SAFE Architecture Guide

Places in the Network: Secure Cloud

June 2019
SAFE Architecture Guide Places in the Network: Secure Cloud | Contents

Contents
3 Overview
Cloud Taxonomy 5
Cloud Services 6
Cloud Responsibility 7

8 Business Flows
Functional Controls 9
Capability Groups 10

11 Threats
12 Security Capabilities
18 Architecture
Secure Cloud 19

20 Attack Surface
Humans 20
Devices 20
Network 20
Applications 21

22 Summary
23 Appendix A – Proposed Designs
Amazon Web Services 23
Microsoft Azure 24
Google Cloud Platform 25

26 Appendix B - Suggested Components

SAFE Architecture Guide Places in the Network: Secure Cloud | Overview June 2019

3
Overview
The Secure Cloud is a place in the network (PIN) where a company centralizes data and performs services for business.
Cloud service providers host data center services in the Secure Cloud. This guide addresses Secure Cloud business flows
and the security used to defend them. The focus of this guide in on the security controls necessary to provide “security
FOR the cloud”.
The Secure Cloud is one of the seven places in the network within SAFE. SAFE is a holistic approach in which Secure
PINs model the physical infrastructure and Secure Domains represent the operational aspects of a network.
The Secure Cloud architecture guide provides:
• Business flows for the cloud
• Cloud threats and security capabilities
• Business flow security architecture
• Design examples and a suggested components

YOU ARE
HERE

Figure 1 The Key to SAFE. SAFE provides the Key to simplify cybersecurity into Secure Places in the Network (PINs) for
infrastructure and Secure Domains for operational guidance.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Overview June 2019

4
SAFE simplifies security by starting with business flows, then addressing their respective threats with corresponding
security capabilities, architectures, and designs. SAFE provides guidance that is holistic and understandable.

YOU ARE

HERE

Figure 2 SAFE Guidance Hierarchy

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Overview June 2019

5
Cloud Taxonomy
The Internet is a collection of interconnected Information Technology (IT) and clouds. Terms of clouds varies by
context, ownership and integration.
Table 1 Common Cloud Terms and Definitions.
Cloud Term Definition
Cloud Cloud computing enables convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction.
Public Cloud A style of computing where scalable and elastic IT-enabled capabilities are
provisioned as a service to customers using Internet technologies.
Private Cloud A style of computing where scalable and elastic IT-enabled capabilities are
provisioned over IT infrastructure that is on-prem.
Hybrid Cloud A style of computing where scalable and elastic IT-enabled capabilities are
provisioned services out of multiple, private and public cloud availability
zones. Workloads are actively ported between these zones for reasons
including cost, performance and availability.
Multicloud A style of computing where scalable and elastic IT-enabled capabilities are
provisioned services out of multiple, private cloud and public cloud
availability zones. Workloads are not ported between these zones.
Hybrid IT Hybrid IT is when an enterprise adds cloud-based services to complete their
entire pool of IT resources. A hybrid IT model enables organizations to lease
a portion of their required IT resources from a public/private cloud service
provider.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Overview June 2019

6
Cloud Services
Cloud Service Providers (CSP) provide public cloud services. CSPs deliver a variety of cloud services that can provide
business application delivery. The following table lists the cloud service types, definitions and the corresponding SAFE
PIN Architecture Guide the cloud service is covered under.

Table 2 Cloud Service Type, Definition and SAFE PIN coverage

Cloud Service Type Definition SAFE PIN
Architecture Guide
Software as a Service Software that is deployed over the internet, A provider licenses Secure Internet
(SaaS) an application to customers either as a service on demand,
through a subscription, in a “pay-as-you-go” model, or
(increasingly) at no charge when there is opportunity to
generate revenue from streams other than the user, such as
from advertisement or user list sales.
Functions as a Service A cloud computing service that provides a platform allowing Secure Cloud
(FaaS) customers to develop, run, and manage application
functionalities without the complexity of building and
maintaining the infrastructure typically associated with
developing and launching an application. Also referred to as
Serverless.
Platform as a Service A computing platform that allows the creation of web Secure Cloud
(PaaS) applications quickly and easily and without the complexity of
buying and maintaining the software and infrastructure
underneath it.
Container as a Service A cloud service that allows software developers and IT Secure Cloud
(CaaS) departments to upload, organize, run, scale, manage and stop
containers by using container-based virtualization.
Infrastructure as a A way of delivering Cloud Computing infrastructure – servers, Secure Cloud
Service (IaaS) storage, network and operating systems – as an on-demand
service. Rather than purchasing servers, software, datacenter
space or network equipment, clients instead buy those
resources as a fully outsourced service on demand.
On-Prem IT services are provisioned over private IT infrastructure for the Secure Data Center
dedicated use of a single organization. The customer owns all
costs for hosting the applications in a location they own.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Overview June 2019

7
Cloud Responsibility
The customer selects the cloud service model which best serves the business need. The following figure represents the
responsibility model between the Cloud Service Provider and the Customer.

Figure 3 Cloud Service Shared Responsibility Model

On the far left, the Software as a Service (SaaS) cloud service has the cloud service provider being responsible for all
costs. On the far right, the On-Prem cloud service (i.e. private cloud) is a traditional data center deployment where the
customer is responsible for all costs. The cloud services between them have varying ownership responsibility. A
customer needs to evaluate the service level agreements for all cloud services under consideration.
Runtime is a responsibility highlighted because with an On-Prem or IaaS deployment the customer owns runtime even
if the servers sit idle. In a PaaS or FaaS deployment, a customer would only pay for the runtime that they used.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Business Flows June 2019

8
Business Flows
The SAFE model is based on ten business flows as described in the SAFE Overview Guide. SAFE’s color-coded business
flows illustrate the security needed for each role. These flows depict the attack surface, ensuring that controls are
easily accounted for.
The Secure Cloud provides business services to the company’s users.

• Employees in the branch, campus, and remote locations require access to applications, collaboration services
(voice, video, email), and the Internet
• Systems communicate east/west within the cloud service, as well as with other cloud services or on-premise
data centers

The three business flows this architecture guide focuses on describing the capabilities required to secure the Secure
Cloud PIN are depicted in Figure 4.

Figure 4 Cloud business use cases are color coded to define where they flow

The green business flow is an example of a secure application, depicted by a clerk in the branch accessing a payment
application hosted in the cloud (Amazon Web Services). The capabilities in the branch are documented in the Secure
Branch architecture guide.

The blue business flow is an engineer connected directly to the Internet accessing a secure workflow application hosted
in the cloud (Microsoft Azure).

Lastly, the gray business flow represents the east-west traffic between a database server and a payment application
hosted in Google Cloud Platform. The business requires visibility and control capabilities for the traffic between the
hosted applications.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Business Flows June 2019

9
Functional Controls
Functional Controls are common security considerations that are derived from the technical aspects of the business
flows.
________________________________________________________________________________________________
Secure Applications Applications require sufficient security controls for protection.
_________________________________________________________________________________________________
Secure Remote Access Secure remote access for employees and third-party partners that are external to
the company network.
_________________________________________________________________________________________________
Secure East/West Traffic Data moves securely; internally, externally, or to third-party resources.
_________________________________________________________________________________________________

Figure 5 Cloud business flows map to functional controls based on the types of risk they present

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Business Flows June 2019

10
Capability Groups
Cloud security is simplified by grouping capabilities into three groups which align to the functional controls:
Foundational, Business, and Access. Each flow requires the access and foundational groups. Business activity risks
require appropriate capabilities to control or mitigate them.
For more information regarding capability groups and functional controls, refer to the SAFE overview guide.

Figure 6 The Secure Cloud Business Flow Capability Diagram

Secure Cloud threats and capabilities are defined in the following sections.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Threats June 2019

11
Threats
Cloud services contain the majority of business information assets and intellectual property. These are the primary
goals of targeted attacks and require the highest level of investment to secure. The cloud assets have four primary
threats:

Data extraction (data loss)

The unauthorized ex-filtration or theft of a company’s intellectual property, innovation, and proprietary company data.

Unauthorized network access

Unauthorized access gives attackers the potential to cause damage, such as deleting sensitive files from a host, planting
a virus, and hindering network performance with a flood of illegitimate packets.

Malware propagation
Assets in the data center are targets for east/west contamination between servers, and north/south from employees,
partners, or customer devices on the network. Applications that process credit card transactions and Internet of Things
devices are the most prevalent targets.

Botnet cultivation
The resources of a server farm are a valuable target for botnet cultivation. Botnets are networks made up of remote
controlled computers, or “bots.” They are used to steal data, send spam, or perform other attacks.

The defense is explained throughout the rest of the document.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Security Capabilities June 2019

12
Security Capabilities
The attack surface of the cloud is defined by the business flows, and includes the people and the technology present.
The security capabilities that are needed to respond to the threats are mapped in Figure 7. The cloud security
capabilities are listed in Table 3. The placement of these capabilities is discussed in the architecture section.

Figure 7 Secure Cloud Attack Surface and Security Capabilities

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Security Capabilities June 2019

13
Table 3 Secure Cloud Attack Surface, Security Capability, and Threat Mapping. Products that implement these
capabilities can be found in Table 4 in Appendix B.
Secure Cloud Attack Surface
Human Security Capability Threat
Attackers or
Users: disgruntled
Identity: admins accessing
Employees, third
parties, customers, Identity-bases access. restricted
and administrators. information
resources.
Devices Security Capability Threat
Clients: N/A: Compromised
Devices such as PCs, Covered in Internet, administrator
laptops, smartphones, Campus and Branch systems obtaining
tablets. PINs. elevated access.

Voice/Video: N/A: Attackers

accessing private
Phone and Covered in Secure information.
teleconferencing Services domain.

N/A:
Autonomous Device: Attackers taking
Covered in IoT Threat over systems
Building controls.
Defense
Network Security Capability Threat

Firewall: Unauthorized
access and
Stateful filtering and malformed
protocol inspection packets between
between segments in and within
the virtual private application in the
Cloud Network cloud. cloud.
Infrastructure:
Intrusion Prevention: Attacks using
Routing and switching
Blocking of attacks by worms, viruses,
capabilities required
signatures and or other
to host business
anomaly analysis. techniques.
services in the cloud.
Tagging: Unauthorized
Software-based access and
segmentation using malicious traffic
native cloud between
capabilities segments.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Security Capabilities June 2019

14
Network (continued) Security Capability Threat
Malware
Anti-Malware: distribution
Identify, block, and across networks
analyze malicious files or between
and transmissions. servers and
devices.
Threat Intelligence:
Analysis: Zero-day malware
Contextual knowledge and attacks.
of emerging hazards.
Flow Analytics: Traffic, telemetry,
and data
Network traffic exfiltration from
metadata identifying successful
security incidents. attacks.
Virtual Private
Network (VPN) or SD-
WAN: Easily collecting
information and
Encrypted identities.
communication
tunnels.
VPN Gateway or
WAN:. Concentrator: Exposed services
Encrypted remote and data theft.
access.

DDoS Protection: Massively scaled

attacks that
Protection against overwhelm
scaled attack forms. services.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Security Capabilities June 2019

15
Applications Security Capability Threat
Unauthorized
Application Visibility access and
Control: malformed
Inspects network packets
communications. connecting to
services.
Web Application Attacks against
Firewall: poorly developed
Applications: applications and
Advanced application
Management, servers, inspection and website
database, load monitoring. vulnerabilities.
balancer.
File Analysis:
Zero-day malware
Inspects and analyzes and attacks.
suspicious files.

TLS Encryption
Offload: Theft of
unencrypted
Accelerated encryption traffic.
of data services.
Theft of
Disk Encryption:
Storage: unencrypted
Encryption of data at data.
Cloud storage.
rest.

Applications Security Capability Threat

Server-based Security: Viruses or

Security software for malware
servers with the compromising
following capabilities: systems.
Servers:
Anti-Malware:
Malware
Identify, block, and distribution
analyze malicious files across servers.
and transmissions.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Security Capabilities June 2019

16
Applications (continued) Security Capability Threat

Cloud Security: Redirection of

session to
Security services from malicious
the cloud website.

Flow Analytics: Traffic, telemetry,

and data
Network traffic exfiltration from
metadata identifying successful
security incidents. attacks.

Exploiting a
Application
misconfigured
Dependency Mapping:
firewall policy

Exploiiting
Vulnerability
unpatched or
Assessment and
outdated
Software Inventory:
applications.

Exploiting
Servers: Process Anomaly
privileged access
Detection & Forensics:
to run shell code.

Unauthorized
Tagging: access and
Grouping for Software malicious traffic
Defined Policy between
segments.
Targeted attacks
Policy Generation,
taking advantage
Audit, and Change
of known
Management:
vulnerabilities.
Unauthorized
Host-based Firewall: access and
Provides micro- malformed
segmentation and packets
policy enforcement. connecting to
server.

Disk Encryption: Unauthorized

Protect information at access to system-
rest. stored data.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Security Capabilities June 2019

17
Management Security Capability Threat
Analysis/Correlation:
Diverse and
Security event polymorphic
management of real- attacks.
time information
Anomaly Detection:
Identification of Malware
infected hosts scanning distribution
for other vulnerable across servers.
hosts.
Identity/Authorization:
Viruses
Centralized identity compromising
and administration systems.
policy.

Logging/Reporting: Redirection of
session to
Management, Centralized event malicious
Control, and information collection. website.
Monitoring
Unauthorized
Monitoring: access and
malformed
Network traffic packets
inspection. connecting to
server.
Policy/Configuration:
Targeted attacks
Unified infrastructure taking advantage
management and of known
compliance vulnerabilities.
verification.
Vulnerability
Management: Unauthorized
Continuous scanning, access to system-
patching, and reporting stored data.
of infrastructure.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Architecture June 2019

18
Architecture
SAFE underscores the challenges of securing the business. It enhances traditional network diagrams to include a
security-centric view of the company business. The Secure Cloud architecture is a logical grouping of security and
network technology that supports business use cases.
SAFE business flow security architecture depicts a security focus. A SAFE logical architecture can have many different
physical designs.

YOU ARE
HERE

Figure 8 SAFE Model. The SAFE Model simplifies complexity across a business by using Places in the Network (PINs) that
it must secure.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Architecture June 2019

19
Secure Cloud
The Secure Cloud architecture has the following characteristics:
• Visibility with centralized management, analytics, and shared services
• A core connecting distribution and application-centric layers
• Software-defined network segmentation
• Software-defined application segmentation
• Virtual servers requiring secure network access connectivity
Humans and devices are part of the attack surface, but are not part of the architecture within the secure cloud.

Figure 9 Secure Cloud PIN. The Secure Cloud business flows and security capabilities are arranged into a logical
architecture. Business use cases flow through the green architecture icons with the required blue security capabilities

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Architecture June 2019

20
Attack Surface
The Secure Cloud attack surface (Figure 7) consists of Humans, Devices, Network, and Applications. A successful breach
gives an attacker the “keys to the kingdom.”
Security includes these considerations:
• Human administrators can be located anywhere
• Network security is required for applications hosted in public cloud
• Applications and data contain vital company information
• Application orchestration centralizes control of security, network, and server elements into a single critical
target
The sections below discuss the security capability that defends the threats associated with each part of the attack
surface.

Humans
Typically, humans are administrators for the secure data center, secure cloud and public SaaS applications.
No amount of technology can prevent successful attacks if the administrators themselves are compromised.
Administrators that are disgruntled (fired, demoted, bullied, ideology), compromised (blackmail, threats, bribery), or
have had their credentials stolen (phishing, key logger, password reuse) are the single biggest risk in the security of a
company.
Administrators have a higher level of access than normal users which requires additional controls:
• Multi-factor authentication
• Limited access to job function
• Logging of administrator changes
• Dedicated, restricted workstations
• Removal of old administrator accounts
The primary security capability is Identity. One of the primary threats is “Unauthorized Network Access”. A strong
Identity solution is required to mitigate against this threat.

Devices
The administrator’s device (i.e. laptop, tablet) is used to access tools that administrators use to control and monitor
systems that maintain and secure the business applications whether they are secure data center, secure cloud or public
SaaS applications. Administrators connect to centralized management systems using secure connectivity with strong
encryption (SSH, TLS, VPN) and multi-factor authentication from a variety of devices.
The primary security capabilities are Client-Based Security and Posture Assessment for the device. Client-Based Security
includes VPN client, Anti-Malware and Secure Internet Gateway capabilities.

Network
The network is located in a virtual private cloud hosted by a cloud service provider. The foundational capabilities:
Firewall, Intrusion Prevention and Tagging are required for protecting the application in the cloud. The cloud service
providers offer default firewall capabilities for the various cloud service types they offer. For IaaS deployments,
Firepower Threat Defense Virtual (FTDv) provides extensive L4-L7 firewall protection capabilities with integrated

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Architecture June 2019

21
intrusion prevention in the same virtual machine. The tagging capability will vary by cloud service and could include:
VLANs, VXLANs or Security Group Tags (TrustSec).
The foundational capabilities include Anti-Malware, Threat Intelligence and Flow Analytics. One of the primary threats
is “Malware propagation” and anti-malware detection of network traffic is required. To mitigate against this threat, the
anti-malware solution should operate in-line with the traffic. Advanced Malware Protection for Networks (AMP4N) is
enabled FTDv, as well as many of the Cisco security products.
Threat Intelligence is required and all Cisco security products are connected to Talos Intelligence to stay current with
cyber threats. Analysis of the traffic is key to visibility, you can’t protect yourself unless you can see it. Stealthwatch
cloud is recommended to analyze the traffic to and within the virtual private cloud hosting the applications, and can
aggregate different CSPs analytics as well as on-prem data centers.
The business capabilities include Distributed Denial of Service Protection and we have partners in the Appendix B that
offer this capability.

Applications
The servers are the endpoints in the cloud that host web services, applications, and databases. The access capabilities
to secure them are Server-Based Security and Posture Assessment. Server-Based Security requires Anti-Malware, Host
Based Firewall, Posture Assessment and Patching, Cloud Security, and Disk Encryption.
Tetration provides the Host Based Firewall capability including micro-segmentation, tagging for software defined
policy, and enforcement. Tetration is also provides Posture Assessment and Patching.. The Anti-Malware capability is
required and Cisco’s Advanced Malware Protection for Endpoints (AMP4E) is recommended.
To secure access to applications beyond foundational and access capabilities, business capabilities must be deployed to
manage business risks introduced by the business practice. The primary security capabilities Application Visibility
Control, Web Application Firewall, TLS Offload and File Analysis.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Summary June 2019

22
Summary
Today’s companies are threatened by increasingly sophisticated attacks. Public Cloud services hosting business
applications are targeted because they store the company’s data.
Cisco’s Secure Cloud architecture defend the business against corresponding threats using an architectural approach
that overcomes the limitations of a point product offering.
SAFE is Cisco’s security reference architecture that simplifies the security challenges of today and prepares for the
threats of tomorrow.

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Appendix A – Proposed Designs June 2019

23
Appendix A – Proposed Designs
This Appendix includes some proposed design examples for Amazon Web Services, Microsoft Azure, and Google Cloud
Platform.

Amazon Web Services

IaaS Design with 3-Tier Web Application

IaaS with Virtual Firewall Design with 3-Tier Web Application

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Appendix A – Proposed Designs June 2019

24
Microsoft Azure

IaaS Design with 3-Tier Web Application

IaaS with Virtual Firewall Design with 3-Tier Web Application

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Appendix A – Proposed Designs June 2019

25
Google Cloud Platform

IaaS Design with 3-Tier Web Application

IaaS with Virtual Firewall Design with 3-Tier Web Application

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Appendix B - Suggested Components June 2019

26
Appendix B - Suggested Components
Table 4 SAFE Design Components for Secure Cloud
Secure Cloud Attack Surface Security Capability Suggested Cisco
Components
Human Users Duo
Identity Meraki Mobile Device
Management
Devices Endpoints AnyConnect
Advanced Malware
Client-Based Security Protection (AMP) for
Endpoints
Cisco Umbrella
AnyConnect Agent
Duo

Posture Assessment Identity Services

Engine (ISE)
Meraki Mobile Device
Management
Network Cloud Network Firepower Threat
Infrastructure Defense Virtual
Firewall Adaptive Security
Appliance Virtual
Cloud Services Router
Firepower Threat
Defense Virtual
Intrusion Prevention
Firepower NGIPS
Virtual
VLANs/VXLANs
Tagging TrustSec
ACI Anywhere

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Appendix B - Suggested Components June 2019

27
Secure Cloud Attack Surface Security Capability Suggested Cisco
Components
Network Analysis
(continued) Cisco AMP for
Anti-Malware
Networks

Talos Threat
Intelligence
Threat Intelligence Cognitive Threat
Analytics
Cisco Threat Response

Flow Analytics Stealthwatch Cloud

WAN Meraki Virtual MX

vEdge Router
Virtual Private
Cloud Services Router
Network (VPN) or
Software Defined Firepower Threat
WAN (SD-WAN) Defense Virtual
Adaptive Security
Appliance Virtual
Firepower Threat
VPN Gateway or Defense Virtual
Concentrator Adaptive Security
Appliance Virtual

Cisco Partners:
DDoS Protection
Radware

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Appendix B - Suggested Components June 2019

28
Secure Cloud Attack Surface Security Capability Suggested Cisco
Components
Applications Application Meraki Virtual MX
Firepower Threat
Application Visibility
Defense Virtual
Control
Adaptive Security
Appliance Virtual
Application Cisco Partners:

Web Application Radware

Firewall AVI Networks
CSP WAF
Application
File Analysis Cisco Threat Grid

Application Cisco Partners:

Radware
TLS Encryption Offload
AVI Networks
CSP Load Balancer
Storage Cisco Partners:
Disk Encryption
Cloud Storage Provider

Server
Server-Based Security

Cisco AMP for

Anti-Malware
Endpoints

Cloud Security Umbrella

Flow Analytics Tetration

Application
Tetration
Dependency Mapping

Vulnerability
Assessment and Tetration
Software Inventory

 Return to Contents
SAFE Architecture Guide Places in the Network: Secure Cloud | Appendix B - Suggested Components June 2019

29
Secure Cloud Attack Surface Security Capability Suggested Cisco
Components
Applications Server (continued) Process Anomaly
(continued) Tetration
Detection & Forensics

Tagging Tetration

Policy Generation,
Audit, and Change Tetration
Management

Host-based Firewall. Tetration

Cisco Partners:
Disk Encryption
Cloud Storage Provider

Management Management, Cisco Threat Response

Control, and Analysis/Correlation
Stealthwatch Cloud
Monitoring
Cisco Threat Response
Anomaly Detection
Stealthwatch Cloud
Duo
Identity/Authorization Meraki Mobile Device
Manager

Logging/Reporting Stealthwatch Cloud

Stealthwatch Cloud
Monitoring
AppDynamics

Cisco Defense
Policy/Configuration Orchestrator
Tetration

Meraki Dashboard
Vulnerability
Management Stealthwatch Cloud
Tetration

 Return to Contents
 SAFE Architecture Guide Places in the Network: Secure Cloud | Appendix B - Suggested Components June 2019

30

Americas Headquarters Asia Pacific Headquarters Europe Headquarters

Cisco Systems, Inc. Cisco Systems (USA) Pte. Ltd. Cisco Systems International BV Amsterdam,
San Jose, CA Singapore The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in
the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners.
The Return
use to Contents
of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)