Complexity, opacity and the gatekeeping of knowledge are tactics often used to appear sophisticated or intelligent. They can also be used to intimidate.
In security and technology, complexity can lead to critical gaps in visibility and an extended attack surface – with too many vendors and solutions to interconnect and manage. Additionally, many enterprises are operating with limited budgets, too many projects with conflicting priorities, projects creating disparity between different technology teams; all supported by a limited security team (or an IT or networking team doing double duty). As a result, complexity creep has risen to counteract our best security efforts.
At Cisco, we’re seeking to eliminate that complexity and close knowledge gaps with simplicity in how we execute and deliver security, as well as transparency in how we talk about it. The security industry is often guilty of using buzzwords and jargon that can add to the growing complexity and shifting priorities as enterprises attempt to follow best security practices defined by the industry.
Zero Trust: The Concept, Defined
To that end, let’s start with defining and simplifying the most popular buzzword, ‘zero trust’ – it’s about never implicitly trusting, but always verifying someone or something that is requesting access to work resources.
It’s not about getting rid of the perimeter – but rather tightening security on the inside.The new perimeter is less about the edge of the network, and now more about any place you make an access control decision.
–Wendy Nather, Head of Advisory CISOs, Summarized from Zero Trust: Going Beyond the Perimeter
- Users, devices and applications were located behind a firewall, on the corporate network
- All endpoints accessing resources were managed by the enterprise
- Systems managed by enterprises could all inherently trust one another, and trust was often based on network location
The new zero trust is about:
- Gaining visibility to intelligently inform policy, and enabling BYOD (bring your own device) or IoT (Internet of Things) devices for business agility
- Continual reestablishment of user, device and application trust
- Continuous monitoring and threat containment
Protecting the Workforce, Workloads & Workplace
With all of that in mind, what exactly are you trying to protect?
Enterprises are complex by nature. They have vast IT ecosystems, with many different vendors, software and infrastructure spread across the multi-cloud and on-premises. They have many different types of users – employees, contractors, customers, etc. – everywhere across the world – often using their own personal devices to work. They have applications that talk to each other via APIs, microservices and containers. And they still have enterprise networks that devices regularly access, including IoT.
That’s why we’ve simplified things – by classifying each area of your enterprise IT as equally important to protect using a zero-trust security approach.
- Zero Trust for the Workforce – Ensure only the right users (employees, contractors, partners, etc.) and their secure devices (BYOD) can access applications (regardless of location).
- Zero Trust for Workloads – Secure all connections within your applications (when an API, micro-service or container is accessing an application’s database), across the multi-cloud (cloud, data centers and other virtualized environments).
- Zero Trust for the Workplace – Secure all user and device connections across your enterprise network, including IoT (types of devices may include: servers, printers, cameras, HVAC systems, infusion pumps, industrial control systems, etc.).
For complete zero-trust security, you need to address each area of your IT ecosystem – securing access across all environments, in a consistent and automated way.
Enter the Cisco Approach to Zero Trust
Cisco’s approach does not implicitly trust a request – but rather establishes trust for every access request, regardless of where the request is coming from. It secures access across your applications and network, while extending trust to support modern enterprises with BYOD, cloud apps and hybrid environments.
Cisco implements zero trust with a three-step methodology across the workforce, workloads and workplace by:
- Establishing trust of a user, device, application, etc. – before granting access or allowing connections or communications.
- Enforcing trust-based access policies with granular controls based on changing context – such as the security posture of devices and the behavior of applications
- Continuously verifying trust by monitoring for risky devices, policy noncompliance, behavior deviations and software vulnerabilities
For the workforce, Duo Security protects against phishing, compromised credentials or other identity-based attacks with multi-factor authentication (MFA) to verify user identities and establish device trust before granting access to applications.
For workloads, Tetration secures hybrid, multi-cloud workloads and contains lateral movement with application segmentation. Identify vulnerabilities in software versions and block communication to reduce your overall attack surface.
For the workplace, Software-Defined Access (SD-Access) provides insight into users and devices, identify threats and provides control over all connections across the enterprise network, including IoT devices.
While this is a good starting place, other solutions in the Cisco Security portfolio can extend the zero-trust security model further. Cisco’s framework is built to integrate seamlessly with your existing infrastructure and investments using an open API model, standards-based platform and strong technology partnerships to ensure that everything across your environment is protected – securing your enterprise as you scale.
Those strong partnerships include major players in the industry, including Microsoft, Amazon Web Services (AWS), Google and many more.Extending trust to integrate with third parties for better visibility and consistent policy enforcement is key to making a zero-trust approach practical and effective for modern enterprises.
Benefits of a Zero-Trust Security Approach
Overall – this framework provides the benefits of a comprehensive zero-trust approach:
- Increased visibility – Get insight into the contextual data behind access requests, including users, user endpoints and IoT devices connecting and talking to your applications and network
- Reduced attack surface – Mitigate risks related to identity attacks (stolen or compromised passwords, phishing) and lateral attacker movement within your network (in the event of a breach – contain the impact of the initial breach)
- Broad coverage – Zero-trust security for not just the workforce, but across workloads and the workplace for complete coverage and a consistent approach to securing access and enforcing policies, regardless of where data or applications are located
Did you hear? Cisco was named a leader in The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 – read the report.