Cisco Secure Workload Reviews

When we onboarded Cisco Secure Workload, the usual use case was to discover internal application dependencies and create a dependency map for Cisco ACI. As the network team, we chose to implement ACI in a network-centric mode rather than an application-centric mode. However, we soon realized that Cisco Secure Workload's capabilities extend far beyond discovering dependency maps.

We use it for internal micro-segmentation. After evaluating it, we began using the agent-based solution across our server estate to protect our internal servers from each other and internal users. Today, our primary use case for the product is micro-segmentation within our internal network.

Cisco Secure Workload is an agent-based solution that allows you to install the agent on physical servers and virtual machines in your own data center and on VMs in cloud environments like AWS, Oracle Cloud, or Azure. This flexibility is a key advantage over other solutions, such as NSX-based products, which may be tied to specific vendors or technologies. 

With Cisco Secure Workload, we can effectively implement micro-segmentation regardless of where the application resides, whether in the cloud or on-premises. This solution enables us to segregate the entire application estate, including servers, databases, and user access, using the agent-based micro-segmentation capabilities of Tetration. The Tetration Agent leverages the local firewall on the operating system, whether it’s the Windows Firewall or a Linux firewall on a VM.

The most valuable feature of Cisco Secure Workload is its ability to streamline policy discovery. Once you create the workspace, it automatically identifies policies at various levels, whether you need finely-tuned micro-level or broader group policies. As data is gathered from all the agents, the system presents these policies, significantly reducing the need for multiple engineers who typically take much longer to create them. My IT risk colleagues utilize a process we call ADM, where they discover policies over a three to six-month period and present them to application owners. Once the application owners approve the policies, they can switch to enforcement mode in Cisco Tetration. This automation in policy presentation and access is incredibly valuable, as it minimizes manual intervention and the time required for policy discovery.

Micro-segmentation allows for precise enforcement of policies based on specific needs. You can implement tight risk postures, defining policies per IP, server, or port. This enables granular control or broader policies at the group level, grouping similar types of servers. The system automates this process; you specify your risk appetite and how detailed or general you want the policies to be. This approach protects servers that sit next to each other on the same VLAN without requiring large network firewalls to create multiple dependencies or DMZs. Instead, it leverages the existing firewalls on each server, allowing you to control policies centrally.

We actively seek improvements in integrating the Infoblox DDI platform with Cisco Secure Workload. This integration allows Cisco Secure Workload to learn about our networks and network tags, providing valuable insights into vulnerabilities related to the operating system and various applications installed on our servers.

Recently, Cisco announced a new product called HyperShield, an AI-based autonomous micro-segmentation solution. While Cisco has not stated that HyperShield will replace Cisco Secure Workload, it represents a natural evolution for the company. HyperShield features dynamic policy discovery and enforcement; however, once policies are enforced, they do not change until a discovery occurs, requiring a re-enforcement process. This new platform operates autonomously, minimizing the need for user or security engineer intervention. 

I would have expected Cisco to incorporate more automatic discovery and enforcement features within the existing Cisco Secure Workload product. Instead of enhancing the current product, they have introduced a new solution. Cisco plans to honor existing Tetration licenses, allowing users to transition to HyperShield without additional costs, reflecting the investment enterprises have already made.

From Cisco’s perspective, this represents a natural progression in their product line. While the product name changes, it seems more of a rebranding effort. The enhancements are greater autonomy, improved discovery, and automatic enforcement, which are now being introduced in HyperShield.

Cisco Secure Workload offers automatic policy enforcement but cannot adjust policies dynamically as the application needs to change. Having used the platform for the past five years, the recent announcement has been reassuring. Cisco has confirmed that our investment in the platform will not go to waste. They will honor our existing licenses, providing a natural migration path to the new solution without any disruption

I have been using Cisco Secure Workload for five years.

The product is stable. It serves as a management plane for firewall policies. The local operating system firewalls on servers—whether Windows or Linux—are quite stable since they are integrated into the operating system. Policy enforcement control relies on these built-in firewalls.

If the Tetration platform goes down, the server usually functions, and the enforced policies remain active. The only impact of a Tetration outage would be on our ability to push changes or updates. Tetration acts as a centralized policy management tool, contributing to its stability.

I rate the solution’s stability a ten out of ten.

We have seven to eight people using this solution. We were initially licensed for 5000 servers but haven't deployed all those licenses. For our contract renewal this year, we've opted for a 1200 license.

I rate the solution’s scalability an eight out of ten.

Cisco's technical support has always been quite reliable since Cisco manages our rack. Whenever there was an issue, whether it involved replacing a switch or a physical server in a cluster, their support was helpful, and all replacements were completed on time.

Positive

We considered tools from Nutanix and ESX but decided to move away from ESX due to its vendor-specific nature. Each tool had its challenges, especially if we were to invest in a Nutanix solution. We wanted to avoid being locked into a single vendor's ecosystem. We quickly evaluated and eliminated those solutions, as we needed a technology-agnostic option that could operate across all our platforms.

The concepts can be quite new without the right professional services support from Cisco, and security teams might struggle. Cisco's professional services team guided us through the process, helping us implement around twenty critical applications within the micro-segmentation framework. 

Our deployment was straightforward. We simply connected two network cables and assigned some IP addresses, and the platform was operational within a day or two. However, the micro-segmentation of each application and the automatic discovery of rules took about a year to fully deploy for all twenty applications.

The process involved collaboration between two teams: the network team, which manages the Tetration platform, and the IT risk team, which focuses on policy decisions. We maintained the Tetration platform, handled updates, and engaged our IT risk colleagues to determine which IT risk policies needed implementation for various applications. They maintained a list of critical applications that required segregation.

Once we established this partnership, the IT risk team worked with application teams on auto-discovery and policy presentation. After deliberation and agreement on the policies, the network team enforced them. Our role primarily involved overseeing Tetration as a secure on-premises platform while assisting our IT risk colleagues, who were still learning, with decision-making supported by Cisco Professional Services.

At the senior management level, we decided which applications to include within the scope of Cisco Tetration. The process was structured to involve one application team at a time, helping them build confidence through testing. Once successful on day one, we deployed the application into production and established policies for service and request flows.

We also implemented a process for handling changes at the application level, using ServiceNow for requests to modify existing policies, similar to changing firewall rules. Additionally, we created a RACI matrix to clarify responsibilities: defining who was accountable for deploying agents, monitoring their performance, and managing policy enforcement.

I would rate the experience a ten out of ten.

CloudStrike offers antivirus capabilities and firewall features for servers and VDI but lacks automatic policy discovery. This raises questions about the resources required to discover and write policies manually. You’d have to consider how many engineers would be needed to manage this process, potentially increasing your team size from two to ten.

I rate the product’s pricing a six out of ten, where one is cheap, and ten is expensive.

We need two people, one from the IT risk side and one from the network side, for the maintenance.

Since deploying the Cisco Secure Workload, we haven't experienced any security incidents with our internal critical systems. While this implementation has increased our maintenance costs due to introducing a new product, it was necessary to meet internal segregation regulations. Without Cisco Tetration, we would likely have been forced to purchase multiple firewalls and create various DMZs, which would have consumed significant time and resources in networking and security maintenance. Traditional hardware solutions wouldn't have offered the same flexibility as Tetration, which allows us to use distributed firewalls on each server.

Deploying this platform across 20 applications has been much quicker than relying on physical firewalls, which would have led to a more macro-segmentation approach.

Overall, I rate the solution a ten out of ten.

The only use case I can see that makes sense is micro-segmentation. I think there are other use cases for it. The main purpose of the product is to do micro-segmentation by collecting IP. That could be done by installing an agent, and then you have all the communication coming in and out. You could also use some flow sensors installed in the network that receive a copy of the traffic and then report that back to the system.

No matter where you're getting the flow from, the system calculates all those flows. You know what the front end, the middleware, the back end, the database, and so on are so that you can group them. The system's strength is actually in proposing the policy. So, all web servers need to have HTTPS access to it.

Then, you can start building the policy for your application. When you have a policy, you can push that situation for self-service, which means you're trying out the policies you created in a real environment. Then, you can spend time trying to see if you have any escaped traffic, which means you have traffic that does not match the policy. If you were in enforcement mode, that traffic would be dropped. So you have a period where you can monitor if you have done the correct mode, seen all the traffic, and so on. That could be for a couple of weeks, that could be a month, or it could be half a year, depending on the criticality and how important your system actually is.

From my point of view, the strength is the policy proposal you're receiving. It's really good. That's the biggest challenge for everybody - creating a policy you could use in Cisco Secure Workload itself. You could also export it and use it in your firewall if you want to do that if you have a Cisco firewall setup. But you could also use it in every other enforcement part. I'm seeing what people are struggling with in companies - to actually restructure your CMDB data correctly, then get a policy that you can use in your network. I think that the tool is good at that.

There's room for improvement when it comes to Cisco Secure Workload. A couple of internal areas could be refined a little bit. They are trying to solve it, depending on where you suppose the agent is. Suppose you have the agent on both the server and the client, which could be the front-end server or web server connecting to the. In that case, if those two are communicating on RPC, the server can look into its configuration. It could go down and find the configuration file on the FTP server and then set the policies to it. But there are a lot of different FTP servers out there. It's also a complex case for the tool to support all FTP servers.

Some things are related to Windows, Unix, Linux, and IBM AIX. We have been working on all platforms, but the support for IBM AIX isn't that good compared to normal operating systems. Support is much better for Windows compared to IBM AIX.

I have been using the product for a couple of years.

Cisco support has been really good. We have access to the guys who are programming or developing it. We've had good contact, and that helped us encounter all those issues we were facing, both bugs and knowledge around how to do stuff correctly.

The cloud-based solution is much easier to use than the on-premises solution. But if you want it on-premises, it could be a complex case to keep that up to date.

If you order a proof of concept or value, you'll get access to a cloud-based version if that's what you want to do. That's the easiest one. You'll get access to maybe 50-100 clients, and then you can start to install it. That's really easy. But the difficult thing is to provide the solution with the correct tags, and that's what everybody is struggling with - actually getting a good asset database. Usually, banks and the financial sector have a really good overview and registration for all the different services. A lot of other companies out there don't have that.

Regarding price, Cisco Secure Workload can be expensive if you don't have a budget. If you're not doing micro-segmentation, every extra security measure or enforcement you're putting on top of your existing environment will be an extra cost. It's not a cheap solution at all. But from my point of view, if you need to do micro-segmentation, this is one of the best tools I've seen for it. I can't compare that to Microsoft's solution because I haven't looked into it. I've looked into VMware and Cisco. Those are the only two that I know of. I didn't know that Microsoft could do micro-segmentation at all. Maybe they can, but I haven't heard anything about it.

The tool is a complex system. I've been trying to install it myself. Normally, you can get a virtual edition. You can also buy a whole rack for it, where it ships all the appliances we need. And you can get it as a cloud version. Maintaining a system like that, upgrading it and patching it, keeping it running, and all those things are huge tasks. From my current view, because the pricing for it is almost the same for getting it on-premises compared to the cloud version, and all the services you're receiving around it, getting updates, patches, support, and all those things, it's a much better solution compared to having it on-site. Also, you need all the skills for actually keeping that system alive.

We have encountered a couple of issues normally based on the platform. We've seen a couple of issues on the Windows platform. We've solved some bugs during the years we've worked with them. Some are related directly to ops, but some are also related to how we use the technology.

If you're interested in using Cisco Secure Workload for the first time, I'd ask you a few questions about what you want to achieve. Many customers say they have some crown jewels for which they need to do micro-segmentation. That makes sense. But at some point, you need to look at all your other systems. You could have a management backend setup or environment connecting to all your networks, your servers, and so on. Those environments must be in place, and micro-segmentation must be done on them. Otherwise, if people get access or hack those systems, you're in trouble because they have access to all your different systems, no matter what you're actually doing for micro-segmentation.

Before installing the agent on all hosts and starting to do micro-segmentation, you must look at your CMDB and asset database. Try to get the best quality. When you have that available and refined, you can start micro-segmentation. We need to ensure that every time you deploy a new server, it must be propagated into the system automatically. Otherwise, you could end up in a situation where you're blocking your traffic and denying service to yourself.

It would help if you had all those workflows in place. The next time a server is deployed, it needs to be propagated automatically into the system. So, all DNS servers, for example, are in one group. If they decide to deploy a new DNS server, that will automatically propagate into the system. So, others who are on micro-segmentation have access to it. Otherwise, it'll only be a static solution that you must maintain daily to see if something has been dropped. You need to monitor the system for dropped traffic, but you also need to automate everything.

I'm unsure I would want to apply Cisco Secure Workload on all hosts. What I would do is create or allow the application owners themselves. They could use Cisco Secure Workload or they could use another technology. It could also be using containers and stuff like that, Kubernetes, and so on. But I'd use Cisco Secure Workload to define a policy together with the application owners. Then I'd give that policy to the application owners and ask them if they want to use Cisco Secure Workload, or if they have another enforcement mechanism they want to use. Here's the policy, then we need to enforce it. You can export that, put it in your documentation for the design document for the application and work with that.

That makes a huge difference for the application owners if they don't know what's going on in the application. When you're done with that, either you're going to keep the agent there and enforce it, or you can uninstall it and move to another target, a new application, and do the same thing. Depending on the criticality of the application, you could maybe use some of the policy in Cisco Secure Workload, or you could use it in other enforcement points out there.

Based on the way that you're collecting all the flows and can create a policy for you, I think that is really good compared to a lot of other systems that I have seen out there. So based on that, I would give it a nine out of ten. It's really good. There could be something with the price, maybe. But it depends on how you're using it.

Usually, when somebody has a big Cisco shop, they'll deal with Cisco solutions.

I used to be a big fan of Cisco Secure Workload and Cisco Tetration Platform. I used to really like it. However, the product has undergone significant modifications since then. Certain pieces of it have been moved into Cisco SD-Access, and the original DVR of the network functionality has been moved. As a result, the product has changed a lot since I was most familiar with it.

Regarding features, it's quite similar to scanning tools as it catalogs vulnerabilities and identifies their locations on your endpoints within the network. It operates on an agent-based system and uses a catalog and scoring function to determine where known vulnerabilities exist.

On the client side, Cisco Secure Workload orchestrates host firewalls for micro-segmentation, which is crucial for zero trust security for whitelisting in networking. Before speaking of areas for improvement, I would like to say that I have always been fond of Cisco Tetration Platform and Cisco Secure Workload. There was a controversy when Cisco reduced the amount of data they kept, and the solution became quite cost-intensive, which made its adoption challenging. Although they have modified it now, I preferred the previous version, and I wish all the functionality were back under the same product. Currently, it is integrated into Cisco SD-Access, but not all customers want access to this product.

I am familiar with Cisco Secure Workload. My organization is small, and we are resellers having a partnership with Cisco.

Generally speaking, Cisco support is considered one of the best in the networking products and stack. However, their support is not as good when it comes to higher layer products, such as software and application layer products.

I am not familiar with the current deployment options for Cisco Secure Workload, but it seems to involve deploying an agent, which is about as complex as other solutions. One significant difference among these products is how much they enable you to manage noise. Some criticisms of products like Palo Cortex or Rapid7 are that they are very noisy, with lots of false positives and alerts that customers do not consider actionable. In order for an alert to be actionable, customers need to know what steps to take to resolve it, and sometimes the products are not clear enough. Wiz has been differentiating itself recently by adding extra controls in the scoring, allowing for a custom component to the security scoring. This makes alerts less noisy and easier to focus on for customers who want fewer alerts coming out of the product. Security is a problem that never ends, and customers appreciate the ability to focus their activity since their teams can only handle so much at a time. Therefore, the more these products can do to be less noisy and provide clarity and focus, the better they will perform.

Overall, I rate the solution a seven out of ten.

Secure Workload is mainly used for micro-segmentation.

Secure Workload's best feature is that it's an end-to-end offering from Cisco.

Secure Workload is a little complicated to use, and the dashboard isn't intuitive, so it takes a while to learn how to use it.

I've been using Secure Workload for four years.

Secure Workload's stability is good.

Secure Workload is scalable.

Cisco's technical support is responsive.

Positive

I previously used VMware NSX.

The initial setup was straightforward, and deployment took one to two days.

We used a team from Cisco.

The cost for the hardware is around 300k.

I would recommend Secure Workload to other users and rate it seven out of ten.

We offer this solution to financial institutions. It complements the infrastructure of Cisco, routers, switches, and endpoints. 

This is part of the suite of solutions that we offer.

The solution is very user-friendly, which clients appreciate. 

The UI and GUI are fine.

It's stable. 

We can scale the product.

Technical support is helpful and responsive. 

I'm in pre-sales. I have no technical complaints in regard to the product.

The integration could be better, especially with different types of solutions.

I've dealt with the solution for about ten years or so.

The stability is good. There are no bugs or glitches. It doesn't crash or freeze. 

The product can scale well. 

Technical support is good. We are satisfied with their level of responsiveness. 

Positive

I also have experience with Trend Micro. 

Trend Micro's just a niche solution. Cisco has more capabilities

The solution's setup process isn't too easy or hard. It is moderate in terms of ease of implementation.

It's best to have one to two people available to handle deployment and maintenance. Even though one person can handle the process, it's good to have a backup if they go on vacation or take PTO. Usually, engineers can handle any task. 

We don't really look into ROI.

We are Cisco partners and resellers.

Normally, we deal with the most up-to-date version of the solution. It's typically a requirement of the client that we provide the latest.

I'd advise potential users to watch some webinars in order to understand the tool. Normally, we offer these solutions with training. That paying a premium for a new tool is always very good advice.

I'd rate the solution eight out of ten.

The solution is used for data communication and consultancy for ECS.

The product provides multiple-device integration.

The product must be integrated with the cloud.

I have been using the solution for two years.

I rate the tool’s stability a ten out of ten.

The product is highly scalable. I rate the scalability a ten out of ten. Our clients are enterprise-level businesses.

The software agents must be improved.

Positive

I rate the initial setup a nine out of ten. We use the micro-segmentation features two times a year.

The tool provides zero-trust micro-segmentation features. Overall, I rate the solution a nine out of ten.

The solution offers 100% telemetry coverage. The telemetry you collect is not sampled, it's not intermittent. It's complete. You see everything in it, including full visibility of all activities on your endpoints and in your network. 

Other valuable features include vast support for annotations, flexible user applications, machine learning, automatic classification, and hierarchical policies.

The multi-tenancy, redundancy, backup and restore functionalities, as well as the monitoring aspects of the solution, need improvement. The solution offers virtually no enterprise-grade possibility for monitoring. Example include: The onboard features do not allow remote detection of simple hardware failures. There is no backup option for the data lake. The cluster cannot be deployed in a geo-redundant setup. There is no hardware upgrade path.

Our company has been using the solution for 2.5 years.

The stability of the solution is good. What it really lacks is the fact it's not enterprise-grade from an operational perspective.

The scalability is linked to redundancy. You cannot seriously cluster two Tetration units that are physically apart. That doesn't work. So scalability is quite limited. You are basically locked in with the physical setups that you start with.

The solution's technical support is average.

The initial setup was straightforward. It took us about three days to deploy the solution. To reach your first operational capability, from then onwards, it depends on the scenario. We usually spend weeks, if not months, in order to adapt the system to the customer's use case and this requires professional services, specific for the situation.

We use the on-premises deployment model along with MSSP, a service provider.

I would rate the solution eight out of ten.

We have many use cases for Cisco Tetration. Examples of this are micro-segmentation and the visibility of applications.

The most valuable feature is micro-segmentation, which can be used to deploy endpoint security along with the visibility of application and connection matrix

This product is simple to deploy, and provides visibility of connectivity between the endpoints/application.

There is some overlap between Cisco Tetration and AppDynamics and there are few DC tools, It would be great  to have a single pane of glass, rather than have to jump between different tools.

I have used Cisco Tetration for few months in POC last year 2019

With respect to stability, we haven't seen any issues so far with it.

We have evaluated in my last organisations as part of POV with about 1,000 endpoints and we have incorporated Kubernetes as well. Scalability depends upon what hardware you're using or what model of Tetration you're using. If you're using it on-premises then the scalability numbers are different than a cloud-based deployment.

So far, we have not had any trouble with scalability. However, we have just completed our proof of concept, so we do not have many actual users yet.

We have not been in contact with technical support.

We have not used anything quite like Cisco Tetration in the past.

The initial setup is straightforward. It doesn't take long to deploy. You just need to install the agents on the machines and if you want to install it on-premises then you use the cloud servers to help with the setup. The entire process takes a week or two. 

The price is based on how many installation of software sensors you're going to install it on.

We did not evaluate other options because there are not many products in the market that offer this functionality. In fact, I think that Cisco is specifically covering the market for micro-segmentation and visibility of applications.

The suitability of Cisco Tetration depends on the strategy of any given organization. If your organization has a micro-segmentation strategy then this is a good solution. It works to improve visibility by creating connection metrics between applications and having the proper policy in place.

Overall, this is a really good product and I am happy with it.

I would rate this solution a nine out of ten.

We have an on-premises deployment.

The most valuable feature of this solution is security. We check processes on the different components of the virtual machines.

The scalability of this solution needs to be improved. For us, we are not yet at the breaking point, but it is a question.

This is an agent-based system but it is not clear how to efficiently deploy an agent. If you discover new assets, you can ask the neighbor on the network for functional sites. You can't deploy the agent because they don't have the feature. Sometimes you deploy from a web server and you discover new assets, but it fails to deploy for some reason.

The cartography has to be improved. We can add a new one, but we would like to be able to see the performance advantage of our changes over time.

The interface is really helpful for technical people, but it is not user-friendly.

This is a really stable solution and we have not had any incidents. All of the features from Cisco are stable, although sometimes they are buggy.

We have had issues with scalability.

We have ten people using this solution, with approximately four thousand assets.

Technical support for this solution is really good. For this kind of solution, you have cutting-edge support. The only problem is that many of the specialists only speak English, which sometimes makes it difficult as we are a French company. Aside from the interaction with people, however, the support is really good. If you have a complex case then they work with you until you have a solution.

We have also used Check Point CloudGard and Carbon Black. We stopped using Carbon Black because it is only for another website service.

The initial setup of this solution is complex because you need to have a good understanding of your information system. You need to tag your different assets. 

It took two people approximately one week to deploy. It is a full-time commitment to deploy this solution, and after that, you need to implement controls to tag the assets.

It is a prerequisite from Cisco that you have one of their product specialists for the deployment. You can't build the solution without assistance. I think that this is due to the cost of the solution, and hundreds of people have had a bad experience.

You need to have a team with a good understanding of your information systems in order to have benefits with this kind of solution.

My advice for anybody who is implementing this solution is to define what you want to use, and what you need from the tool. You can't have rules that are too strict in the beginning because otherwise, you can't go to production. Over time, you will have a clear view of what is ongoing with your information system. This allows you to improve step-by-step. This is a long-term approach.

This is a good solution, but it should be more user-friendly and easier to deploy agents.

I would rate this solution an eight out of ten.

Our primary use case is for process discovery and for the data center. 

One thing for sure about improvement to our organization and that is we do have several applications with no servers. It's hard to identify what port every application is using. So by using Tetration, it runs an agent and will let us know all the processes running within that server. We can quickly turn around and be able to secure the server by blocking the unused ports.

The most valuable feature right now is to do with having visibility on the network — especially on our servers — and to be able to enforce some type of security measures. This is mostly to combat processes that shouldn't be running on the servers.

The data analytics and all the data that it gathers are very useful. It creates a fast turn around to improve the speed of decision making so we can decide what we need to do to remain secure.

A feature that I was looking for was emailed alerts and notifications so we'd get them right away. I don't know if it is there or not yet but I haven't had enough time to explore and find it.

The search capabilities can be improved as well.

So far the stability has been reliable.

Scalability all depends on how many agents you buy. If Cisco makes it more affordable to buy agents, then it will be more scalable for us. The limitation right now is the cost and not the system.

So far tech support has been great. Every time we call, they're always available to help us troubleshoot or help us get around in the application.

It was very straightforward since we're doing cloud-based management.

If you have a somewhat limited budget you may find the scalability limited. The product does not seem to be.

For me, the solution is a nine out of ten. I really like it. It's a great tool that will help give visibility to a data center and network, understand processes that are running within the data center and be able to enforce rules and regulations for all your processes.