Cisco Secure Workload (Tetration) Platform Data Sheet

Data Sheet

Updated: March 16, 2021


Cisco Secure Workload (formerly Tetration) seamlessly delivers a zero-trust approach to securing your application workloads across any cloud and on-premises data center environments by reducing the attack surface, preventing lateral movement, identifying workload behavior anomalies, and remediating threats quickly.

Product overview

Traditionally in IT, we’ve had an infrastructure-centric view of the universe. Our most valuable data was contained in the data center, so our job was to let good traffic in and keep bad actors out. And our tool of choice was the firewall.

In today’s organizations, the center of gravity has shifted decidedly in favor of applications. Applications are critical to how you engage with customers, run your operations, and get paid. But the constant proliferation and dynamic nature of these applications have led to an unprecedented security challenge for IT professionals.

Applications are distributed. They’re deployed both on-premises and in the cloud, or across multiple clouds, and critical workloads are no longer tidily kept in the data center where they can be protected by a perimeter firewall. In some ways, there is no more perimeter. To respond to this app-centric world, you need a security solution that can bring security closer to the applications using a “new firewall” that surrounds each and every workload, allowing you to protect what matters most to you—your applications and your data.

With Cisco Secure Workload, you can secure your applications by creating firewalls at the workload level across your entire infrastructure consistently, whether these are deployed on bare-metal servers, virtual machines, or containers.

Workload protection use cases

Secure Workload helps to deliver zero-trust application security, reduce risk, and maintain compliance with:

      Automatically generated microsegmentation policies through comprehensive analysis of application communication patterns and dependencies

      Dynamic attribute-based policy definition with a hierarchical policy model to deliver comprehensive controls across multiple user groups with role-based access control

      Consistent policy enforcement at scale through distributed control of native host firewalls and infrastructure, including ADCs (application delivery controllers) and firewalls

      Near real-time compliance monitoring of all communications to identify and alert against policy violation or potential compromise

      Workload behavior baselining and proactive anomaly detection

      Common vulnerability detection with dynamic mitigation and threat-based quarantine

Figure 1. Multidimensional workload protection approach using Cisco Secure Workload

By using this multidimensional workload protection approach (Figure 1), Cisco Secure Workload significantly reduces the attack surface, minimizes lateral movement in case of security incidents, and quickly identifies anomalous behaviors within the data center.

To learn more about workload protection capabilities, refer to the Cisco Secure Workload Platform for Workload Protection data sheet: www.cisco.com/c/en/us/products/collateral/data-center-analytics/Secure Workload-analytics/datasheet-c78-740328.html.

Features and benefits

Table 1 lists the main features and benefits of the Cisco Secure Workload platform.

Table 1.        Cisco Secure Workload platform primary features and benefits

Feature

Benefit

Zero-trust model using microsegmentation

  Make implementing microsegmentation within your environment a reality
  Secure Workload’s automated approach helps accelerate deployment of microsegmentation
  Secure hybrid multicloud workloads and contain lateral movement using microsegmentation

Extend policy definitions based on additional context

  Eliminate time-consuming manual creation of resource lists to segment applications
  Define microsegmentation default and absolute policies using asset tags
  Quickly develop consistent policies for applications using real-time asset tagging:

    Associate rich business context with the servers

  Define policies based on users and user groups that need access

One-click policy enforcement across a multicloud data center

  Enforce the security framework using application segmentation and reduce the surface vulnerable to attack
  Enforce policies with a single click. Use the mechanisms in Linux and Microsoft Windows environments to enforce security policy
  Normalize the policy for each server, eliminating the need for manual intervention to identify policy for each of the servers

Defense in depth

  Enforce segmentation and security policies simultaneously on Cisco Secure Firewalls through integration with Cisco Firepower Management Center

Detect policy noncompliance events

  Track application policy compliance in real time
  Enable alerts for compliance events that can then be integrated with SIEM systems for investigation and remediation

Identification of workload behavior deviations

  Baseline the behavior of the workloads based on communication activities and processes on the workloads
  Proactively detect anomalous behavior and identify indicators of compromise
  Enable alerts for such events to be integrated with your SIEM systems for further security incident handling

Software vulnerability detection

  Get a baseline software inventory and the version information installed on servers
  Quickly identify if any of the package versions have known vulnerabilities or exposures, along with the severity
  Get an accurate inventory of all the servers that have the vulnerable package
  Tie this information to a policy that designates a specific action, such as quarantining a specific server

Flexible telemetry collection options

Software agents:

  Capture communication and process activities along with software package information to baseline the workload behavior
  Designed to operate within administrator-defined computing SLAs
  Reside outside the data path and do not affect application performance
  Support bare-metal servers, virtual machines, and containers

Other options:

  ERSPAN sensors
  Application Delivery Controller (ADC) sensors—F5, Citrix NetScaler
  NetFlow sensors
  AWS VPC flow logs

Endpoint device and user context

  Either collect telemetry from Cisco AnyConnect® Network Visibility Module (NVM) running on endpoint devices such as laptops, desktops, smart phones, etc., or collect endpoint device information from a Cisco Identity Services Engine (ISE) or VDI environment using Cisco Secure Workload software agents
  Correlate the user data with the user group within an organization
  Define specific policies for segmentation, using user and user group information, that can be enforced on the workloads

Support for data center scalability

  Collect telemetry data from tens of thousands of workloads across a multicloud data center
  Offer microsegmentation and workload protection capability across all workloads
  Flexible and scalable deployment options designed to support large and mega data centers

Deployment models and scale

Cisco Secure Workload offers both Software-as-a-Service (SaaS) and on-premises options allowing customers to choose the model that meets their business needs.

For on-premises deployments, customers can choose a hardware-based appliance model (small or large form factor) depending on the number of workloads in their environment.

To support very large enterprise deployments that could be split across multiple data centers and regions, Secure Workload supports horizontal scaling through federation. Secure Workload also offers Disaster Recovery (DR) capabilities that allow customers to continuously back up Secure Workload data to another data center and to switch to the DR site within minutes in case of a disaster.

Cisco Secure Workload SaaS option

With the Cisco Secure Workload SaaS option, customers can get the benefits of workload protection capabilities without having to deploy the platform on-premises. With this option, Cisco Secure Workload software runs in the cloud, managed and operated by Cisco. The customer is responsible for purchasing the required software subscription licenses and deploying software agents on workloads.

This deployment option is well suited for SaaS-only or SaaS-first customers, because it offers scale flexibility. You can start small and grow as your demand grows. Other benefits of the SaaS option include:

      Significant reduction in TCO (Total Cost of Ownership)

      Faster time to value

Note: This consumption option does not support ingesting telemetry from hardware sensors. It also does not support custom user applications on the platform.

Cisco Secure Workload-M (small form factor) option

The Cisco Secure Workload-M small form factor deployment option consists of 6 servers and 2 Cisco Nexus® 9300 platform switches. It is suitable for data centers that have fewer than 5000 workloads (virtual machine or bare metal or container hosts).

Table 2 shows the verified and supported scale. Table 3 shows the power and cooling requirements for the Cisco Secure Workload-M platform.

Table 2. Cisco Secure Workload-M platform scale

| Platform characteristics | Specification |
|---|---|
| Number of concurrent workloads (virtual machine or bare metal or container host) from which telemetry data can be analyzed | Up to 5000 |
| Number of flow events that can be processed per second | Up to 500,000 per second |

Table 3. Power and cooling specifications for Cisco Secure Workload-M

| Platform requirements | Specification |
|---|---|
| Peak power for Cisco Secure Workload-M (8RU) | 5.5 kW |
| Maximum cooling requirement for Cisco Secure Workload-M (8RU) | 13,500 BTUs per hour |
| Rack specification | https://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/r-series-racks/datasheet-c78-738217.html?cachemode=refresh |

Cisco Secure Workload (large form factor) platform option

This deployment option consists of 36 servers and 3 Cisco Nexus 9300 platform switches. It is suitable for data centers hosting more than 5000 workloads (virtual machine or bare metal or container host).

Table 4 shows the verified and supported scale. Table 5 shows the power and the cooling requirements for the Cisco Secure Workload platform.

Table 4. Cisco Secure Workload platform scale

| Platform characteristics | Specification |
|---|---|
| Number of concurrent workloads (virtual machine or bare metal or container host) from which telemetry data can be analyzed | Up to 25,000 |
| Number of flow events that can be processed per second | Up to 2 million per second |

Table 5. Power and cooling specifications for large form factor

| Platform requirements | Specification |
|---|---|
| Peak power for Cisco Secure Workload - 39-Rack-Unit [39RU] single-rack option* | 22.5 kW |
| Maximum cooling requirements for Cisco Secure Workload - 39RU single-rack option* | 50,000 BTUs per hour |
| Total weight for Cisco Secure Workload - 39RU single-rack option | 1800 lb (800 kg) |
| Power Distribution Unit (PDU) and power supply (39RU single-rack option) | 4 x 3-phase PDUs (current and voltage ratings vary by geography) |
| Peak power for Cisco Secure Workload - 39RU dual-rack option | 11.25 kW per rack (22.5 kW total) |
| Maximum cooling requirement for Cisco Secure Workload - 39RU dual-rack option | 25,000 BTUs per hour per rack |
| Total weight for Cisco Secure Workload - 39RU dual-rack option | 900 lb per rack (400 kg per rack) |
| PDU and power supply - 39RU dual-rack option | 4 x single-phase PDUs per rack (current and voltage ratings vary by geography) |
| Rack specification | https://www.cisco.com/c/en/us/products/collateral/servers-unified-computing/r-series-racks/datasheet-c78-738217.html?cachemode=refresh |

Software licensing

Cisco Secure Workload platform software is licensed based on the number of workload equivalents, depending on the sensor type being used. Telemetry data can be collected using software sensors, supplemented by other supported sensors or collectors, in any combination. Policy enforcement is enabled through software sensors with enforcement capability, with infrastructure enforcement through ADC or via streamed Kafka policy. A workload is defined as a virtual machine, bare-metal server, or container host.

There are two primary license types for Secure Workload (including SaaS and On-Premises deployment options):

      Secure Workload protection license: This license provides workload protection capabilities, including telemetry data collection, application insight, forensics, software vulnerability detections, policy recommendation, policy simulation, policy enforcement, and compliance tracking functions

      Secure Workload endpoint license: This license provides the comprehensive telemetry data collection from a Cisco AnyConnect client installed in the endpoints (laptops, desktops, smartphones, etc.), using an NVM module, software agents on VDI, or any endpoint device managed through Cisco ISE. This provides insights into user, device, group, process ID, process hierarchy, and OS as well as the domain names accessed from the endpoint. Customers must purchase the endpoint visibility license if they want to use the platform’s capability to collect, analyze, and define policies and provide visibility into endpoint device activities. This license can be independent of the workload protection licenses. This does not include any other licenses required to enable AnyConnect NVM, VDI, or Cisco ISE (those licenses need to be purchased separately)

If a customer has multiple Cisco Secure Workload clusters, software licenses can be pooled across those clusters.

If a customer has Cisco Secure Workload SaaS licenses, they cannot be ported over to an on-premises license option or vice versa.

Licensing terms

Secure Workload SaaS deployment:

The SaaS subscription is governed by the Secure Workload SaaS Offer Description (https://www.cisco.com/c/dam/en_us/about/doing_business/legal/OfferDescriptions/cisco_tetration_saas_offer_description.pdf) and the Cisco Universal Cloud Agreement, located at www.cisco.com/go/uca (or similar terms existing between you and Cisco) (the “Agreement”), and any software that you install is licensed under the Cisco End User License Agreement, located at www.cisco.com/go/eula (the “EULA”).

On-premises deployment option:

Secure Workload on-premises subscriptions are governed by the Cisco EULA (see www.cisco.com/go/eula). In addition, Cisco Secure Workload software is subject to the terms of the Cisco Supplemental End User License Agreement (SEULA; see https://www.cisco.com/c/dam/en_us/about/doing_business/legal/docs/cisco-tetration.pdf).

Platform support and compatibility

Tables 6–8 provide operating system support and compatibility information for the Cisco Secure Workload platform.

Table 6.        Supported operating systems for microsegmentation (deep visibility and enforcement) use case:

Server mode

Operating system

Distribution and release

Virtual machines and bare-metal servers

Linux (x86_64 architecture)

  Red Hat Enterprise Linux Release 6.0 and later
  Red Hat Enterprise Linux Release 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9
  Red Hat Enterprise Linux Release 8.0, 8.1, 8.2, 8.3
  CentOS Release 6.0 and later
  CentOS Release 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9
  CentOS Release 8.0, 8.1, 8.2, 8.3
  Oracle Linux Release 6.0 and later
  Oracle Linux Release 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9
  Oracle Linux Release 8.0, 8.1, 8.2, 8.3
  Oracle Linux Release 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7 with Unbreakable Enterprise Kernel (UEK)
  SUSE Linux Release 11.2, 11.3, 11.4
  SUSE Linux Release 12.0, 12.1, 12.2, 12.3, 12.4, 12.5
  SUSE Linux Release 15.0, 15.1, 15.2
  Ubuntu Release 14.04, 16.04, 18.04, 20.04

Unix (ppc 64-bit architecture)

  IBM AIX versions 7.1 and 7.2

Microsoft Windows Server (server core and full desktop)

  Microsoft Windows Server 2008 R2 Standard, Enterprise, Essentials, and Datacenter Editions
  Microsoft Windows Server 2012 Standard, Foundation, Essentials, and Datacenter Editions
  Microsoft Windows Server 2012 R2 Standard, Foundation, Essentials, and Datacenter Editions
  Microsoft Windows Server 2016 Standard, Essentials, and Datacenter Editions
  Microsoft Windows Server 2019 Standard, Essentials and Datacenter Editions

VDI desktop virtual machines

Microsoft Windows Desktop
(VDI use case only)

  Microsoft Windows 8 Desktop
  Microsoft Windows 10 Desktop

Container host

Linux (x86_64 architecture)

  Red Hat Enterprise Linux Release 7.1, 7.2, 7.3, 7.4, 7.7, 7.8, 7.9
  CentOS Release 7.1, 7.2, 7.3, 7.4, 7.7, 7.8, 7.9
  Ubuntu Release 16.04, 20.04

Table 7.        Supported operating systems for visibility only (no enforcement):

Server mode

Operating system

Distribution and release

Virtual machines and bare-metal servers

Microsoft Windows Server (server core and full desktop)

  Microsoft Windows Server 2008 Standard, Datacenter, Enterprise, and Essentials

VDI desktop virtual machines

Microsoft Windows Desktop
(VDI use case only)

  Microsoft Windows 7 Desktop

Table 8.        Supported operating systems for universal software sensors

Server mode

Operating system

Distribution and release

Virtual machines and bare-metal servers

Linux

  Red Hat Enterprise Linux Release 4.0 (32-bit and 64-bit)
  CentOS Release 4.0 (32-bit and 64-bit)
  Red Hat Enterprise Linux Release 5.0 (32-bit)
  CentOS Release 5.0 (32-bit)

Solaris

  Solaris 11.0 (64-bit) on x86 architecture

Microsoft Windows Server

  Microsoft Windows Server (32-bit and 64-bit)

Container microsegmentation requires integration with the orchestration platform. Table 9 below shows the supported orchestrators and corresponding version information. The supported container runtime is Docker.

Table 9. Supported container orchestrator versions

| Orchestrator | Supported version |
|---|---|
| Kubernetes | 1.12 to 1.18 |
| Red Hat OpenShift | 3.11, 4.1, 4.2, 4.3, 4.4, 4.5, and 4.6 |

Ordering information

Table 10 provides hardware and software bundle part numbers for the Cisco Secure Workload option.

Table 10. Hardware and subscription software bundle for Cisco Secure Workload option

| Bundle part number | Part numbers included in bundle | Description |
|---|---|---|
| C1-TETRATION | | Cisco Secure Workload bundle part number that includes the hardware, software subscription license, and Cisco Advanced Services–Fixed (AS-Fixed) service for deployment; AS-Fixed is included at no additional cost |
| | TA-CL-39U-M5-K9 | Secure Workload Gen2 39RU Cluster-supports up to 25K workloads |
| | C1-TA-SW-K9 | Bundle part number for the Cisco Secure Workload software subscription license; see Table 16 for details |
| | ASF-DCV1-TA-QS-M | AS-Fixed part number for Cisco Secure Workload implementation services |

Table 11 provides hardware and software bundle part numbers for the Cisco Secure Workload-M (8RU) option.

Table 11. Hardware and subscription software bundle for Cisco Secure Workload-M option

| Bundle part number | Part numbers included in bundle | Description |
|---|---|---|
| C1-TETRATION-M | | Cisco Secure Workload bundle part number that includes the hardware, software subscription license, and Cisco Advanced Services–Fixed (AS-Fixed) service for deployment; AS-Fixed is included at no additional cost |
| | TA-CL-8U-M5-K9 | Secure Workload Analytics Gen2 8RU Cluster – up to 5K servers |
| | C1-TA-SW-K9 | Bundle part number for the Cisco Secure Workload software subscription license; see Table 16 for details |
| | ASF-DCV1-TA-QS-M | AS-Fixed part number for Cisco Secure Workload implementation services |

Table 12 provides the software bundle part number for the Cisco Secure Workload software subscription license.

Table 12. Bundle for Cisco Secure Workload software subscription only option

| Bundle part number | Part numbers included in bundle | Description |
|---|---|---|
| C1-TETRATION-V | | Cisco Secure Workload bundle part number recommended if only the software subscription license needs to be ordered |
| | C1-TA-SW-K9 | Bundle part number for the Cisco Secure Workload software subscription license. See Table 13 for details |
| | ASF-DCV1-TA-QS-M | Optional AS-Fixed part number for Cisco Secure Workload implementation services |

Table 13 provides subscription software bundle part numbers used for the Cisco Secure Workload platform for on-premises deployment options.

Table 13. Subscription software license for Cisco Secure Workload on-premises deployment options

| Bundle part number | Part numbers included in bundle | Description |
|---|---|---|
| C1-TA-SW-K9 | | Bundle part number for the Cisco Secure Workload software subscription license |
| | C1-TA-CWP-K9 | Cisco Secure Workload on-premises subscription license for workload protection. Minimum quantity is 100 and increments of 1 after that. This license combines previous base and enforcement capabilities. For example, a quantity of 500 will provide the license price for up to 500 workloads |
| | C1-TA-ENDPT-K9 | Cisco Secure Workload endpoint visibility software subscription license is ordered in increments of 1 endpoint. Minimum quantity required is 1000. For example, a quantity of 1505 will provide license price for 1505 endpoint devices tracked through Cisco AnyConnect or Cisco ISE, or VDI Desktops |

 

 

Also note the following additional information about the software subscription license part numbers:

      You can select a 1-year, 3-year, or 5-year subscription term.

      The subscription price includes software support.

      The subscription tier is selected automatically based on the quantity entered.

      You can select the annual billing option or prepay for the entire term.

      You can add more workload instance licenses through subscription modification.

      This software subscription license can be used with both forms of Cisco Secure Workload hardware clusters.

Table 14 provides subscription software bundle part numbers used for the Cisco Secure Workload SaaS deployment option.

Table 14. Software bundle for Cisco Secure Workload SaaS option

| Bundle part number | Part numbers included in bundle | Description |
|---|---|---|
| C1-TAAS-SW-K9 | | Cisco Secure Workload bundle part number that includes the software subscription license for SaaS option |
| | C1-TAAS-WP-FND-K9 | Bundle part number for the Cisco Secure Workload protection subscription license. Minimum quantity is 100 and increments of 1 after that |
| | C1-TAAS-ENDPT-K9 | Cisco Secure Workload endpoint visibility software subscription license for endpoints. Choose a quantity between 1000 and 999999. For example, a quantity of 5000 will provide license price for up to 5000 endpoint devices tracked through Cisco AnyConnect or Cisco ISE, or VDI desktops |

Also note the following additional information about the software subscription license part number:

      You can select a 1-year, 3-year or 5-year subscription term.

      The subscription price includes software support.

      You can select the annual billing, a monthly or quarterly option, or prepay for the entire term.

      You can add more software sensor instance licenses.

      This software subscription license can be used only with a Cisco Secure Workload SaaS deployment.

Your license for Cisco Secure Workload Endpoint software does not include AnyConnect or AnyConnect NVM licenses. You are responsible for acquiring those licenses separately.


 

Put Cisco expertise to work to accelerate adoption

Cisco provides professional and support services, from Advisory, Implementation, and Optimization to ongoing Solution Support, to help organizations get the most value from the Cisco Secure Workload platform. Cisco Services experts help integrate the platform into your production data center environment, define use cases relevant to your business objectives, tune machine learning, and validate policies and compliance to improve application and operation performance. Cisco Solution Support for Cisco Secure Workload provides hardware, software, and solution-level support. We offer a selection of custom and fixed-price, fixed-scope services for Cisco Secure Workload that help you experience faster time to value, comprehensive adoption in your environment, optimized policies and application performance, and solution-wide support.

Cisco environmental sustainability

Information about Cisco’s environmental sustainability policies and initiatives for our products, solutions, operations, and extended operations or supply chain is provided in the “Environment Sustainability” section of Cisco’s Corporate Social Responsibility (CSR) Report.

Reference links to information about key environmental sustainability topics (mentioned in the “Environment Sustainability” section of the CSR Report) are provided in the following table:

| Sustainability topic | Reference |
|---|---|
| Information on product material content laws and regulations | Materials |
| Information on electronic waste laws and regulations, including products, batteries, and packaging | WEEE compliance |

Cisco makes the packaging data available for informational purposes only. It may not reflect the most current legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to date. This information is subject to change without notice.

Cisco Capital

Flexible Payment Solutions to Help You Achieve Your Objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

For more information

For more information about the Cisco Secure Workload platform, please visit https://www.cisco.com/go/Secureworkload or contact your local Cisco account representative.

Document history

| New or revised topic | Described in | Date |
|---|---|---|
| Updated product overview, key features, and benefits and ordering information sections to include the updated content | Product overview, key features and benefits, and ordering information | Jan 30, 2019 |
| Updated supported operating systems for visibility and enforcement, and licensing terms | Ordering information, licensing terms, and supported operating systems | May 13, 2019 |
| Updated the document to include new features, subscription PID updates, and supported operating systems | Features and benefits, ordering information, and supported operating systems | Jul 20, 2019 |
| Updated the agent support matrix, hardware specifications for Secure Workload-V and included rack specifications for 39 RU and 8 RU form factors | Supported operating systems, Cisco Secure Workload virtual option, Cisco Secure Workload large form factor option, and Cisco Secure Workload small form factor option | Feb 24, 2020 |
| Updated document to rephrase terminologies and agent support matrix | Product overview, key features and benefits, and supported operating systems | June 16, 2020 |
| Updated product overview, key features and benefits, and agent support matrix | Product overview, key features and benefits, and supported operating systems | October 6th, 2020 |
| Updated deployment options and scale, agent support matrix and orderability information | | March 2nd, 2021 |

 

