Cisco has built into its Tetration Analytics engine the ability to enforce policies that govern network traffic between applications running in the data center and the cloud.
The new application security capabilities are in the first major upgrade of Tetration, which was released last summer. In announcing the update this week, Cisco also launched a version of the product for midsize companies that's a fraction of the cost of the original system.
The upgrade raises the Tetration Analytics system's value by adding an application-policy enforcer to its initial role as a monitor that recommended policy changes based on network activity. The new version lets corporate IT segment applications in the data center or the cloud, as well as set rules for network traffic entering and leaving those segments. Tetration enforces policies through software agents installed on the servers or virtual machines running the applications.
"This is interesting, since it helps bridge the silos between infrastructure, network, and security [and] compliance teams using a single tool," said Dan Conde, an analyst at Enterprise Strategy Group Inc., based in Milford, Mass.
For example, an IT professional could set a rule saying only certain Oracle or SAP applications can communicate with a database storing customer data. The restriction would prevent a compromised web application from contacting the database directly.
In this scenario, Tetration 1.0 would have warned an IT administrator of an unauthorized application trying to reach the database, but would not have taken corrective action. The latest version would stop the process and notify managers.
Many organizations today identify applications through IP addresses and restrict them to specific switch ports. That traditional method, however, is no longer useful in modern data centers, where applications are running on virtual machines that software engineers move among servers, Conde said. The use of ports and IP addresses is also ineffective in cloud environments, where applications are often broken up into pieces called containers that are also in constant flux.
"You can't trust the IP address as the only way to identify things, so Tetration is clever enough to look at behavior on the fly and try to deduce what needs to be done based on network traffic," Conde said.
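To make the identity-versus-address argument concrete, here is an added illustration (not Tetration code, and no Tetration API is assumed): the same policy written twice, once keyed on IP addresses and once on the application label an agent would report, evaluated over constructed flows, including one where a VM has moved and another where a different workload has inherited its old address. The application names and addresses are invented.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_app: str   # workload label reported by a host agent (assumed field)
    src_ip: str
    dst_app: str
    dst_ip: str
    dst_port: int

# Identity-based rules: (source app, destination app, port). Names are constructed.
APP_POLICY = {
    ("oracle-erp", "customer-db", 1521),
    ("sap-crm", "customer-db", 1521),
}

# Traditional rules keyed on the addresses the apps had when the rules were written.
IP_POLICY = {
    ("10.0.1.10", "10.0.9.5", 1521),   # oracle-erp -> customer-db
    ("10.0.1.11", "10.0.9.5", 1521),   # sap-crm -> customer-db
}

def decide_by_identity(flow: Flow) -> str:
    return "allow" if (flow.src_app, flow.dst_app, flow.dst_port) in APP_POLICY else "deny"

def decide_by_ip(flow: Flow) -> str:
    return "allow" if (flow.src_ip, flow.dst_ip, flow.dst_port) in IP_POLICY else "deny"

def enforce(flow: Flow, enforcing: bool) -> str:
    """Monitor-only mode raises an alert on a violation; enforcing mode blocks it."""
    if decide_by_identity(flow) == "allow":
        return "pass"
    return "block" if enforcing else "alert"

# Constructed flows: the last two show oracle-erp after its VM moved to 10.0.1.55
# and a web front end that was later handed oracle-erp's old address.
FLOWS = [
    Flow("oracle-erp",   "10.0.1.10", "customer-db", "10.0.9.5", 1521),
    Flow("web-frontend", "10.0.2.20", "customer-db", "10.0.9.5", 1521),
    Flow("oracle-erp",   "10.0.1.55", "customer-db", "10.0.9.5", 1521),
    Flow("web-frontend", "10.0.1.10", "customer-db", "10.0.9.5", 1521),
]

def compare(flows):
    """Return (source app, IP-based decision, identity-based decision) per flow."""
    return [(f.src_app, decide_by_ip(f), decide_by_identity(f)) for f in flows]

if __name__ == "__main__":
    for row in compare(FLOWS):
        print(row)
```

The IP-keyed policy wrongly denies the moved Oracle workload and wrongly allows the web front end that inherited its address, while the identity-keyed policy gets both right.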
Tetration Analytics pricing
The previous version of Tetration came in one size that had an average price tag of $1 million, making it out of reach for midsize companies. So, Cisco has introduced a slimmer version of the product that starts at $25,000.
Called Tetration-M, the rack-mounted version comprises six servers and two Cisco Nexus 9300 switches. Cisco built the product for data centers with fewer than 1,000 application servers running on virtual machines or bare-metal hardware.
Cisco has also introduced a virtualized version of the Tetration-M software. Called Tetration Cloud, the product can run as an instance in Amazon Web Services.
Cisco has opened up Tetration Analytics to products from partners. Cisco partners that provide integration using Tetration APIs include AlgoSec, Citrix Systems, F5 Networks, Infoblox, ServiceNow, Tufin, and VCE.