Government agencies are well along on their journey of Digital Transformation to fundamentally change the way they manage and deliver services throughout our country and to citizens. They are doing this by thinking differently about how they use their networks and taking advantage of new technologies that enable them to harness the power of mobility and cloud.
Protecting the network perimeter
With mobile and cloud technologies expanding (and complicating) today’s networks, securing the perimeter is no longer a viable option. Applications, users and devices are moving outside the trusted network perimeter that is traditionally protected by a security stack. That protected perimeter is now dissolving – and it can no longer be the trusted network boundary.
As a result, protection against threats is now needed everywhere applications, workloads, users and devices may exist. So agencies are now investigating Zero Trust security solutions to address these expanding threats.
What is Zero Trust architecture?
In a nutshell, Zero Trust security is an architectural model for network security, first introduced by analyst John Kindervag at Forrester Research. Its guiding concept is that the network is always assumed to be hostile and that both external and internal threats exist at all times.
Zero Trust mandates a “never trust, always verify, enforce least privilege” approach, granting least privilege access based on a dynamic evaluation of the trustworthiness of users and their devices, and any transaction risk, before they are allowed to connect to network resources. This is the Trust-Centric model and the foundation of Zero Trust security.
Threat-centric security approach within Zero Trust
But moving from a trusted perimeter model to a Zero Trust model means that static security policies that are already in place are now obsolete. So cybersecurity teams now need to evaluate, adapt and deploy new security policies that address threats in an ever-changing, dynamic environment.
This means their policies now need to be dynamic and calculated from as many sources of data as possible. All network activity must be visible, understood, continuously inspected and logged. Any indication of compromise, or any change in the behavior of their apps, users and devices, must be investigated, validated and responded to immediately. This constitutes a Threat-Centric model within Zero Trust.
Both the Trust-Centric and Threat-Centric models should be equally considered when architecting a Zero Trust network. And both should span across all aspects of the network, protecting the workforce, the workloads and the workspace.
Diagram of a Zero Trust network
The following diagrams illustrate the current “AS IS” trusted perimeter and the new Zero Trust “TO BE” perimeter-less concept (where the trust boundary now extends from the network edge and the cloud edge):
How to apply Zero Trust models
Cisco’s practical approach to Zero Trust outlines six important steps for moving towards a Zero Trust cybersecurity framework:
- Establish trust levels for users and user devices (identity and hygiene)
- Establish trust levels for IoT and/or workloads (profile and baseline)
- Establish SD-perimeters to control application access (authorized access)
- Establish SD-perimeters to control network access (segmentation and micro-segmentation)
- Automate adaptive policy using normalization (network-data center-cloud)
- Automate adaptive policy using threat response (adapt trust level)
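As an added worked example (not code from this post or from any Cisco product), the following Python sketches a per-request policy decision point that combines the Trust-Centric evaluation described earlier (identity strength, device hygiene and transaction risk feeding a dynamic trust level, with least-privilege grants per resource) and the Threat-Centric feedback loop (indicators of compromise lower a subject's trust level, and every decision is logged), loosely following the six steps above. The resource catalogue, score weights, thresholds, user names and indicator strings are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    mfa: bool                      # identity strength signal
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Device:
    managed: bool                  # device hygiene signals
    disk_encrypted: bool
    patch_lag_days: int


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str
    action: str
    from_corp_network: bool        # location is only a risk signal, never a grant


# Constructed catalogue (assumption): each resource states the minimum trust
# level it requires, the group allowed to touch it, and the only actions it
# ever permits, so a grant is never wider than the resource itself allows.
RESOURCES = {
    "hr-payroll":    {"min_trust": 3, "group": "hr", "actions": {"read", "write"}},
    "intranet-wiki": {"min_trust": 1, "group": None, "actions": {"read"}},
}


class PolicyEngine:
    """Toy policy decision point; weights and thresholds are assumptions."""

    def __init__(self):
        self.indicators = {}   # subject name -> indicators of compromise reported
        self.log = []          # every decision, allowed or denied, is recorded

    # --- Trust-centric signals (steps 1-2: trust levels for users and devices) ---
    @staticmethod
    def identity_strength(user):
        return 2 if user.mfa else 1

    @staticmethod
    def device_hygiene(device):
        return (int(device.managed) + int(device.disk_encrypted)
                + int(device.patch_lag_days <= 30))

    @staticmethod
    def transaction_risk(req):
        return int(req.action == "write") + int(not req.from_corp_network)

    def trust_level(self, req):
        """Dynamic trust: positive signals minus transaction risk minus open indicators."""
        signals = self.identity_strength(req.user) + self.device_hygiene(req.device)
        penalty = self.transaction_risk(req) + len(self.indicators.get(req.user.name, []))
        return max(0, signals - penalty)

    # --- Threat-centric feedback (step 6: threat response adapts the trust level) ---
    def report_indicator(self, subject, description):
        self.indicators.setdefault(subject, []).append(description)

    # --- Enforcement (steps 3-4: per-application, least-privilege access) ---
    def decide(self, req):
        res = RESOURCES.get(req.resource)
        if res is None:
            return self._record(req, False, "unknown resource")
        if req.action not in res["actions"]:
            return self._record(req, False, "action never permitted on resource")
        if res["group"] and res["group"] not in req.user.groups:
            return self._record(req, False, "user not in required group")
        level = self.trust_level(req)
        if level < res["min_trust"]:
            return self._record(req, False, f"trust {level} below required {res['min_trust']}")
        return self._record(req, True, f"trust {level} meets required {res['min_trust']}")

    def _record(self, req, allowed, reason):
        self.log.append({"user": req.user.name, "resource": req.resource,
                         "action": req.action, "allowed": allowed, "reason": reason})
        return allowed, reason


if __name__ == "__main__":
    engine = PolicyEngine()
    alice = User("alice", mfa=True, groups=frozenset({"hr"}))
    laptop = Device(managed=True, disk_encrypted=True, patch_lag_days=10)
    phone = Device(managed=False, disk_encrypted=True, patch_lag_days=90)
    print(engine.decide(Request(alice, laptop, "hr-payroll", "write", False)))  # allowed
    print(engine.decide(Request(alice, phone, "hr-payroll", "write", False)))   # denied: hygiene
    engine.report_indicator("alice", "impossible-travel login")                 # constructed IoC
    print(engine.decide(Request(alice, laptop, "hr-payroll", "write", False)))  # denied: indicator
    for entry in engine.log:
        print(entry)
```

The point the example makes is that the same user on the same device can be allowed one minute and denied the next: the decision is recomputed per request from current signals rather than cached from a one-time perimeter login, and a reported indicator changes the outcome without any policy rule being rewritten.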
At Cisco, we will continue to expand our automations between products moving forward for even more consistent policy enforcement, even more integrated threat responses and thus even more trusted access. In Part 2, we’ll take a deeper dive into each of the six steps you’ll need to implement a practical Zero Trust approach to security. Plus, we’ll show you how to get started.