What advice do you have for others considering Cisco Secure Workload?

We need two people, one from the IT risk side and one from the network side, for the maintenance. Since deploying the Cisco Secure Workload, we haven't experienced any security incidents with our internal critical systems. While this implementation has increased our maintenance costs due to introducing a new product, it was necessary to meet internal segregation regulations. Without Cisco Tetration, we would likely have been forced to purchase multiple firewalls and create various DMZs, which would have consumed significant time and resources in networking and security maintenance. Traditional hardware solutions wouldn't have offered the same flexibility as Tetration, which allows us to use distributed firewalls on each server. Deploying this platform across 20 applications has been much quicker than relying on physical firewalls, which would have led to a more macro-segmentation approach. Overall, I rate the solution a ten out of ten.

The tool is a complex system. I've been trying to install it myself. Normally, you can get a virtual edition. You can also buy a whole rack for it, where it ships all the appliances we need. And you can get it as a cloud version. Maintaining a system like that, upgrading it and patching it, keeping it running, and all those things are huge tasks. From my current view, because the pricing for it is almost the same for getting it on-premises compared to the cloud version, and all the services you're receiving around it, getting updates, patches, support, and all those things, it's a much better solution compared to having it on-site. Also, you need all the skills for actually keeping that system alive. We have encountered a couple of issues normally based on the platform. We've seen a couple of issues on the Windows platform. We've solved some bugs during the years we've worked with them. Some are related directly to ops, but some are also related to how we use the technology. If you're interested in using Cisco Secure Workload for the first time, I'd ask you a few questions about what you want to achieve. Many customers say they have some crown jewels for which they need to do micro-segmentation. That makes sense. But at some point, you need to look at all your other systems. You could have a management backend setup or environment connecting to all your networks, your servers, and so on. Those environments must be in place, and micro-segmentation must be done on them. Otherwise, if people get access or hack those systems, you're in trouble because they have access to all your different systems, no matter what you're actually doing for micro-segmentation. Before installing the agent on all hosts and starting to do micro-segmentation, you must look at your CMDB and asset database. Try to get the best quality. When you have that available and refined, you can start micro-segmentation. We need to ensure that every time you deploy a new server, it must be propagated into the system automatically. Otherwise, you could end up in a situation where you're blocking your traffic and denying service to yourself. It would help if you had all those workflows in place. The next time a server is deployed, it needs to be propagated automatically into the system. So, all DNS servers, for example, are in one group. If they decide to deploy a new DNS server, that will automatically propagate into the system. So, others who are on micro-segmentation have access to it. Otherwise, it'll only be a static solution that you must maintain daily to see if something has been dropped. You need to monitor the system for dropped traffic, but you also need to automate everything. I'm unsure I would want to apply Cisco Secure Workload on all hosts. What I would do is create or allow the application owners themselves. They could use Cisco Secure Workload or they could use another technology. It could also be using containers and stuff like that, Kubernetes, and so on. But I'd use Cisco Secure Workload to define a policy together with the application owners. Then I'd give that policy to the application owners and ask them if they want to use Cisco Secure Workload, or if they have another enforcement mechanism they want to use. Here's the policy, then we need to enforce it. You can export that, put it in your documentation for the design document for the application and work with that. That makes a huge difference for the application owners if they don't know what's going on in the application. When you're done with that, either you're going to keep the agent there and enforce it, or you can uninstall it and move to another target, a new application, and do the same thing. Depending on the criticality of the application, you could maybe use some of the policy in Cisco Secure Workload, or you could use it in other enforcement points out there. Based on the way that you're collecting all the flows and can create a policy for you, I think that is really good compared to a lot of other systems that I have seen out there. So based on that, I would give it a nine out of ten. It's really good. There could be something with the price, maybe. But it depends on how you're using it.

The tool provides zero-trust micro-segmentation features. Overall, I rate the solution a nine out of ten.

Overall, I rate the solution a seven out of ten.

We are Cisco partners and resellers. Normally, we deal with the most up-to-date version of the solution. It's typically a requirement of the client that we provide the latest. I'd advise potential users to watch some webinars in order to understand the tool. Normally, we offer these solutions with training. That paying a premium for a new tool is always very good advice. I'd rate the solution eight out of ten.

Its good Micro segmentation solution if you already have Nexus 9K and 7K in your organization with ACI integration you should be able to get micro segmentation capability at L3/L4 

But there is lots of improvement required from Cisco on this product  

You need to have a team with a good understanding of your information systems in order to have benefits with this kind of solution. My advice for anybody who is implementing this solution is to define what you want to use, and what you need from the tool. You can't have rules that are too strict in the beginning because otherwise, you can't go to production. Over time, you will have a clear view of what is ongoing with your information system. This allows you to improve step-by-step. This is a long-term approach. This is a good solution, but it should be more user-friendly and easier to deploy agents. I would rate this solution an eight out of ten.

The suitability of Cisco Tetration depends on the strategy of any given organization. If your organization has a micro-segmentation strategy then this is a good solution. It works to improve visibility by creating connection metrics between applications and having the proper policy in place. Overall, this is a really good product and I am happy with it. I would rate this solution a nine out of ten.

We use the on-premises deployment model along with MSSP, a service provider. I would rate the solution eight out of ten.

For me, the solution is a nine out of ten. I really like it. It's a great tool that will help give visibility to a data center and network, understand processes that are running within the data center and be able to enforce rules and regulations for all your processes.

On a scale from one to ten, I would rate Cisco Tetration an eight or nine. I'd like to see better documentation for advanced features. The documentation is fairly basic. I would also like to see better integration with other applications. It's still a maturing product at the beginning of the lifecycle right now.

This product does everything that you need it to do and more. I would definitely rate it a 10 out of 10. It does a lot to provide visibility in a network environment, save time and money, and makes the organization IT operate in much more of a streamlined fashion. We could have chosen other products, but this is the horse that we picked to go in the race.