Cisco Secure Workload (formerly Tetration) seamlessly delivers a zero-trust approach to securing your application workloads across any cloud and on-premises data center environments by reducing the attack surface, preventing lateral movement, identifying workload behavior anomalies, and remediating threats quickly.
Traditionally in IT, we’ve had an infrastructure-centric view of the universe. Our most valuable data was contained in the data center, so our job was to let good traffic in and keep bad actors out. And our tool of choice was the firewall.
In today’s organizations, the center of gravity has shifted decidedly in favor of applications. Applications are critical to how you engage with customers, run your operations, and get paid. But the constant proliferation and dynamic nature of these applications have led to an unprecedented security challenge for IT professionals.
Applications are distributed. They’re deployed both on-premises and in the cloud, or across multiple clouds, and critical workloads are no longer tidily kept in the data center where they can be protected by a perimeter firewall. In some ways, there is no more perimeter. To respond to this app-centric world, you need a security solution that can bring security closer to the applications using a “new firewall” that surrounds each and every workload, allowing you to protect what matters most to you—your applications and your data.
With Cisco Secure Workload, you can secure your applications by creating firewalls at the workload level across your entire infrastructure consistently, whether these are deployed on bare-metal servers, virtual machines, or containers.
Secure Workload helps to deliver zero-trust application security, reduce risk, and maintain compliance with:
● Automatically generated microsegmentation policies through comprehensive analysis of application communication patterns and dependencies
● Dynamic attribute-based policy definition with a hierarchical policy model to deliver comprehensive controls across multiple user groups with role-based access control
● Consistent policy enforcement at scale through distributed control of native host firewalls and infrastructure, including ADCs (application delivery controllers) and firewalls
● Near real-time compliance monitoring of all communications to identify and alert against policy violation or potential compromise
● Workload behavior baselining and proactive anomaly detection
● Common vulnerability detection with dynamic mitigation and threat-based quarantine
Figure 1. Multidimensional workload protection approach using Cisco Secure Workload
By using this multidimensional workload protection approach (Figure 1), Cisco Secure Workload significantly reduces the attack surface, minimizes lateral movement in case of security incidents, and quickly identifies anomalous behaviors within the data center.
To learn more about workload protection capabilities, refer to the Cisco Secure Workload Platform for Workload Protection data sheet: www.cisco.com/c/en/us/products/collateral/data-center-analytics/Secure Workload-analytics/datasheet-c78-740328.html.
Table 1 lists the main features and benefits of the Cisco Secure Workload platform.
Table 1. Cisco Secure Workload platform primary features and benefits
Feature | Benefit
Zero-trust model using microsegmentation:
● Make implementing microsegmentation within your environment a reality
● Secure Workload’s automated approach helps accelerate deployment of microsegmentation
● Secure hybrid multicloud workloads and contain lateral movement using microsegmentation
Extend policy definitions based on additional context:
● Eliminate time-consuming manual creation of resource lists to segment applications
● Define microsegmentation default and absolute policies using asset tags
● Quickly develop consistent policies for applications using real-time asset tagging:
◦ Associate rich business context with the servers
● Define policies based on users and user groups that need access
One-click policy enforcement across a multicloud data center:
● Enforce the security framework using application segmentation and reduce the surface vulnerable to attack
● Enforce policies with a single click, using the native mechanisms in Linux and Microsoft Windows environments to enforce security policy
● Normalize the policy for each server, eliminating the need for manual intervention to identify the policy for each server
Defense in depth:
● Enforce segmentation and security policies simultaneously on Cisco Secure Firewalls through integration with Cisco Firepower Management Center
Detect policy noncompliance events:
● Track application policy compliance in real time
● Enable alerts for compliance events that can then be integrated with SIEM systems for investigation and remediation
Identification of workload behavior deviations:
● Baseline the behavior of the workloads based on communication activities and processes on the workloads
● Proactively detect anomalous behavior and identify indicators of compromise
● Enable alerts for such events to be integrated with your SIEM systems for further security incident handling
Software vulnerability detection:
● Get a baseline software inventory and the version information installed on servers
● Quickly identify whether any of the package versions have known vulnerabilities or exposures, along with the severity
● Get an accurate inventory of all the servers that have the vulnerable package
● Tie this information to a policy that designates a specific action, such as quarantining a specific server
Flexible telemetry collection options:
Software agents:
● Capture communication and process activities along with software package information to baseline the workload behavior
● Designed to operate within administrator-defined computing SLAs
● Reside outside the data path and do not affect application performance
● Support bare-metal servers, virtual machines, and containers
Other options:
● ERSPAN sensors
● Application Delivery Controller (ADC) sensors (F5, Citrix NetScaler)
● NetFlow sensors
● AWS VPC flow logs
Endpoint device and user context:
● Either collect telemetry from the Cisco AnyConnect® Network Visibility Module (NVM) running on endpoint devices such as laptops, desktops, and smartphones, or collect endpoint device information from Cisco Identity Services Engine (ISE) or a VDI environment using Cisco Secure Workload software agents
● Correlate the user data with the user group within an organization
● Define specific policies for segmentation, using user and user group information, that can be enforced on the workloads
Support for data center scalability:
● Collect telemetry data from tens of thousands of workloads across a multicloud data center
● Offer microsegmentation and workload protection capability across all workloads
● Flexible and scalable deployment options designed to support large and mega data centers
Cisco Secure Workload offers both Software-as-a-Service (SaaS) and on-premises options allowing customers to choose the model that meets their business needs.
For on-premises deployments, customers can choose a hardware-based appliance model (small or large form factor) depending on the number of workloads in their environment.
In order to support very large enterprise deployments that could be split across multiple data centers and regions, Secure Workload supports horizontal scaling through federation. Secure Workload also offers Disaster Recovery (DR) capabilities that allow customers to continuously back up Secure Workload data to another data center and be able to switch to the DR site in case of a disaster in minutes.
Cisco Secure Workload SaaS option
With the Cisco Secure Workload SaaS option, customers can get the benefits of workload protection capabilities without having to deploy the platform on-premises. With this option, Cisco Secure Workload software runs in the cloud, managed and operated by Cisco. The customer is responsible for purchasing the required software subscription licenses and deploying software agents on workloads.
This deployment option is well suited for SaaS-only or SaaS-first customers, because it offers scale flexibility. You can start small and grow as your demand grows. Other benefits of the SaaS option include:
● Significant reduction in TCO (Total Cost of Ownership)
● Faster time to value
Note: This consumption option does not support ingesting telemetry from hardware sensors. It also does not support custom user applications on the platform.
Cisco Secure Workload-M (small form factor) option
The Cisco Secure Workload-M small form factor deployment option consists of 6 servers and 2 Cisco Nexus® 9300 platform switches. It is suitable for data centers that have fewer than 5000 workloads (virtual machine or bare metal or container hosts).
Table 2 shows the verified and supported scale. Table 3 shows the power and cooling requirements for the Cisco Secure Workload-M platform.
Table 2. Cisco Secure Workload-M platform scale
Platform characteristics | Specification
Number of concurrent workloads (virtual machine or bare metal or container host) from which telemetry data can be analyzed | Up to 5000
Number of flow events that can be processed per second | Up to 500,000 per second
Table 3. Power and cooling specifications for Cisco Secure Workload-M
Platform requirements | Specification
Peak power for Cisco Secure Workload-M (8RU) | 5.5 kW
Maximum cooling requirement for Cisco Secure Workload-M (8RU) | 13,500 BTUs per hour
Rack specification |
Cisco Secure Workload (large form factor) platform option
This deployment option consists of 36 servers and 3 Cisco Nexus 9300 platform switches. It is suitable for data centers hosting more than 5000 workloads (virtual machine or bare metal or container host).
Table 4 shows the verified and supported scale. Table 5 shows the power and the cooling requirements for the Cisco Secure Workload platform.
Table 4. Cisco Secure Workload platform scale
Platform characteristics | Specification
Number of concurrent workloads (virtual machine or bare metal or container host) from which telemetry data can be analyzed | Up to 25,000
Number of flow events that can be processed per second | Up to 2 million per second
Table 5. Power and cooling specifications for large form factor
Platform requirements | Specification
Peak power for Cisco Secure Workload - 39-Rack-Unit [39RU] single-rack option* | 22.5 kW
Maximum cooling requirements for Cisco Secure Workload - 39RU single-rack option* | 50,000 BTUs per hour
Total weight for Cisco Secure Workload - 39RU single-rack option | 1800 lb (800 kg)
Power Distribution Unit (PDU) and power supply (39RU single-rack option) | 4 x 3-phase PDUs (current and voltage ratings vary by geography)
Peak power for Cisco Secure Workload - 39RU dual-rack option | 11.25 kW per rack (22.5 kW total)
Maximum cooling requirement for Cisco Secure Workload - 39RU dual-rack option | 25,000 BTUs per hour per rack
Total weight for Cisco Secure Workload - 39RU dual-rack option | 900 lb per rack (400 kg per rack)
PDU and power supply - 39RU dual-rack option | 4 x single-phase PDUs per rack (current and voltage ratings vary by geography)
Rack specification |
Cisco Secure Workload platform software is licensed based on the number of workload equivalents, which depends on the sensor type being used. Telemetry data can be collected using software sensors, other supported sensors, or collectors, in any combination. Policy enforcement is delivered through software sensors with enforcement capability, with infrastructure enforcement through an ADC or via a streamed Kafka policy. A workload is defined as a virtual machine, bare-metal server, or container host.
There are two primary license types for Secure Workload (including SaaS and On-Premises deployment options):
● Secure Workload protection license: This license provides workload protection capabilities, including telemetry data collection, application insight, forensics, software vulnerability detections, policy recommendation, policy simulation, policy enforcement, and compliance tracking functions
● Secure Workload endpoint license: This license provides the comprehensive telemetry data collection from a Cisco AnyConnect client installed in the endpoints (laptops, desktops, smartphones, etc.), using an NVM module, software agents on VDI, or any endpoint device managed through Cisco ISE. This provides insights into user, device, group, process ID, process hierarchy, and OS as well as the domain names accessed from the endpoint. Customers must purchase the endpoint visibility license if they want to use the platform’s capability to collect, analyze, and define policies and provide visibility into endpoint device activities. This license can be independent of the workload protection licenses. This does not include any other licenses required to enable AnyConnect NVM, VDI, or Cisco ISE (those licenses need to be purchased separately)
If a customer has multiple Cisco Secure Workload clusters, software licenses can be pooled across those clusters.
If a customer has Cisco Secure Workload SaaS licenses, they cannot be ported over to an on-premises license option or vice versa.
Licensing terms
Secure Workload SaaS deployment:
The SaaS subscription is governed by the Secure Workload SaaS Offer Description (https://www.cisco.com/c/dam/en_us/about/doing_business/legal/OfferDescriptions/cisco_tetration_saas_offer_description.pdf) and the Cisco Universal Cloud Agreement, located at www.cisco.com/go/uca (or similar terms existing between you and Cisco) (the “Agreement”), and any software that you install is licensed under the Cisco End User License Agreement, located at www.cisco.com/go/eula (the “EULA”).
On-premises deployment option:
Secure Workload on-premises subscriptions are governed by the Cisco EULA (see www.cisco.com/go/eula). In addition, Cisco Secure Workload software is subject to the terms of the Cisco Supplemental End User License Agreement (SEULA; see https://www.cisco.com/c/dam/en_us/about/doing_business/legal/docs/cisco-tetration.pdf).
Platform support and compatibility
Tables 6–8 provide operating system support and compatibility information for the Cisco Secure Workload platform.
Table 6. Supported operating systems for microsegmentation (deep visibility and enforcement) use case
Server mode | Operating system | Distribution and release
Virtual machines and bare-metal servers | Linux (x86_64 architecture):
● Red Hat Enterprise Linux Release 6.0 and later
● Red Hat Enterprise Linux Release 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9
● Red Hat Enterprise Linux Release 8.0, 8.1, 8.2, 8.3
● CentOS Release 6.0 and later
● CentOS Release 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9
● CentOS Release 8.0, 8.1, 8.2, 8.3
● Oracle Linux Release 6.0 and later
● Oracle Linux Release 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7, 7.8, 7.9
● Oracle Linux Release 8.0, 8.1, 8.2, 8.3
● Oracle Linux Release 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7 with Unbreakable Enterprise Kernel (UEK)
● SUSE Linux Release 11.2, 11.3, 11.4
● SUSE Linux Release 12.0, 12.1, 12.2, 12.3, 12.4, 12.5
● SUSE Linux Release 15.0, 15.1, 15.2
● Ubuntu Release 14.04, 16.04, 18.04, 20.04
Virtual machines and bare-metal servers | Unix (ppc 64-bit architecture):
● IBM AIX versions 7.1 and 7.2
Virtual machines and bare-metal servers | Microsoft Windows Server (server core and full desktop):
● Microsoft Windows Server 2008 R2 Standard, Enterprise, Essentials, and Datacenter Editions
● Microsoft Windows Server 2012 Standard, Foundation, Essentials, and Datacenter Editions
● Microsoft Windows Server 2012 R2 Standard, Foundation, Essentials, and Datacenter Editions
● Microsoft Windows Server 2016 Standard, Essentials, and Datacenter Editions
● Microsoft Windows Server 2019 Standard, Essentials, and Datacenter Editions
VDI desktop virtual machines | Microsoft Windows Desktop:
● Microsoft Windows 8 Desktop
● Microsoft Windows 10 Desktop
Container host | Linux (x86_64 architecture):
● Red Hat Enterprise Linux Release 7.1, 7.2, 7.3, 7.4, 7.7, 7.8, 7.9
● CentOS Release 7.1, 7.2, 7.3, 7.4, 7.7, 7.8, 7.9
● Ubuntu Release 16.04, 20.04
Table 7. Supported operating systems for visibility only (no enforcement)
Server mode | Operating system | Distribution and release
Virtual machines and bare-metal servers | Microsoft Windows Server (server core and full desktop):
● Microsoft Windows Server 2008 Standard, Datacenter, Enterprise, and Essentials
VDI desktop virtual machines | Microsoft Windows Desktop:
● Microsoft Windows 7 Desktop
Table 8. Supported operating systems for universal software sensors
Server mode | Operating system | Distribution and release
Virtual machines and bare-metal servers | Linux:
● Red Hat Enterprise Linux Release 4.0 (32-bit and 64-bit)
● CentOS Release 4.0 (32-bit and 64-bit)
● Red Hat Enterprise Linux Release 5.0 (32-bit)
● CentOS Release 5.0 (32-bit)
Virtual machines and bare-metal servers | Solaris:
● Solaris 11.0 (64-bit) on x86 architecture
Virtual machines and bare-metal servers | Microsoft Windows Server:
● Microsoft Windows Server (32-bit and 64-bit)
Container microsegmentation requires integration with the orchestration platform. Table 9 shows the supported orchestrators and corresponding version information. The supported container runtime is Docker.
Table 9. Supported container orchestrator versions
Orchestrator | Supported version
Kubernetes | 1.12 to 1.18
Red Hat OpenShift | 3.11, 4.1, 4.2, 4.3, 4.4, 4.5, and 4.6
Ordering information
Table 10 provides hardware and software bundle part numbers for the Cisco Secure Workload option.
Table 10. Hardware and subscription software bundle for Cisco Secure Workload option
Bundle part number | Part numbers included in bundle | Description
C1-TETRATION | | Cisco Secure Workload bundle part number that includes the hardware, software subscription license, and Cisco Advanced Services–Fixed (AS-Fixed) service for deployment; AS-Fixed is included at no additional cost
 | TA-CL-39U-M5-K9 | Secure Workload Gen2 39RU cluster; supports up to 25K workloads
 | C1-TA-SW-K9 | Bundle part number for the Cisco Secure Workload software subscription license; see Table 13 for details
 | ASF-DCV1-TA-QS-M | AS-Fixed part number for Cisco Secure Workload implementation services
Table 11 provides hardware and software bundle part numbers for the Cisco Secure Workload-M (8RU) option.
Table 11. Hardware and subscription software bundle for Cisco Secure Workload-M option
Bundle part number | Part numbers included in bundle | Description
C1-TETRATION-M | | Cisco Secure Workload bundle part number that includes the hardware, software subscription license, and Cisco Advanced Services–Fixed (AS-Fixed) service for deployment; AS-Fixed is included at no additional cost
 | TA-CL-8U-M5-K9 | Secure Workload Analytics Gen2 8RU cluster; supports up to 5K servers
 | C1-TA-SW-K9 | Bundle part number for the Cisco Secure Workload software subscription license; see Table 13 for details
 | ASF-DCV1-TA-QS-M | AS-Fixed part number for Cisco Secure Workload implementation services
Table 12 provides the software bundle part number for the Cisco Secure Workload software subscription license.
Table 12. Bundle for Cisco Secure Workload software subscription only option
Bundle part number | Part numbers included in bundle | Description
C1-TETRATION-V | | Cisco Secure Workload bundle part number recommended if only the software subscription license needs to be ordered
 | C1-TA-SW-K9 | Bundle part number for the Cisco Secure Workload software subscription license; see Table 13 for details
 | ASF-DCV1-TA-QS-M | Optional AS-Fixed part number for Cisco Secure Workload implementation services
Table 13 provides subscription software bundle part numbers used for the Cisco Secure Workload platform for on-premises deployment options.
Table 13. Subscription software license for Cisco Secure Workload on-premises deployment options
Bundle part number | Part numbers included in bundle | Description
C1-TA-SW-K9 | | Bundle part number for the Cisco Secure Workload software subscription license
 | C1-TA-CWP-K9 | Cisco Secure Workload on-premises subscription license for workload protection. Minimum quantity is 100 and increments of 1 after that. This license combines the previous base and enforcement capabilities. For example, a quantity of 500 will provide the license price for up to 500 workloads
 | C1-TA-ENDPT-K9 | Cisco Secure Workload endpoint visibility software subscription license, ordered in increments of 1 endpoint. Minimum quantity required is 1000. For example, a quantity of 1505 will provide the license price for 1505 endpoint devices tracked through Cisco AnyConnect, Cisco ISE, or VDI desktops
Also note the following additional information about the software subscription license part numbers:
● You can select a 1-year, 3-year, or 5-year subscription term.
● The subscription price includes software support.
● The subscription tier is selected automatically based on the quantity entered.
● You can select the annual billing option or prepay for the entire term.
● You can add more workload instance licenses through subscription modification.
● This software subscription license can be used with both forms of Cisco Secure Workload hardware clusters.
Table 14 provides subscription software bundle part numbers used for the Cisco Secure Workload SaaS deployment option.
Table 14. Software bundle for Cisco Secure Workload SaaS option
Bundle part number | Part numbers included in bundle | Description
C1-TAAS-SW-K9 | | Cisco Secure Workload bundle part number that includes the software subscription license for the SaaS option
 | C1-TAAS-WP-FND-K9 | Bundle part number for the Cisco Secure Workload protection subscription license. Minimum quantity is 100 and increments of 1 after that
 | C1-TAAS-ENDPT-K9 | Cisco Secure Workload endpoint visibility software subscription license for endpoints. Choose a quantity between 1000 and 999999. For example, a quantity of 5000 will provide the license price for up to 5000 endpoint devices tracked through Cisco AnyConnect, Cisco ISE, or VDI desktops
Also note the following additional information about the software subscription license part number:
● You can select a 1-year, 3-year or 5-year subscription term.
● The subscription price includes software support.
● You can select the annual billing, a monthly or quarterly option, or prepay for the entire term.
● You can add more software sensor instance licenses.
● This software subscription license can be used only with a Cisco Secure Workload SaaS deployment.
Your license for Cisco Secure Workload Endpoint software does not include AnyConnect or AnyConnect NVM licenses. You are responsible for acquiring those licenses separately.
Put Cisco expertise to work to accelerate adoption
Cisco provides professional and support services, from Advisory, Implementation, and Optimization to ongoing Solution Support, to help organizations get the most value from the Cisco Secure Workload platform. Cisco Services experts help integrate the platform into your production data center environment, define use cases relevant to your business objectives, tune machine learning, and validate policies and compliance to improve application and operational performance. Cisco Solution Support for Cisco Secure Workload provides hardware, software, and solution-level support. We offer a selection of custom and fixed-price, fixed-scope services for Cisco Secure Workload that help you achieve faster time to value, comprehensive adoption in your environment, optimized policies and application performance, and solution-wide support.
Cisco environmental sustainability
Information about Cisco’s environmental sustainability policies and initiatives for our products, solutions, operations, and extended operations or supply chain is provided in the “Environment Sustainability” section of Cisco’s Corporate Social Responsibility (CSR) Report.
Reference links to information about key environmental sustainability topics (mentioned in the “Environment Sustainability” section of the CSR Report) are provided in the following table:
Sustainability topic | Reference
Information on product material content laws and regulations |
Information on electronic waste laws and regulations, including products, batteries, and packaging |
Cisco makes the packaging data available for informational purposes only. It may not reflect the most current legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to date. This information is subject to change without notice.
Flexible Payment Solutions to Help You Achieve Your Objectives
Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.
For more information about the Cisco Secure Workload platform, please visit https://www.cisco.com/go/Secureworkload or contact your local Cisco account representative.
New or revised topic | Described in | Date
Updated product overview, key features and benefits, and ordering information sections to include the updated content | Product overview, key features and benefits, and ordering information | Jan 30, 2019
Updated supported operating systems for visibility and enforcement, and licensing terms | Ordering information, licensing terms, and supported operating systems | May 13, 2019
Updated the document to include new features, subscription PID updates, and supported operating systems | Features and benefits, ordering information, and supported operating systems | Jul 20, 2019
Updated the agent support matrix, hardware specifications for Secure Workload-V, and included rack specifications for 39 RU and 8 RU form factors | Supported operating systems, Cisco Secure Workload virtual option, Cisco Secure Workload large form factor option, and Cisco Secure Workload small form factor option | Feb 24, 2020
Updated document to rephrase terminologies and agent support matrix | Product overview, key features and benefits, and supported operating systems | June 16, 2020
Updated product overview, key features and benefits, and agent support matrix | Product overview, key features and benefits, and supported operating systems | October 6th, 2020
Updated deployment options and scale, agent support matrix, and orderability information | | March 2nd, 2021