
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 18

Cisco Multicloud Portfolio:

Cloud Protect

Cisco Tetration: Deployment, Mapping, and

Enforcement

June 2018

Design and Deployment Guide


Contents

Executive summary (page 3)
  Cisco Multicloud Portfolio: Overview (page 3)
  Cloud Protect overview (page 4)
  Cloud Protect use cases (page 4)
  Cloud Protect benefits (page 4)

Technology overview (page 5)
  Cisco Tetration (page 5)
  Tetration agents (page 6)

Solution deployment (page 6)
  Requirements (page 7)

Validated deployment steps (page 8)
  Tetration deployment: Orchestrator deployment (page 9)
  Tetration deployment: Cluster deployment (page 11)
  Deploying software agents (page 14)
  Mapping and enforcing (page 15)

For more information (page 17)


Executive summary

Cisco® Tetration™ is a part of the Cloud Protect component of the Cisco Multicloud Portfolio for simplifying multicloud adoption and management. Cisco Tetration addresses important data center security challenges by providing behavior-based application insight, automating whitelist policy generation, and enabling zero-trust security using application segmentation. This guide will lead you through the process of deployment, application mapping, and enforcement using Tetration on Amazon Web Services (AWS).

This guide documents how Cisco Tetration discovers, maps, baselines, and protects applications for workloads on the cloud, hybrid, and on premises, including planning application migrations, identifying deviations in application behavior, and applying security policies for enforcing fine-grain application micro-segmentation. The audience for this guide includes, but is not limited to, security analysts, security administrators, and computer security professionals who want to secure their organization’s data flows and applications on AWS.

Cisco Multicloud Portfolio: Overview

In a multicloud world, growing complexity is driving a cloud gap between what your customers require and what your people, processes, and tools can support. With the Cisco Multicloud Portfolio, we make it simple: simple to connect, simple to protect, and simple to consume.

The Cisco Multicloud Portfolio is a set of essential products, software, and services supported with simplified ordering and design deployment guides to help you when it comes to multicloud adoption. The Cisco Multicloud Portfolio consists of four component portfolios (Figure 1):

● Cloud Advisory: Helps you design, plan, accelerate, and remove risk from your multicloud migration
● Cloud Connect: Securely extends your private networks into public clouds and helps make sure of the appropriate application experience
● Cloud Protect: Protects your multicloud identities, direct-to-cloud connectivity, data, and applications, including Software as a Service (SaaS), and detects infrastructure and application threats on premises and in public clouds
● Cloud Consume: Helps you deploy, monitor, and optimize applications in multicloud and container environments

Figure 1. Cisco Multicloud Portfolio: Cloud Advisory, Cloud Connect, Cloud Protect, and Cloud Consume


Cloud Protect overview

Cloud Protect consists of essential products to protect your multicloud identities, direct-to-cloud connectivity, data, and applications, including SaaS, and detects infrastructure and application threats on-premises and in public clouds:

● Cisco Umbrella™
● AMP for Endpoints
● Cisco Meraki™ Systems Manager
● Cloudlock
● Tetration Cloud
● Stealthwatch Cloud

For detailed use cases, see the section about Cloud Protect on the portfolio’s solution page at https://www.cisco.com/go/multicloud.

Cloud Protect use cases

Cloud Protect delivers value in the following use cases:

● Secure users connecting to the Internet (cloud), including users from data centers/main offices, branches (no MPLS), roaming places (off VPN), and direct-to-cloud users, including protection for ransomware, command and control callbacks, phishing attacks, and inappropriate web use
● Secure users’ devices connecting to the Internet (cloud), both on and off the network, including blocking malicious files at initial entry by inspection and using a sandbox to further inspect unknown files for advanced protection
● Enable endpoint protection by making sure that the right security services are installed and configured, by permitting only sanctioned apps to access the cloud, and by constantly evaluating and dynamically taking corrective action based on changes to endpoint posture
● Secure cloud applications and data, including detecting data leakages through sanctioned SaaS applications, as well as protecting sensitive data and users from malicious or compromised applications
● Discover, map, baseline, and protect applications for workloads on the cloud, hybrid, and on premises, including planning application migrations, identifying deviations in application behavior, and applying security policies for enforcing fine-grain application micro-segmentation
● Efficiently identify threat activity and monitor user and device behavior across the public cloud and on-premises network. Use high-value, low-noise alerts to detect unusual, risky, and malicious behavior across your IT infrastructure, from the public cloud to headquarters to the branch network

Cloud Protect benefits

Cloud Protect benefits include:

● Secures cloud identities, data, and apps/SaaS
● Provides secure cloud access for users on and off the network
● Enables easy pluggable protection of mobile devices accessing apps (for example, Apple iOS devices)
● Protects workloads on public cloud Infrastructure-as-a-Service (IaaS) providers with security policy enforcement
● Enables compliance in the cloud
● Lowers risk by providing increased visibility and control
● Reduces costs by about 5–10 percent through simplified deployment
● Reduces remediation time for more than 30 percent of organizations by over 90 percent
● Reduces malware infections for about 40 percent of organizations by over 90 percent
● Protects on-premises and cloud environments with a single vendor
● Provides increased visibility tied into automated threat defense
● Dynamically reacts to changes in endpoint posture by controlling apps, users, and services that access cloud data via laptops and mobile devices

Technology overview

Today, applications are driving the modern data center’s infrastructure. With the increasingly dynamic nature of applications, organizations are struggling to build a secure infrastructure without compromising agility. Complexity is high because not only are modern applications dynamic, they are distributed across a heterogeneous environment, including public cloud. For these dynamic distributed applications, traditional perimeter-based security is not sufficient. A new approach is needed.

Three primary factors contribute to this challenge:

● Application magnitude: You must manage hundreds or even thousands of applications within your data center. To do so successfully, it is critical that you know what is running, are aware of applications’ dependencies, and understand the blueprint of application communication. Imagine trying to plan security for a building without a blueprint.
● Attack surface: It is important to minimize the attack surface within your data center. Today, most data center security is perimeter based with free lateral movement inside. However, because of dynamic applications, static security policies implemented at the perimeter of the network are not sufficient to meet the security requirements of modern applications. You need application segmentation that uses a zero-trust model.
● Automation: Whitelist policies that are critical for segmentation and zero-trust need to be generated in an automated manner. These policies need to be infrastructure-independent, moving as workloads move or migrate between infrastructures, including to a public cloud. In addition, you need a mechanism that keeps your whitelist policies up-to-date as application behavior changes and that tracks compliance to identify deviations quickly.

Cisco Tetration

The Cisco Tetration platform addresses important data center security challenges by providing behavior-based application insight, automating whitelist policy generation, and enabling zero-trust security using application segmentation.

The Tetration enforcement layer ensures that policies move with workloads, even when application components are migrated from a bare-metal server to a virtualized environment. In addition, the platform helps ensure scalability through consistent policy implementation for thousands of applications spanning tens of thousands of workloads.

The platform is designed to normalize and automate policy enforcement within the application workload itself, track policy-compliance deviations, and keep the application segmentation policy up to date as application behavior changes. With this approach, Cisco Tetration provides stateful and consistent enforcement across virtualized and bare-metal workloads running in private, public, and on-premises data centers.

Tetration agents

Tetration agents are software that runs within a host operating system, such as Linux or Windows. An agent’s core functionality is to monitor and collect network flow information. Agents also collect other host information such as network interfaces and active processes running in the system. Information collected by agents is exported for further analytical processing to a set of collectors running within the Tetration cluster. In addition, software agents also have the capability to set firewall rules on installed hosts (enforcement agents).

Tetration supports a wide range of sensors for both visibility and enforcement. As an example, Table 1 lists the agents supported by Tetration version 2.2.1.34. (Please refer to the latest Cisco Tetration release notes for an updated sensor list.)

Table 1. Agents supported by Tetration version 2.2.1.34

Deep visibility agents | Enforcement agents
--- | ---
Linux family: 64-bit variants |
RHEL: 5.[0-11], 6.[0-9], 7.[0-4] | RHEL: 6.[0-9], 7.[0-4]
CentOS: 5.[0-11], 6.[0-9], 7.[0-4] | CentOS: 6.[0-9], 7.[0-4]
Oracle Linux: 6.[0-9], 7.[0-4] | Oracle Linux: 6.[0-9], 7.[0-4]
Ubuntu: 12.04, 14.[04, 10], 16.04 | Ubuntu: 12.04, 14.[04, 10], 16.04
SUSE Linux Enterprise Server: 11.[2-4], 12.[0-2] | SUSE Linux Enterprise Server: 11.[2-4], 12.[0-2]
Windows family: 64-bit variants |
Windows desktop: 7, 8, 8.1, 10 | Windows desktop: 7, 8, 8.1, 10
Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016 | Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016

Solution deployment

The Tetration Cloud deployment option allows you to run Cisco Tetration Analytics™ software on AWS. You are responsible for purchasing the required AWS instances directly from Amazon Web Services to run Cisco Tetration Analytics software. However, deployment, orchestration, and maintenance will be handled by Tetration. This deployment option is suitable when you need to collect and analyze telemetry from fewer than 1000 servers (virtual machine or bare metal).

Note that Tetration is agnostic of workload location. The only requirement is that Tetration must be able to reach a workload over Layer 3 (IP routing).

The Tetration orchestrator will deploy and configure the virtual machines shown in Table 2.

Table 2. Tetration orchestrator deploys and configures the following AWS resources

AWS resource | Quantity
--- | ---
t2.medium | 6 instances
m4.large | 15 instances
m4.2xlarge | 2 instances
m4.xlarge | 3 instances
r4.large | 13 instances
r4.2xlarge | 23 instances
r4.xlarge | 4 instances
m4.4xlarge | 8 instances
Amazon Elastic Block Store (EBS): General-purpose solid-state drive (gp2) | 65 TB
Amazon Elastic IP (EIP) addresses | 50 addresses

Requirements

Tetration relies on the AWS resources highlighted in Figure 2. Note that these may not be available in all regions.

Figure 2. AWS resources that Tetration relies on

To deploy Tetration in AWS, several prerequisites must be met, as outlined below.

Create a dedicated AWS account

You will need to create a dedicated AWS account at https://portal.aws.amazon.com/gp/aws/developer/registration. Tetration requires a separate account for two main reasons:

● Resources isolation: To ensure that other instances or changes do not impact the Tetration cluster
● Billing separation: So that Tetration can provide a view on the resources cost for a cluster

Note that multiple AWS accounts can be consolidated to provide a single billing system while still applying different billing codes to each account.


Increase the AWS limits for this account (if needed)

The Tetration orchestrator will deploy multiple instances in a Virtual Private Cloud (VPC) for this account. To support this functionality, the appropriate instances must be allowed within the service limits (see Table 3).

Table 3. Minimum service limits required by each AWS resource

AWS resource | Quantity
--- | ---
t2.medium | 10 instances
m4.large | 20 instances
m4.2xlarge | 5 instances
m4.xlarge | 5 instances
r4.large | 15 instances
r4.2xlarge | 25 instances
r4.xlarge | 5 instances
m4.4xlarge | 10 instances
Amazon EBS: General-purpose solid-state drive (gp2) | 70 TB
Amazon EIP | 50 addresses

Even though you will not use all of these instances, we recommend keeping some buffer for future expansion.

Create an AWS S3 bucket for the CloudFormation templates

During the deployment process, Tetration will create deployment files that must be accessible from the AWS orchestrator. An AWS S3 bucket will be used for this purpose.

Prepare information for email services

Several email services will be in use, including a Simple Mail Transfer Protocol (SMTP) server, site admin alias, customer-support alias, and alert alias. As Tetration does not come with a default password, you will need to reset your password from the main login page once deployment is complete. We recommend that you use aliases for these emails, as they will be needed for troubleshooting and user creation.

Note: At this point in the deployment, a VPN has not been set up to your premises, nor has the VPC been peered to another VPC. We recommend that you use an online email service here, such as AWS Simple Email Service. The email “to” field will be the site admin email alias.

With the environment prerequisites satisfied, you can move to cluster deployment.

Validated deployment steps

This guide provides deployment details for:

● Tetration deployment (in two stages):
  ◦ Orchestrator deployment
  ◦ Cluster deployment
● Deploying software sensors


Tetration deployment: Orchestrator deployment

To begin Tetration deployment, you must deploy the first orchestrator to bootstrap the cluster (Figure 3).

Figure 3. Deploying the first orchestrator during Tetration deployment

The following steps should be executed on a Linux, Windows, or macOS machine with Python 2.7 and access to the Internet.

Step 1: Go to Cisco.com.

Step 2: Log in with the Cisco.com account linked to your Tetration subscription.

Step 3: Download the files for Tetration AWS deployment.

The zip archive you download will contain the following files (Figure 4):

● AwsHelperGuide.md
● config.yml: Used to populate vital AWS CloudFormation parameters
● orchestrator.yml.j2: Jinja2 template used to generate the CloudFormation template
● tetration_cluster_launcher.py: Script that launches a Tetration cluster using the config.yml and orchestrator.yml.j2 files
● vpc_peering_role.yml: File that launches a CloudFormation stack that creates a VPC peering connection Identity and Access Management (IAM) role


Figure 4. Files required for Tetration AWS deployment

Step 4: Edit the config.yml file and populate the fields as shown in Table 4.

Table 4. Parameters and values to populate in config.yml

Parameter name | Value
--- | ---
cluster_name | Name of the Tetration cluster; must match the site name
vpc_cidr | Classless Interdomain Routing (CIDR)-formatted network range of the Tetration cluster VPC (string)
external_cidr | CIDR-formatted network ranges to allow ingress to the Tetration UI (list)
region | AWS region where the Tetration cluster instances will be launched
availability_zone | AWS availability zone where Tetration cluster instances will be launched (currently, Tetration can be launched in only one availability zone)
s3_bucket_name | Name of the S3 bucket created in the “Requirements” section

Step 5: Once the files have been modified, start the deployment process. Use the following command:

    python tetration_cluster_launcher.py -c config.yml_path -t orchestrator.yml.j2_path

Step 6: To complete deployment, save your output (Figure 5).


Figure 5. Save your output to complete deployment

You have completed orchestrator deployment. Continue to cluster deployment to complete Tetration deployment.
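Before running the launcher in Step 5, it is worth checking config.yml offline: an over-broad external_cidr exposes the Tetration UI to more networks than intended, and a region/availability-zone mismatch only surfaces once CloudFormation runs. The script below is an added example, not part of the Cisco guide or of tetration_cluster_launcher.py; the parameter names are those of Table 4, while the sample values and the validation rules (RFC 1918 VPC range, no 0.0.0.0/0 ingress entry, zone inside the region, S3 bucket naming) are the example's own assumptions.

```python
"""Offline preflight check for the config.yml used by the Tetration orchestrator
launcher (added example; not the Cisco guide's or the launcher's own code).
Field names follow Table 4; the sample values and the rules are assumptions."""
import ipaddress
import re

REQUIRED = ("cluster_name", "vpc_cidr", "external_cidr", "region",
            "availability_zone", "s3_bucket_name")

# S3 bucket naming rule used here: 3-63 characters of lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit, no "..".
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")      # e.g. us-east-1, eu-central-1

# Constructed sample of a filled-in config.yml (as a dict) with three deliberate
# mistakes that the check below should catch.
SAMPLE_CONFIG = {
    "cluster_name": "tetration-cluster-1",
    "vpc_cidr": "10.20.0.0/16",
    "external_cidr": ["203.0.113.0/24", "0.0.0.0/0"],   # 0.0.0.0/0 exposes the UI to everyone
    "region": "us-east-1",
    "availability_zone": "us-west-2a",                 # zone is not in the region
    "s3_bucket_name": "Tetration_Deploy",              # uppercase and underscore are not allowed
}


def _parse_cidr(value):
    """Return an ip_network for a CIDR string, or None if it does not parse."""
    try:
        return ipaddress.ip_network(str(value), strict=True)
    except ValueError:
        return None


def validate_config(cfg):
    """Return a list of problems found in cfg; an empty list means it passes."""
    problems = ["missing parameter: %s" % key
                for key in REQUIRED if cfg.get(key) in (None, "", [])]
    if problems:
        return problems

    vpc = _parse_cidr(cfg["vpc_cidr"])
    if vpc is None:
        problems.append("vpc_cidr is not a valid CIDR: %r" % (cfg["vpc_cidr"],))
    elif not vpc.is_private:
        problems.append("vpc_cidr %s is not a private (RFC 1918) range" % vpc)

    ext = cfg["external_cidr"]
    if not isinstance(ext, list):
        problems.append("external_cidr must be a list of CIDR strings")
        ext = []
    for entry in ext:
        net = _parse_cidr(entry)
        if net is None:
            problems.append("external_cidr entry is not a valid CIDR: %r" % (entry,))
        elif net.prefixlen == 0:
            # Least privilege: UI ingress should be limited to management ranges.
            problems.append("external_cidr entry %s lets the whole Internet reach the UI" % net)

    region, az = str(cfg["region"]), str(cfg["availability_zone"])
    if not REGION_RE.match(region):
        problems.append("region does not look like an AWS region name: %r" % region)
    # An AZ name is the region name plus one letter, e.g. us-east-1a.
    if not (az.startswith(region) and re.fullmatch(r"[a-z]", az[len(region):])):
        problems.append("availability_zone %s is not in region %s" % (az, region))

    bucket = str(cfg["s3_bucket_name"])
    if not BUCKET_RE.match(bucket) or ".." in bucket:
        problems.append("s3_bucket_name is not a valid S3 bucket name: %r" % bucket)
    return problems


if __name__ == "__main__":
    for problem in validate_config(SAMPLE_CONFIG):
        print("config.yml:", problem)
```

To check a real file, load it with yaml.safe_load (PyYAML) and pass the resulting dict to validate_config.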

Tetration deployment: Cluster deployment

After the orchestrator is bootstrapped, you can begin cluster deployment (Figure 6).

Figure 6. Cluster deployment

Step 1: Navigate to the cluster setup URL.

Step 2: From that URL, upload the deployment files. Note that these files must be fetched from a URL. If you do not have these files available from a URL, you can upload them to an AWS S3 bucket and use that URL.


Figure 7. Upload deployment files from the cluster setup URL

Note: More than two files may be needed, depending on the software deployed. All files are available from Cisco.com, and the list of files will be indicated on the upload page.

Step 3: Once the files have been uploaded, the configuration screen comes up (Figure 8). Select the form you wish to complete.

Figure 8. Site configuration screen with form options

Step 4: Click each form one by one and enter the required parameters.


General form

Step 5a: Click General.

Step 5b: Enter the unique cluster name under Site Name.

Step 5c: Enter the authentication key under SSH Public Key.

Reader Tip

You need to generate your own SSH key pair. This will provide cluster SSH access for troubleshooting purposes.

Email form

Step 6a: Click Email.

Step 6b: Enter the required email addresses.

Network form

Step 7a: Click Network.

Step 7b: For Internal Network IP Address, enter the address from the orchestrator deployment output.

Step 7c: For External Network IP Address, enter the address from the orchestrator deployment output.

Step 7d: For External Gateway IP Address, enter the address from the orchestrator deployment output.

Step 7e: For DNS Resolver IP Address, enter the address from the orchestrator deployment output.

Step 7f: For the DNS Domain field, enter your DNS domain (for example, "cisco.com").

Service form

Step 8a: Click Service.

Step 8b: For NTP Servers, enter the space-separated list of Network Time Protocol (NTP) server names or IP addresses from the orchestrator deployment output.

Step 8c: For SMTP Server, enter the name or IP address of an SMTP server that can be used by Tetration for sending email messages. Note that this server must be accessible by Tetration.

Step 8d: For SMTP Port, enter the port number of the SMTP server. AWS restricts the use of ports 25 and 465.

Step 8e: For SMTP Username, enter the user name for SMTP authentication.

Step 8f: For SMTP Password, enter the password for SMTP authentication.

UI form

Step 9a: Click UI.

Step 9b: For UI VRRP VRID, keep the default (77).

Step 9c: For UI FQDN, enter the fully qualified domain name where you will access the cluster.

Step 9d: Leave UI airbrake key blank.

Step 10: Once all parameters are configured, click Continue.

The next page will run a number of tests and validate the parameters before running the deployment (including sending a verification email).


Step 11: Once these steps are complete, click Continue to run through the deployment.

Note: Full deployment can take up to 3 hours.

Deployment will complete with the message shown in Figure 9. You can now access the Tetration UI and reset your account password. (For best security, we recommend changing the account password.)

Figure 9. Tetration cluster deployment completed message

Deploying software agents

For Linux OS, root privileges are required to install and run sensors. In addition, the following dependencies are required for Linux sensors:

● curl: Version 7.15 or later
● dmidecode: Version 2.11 or later
● openssl: Upgrade to the latest version supported by your Linux distributor (Red Hat or Oracle) recommended
● cpio
● sed
● lsb_release
● awk
● flock

For Windows Server OS, administrator rights are required. Also, for Windows agents to operate, you must install WinPcap 4.1.3 (or later) or Npcap 0.9.5 (or later) onto the system. Tetration will install WinPcap or Npcap automatically if the library is not already on the system. Otherwise, it will use the libraries currently installed.
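A preflight check for the Linux prerequisites just listed, as an added example that is not the Cisco guide's or the Tetration installer's code: check_prereqs() reports missing tools, versions below the minimums above, and a non-root user, and probe_host() collects the version banners on a real host. The banner strings in SAMPLE_FOUND are constructed, and the assumption that each tool answers to --version (openssl to "openssl version") is the example's own.

```python
"""Preflight check for the Linux sensor prerequisites (added example; not the
Cisco guide's or the Tetration installer's own code). The minimum versions are
the ones listed above; everything else is this example's assumption."""
import os
import re
import shutil
import subprocess

# Minimum version per tool from the guide; None means "must be present, any version".
MIN_VERSIONS = {
    "curl": "7.15",
    "dmidecode": "2.11",
    "openssl": None,
    "cpio": None,
    "sed": None,
    "lsb_release": None,
    "awk": None,
    "flock": None,
}

# Arguments that print a tool's version banner (assumed; openssl has no --version).
VERSION_ARGS = {"openssl": ["version"]}


def parse_version(text):
    """Extract the first dotted version number in a banner as a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def version_ge(found, minimum):
    """True if the version in banner `found` is at least `minimum` (7.29.0 >= 7.15)."""
    f, m = parse_version(found), parse_version(minimum)
    if f is None or m is None:
        return False
    width = max(len(f), len(m))               # pad so that 7.15 compares as 7.15.0
    return f + (0,) * (width - len(f)) >= m + (0,) * (width - len(m))


def check_prereqs(found, is_root=True):
    """Return the unmet prerequisites for a host; an empty list means it is ready.

    `found` maps tool name -> version banner string, or None if the tool is absent.
    """
    problems = []
    if not is_root:
        problems.append("root privileges are required to install and run the sensor")
    for tool, minimum in MIN_VERSIONS.items():
        banner = found.get(tool)
        if banner is None:
            problems.append("%s is not installed" % tool)
        elif minimum is not None and not version_ge(banner, minimum):
            problems.append("%s (%s) is older than the required %s"
                            % (tool, banner.strip(), minimum))
    return problems


# Constructed banners for an old host: dmidecode is too old and lsb_release is absent.
SAMPLE_FOUND = {
    "curl": "curl 7.29.0 (x86_64-redhat-linux-gnu)",
    "dmidecode": "# dmidecode 2.9",
    "openssl": "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "cpio": "cpio (GNU cpio) 2.11",
    "sed": "sed (GNU sed) 4.2.2",
    "lsb_release": None,
    "awk": "GNU Awk 4.0.2",
    "flock": "flock from util-linux 2.23.2",
}


def probe_host():
    """Build the `found` mapping on this host by running each tool once."""
    found = {}
    for tool in MIN_VERSIONS:
        path = shutil.which(tool)
        if path is None:
            found[tool] = None
            continue
        try:
            out = subprocess.run([path] + VERSION_ARGS.get(tool, ["--version"]),
                                 capture_output=True, text=True, timeout=10)
            lines = (out.stdout or out.stderr).strip().splitlines()
            found[tool] = lines[0] if lines else ""
        except (OSError, subprocess.SubprocessError):
            found[tool] = ""          # present, but its version could not be read
    return found


if __name__ == "__main__":
    for problem in check_prereqs(probe_host(), is_root=(os.geteuid() == 0)):
        print("prerequisite:", problem)
```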

Downloading the agent

Step 1: Click the Settings menu in the top-right corner.

Step 2: Select Agent Config to open the configuration page.

Step 3: Click the Software Agent Download tab (Figure 10).

Figure 10. Software Agent Download page


Step 4: Find the correct platform, version, or agent type and click the corresponding Download button.

Installing a Linux agent (RHEL/CentOS/Oracle):

Step 5: Run rpm -Uvh <rpm filename>.

Installing a Linux agent (Ubuntu):

Step 5a: Run rpm -qpR <rpm filename> and make sure all dependencies are met.

Step 5b: Install with the --nodeps option: rpm -Uvh --nodeps <rpm filename>.

Installing a Windows agent:

Step 5a: Extract the tet-win-sensor<version>.win64<clustername>.zip file.

Step 5b: Follow the README text file for detailed instructions. Alternatively, run the script install.cmd with administrator privileges to finish the installation.

Check that sensors are running

Step 6: Click the Settings menu in the top-right corner.

Step 7: Select Agent Config to open the configuration page.

Step 8: Confirm that you see a list of deployed sensors with their software version and an Active icon (green checkmark; see Figure 11).

Figure 11. Agent Configuration page displays deployed sensors with their software version and an Active icon

You have now completed sensor deployment.

Mapping and enforcing

Tetration uses machine-learning technology to model policies for your environment (both on-premises and cloud) and to enforce these policies directly at the endpoint level (Figure 12).


Figure 12. You can review the default policies generated by Tetration using machine learning

Policy generation

Policies can also optionally be generated based on uploaded “annotations” (tags).

Step 1: Select Inventory -> Inventory Upload to upload new tags (Figure 13).

Figure 13. You can upload new tags from the Inventory Upload page

Step 2: Use the example format shown in Figure 14 to upload up to 32 custom tags. These tags will then be reflected in policy generation as well as in flow search.


Figure 14. You can use this format to upload custom tags

Step 3: With annotations and policies generated, you can now enable enforcement (Figure 15).

Figure 15. Once annotations and policies are generated, you can enable enforcement

For a tutorial on policy generation and enforcement, see https://youtu.be/giJ1PTKZQGE.

For more information

For any questions, please refer to these resources:

● Cisco Tetration: https://cisco.com/go/tetration
● Policy generation and enforcement tutorial: https://youtu.be/giJ1PTKZQGE

For a complete list of all of our design and deployment guides for the Cisco Multicloud Portfolio, including Cloud Protect, visit https://www.cisco.com/go/clouddesignguides.


About Cisco design and deployment guides

Cisco Design and Deployment Guides consist of systems and/or solutions designed, tested, and documented to facilitate faster, more reliable, and more predictable customer deployments. For more information visit: https://www.cisco.com/go/designzone.

ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.


Printed in USA C07-740315-01 06/18