Indonesia, Jakarta . 9 April 2019 #CiscoConnectID · “Server workloads in hybrid data centers...
Indonesia, Jakarta . 9 April 2019
#CiscoConnectID
Monitoring & Protecting the Workload
How to Protect your Multicloud?
Nuttee Jirattivongvibul, DC Technical Solution Architect, Cisco Systems
APPLICATIONS
WORKLOADS
OPEX
“Server workloads in hybrid data centers spanning private and public clouds require a protection strategy different from end-user-facing devices. Security and risk management leaders should evaluate and deploy offerings specifically designed for cloud workload protection.”
Gartner
I’ve already invested in many security vendors …
• Attacks are mainly driven by application vulnerabilities, not network
• In most cases the port will be legitimately open
• Apache Struts?
• What about attacks coming from other workloads on the same hypervisor?
• Spectre / Meltdown?
• Hybrid Cloud environment – How to protect your workload?
• Containers environment – scale?
Where is it coming from?
How can we secure our workload?
What if you could actually protect all your workloads in a hybrid cloud environment with full visibility?
How to protect workload?
Who is talking to who?
Vulnerability and attack surface
Baseline
Visibility
Threat detection, blocking, and automated response
Threat Detection
Whitelist Policy and enforcement
Segmentation
Integrated
The Traditional Approach
Gather Data
Analyze the Data
100 Billion Events in 3 Months
Implement the Policy 1 Year Later?
Troubleshooting? Apps evolved?
[Diagram: the "App Guy" view of the estate: VMware, Hyper-V, Mainframes, DC Firewalls, AWS with DirectConnect, Campus, Containers; an AWS security group containing a struts server, a db server and a file server]
Segmenting your network
Policy Enforcement into Cloud?
Application dependency between clouds?
AWS: By default, each security group supports up to 50 rules and each network interface can have up to 5 security groups, for a maximum of 250 rules per interface. If your AWS network is in EC2-Classic, there is a maximum of 500 security groups per region for each account.
Azure: The default limit for Network Security Groups (NSG) is 100 and can be increased up to 400. The default limit for rules per NSG is 200 and can be increased up to 1000.
GCP: Firewall rules: the maximum number of stateful connections per VM is 130,000 by default.
Policy enforcement
How can we enforce this type of policy on our switches? Which switches can survive?
How can we maintain these policies consistently across clouds?
Tetration
The Strategy – Defense in depth
[Diagram: Zone-Based (North-South) enforcement at the perimeter and Host-Based enforcement on the workload; an AWS security group containing a struts server and a db server]
Cisco Tetration platform
Hybrid cloud workload protection approach
Communication control
• Visibility and ADM
• Automated whitelist policy based on application behavior
• Policy enforcement to enable segmentation
• Tracking of policy compliance
• Outlier detection
• IP Blacklist Blocking using Zeus, Bogon Cymru or manual
App behavior detection
• Process hash, lineage, attributes
• New command, new user
• Account modification
• Privilege escalation
• Shell-code execution
• Raw sockets
Security Grade
• Installed package tracking
• Weekly CVE tracking
• Vulnerability scoring
• Threat intelligence ingestion
• Process Inventory and outlier
• Security Dashboard with Data Leak Detection, Process anomaly, Security Events, Attack Surface, Policy Violation
Demo 1 - Tetration Host-Based Segmentation
Multicloud, Platform-Agnostic Segmentation and Enforcement
Why AppDynamics?
Leader in Gartner Magic Quadrant for APM
Best Analytics Platform for Applications at Scale
Brings App Dev, IT Ops and Business Together
Blue Chip Enterprise Customer Base
Flexible Option Cloud, On-Prem, Hybrid
AppDynamics - Application Insights in Real Time at Scale
AppDynamics – Faster Time to Value and Flexibility
Subscription-Based Revenue Model
Demo 2 – Protect Application Performance
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Real Problems
© 2019 Cisco and/or its affiliates. All rights reserved.
Surprise by Cloud Bills
“Pinterest executives got a surprise during last year’s holiday season. Pinterest’s computing bills on Amazon Web Services had shot past their expectations.”
“Pinterest, which had paid in advance for AWS’s services, had to buy additional capacity at a higher price. That contributed to Pinterest spending roughly $190 million on AWS last year, $20 million more than it had initially expected”
IT Challenges
Feature Velocity · Optimization · Multicloud Governance · Secure Automation
IT Benefit
Optimizing cloud instance sizing and type reduced the cloud bill.
Easy to buy. Complex to reconcile…
Higher Costs
Increased Complexity
[Figure: Compute, Storage, Networking and Services, each carrying multiple separate cost line items]
Waste, Visualized
[Chart: CPU Utilization % (0 to 40) against Time (24 hour, UTC), one line per day from Sunday to Saturday, with regions marked Not Utilized and Under-Utilized]
1. Turn off machines
2. Right-size machine
3. Use reserved instances
4. Scale when needed
• High level information on potential savings based on
  • Rightsizing instances
  • AWS reserved instance utilization
  • Suspending workloads during non-working hours
Cost Optimization
• Recommends actions based on usage metrics
• Metrics provided by cloud monitoring
• Shows metrics for determining recommendation
• Recommended actions automated through the CloudCenter Workload Manager
• VM must be imported into Workload Manager to automate action
Right-Sizing Recommendations
• Shows current consumption vs purchased units
• Shows metrics for determining recommendation
• Potential monthly costs savings
• Recommended actions are carried out manually
Reserved Instance (AWS) Recommendations
Real Customer Results
Metric | Before | After
Cloud Bill | $2M per year | $700K
Decrease in Spending | | 65%
Customer Experience | Outstanding | No Change
The Services
Cisco Connect 2019 Indonesia, Jakarta . 9 April 2019
Bringing it all together with Cisco Professional Services
Consultancy & Advisory: Envision your roadmap. Strategic advice from advisory, assessment and consulting to detailed design and validation.
Implementation & Migration: Migrate and deploy. Expertise, tools, and processes to de-risk and speed deployment.
Complementing Partner Capabilities
• Bridge to New Technologies
• Support Complex Solutions
Experts who speed time to value
Value of Cisco Engagement
Global Experience and Best Practices
Proven Methodology
Cutting Edge Expertise
[Diagram: End to End Plan, Technology Selection, Roadmap, Business Case, Security, Operating Model, 3rd Party Vendor Advisory]
Harness the Multicloud with Cloud Advisory Services
Customer Case Study
Global Furniture Company works with Cloud Advisory to define a Next Generation IT and MultiCloud Infrastructure for expansion.
Customer’s Challenge
• Minimal and underutilized IT organization
• No existing blueprint, strategy or best practices for developing multicloud infrastructure.
Proposed Solutions
• Analysis and comparison of Public Cloud and Physical Autonomous Infrastructure
• Classify key requirements for cloud alternatives, mapping capabilities to solution, identify project risks, stakeholders, future integrations and hardware/software costs
Impact on Customer
• Actionable MultiCloud solution blueprint based on business needs and IT capabilities to be rolled out as a pilot.
• Solution study with cost analysis, potential risk and future scalability
Key Takeaways
• Protect your workload anywhere
• Protect application performance
• Protect your cloud bills