AlgoSec ASMS A32 is our latest release to feature a major technology integration, built upon our well-established collaboration with Cisco — bringing this partnership to the front of the Cisco innovation cycle with support for Multi-Site Orchestrator (MSO). MSO allows Cisco ACI – and legacy-style Data Center Network Management – to operate at scale in a global context, across data center and cloud regions. The AlgoSec solution with MSO brings the power of our intelligent automation and software-defined security features for ACI, including planning, change management, and microsegmentation, to this global scope. I urge you to see what AlgoSec delivers for ACI with multiple use cases, enabling application-mode operation and microsegmentation, and delivering integrated security operations workflows. AlgoSec now adds support for Shadow EPG and Inter-Site Contracts with MSO to our existing ACI strength.
I had my first encounter with Cisco Application Centric Infrastructure in 2014 at a Symantec Vision conference. The original Senior Product Manager and Technical Marketing lead were hosting a discussion about the new results from their recent Insieme acquisition and were eager to onboard new partners with security cases and added operations value. At the time I was promoting the security ecosystem of a different platform vendor, and I have to admit that I didn’t fully understand the tremendous changes that ACI was bringing to security for enterprise connectivity. It’s hard to believe that it’s now seven years since then and that Cisco ACI has mainstreamed software-defined networking — changing the way that network teams had grown used to running their networks and devices since at least the mid-’90s.
Since that 2014 introduction, Cisco’s ACI changed the landscape of data center networking by introducing an intent-based approach, over earlier configuration-centric architecture models. This opened the way for accelerated movement by enterprise data centers to meet their requirements for internal cloud deployments, new DevOps and serverless application models, and the extension of these to public clouds for hybrid operation – all within a single networking technology that uses familiar switching elements. Two new, software-defined artifacts make this possible in ACI: End-Point Groups (EPG) and Contracts – individual rules that define characteristics and behavior for an allowed network connection.
That’s really where MSO comes into the picture. By now, we have an ACI-driven data center networking infrastructure, with management redundancy for the availability of applications and preserving their intent characteristics. Through the use of an infrastructure built on EPGs and contracts, we can reach from the mobile and desktop to the datacenter and the cloud. This means our next barrier is the sharing of intent-based objects and management operations, beyond the confines of a single data center. We want to do this without clustering types that depend on the availability risk of individual controllers and hit other limits for availability and oversight.
Instead of labor-intensive and error-prone duplication of data center networks and security in different regions, and for different zones of cloud operation, MSO introduces “stretched” shadow EPGs and inter-site contracts for application-centric, intent-based, secure traffic that is agnostic to global topologies – wherever your users and applications need to be.
MSO Deployment Topology – Image: Cisco
Having added MSO capability to the formidable shared platform of AlgoSec and Cisco ACI, region-wide and global policy operations can be executed with confidence through intelligent automation. AlgoSec makes it possible to plan for operations of the Cisco MSO scope of connected fabrics in application-centric mode, unlocking the ACI super-powers for micro-segmentation. This enables a shared model between networking and security teams for zero-trust and defense-in-depth, with accelerated, global-scope, secure application changes at the speed of business demand — within minutes, rather than days or weeks.
Change management: For security policy change management this means that workloads may be securely re-located from on-premises to public cloud, under a single and uniform network model and change-management framework — ensuring consistency across multiple clouds and hybrid environments.
Visibility: With an MSO-enabled ACI networking infrastructure and AlgoSec’s ASMS, all connectivity can be visualized at multiple levels of detail, across an entire multi-vendor, multi-cloud network. This means that individual security risks can be directly correlated to the assets that are impacted, and that the impact of security controls on an application’s availability can be fully understood.
Risk and Compliance: It’s possible across all the MSO connected fabrics to identify risk on-premises and through the connected ACI cloud networks, including additional cloud-provider security controls. The AlgoSec solution makes this a self-documenting system for MSO, with detailed reporting and an audit trail of network security changes, related to original business and application requests. This means that you can generate automated compliance reports, supporting a wide range of global regulations, and your own, self-tailored policies.
Cisco MSO is a major technology and AlgoSec is in the early days with our feature introduction; nonetheless, we are delighted and enthusiastic about our early-adoption customers. Based on early reports with our Cisco partners, needs will arise for more automation, which would include the “zero-touch” push for policy changes – committing Shadow EPG and Inter-site Contract changes to the orchestrator, as we currently do for ACI APIC. Feedback will also shape a need for automation playbooks and workflows that are most useful in the MSO context, and that we can realize with a full committable policy by the ASMS Firewall Analyzer.
I encourage anyone interested in MSO, and in enhancing their operational maturity in aligned network and security operation, to talk to us about our joint solution. We work together with Cisco teams and resellers and will be glad to share more.