
Cisco Secure Workload

Cisco Systems, Inc.

Reviews from AWS customer

0 AWS reviews

External reviews

3 reviews

External reviews are not included in the AWS star rating for the product.


    Raj Metkar

Discover internal application dependencies and create a dependency map

  • September 06, 2024
  • Review provided by PeerSpot

What is our primary use case?

When we onboarded Cisco Secure Workload, the usual use case was to discover internal application dependencies and create a dependency map for Cisco ACI. As the network team, we chose to implement ACI in a network-centric mode rather than an application-centric mode. However, we soon realized that Cisco Secure Workload's capabilities extend far beyond discovering dependency maps.

We use it for internal micro-segmentation. After evaluating it, we began using the agent-based solution across our server estate to protect our internal servers from each other and internal users. Today, our primary use case for the product is micro-segmentation within our internal network.

How has it helped my organization?

Cisco Secure Workload is an agent-based solution that allows you to install the agent on physical servers and virtual machines in your own data center and on VMs in cloud environments like AWS, Oracle Cloud, or Azure. This flexibility is a key advantage over other solutions, such as NSX-based products, which may be tied to specific vendors or technologies.

With Cisco Secure Workload, we can effectively implement micro-segmentation regardless of where the application resides, whether in the cloud or on-premises. This solution enables us to segregate the entire application estate, including servers, databases, and user access, using the agent-based micro-segmentation capabilities of Tetration. The Tetration Agent leverages the local firewall on the operating system, whether it’s the Windows Firewall or a Linux firewall on a VM.

What is most valuable?

The most valuable feature of Cisco Secure Workload is its ability to streamline policy discovery. Once you create the workspace, it automatically identifies policies at various levels, whether you need finely-tuned micro-level or broader group policies. As data is gathered from all the agents, the system presents these policies, significantly reducing the need for multiple engineers who typically take much longer to create them. My IT risk colleagues utilize a process we call ADM, where they discover policies over a three to six-month period and present them to application owners. Once the application owners approve the policies, they can switch to enforcement mode in Cisco Tetration. This automation in policy presentation and access is incredibly valuable, as it minimizes manual intervention and the time required for policy discovery.

Micro-segmentation allows for precise enforcement of policies based on specific needs. You can implement tight risk postures, defining policies per IP, server, or port. This enables granular control or broader policies at the group level, grouping similar types of servers. The system automates this process; you specify your risk appetite and how detailed or general you want the policies to be. This approach protects servers that sit next to each other on the same VLAN without requiring large network firewalls to create multiple dependencies or DMZs. Instead, it leverages the existing firewalls on each server, allowing you to control policies centrally.

What needs improvement?

We actively seek improvements in integrating the Infoblox DDI platform with Cisco Secure Workload. This integration allows Cisco Secure Workload to learn about our networks and network tags, providing valuable insights into vulnerabilities related to the operating system and various applications installed on our servers.

Recently, Cisco announced a new product called HyperShield, an AI-based autonomous micro-segmentation solution. While Cisco has not stated that HyperShield will replace Cisco Secure Workload, it represents a natural evolution for the company. HyperShield features dynamic policy discovery and enforcement; however, once policies are enforced, they do not change until a discovery occurs, requiring a re-enforcement process. This new platform operates autonomously, minimizing the need for user or security engineer intervention.

I would have expected Cisco to incorporate more automatic discovery and enforcement features within the existing Cisco Secure Workload product. Instead of enhancing the current product, they have introduced a new solution. Cisco plans to honor existing Tetration licenses, allowing users to transition to HyperShield without additional costs, reflecting the investment enterprises have already made.

From Cisco’s perspective, this represents a natural progression in their product line. While the product name changes, it seems more of a rebranding effort. The enhancements are greater autonomy, improved discovery, and automatic enforcement, which are now being introduced in HyperShield.

Cisco Secure Workload offers automatic policy enforcement but cannot adjust policies dynamically as the application needs to change. Having used the platform for the past five years, the recent announcement has been reassuring. Cisco has confirmed that our investment in the platform will not go to waste. They will honor our existing licenses, providing a natural migration path to the new solution without any disruption.

For how long have I used the solution?

I have been using Cisco Secure Workload for five years.

What do I think about the stability of the solution?

The product is stable. It serves as a management plane for firewall policies. The local operating system firewalls on servers—whether Windows or Linux—are quite stable since they are integrated into the operating system. Policy enforcement control relies on these built-in firewalls.

If the Tetration platform goes down, the server usually functions, and the enforced policies remain active. The only impact of a Tetration outage would be on our ability to push changes or updates. Tetration acts as a centralized policy management tool, contributing to its stability.

I rate the solution’s stability a ten out of ten.

What do I think about the scalability of the solution?

We have seven to eight people using this solution. We were initially licensed for 5000 servers but haven't deployed all those licenses. For our contract renewal this year, we've opted for a 1200 license.

I rate the solution’s scalability an eight out of ten.

How are customer service and support?

Cisco's technical support has always been quite reliable since Cisco manages our rack. Whenever there was an issue, whether it involved replacing a switch or a physical server in a cluster, their support was helpful, and all replacements were completed on time.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We considered tools from Nutanix and ESX but decided to move away from ESX due to its vendor-specific nature. Each tool had its challenges, especially if we were to invest in a Nutanix solution. We wanted to avoid being locked into a single vendor's ecosystem. We quickly evaluated and eliminated those solutions, as we needed a technology-agnostic option that could operate across all our platforms.

How was the initial setup?

The concepts can be quite new without the right professional services support from Cisco, and security teams might struggle. Cisco's professional services team guided us through the process, helping us implement around twenty critical applications within the micro-segmentation framework.

Our deployment was straightforward. We simply connected two network cables and assigned some IP addresses, and the platform was operational within a day or two. However, the micro-segmentation of each application and the automatic discovery of rules took about a year to fully deploy for all twenty applications.

The process involved collaboration between two teams: the network team, which manages the Tetration platform, and the IT risk team, which focuses on policy decisions. We maintained the Tetration platform, handled updates, and engaged our IT risk colleagues to determine which IT risk policies needed implementation for various applications. They maintained a list of critical applications that required segregation.

Once we established this partnership, the IT risk team worked with application teams on auto-discovery and policy presentation. After deliberation and agreement on the policies, the network team enforced them. Our role primarily involved overseeing Tetration as a secure on-premises platform while assisting our IT risk colleagues, who were still learning, with decision-making supported by Cisco Professional Services.

At the senior management level, we decided which applications to include within the scope of Cisco Tetration. The process was structured to involve one application team at a time, helping them build confidence through testing. Once successful on day one, we deployed the application into production and established policies for service and request flows.

We also implemented a process for handling changes at the application level, using ServiceNow for requests to modify existing policies, similar to changing firewall rules. Additionally, we created a RACI matrix to clarify responsibilities: defining who was accountable for deploying agents, monitoring their performance, and managing policy enforcement.

I would rate the experience a ten out of ten.

What's my experience with pricing, setup cost, and licensing?

CloudStrike offers antivirus capabilities and firewall features for servers and VDI but lacks automatic policy discovery. This raises questions about the resources required to discover and write policies manually. You’d have to consider how many engineers would be needed to manage this process, potentially increasing your team size from two to ten.

I rate the product’s pricing a six out of ten, where one is cheap, and ten is expensive.

What other advice do I have?

We need two people, one from the IT risk side and one from the network side, for the maintenance.

Since deploying the Cisco Secure Workload, we haven't experienced any security incidents with our internal critical systems. While this implementation has increased our maintenance costs due to introducing a new product, it was necessary to meet internal segregation regulations. Without Cisco Tetration, we would likely have been forced to purchase multiple firewalls and create various DMZs, which would have consumed significant time and resources in networking and security maintenance. Traditional hardware solutions wouldn't have offered the same flexibility as Tetration, which allows us to use distributed firewalls on each server.

Deploying this platform across 20 applications has been much quicker than relying on physical firewalls, which would have led to a more macro-segmentation approach.

Overall, I rate the solution a ten out of ten.


    Torben Nissen Ernst

Useful for micro-segmentation and policy creation

  • April 25, 2024
  • Review provided by PeerSpot

What is most valuable?

The only use case I can see that makes sense is micro-segmentation. I think there are other use cases for it. The main purpose of the product is to do micro-segmentation by collecting IP. That could be done by installing an agent, and then you have all the communication coming in and out. You could also use some flow sensors installed in the network that receive a copy of the traffic and then report that back to the system.

No matter where you're getting the flow from, the system calculates all those flows. You know what the front end, the middleware, the back end, the database, and so on are so that you can group them. The system's strength is actually in proposing the policy. So, all web servers need to have HTTPS access to it.

Then, you can start building the policy for your application. When you have a policy, you can push that situation for self-service, which means you're trying out the policies you created in a real environment. Then, you can spend time trying to see if you have any escaped traffic, which means you have traffic that does not match the policy. If you were in enforcement mode, that traffic would be dropped. So you have a period where you can monitor if you have done the correct mode, seen all the traffic, and so on. That could be for a couple of weeks, that could be a month, or it could be half a year, depending on the criticality and how important your system actually is.

From my point of view, the strength is the policy proposal you're receiving. It's really good. That's the biggest challenge for everybody - creating a policy you could use in Cisco Secure Workload itself. You could also export it and use it in your firewall if you want to do that if you have a Cisco firewall setup. But you could also use it in every other enforcement part. I'm seeing what people are struggling with in companies - to actually restructure your CMDB data correctly, then get a policy that you can use in your network. I think that the tool is good at that.

What needs improvement?

There's room for improvement when it comes to Cisco Secure Workload. A couple of internal areas could be refined a little bit. They are trying to solve it, depending on where you suppose the agent is. Suppose you have the agent on both the server and the client, which could be the front-end server or web server connecting to the. In that case, if those two are communicating on RPC, the server can look into its configuration. It could go down and find the configuration file on the FTP server and then set the policies to it. But there are a lot of different FTP servers out there. It's also a complex case for the tool to support all FTP servers.

Some things are related to Windows, Unix, Linux, and IBM AIX. We have been working on all platforms, but the support for IBM AIX isn't that good compared to normal operating systems. Support is much better for Windows compared to IBM AIX.

For how long have I used the solution?

I have been using the product for a couple of years.

How are customer service and support?

Cisco support has been really good. We have access to the guys who are programming or developing it. We've had good contact, and that helped us encounter all those issues we were facing, both bugs and knowledge around how to do stuff correctly.

How was the initial setup?

The cloud-based solution is much easier to use than the on-premises solution. But if you want it on-premises, it could be a complex case to keep that up to date.

If you order a proof of concept or value, you'll get access to a cloud-based version if that's what you want to do. That's the easiest one. You'll get access to maybe 50-100 clients, and then you can start to install it. That's really easy. But the difficult thing is to provide the solution with the correct tags, and that's what everybody is struggling with - actually getting a good asset database. Usually, banks and the financial sector have a really good overview and registration for all the different services. A lot of other companies out there don't have that.

What's my experience with pricing, setup cost, and licensing?

Regarding price, Cisco Secure Workload can be expensive if you don't have a budget. If you're not doing micro-segmentation, every extra security measure or enforcement you're putting on top of your existing environment will be an extra cost. It's not a cheap solution at all. But from my point of view, if you need to do micro-segmentation, this is one of the best tools I've seen for it. I can't compare that to Microsoft's solution because I haven't looked into it. I've looked into VMware and Cisco. Those are the only two that I know of. I didn't know that Microsoft could do micro-segmentation at all. Maybe they can, but I haven't heard anything about it.

What other advice do I have?

The tool is a complex system. I've been trying to install it myself. Normally, you can get a virtual edition. You can also buy a whole rack for it, where it ships all the appliances we need. And you can get it as a cloud version. Maintaining a system like that, upgrading it and patching it, keeping it running, and all those things are huge tasks. From my current view, because the pricing for it is almost the same for getting it on-premises compared to the cloud version, and all the services you're receiving around it, getting updates, patches, support, and all those things, it's a much better solution compared to having it on-site. Also, you need all the skills for actually keeping that system alive.

We have encountered a couple of issues normally based on the platform. We've seen a couple of issues on the Windows platform. We've solved some bugs during the years we've worked with them. Some are related directly to ops, but some are also related to how we use the technology.

If you're interested in using Cisco Secure Workload for the first time, I'd ask you a few questions about what you want to achieve. Many customers say they have some crown jewels for which they need to do micro-segmentation. That makes sense. But at some point, you need to look at all your other systems. You could have a management backend setup or environment connecting to all your networks, your servers, and so on. Those environments must be in place, and micro-segmentation must be done on them. Otherwise, if people get access or hack those systems, you're in trouble because they have access to all your different systems, no matter what you're actually doing for micro-segmentation.

Before installing the agent on all hosts and starting to do micro-segmentation, you must look at your CMDB and asset database. Try to get the best quality. When you have that available and refined, you can start micro-segmentation. We need to ensure that every time you deploy a new server, it must be propagated into the system automatically. Otherwise, you could end up in a situation where you're blocking your traffic and denying service to yourself.

It would help if you had all those workflows in place. The next time a server is deployed, it needs to be propagated automatically into the system. So, all DNS servers, for example, are in one group. If they decide to deploy a new DNS server, that will automatically propagate into the system. So, others who are on micro-segmentation have access to it. Otherwise, it'll only be a static solution that you must maintain daily to see if something has been dropped. You need to monitor the system for dropped traffic, but you also need to automate everything.

I'm unsure I would want to apply Cisco Secure Workload on all hosts. What I would do is create or allow the application owners themselves. They could use Cisco Secure Workload or they could use another technology. It could also be using containers and stuff like that, Kubernetes, and so on. But I'd use Cisco Secure Workload to define a policy together with the application owners. Then I'd give that policy to the application owners and ask them if they want to use Cisco Secure Workload, or if they have another enforcement mechanism they want to use. Here's the policy, then we need to enforce it. You can export that, put it in your documentation for the design document for the application and work with that.

That makes a huge difference for the application owners if they don't know what's going on in the application. When you're done with that, either you're going to keep the agent there and enforce it, or you can uninstall it and move to another target, a new application, and do the same thing. Depending on the criticality of the application, you could maybe use some of the policy in Cisco Secure Workload, or you could use it in other enforcement points out there.

Based on the way that you're collecting all the flows and can create a policy for you, I think that is really good compared to a lot of other systems that I have seen out there. So based on that, I would give it a nine out of ten. It's really good. There could be something with the price, maybe. But it depends on how you're using it.


    Sanjay Gaiswal

A highly scalable and stable product that enables multiple-device integration and micro-segmentation

  • January 15, 2024
  • Review provided by PeerSpot

What is our primary use case?

The solution is used for data communication and consultancy for ECS.

What is most valuable?

The product provides multiple-device integration.

What needs improvement?

The product must be integrated with the cloud.

For how long have I used the solution?

I have been using the solution for two years.

What do I think about the stability of the solution?

I rate the tool’s stability a ten out of ten.

What do I think about the scalability of the solution?

The product is highly scalable. I rate the scalability a ten out of ten. Our clients are enterprise-level businesses.

How are customer service and support?

The software agents must be improved.

How would you rate customer service and support?

Positive

How was the initial setup?

I rate the initial setup a nine out of ten. We use the micro-segmentation features two times a year.

What other advice do I have?

The tool provides zero-trust micro-segmentation features. Overall, I rate the solution a nine out of ten.

