We've been talking for a while about Cisco ACI's leadership in SDN security features (like here), and in the design of our fine-grained security policy enforcement between individual workloads, sometimes called microsegmentation. Today, here at Interop, Las Vegas, Cisco is reaffirming its thought leadership in data center security and SDN automation with a couple of announcements, including the integration of Cisco FirePOWER next generation intrusion prevention system (NGIPS) into the ACI security framework. In other news, another ACI ecosystem security partner was announced last week at the RSA Security Conference: Fortinet, who will be integrating their Fortigate firewall platform with ACI.
The Cisco ACI + FirePOWER solution enables real-time detection, mitigation and remediation of advanced security threats inside the data center by combining the granular application visibility and control, threat detection, and advanced malware protection (AMP) capabilities of FirePOWER NGIPS with ACI microsegmentation, advanced security service insertion, and L4-7 policy automation. To quickly summarize how this all comes together, along with a sample use case for ACI security, we created the following video:
https://www.youtube.com/watch?v=0kcXhm9Vbyw
Available in June 2015, the new ACI advanced security capabilities work to protect data centers before, during, and after attacks, dynamically detecting threats and automating incident response. The Cisco FirePOWER family of security appliances consists of industry-leading NGFW and NGIPS appliances offering best-in-class threat effectiveness, superior visibility and global threat intelligence.
FirePOWER + ACI = Automated Security with Advanced Protection Across the Attack Continuum for Physical and Virtual

Cisco also announced that third-party auditors validated ACI for deployment in Payment Card Industry Data Security Standard (PCI DSS) compliant networks. Any organization that accepts credit cards needs to comply with the PCI data security standard, but managing and simplifying the scope of compliance can help reduce compliance costs for these organizations. Independent Qualified Security Assessors (QSAs) validated in Cisco labs that ACI can be used to reduce the scope of PCI assessment and simplify segmentation management.
To set the context for this ACI security news, I like to point to three prevailing trends in data center security that are driving many new product requirements in this area. The first is well captured by this observation:
Over the previous 10 years, "attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade." If CISOs want to ever improve their abilities to detect and respond to adversaries, they must move from reactive to proactive operations through automation. Every bit of operational friction that S&R pros can reduce using automation will result in a more-agile security posture that makes detecting and responding to adversaries more productive. CISOs can expect automation to become one of the next great security buzzwords.
Through Cisco ACI, all security device provisioning and configuration can be automated according to the centrally managed application policies and requirements, greatly simplifying IT security tasks and accelerating application deployments.
Tomorrow, I'm planning a blog post to review some market data we collected with Enterprise Strategy Group (ESG) on data center security requirements, including the need for automation and finer-grained segmentation, as we've discussed here.
If you are around Interop this week, we'd love to have you stop by and see the new demos of ACI with FirePOWER integration, as well as all the other features we're showing. If not, we'll hope to at least see you at Cisco Live in San Diego, where we'll have even more to show off.
[Cisco Press Release]