Let’s focus on the Zero Trust approach first. If your infrastructure were on the Internet, how would you design your organization’s cybersecurity framework?
- Authentication to confirm who logs into your infrastructure, and multi-factor authentication for your admins?
- Would you encrypt everything?
- A VPN at a minimum, but proxy-based access would be better?
- True segmentation, micro-segmentation, even nano-segmentation (not just VLANs, ACLs, or an NGFW) to break up your flat network?
- Wouldn’t you want to map your application and data flows?
- Secure your workloads?
- Make sure your visibility, automation, analytics, and intelligence all work together?
- Would you want all your cybersecurity solutions to talk through a common set of APIs?
With those questions to get you thinking about where to start, let’s now talk about the 9 domains that make up the Forrester Zero Trust model:
- Zero Trust Platform
- Security Automation and Orchestration
- Security Visibility and Analytics
- People Interactions
- People Identity
- Workload Security
- Data Security
- Network Segmentation
- Device Security
A good book to read on Zero Trust, one that uses Google’s BeyondCorp work as a case study, is:
Zero Trust Networks by Evan Gilman and Doug Barth, O’Reilly Media, 2017
It discusses guiding principles and benefits. Using that type of model, here’s a brief overview of how a number of Cisco products map to those principles. Food for thought as you think about Zero Trust in your environment.
Five Guiding Principles of Measuring Zero Trust with Cisco Solutions:
1. Identify and Catalog your Sensitive Data
- Umbrella – DNS-layer visibility into outbound and inbound flows (the easy button), including post-breach activity
- CloudLock – API integration into SaaS applications for granular controls
- Identity Services Engine (ISE) – inventory of what connects to the network, posture and profiling
- Telemetry from existing equipment (Stealthwatch, NetFlow, the Active Threat Analytics premier service, switches, routers, firewalls)
2. Map the data flows of your sensitive data
- AppDynamics
3. Architect your Zero Trust network
- Define your network segments (SD Access/WAN/Network, ISE, ACI, TrustSec)
- Ensure all resources are accessed securely (ISE, NAC)
- Strengthen your enforcement controls (ISE, TrustSec, ACI, pxGrid)
4. Create your automated rule base
- Limit and strictly enforce access control (Policy-based, ISE, TrustSec, ACI)
- Leverage firewall auditing and change controls tools (NGFW, analytics)
5. Continuously monitor your trusted ecosystem
- Use a security analytics solution to detect and respond to events (Active Threat Analytics)
- Extent of visibility and depth of content (SDA, StealthWatch, ISE, ACI)
- Application Security (App Pen testing)
- DNS Flows (Umbrella)
- Analytics used to watch structured and unstructured data (Cisco DNA)
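To make the last four principles concrete, here is a small added example (not from the original post and not Cisco code) that ties them together: it maps flows between network segments (principle 2), evaluates them against a segment-based rule base that denies everything not explicitly allowed (principles 3 and 4), and reports the violations a continuous monitor would alert on (principle 5). The segment inventory, allow-list and NetFlow-style records are all constructed for the example; in practice the segments would come from ISE/TrustSec tags and the flows from Stealthwatch or NetFlow exports.

```python
"""Flow map plus default-deny policy check (added example, not Cisco code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed segment inventory (hypothetical addressing).
SEGMENTS = {
    "user-wifi": ip_network("10.10.0.0/16"),
    "app-tier": ip_network("10.20.0.0/24"),
    "db-tier": ip_network("10.30.0.0/24"),
    "mgmt": ip_network("10.99.0.0/24"),
}

# Default-deny rule base: only these (src_seg, dst_seg, proto, dport)
# tuples are permitted; anything else observed is a violation.
ALLOW = {
    ("user-wifi", "app-tier", "tcp", 443),
    ("app-tier", "db-tier", "tcp", 5432),
    ("mgmt", "app-tier", "tcp", 22),
    ("mgmt", "db-tier", "tcp", 22),
}

# Constructed NetFlow-like records: (src_ip, dst_ip, proto, dport, bytes).
FLOWS = [
    ("10.10.4.17", "10.20.0.5", "tcp", 443, 20480),
    ("10.20.0.5", "10.30.0.9", "tcp", 5432, 1048576),
    ("10.10.4.17", "10.30.0.9", "tcp", 5432, 512),      # user straight to DB
    ("10.99.0.2", "10.30.0.9", "tcp", 22, 4096),
    ("10.30.0.9", "203.0.113.8", "tcp", 443, 99999),    # DB tier to the Internet
    ("10.20.0.5", "10.20.0.6", "tcp", 8080, 100),       # lateral move inside a segment
]


def segment_of(ip):
    """Return the segment name an address belongs to, or 'external'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def flow_map(flows):
    """Aggregate bytes per (src_seg, dst_seg, proto, dport): the data-flow map."""
    agg = defaultdict(int)
    for src, dst, proto, dport, nbytes in flows:
        agg[(segment_of(src), segment_of(dst), proto, dport)] += nbytes
    return dict(agg)


def violations(flows, allow=ALLOW):
    """Every aggregated flow not explicitly allowed is a violation (default deny).

    Intra-segment traffic is not exempt: a flat segment still needs a rule,
    which is the point of micro-segmentation.
    """
    return sorted(key for key in flow_map(flows) if key not in allow)


if __name__ == "__main__":
    for key, nbytes in sorted(flow_map(FLOWS).items()):
        print(f"{key[0]:>10} -> {key[1]:<10} {key[2]}/{key[3]:<5} {nbytes} bytes")
    for key in violations(FLOWS):
        print("VIOLATION (not in allow-list):", key)
```

Run against the constructed records, three flows are flagged: the user-to-database connection that bypasses the application tier, the database host talking to an Internet address, and the app-to-app connection on port 8080 that no rule covers. The third one is what distinguishes a Zero Trust rule base from a traditional perimeter ACL: being inside the same segment buys no trust.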
For anyone in the cybersecurity business, we recommend reading the O’Reilly book and talking with Cisco about our comprehensive approach to Zero Trust and the other security frameworks out there. We have the product capabilities and expertise to help you determine a systems approach to Zero Trust, based on your organization’s needs.
This blog post was co-authored by Cisco employee Jeff Fawcett, Consulting Principal Director.
We have additional blogs on Zero Trust planned for July, August, September, and October.