a scalable and easy-to-manage solution to enable secure collection of integrity measurements from on-premises IOS XR devices.
The Data Gateway is designed for simple and repeatable deployment and includes tools to easily validate and troubleshoot connectivity. Once deployed, it is fully cloud managed and does not require any ongoing maintenance. This enables Trust Insights to provide a scalable cloud-based solution to audit the inventory and software of your IOS XR devices, with minimal investment in ongoing software maintenance or infrastructure.
Crosswork Data Gateway
Table 1. Features and benefits of the Cisco Crosswork Cloud Trust Insights module
| Feature |
Benefit |
| Cloud delivered |
Reduce time to value with easy ordering, provisioning, and setup. Adopt new releases and innovation in an effortless manner. Facilitate integration with other systems through open APIs. |
| Software as a Service (SaaS) |
Build and maintain confidence with “always-on” monitoring. Reduce technical and operational overhead required to set up, operate, and maintain servers and software. Leverage seamless flexibility to add capacity, scale, and features, securely and reliably, to align with your business objectives. |
| Cryptographically secured evidence of system integrity and changes |
Affirm trust in network infrastructure by gathering evidence to verify if the hardware is authentic and running software maps to published KGVs. Track changes to system integrity measurements. |
| Intuitive dashboard |
Get a glance into observed hardware and software changes; contextually navigate deeper to analyze the behavior and assess the impact. |
| System integrity evidence analysis |
Validate trust posture for network devices by regularly observing any system hardware and software changes and validating if the changes were as planned and conform to manufacturer guidelines. Analyze run-time software changes to investigate what they are, when they happened, and which devices were affected. Expedite resolution by assessing the change behavior such as if similar change was observed in the past or if the change occurred concurrently across multiple devices. |
| Historical archive of system changes |
Establish traceability for forensic and causal analysis. |
| Notification of observed system changes |
Accelerate mean time to know by subscribing to system change notifications. Mechanisms include Email, SMS, and Structured Syslog to Cloud File Storage. |
| Immutable secure storage of evidence |
Ease compliance check while safe-guarding against evidence tampering. |
| Secure connection from network devices to the cloud |
Establish secure cloud tether using a Cisco Crosswork Data Gateway deployed on-premises in your network. |
| Subscription pricing |
Flexibility of payments, with 12- to 60-month terms and annual renewals Lower upfront CapEx and overall Total Cost of Ownership (TCO) Ability to add capacity or term as needed to meet business requirements The current subscription tiers are: Essentials Subscription tiers are based on the number of configured devices to be monitored. |
| Multitenant |
Role-based access controls Cisco.com Federated One Identity for easy access to multiple customer tenancies Enterprise Single Sign-On with Federated Identity to reduce user support and onboarding |
| Network automation integration |
Trigger software upgrades and compliance audits with operational awareness Integrations options with Cisco Crosswork Change Automation and Cisco® NSO |
Product subscription tiers
The Cisco Crosswork Trust Insights service is a new capability to provide insight and analysis of device hardware and software integrity status. The services provide expanded near real-time and historical state information for each monitored IOS XR routing device. Future license tier capabilities will be delivered as Function Packs. The Function Packs will enhance the Essentials Right to Manage (RTM) offer with new alarms, reporting and continuous analysis, and recommendation capabilities over time. The primary difference between the Essentials tier and the Function Packs is the accessibility to automation use cases as well as proactive policy-based alerting.
All Cisco Crosswork Cloud subscription tiers can be used independently or in combination with each other. The Trust Insights module integrates the information and features of the Trust Anchor Module embedded in the Cisco IOS XR hardware as well as the signature information found in the Trust Inventory Dossier that is collected from the router. Customers familiar with the Crosswork Cloud can integrate any existing service offering of Cisco Crosswork Cloud or create a separate tenancy as required. Customers will be able to mix and match license types based on allocation of licenses to specific organizational tenancies. License compliance is flexible and reported within the user interface.
Cisco Crosswork Trust Insights subscription tiers
The following feature support matrix is per subscripted device for the Trust Insights service.
Feature support may be subject to the configured mapped state of a device to a license tier:
Y = Yes, feature is supported per associated device
P = Partial, feature is supported per device if compatibility exists
O = Feature is Optional but must be purchased separately
A = Feature is Always available regardless of Device License Association
Table 2. Product subscription tiers
| Product Subscription Tier |
Essentials Device RTM - Paid |
Essentials Device RTM - Voucher |
| Product Availability |
Available |
Available |
| Subscription Term |
12-60 Months (Variable) |
36 Months (Fixed) |
| Data Granularity |
Varies |
Varies |
| Polling Interval |
6 hours |
6 hours |
| Data Retention And Lookback |
12 months |
12 months |
| Crypto Secure Integrity And Change Status |
Y |
Y |
| Trust Posture Validation |
Y |
Y |
| Y |
Y |
|
| Immutable Evidence Chain |
Y |
Y |
| Device Software Comparison |
Y |
Y |
| Device Hardware Comparison |
Y |
Y |
| Device Boot Integrity Verification |
Y |
Y |
| P |
P |
|
| Cisco Chip Validation |
P |
P |
| Hardware Trust Anchor Module (TAm) |
P |
P |
| Secure JTAG |
P |
P |
| Secure SUDI |
P |
P |
| Software Validation |
Y |
Y |
| Hardware Anchored Secure Storage |
P |
P |
| High Entropy RNG |
Y |
Y |
| Runtime Protections (OSC/ASLR/X-Space) |
Y |
Y |
| Process Integrity Measurement |
Y |
Y |
| Process Integrity Validation |
Y |
Y |
| IOS XR Package Signature Support |
Y |
Y |
| IOS XR Enhanced File System Integrity Reporting |
Y |
Y |
| Policy Based Rules & Alarms |
(Roadmap) |
(Roadmap) |
| Hardware Policy Rules |
Roadmap |
Roadmap |
| Software Policy Rules |
Roadmap |
Roadmap |
| Notification Endpoints |
(Roadmap) |
(Roadmap) |
| |
Y |
Y |
| SMS |
Y |
Y |
| Cisco Webex® Teams1 |
Y |
Y |
| Slack.com Channels2 |
Y |
Y |
| Microsoft Teams3 |
Y |
Y |
| Syslog via AWS S3 File Storage4 |
Y |
Y |
| Identity Management |
Y |
Y |
| Unlimited Users per Tenancy |
Y |
Y |
| Cisco.com User Accounts |
Y |
Y |
| Federated Identity and SSO via OKTA |
Y |
Y |
| Role-Based Access Controls (RBAC) |
Y |
Y |
| API Support |
(Roadmap) |
(Roadmap) |
| Technical Support for API Usage |
Y |
Y |
| API Signing Key |
Y |
Y |
| API Bearer Token |
Y |
Y |
The Cisco Crosswork Cloud Trust Insights application is delivered via a Software-as-a-Service (SaaS) offer and does not have any specific system requirements to operate the software itself. Users of Cisco Crosswork Cloud products require one of the following browsers in order to access the SaaS application.
Table 3. Cisco Crosswork Cloud system requirements
| Feature |
Description |
| Web Browser |
Google Chrome 70 or later |
| Mozilla Firefox 62 or later |
The Trust Insights features require the use of the Cisco Crosswork Data Gateway to aggregate device data and transmit this to the cloud service as a form of network telemetry. The following system requirements are a guide to a base collector Virtual Machine (VM) specification. The Cisco Crosswork Cloud application may require multiple CDG instances depending on the number of devices to be associated with the service and the amount of redundancy required from the collection framework.
For Cisco Crosswork Cloud applications, Cisco Crosswork Data Gateway software is included in your application cost. The Cisco Crosswork Data Gateway is prevented from being used for other on-premises Cisco Crosswork applications.
Table 4. Cisco Crosswork Data Gateway system requirements
| Feature |
Description |
| Hypervisor |
VMWare ESXi 6.5 (update 2 or later) and 6.7.x |
| Memory |
32 GB minimum |
| Disk Space |
50 GB SSD |
| vCPU |
8 vCPU |
| Network Interfaces |
Up to three virtual interfaces depending on requirements*
● One interface for management access, including SSH and GUI access to the VM. The DNS and NTP servers, and the default gateway, must be reachable via this interface.
● One interface for southbound device access. Associated devices must be reachable via this interface (routable).
● One interface for northbound cloud access. The data destination must be reachable via this interface (routable).
*Interfaces can be consolidated subject to deployment requirements.
|
For more information about the Cisco Crosswork Data Gateway, please see the Crosswork Data Gateway Data Sheet.
Cisco Crosswork Cloud Trust Insights is available. To order, please visit the Cisco Ordering Home Page.
Trust Insights feature tiers can be ordered in one-year, three-year, and five-year subscription periods. In addition, volume and term discounts are available for customers ordering higher numbers of monitored routers at the same time. All current subscriptions are offered at the Essentials level. The SaaS software is accessible via crosswork.cisco.com.
Cisco Smart Accounts and Smart Licensing are supported for Trust Insights. In addition, Cisco Connection Online (CCO) user accounts are mandatory in order to use the Cisco Crosswork Cloud user interface.
Table 5. Ordering information – paid subscriptions
| Product Description |
Entitlement Model |
| Trust Insights Subscription |
Per Subscription |
| Trust Insights Essentials - Device RTM |
Per Device Right to Manage |
A Trust Insights subscription must be purchased to enable Trust Insights functionality within a Crosswork Cloud account. Trust Insights device Right-to-Manage licenses (including embedded vouchers) cannot be claimed until a minimum Trust Insights subscription product ID is purchased that contains a Cisco Support Contract.
Crosswork Trust Insights vouchers are embedded in numerous IOS XR device orders automatically using am embedded product ID. The Crosswork Trust Insights RTM Voucher SKUs can be consumed based on a single device per IOS XR license subscription. Each voucher is equivalent to a paid Trust Insights Essentials RTM for a fixed term of 36 months.
Table 6. Ordering information – voucher subscriptions
| Product Description |
Entitlement Model |
| Trust Insights Essentials - Device RTM Voucher |
Per Device Right to Manage |
Cisco environmental sustainability
Information about Cisco’s environmental sustainability policies and initiatives for our products, solutions, operations, and extended operations or supply chain is provided in the “Environment Sustainability” section of Cisco’s Corporate Social Responsibility (CSR) Report.
Reference links to information about key environmental sustainability topics (mentioned in the “Environment Sustainability” section of the CSR Report) are provided in the following table:
| Sustainability topic |
Reference |
| Information on product material content laws and regulations |
|
| Information on electronic waste laws and regulations, including products, batteries, and packaging |
Cisco makes the packaging data available for informational purposes only. It may not reflect the most current legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to date. This information is subject to change without notice.
Cisco offers a wide range of services to help accelerate your success in connecting to Cisco Crosswork Cloud. The innovative Cisco Services offerings are delivered through a unique combination of people, processes, tools, and partners and are focused on helping you increase operational efficiency and improve your network control. Cisco Advanced Services use an architecture-led approach to help you align your network infrastructure with your business goals and achieve long-term value. Cisco Crosswork products can be combined with the Cisco SMARTnet® service to help you resolve mission-critical problems with direct access at any time to Cisco network experts and award-winning resources. Spanning the entire network lifecycle, Cisco Services offerings help increase investment protection, optimize network operations, support migration operations, and strengthen your IT expertise. For more information, please visit www.cisco.com/go/services.
Flexible payment solutions to help you achieve your objectives
Cisco Capital® makes it easier to get the right technology to achieve your objectives, enable business transformation, and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services, and complementary third-party equipment in easy, predictable payments. Learn more.
For more information on Cisco's network automation portfolio for service providers, please visit www.cisco.com/go/crosswork. To learn more about Cisco Crosswork Cloud or to schedule a demonstration, contact your Cisco sales representative.
| New or Revised Topic |
Described In |
Date |
| General Availability |
11/03/2021 |
|
| General Availability |
11/03/2021 |
|
| General Availability |
11/03/2021 |
|
| General Availability |
11/03/2021 |
|
| General Availability |
11/03/2021 |