Supported Web Browsers
Secure Workload supports the following web browsers:
- Google Chrome
- Microsoft Edge
Today’s networks include applications running in a hybrid multicloud environment that uses bare metal, virtualization, and cloud-based and container-based workloads. The key challenge in such an environment is improving application and data security without compromising on agility. Cisco Secure Workload provides comprehensive workload protection by bringing security closer to applications and tailoring the security posture to the observed behavior of each application. Secure Workload achieves this tailoring by using advanced machine learning and behavior analysis techniques. It provides a ready-to-use solution to support the following security use cases:
- Implement a zero-trust model with microsegmentation policies that allow only the traffic that is required for business purposes.
- Identify anomalies on workloads using behavioral baselining and analysis.
- Detect Common Vulnerabilities and Exposures (CVEs) in the software packages that are installed on the servers.
- Recommend quarantining servers if vulnerabilities persist after enforcing policies and blocking communication.
Workloads and IP Addresses in Secure Workload
In Cisco Secure Workload, a workload is an IP address. Hosts on which a software agent is installed are called workloads; hosts without an installed agent are called IP addresses.
Note: To view the End User License Agreement and Supplemental End User License Agreement for your product, see End User License Agreement and Supplemental End User License Agreements.
An optional wizard can guide you through creating the first branch of your scope tree, which is a first step toward generating and enforcing policies for an application you choose. The wizard introduces the concepts and benefits of labels and scopes.
The following user roles can access the wizard:
- Site administrator
- Technical support
- Root scope owner
To access the wizard, do any one of the following:
- Sign in to Cisco Secure Workload.
- Click the link in the blue banner. The blue banner appears at the top of all pages.
- Choose Overview from the main menu.
Note: You cannot access the wizard if scopes are already defined in . Delete the existing scopes to access the wizard.
Use the high-level procedures given here to set up segmentation and microsegmentation policies using Secure Workload.
The intent of segmentation and microsegmentation is to allow only the traffic that is required for business purposes and to block all other traffic.
Step 1: Ensure that Secure Workload supports the platforms and versions that your workloads are running on, and the systems that provide essential information to your policies. See Secure Workload Compatibility Matrix.
Step 2: Install agents on workloads. Agents gather flow data and other information that Secure Workload requires to group workloads and determine appropriate policies. The agents also enforce approved policies. For more information, including links to lists of supported platforms and requirements, see Deploying Software Agents.
Step 3: Gather or upload labels that describe your workloads. Labels let you easily understand the purpose of each workload and provide other key information about each workload. You need this information to group workloads, apply appropriate policies, and understand the policies that Secure Workload suggests. Labels are the foundation of maintaining groups that simplify policy management. For more information, see Workload Labels and Importing Custom Labels.
Step 4: Create a scope tree based on your workload labels. The logical groups of workloads that labels help you create are called scopes, and a well-chosen set of labels helps you create a hierarchical map of your network called a scope tree. This hierarchical view of the workloads on your network is key to efficiently creating and maintaining policies. The hierarchical view enables you to create a policy once and apply it automatically to every workload on that branch of the tree. The view also lets you delegate responsibility for certain applications (or parts of your network) to people who have the expertise needed to determine the correct policies for those workloads. You can query workloads and group them into scopes based on their labels. For example, you can create a scope called Email-app that includes all of the workloads that have the labels Application = Email-app and Environment = Production. You can create a parent scope for the Application = Email-app scope by using the query Environment = Production. The Production scope includes the production Email-app and all other workloads labeled with Environment = Production. For more information, see Scopes and Inventory. If you have not yet created any scopes, you can use the Quick Start wizard to create a scope tree. For more information, see Quick Start Wizard.
Step 5: Create a workspace for each scope for which you want to create policies. The workspace is where you manage policies for the workloads in that scope. For more information, see Workspaces.
Step 6: Manually create policies that apply across your network. For example, you might want to allow access from all internal workloads to your NTP server, and deny all external traffic, or deny access from all non-internal hosts unless explicitly permitted. Policies can be absolute, meaning that they cannot be overridden by more specific policies, or default, meaning that they can be overridden by more specific policies. For more information, see Manually Create Policies. Secure Workload has policy templates that make policy creation easier. For more information, see Policy Templates. You can enforce manually created policies without waiting for the policies to be discovered. For more information, see Enforce Policies.
Step 7: Automatically discover policies based on existing traffic patterns. Secure Workload analyzes traffic between workloads, groups workloads based on their behavior, and suggests a set of policies that are intended to allow the traffic that your organization needs, so you can block all other traffic. Analysis of more data flow over a longer time period leads to more accurate policy suggestions. You can discover policies iteratively. (There is more information about this later in this procedure.) For more information, see Automatic Policy Discovery and Discover Policies for One Scope or for a Branch of the Scope Tree.
Step 8: Review and analyze your policies. Examine your policies carefully to ensure that they have the effects you expect and that there are no unintended side effects. Work with subject-matter experts and application owners in your organization to understand the needs of the organization and the appropriateness of suggested policies.
Step 9: Iteratively discover policies as needed. More traffic flow produces more accurate policy suggestions. For example, for a monthly report, even three weeks' worth of data may not capture all essential traffic. Continue to discover policies and review and analyze new policy suggestions. Each discovery run suggests policies based on the current traffic flows. You can also iteratively discover policies to capture changes in policy discovery settings and approved clusters. For more information, see Iteratively Revise Policies. Before you re-run automatic policy discovery, ensure that you approve the policies and clusters that you want to retain. Each time you re-discover policies, you must review and analyze them.
Step 10: When you are ready, enforce policies. After you have determined that the policies associated with a workspace (and hence, the associated scope) are appropriate and will block unwanted traffic while not interrupting essential services, you can enforce those policies. You can iteratively enforce policies; for example, you might initially enforce just the manually created policies in scopes near the top of your tree, then over time, enforce discovered policies in scopes lower in the tree. For more information, see Enforce Policies.
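The scope tree from Step 4 and the absolute/default policy types from Step 6 can be modelled in a few lines. The following is an added example written for this page, not Cisco code or the Secure Workload API: the inventory, label queries, scope names and port numbers are constructed, and two points are assumptions consistent with the text (a child scope only contains workloads that also match its parent's query, and traffic matched by no policy falls to a catch-all deny).

```python
# Toy model of Secure Workload scopes and policy precedence (added example, not
# Cisco code). All workloads, labels, queries and ports below are constructed.
from dataclasses import dataclass, field

# Constructed inventory: each workload is an IP address with its labels.
INVENTORY = {
    "10.0.1.10": {"Application": "Email-app", "Environment": "Production"},
    "10.0.1.11": {"Application": "Email-app", "Environment": "Production"},
    "10.0.2.20": {"Application": "Email-app", "Environment": "Non-Production"},
    "10.0.3.30": {"Application": "HR-app",    "Environment": "Production"},
}

@dataclass
class Scope:
    name: str
    query: dict                     # label == value conditions; all must match
    parent: "Scope | None" = None
    policies: list = field(default_factory=list)   # (kind, action, port)

    def members(self, inventory):
        """IPs whose labels satisfy this scope's query and every ancestor's query
        (assumption: a child scope can only contain its parent's workloads)."""
        out = []
        for ip, labels in inventory.items():
            node, ok = self, True
            while node is not None and ok:
                ok = all(labels.get(k) == v for k, v in node.query.items())
                node = node.parent
            if ok:
                out.append(ip)
        return sorted(out)

def effective_action(scope, port):
    """Absolute policies are matched from the root scope down and win outright;
    default policies are matched from the leaf up, so a more specific scope's
    default policy overrides an ancestor's. Unmatched traffic hits a catch-all
    deny (assumption for this toy model)."""
    chain = []                                   # leaf ... root
    while scope is not None:
        chain.append(scope)
        scope = scope.parent
    for s in reversed(chain):                    # absolute: root first
        for kind, action, p in s.policies:
            if kind == "absolute" and p == port:
                return action
    for s in chain:                              # default: most specific first
        for kind, action, p in s.policies:
            if kind == "default" and p == port:
                return action
    return "deny"

# Production allows NTP absolutely and denies SMTP by default; the Email-app
# child scope tries to override both, which only works for the default policy.
prod = Scope("Production", {"Environment": "Production"},
             policies=[("absolute", "allow", 123), ("default", "deny", 25)])
email = Scope("Email-app", {"Application": "Email-app", "Environment": "Production"},
              parent=prod, policies=[("default", "allow", 25), ("default", "deny", 123)])
```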
Step 1: Gather the IP addresses of workloads on your network. For each workload, you will also want the application name, application owner, environment (production or non-production), and other information, such as geographical region, that will determine the policies to be applied. If you do not have a Configuration Management Database (CMDB), you can collect this information in a spreadsheet. To get started, choose a single application that you can focus on.
Step 2: Install agents on supported bare-metal-based or virtual workloads. For more information, see Deploying Software Agents.
Step 3: Upload labels that describe these workloads. For more information, see Workload Labels and Importing Custom Labels. Optionally, you can run the Quick Start wizard to create labels and the first branch of your scope tree. For more information about the wizard, see Quick Start Wizard.
Step 4: If needed, create or update your scope tree based on your labels. For more information, see Scopes and Inventory.
Step 5: Create a workspace for each scope for which you want to apply policies. For more information, see Workspaces.
Step 6: Create manual policies that apply across your network. For more information, see Manually Create Policies.
Step 7: For more information on platform-specific policies, see Platform-Specific Policies.
Step 8: Automatically discover policies in workspaces associated with lower-level scopes. For more information, see Automatic Policy Discovery and subtopics.
Step 9: Review and analyze the suggested policies. For more information, see Review and Analyze Policies and subtopics.
Step 10: Iteratively discover policies as needed. For more information, see Iteratively Revise Policies and subtopics.
Step 11: When you are ready, enforce the policies. You can enforce policies when you are satisfied with the behavior of the policies in each workspace. You must enforce policies both in the workspace and in the agent configuration. For more information, see Enforce Policies.
Step 1: Install agents on your cloud-based workloads, if required. Cloud connectors provide VPC/VNet-level granularity in policy discovery and enforcement. Install agents on supported platforms if you require policy discovery and enforcement at a more granular level. Install agents based on the operating system on which your cloud service is running. For more information, see Deploying Software Agents.
Step 2: Set up cloud connectors to gather labels and flow data. For more information, see:
Step 3: Create workspaces for the scopes created by the connector. For more information, see Workspaces.
Step 4: Automatically discover policies. Discover policies for each VPC/VNet-defined scope and, if applicable, for more granular scopes. For more information, see Automatic Policy Discovery.
Step 5: Review and analyze the suggested policies. See Review and Analyze Policies and subtopics.
Step 6: Iteratively discover policies as needed. See Iteratively Revise Policies and subtopics.
Step 7: Approve and enforce policies for each scope. You must enable enforcement in the applicable workspace and in the connector for each VPC or VNet, and for any agents installed on individual workloads.
Step 1: Install agents on Kubernetes-based workloads. Ensure that you check the requirements and prerequisites. For more information, see Kubernetes/Openshift Agents - Deep Visibility and Enforcement. Agents are automatically installed on all future workloads managed by the applicable Kubernetes service.
Step 2: Gather labels for your Kubernetes-based workloads. For more information on:
Step 3: Create or update your scope tree based on your labels. For more information, see Scopes and Inventory.
Step 4: Create a workspace for each scope for which you want to apply policies. For more information, see Workspaces.
Step 5: Automatically discover policies for each low-level scope. For more information, see Automatic Policy Discovery.
Step 6: For more information on applicable additional options, see Platform-Specific Policies.
Step 7: Review and analyze the suggested policies. For more information, see Review and Analyze Policies.
Step 8: Iteratively discover, review, and analyze policies as needed. For more information, see Iteratively Revise Policies.
Step 9: When you are ready, approve and enforce policies for each scope. You must enable policy enforcement in the workspace and for the agents. For more information, see Enforce Policies and Enforcement on Containers.