Let’s focus on the Zero Trust approach first. If your infrastructure were on the Internet, how would you design your organization’s cybersecurity framework?
- Would you require authentication to confirm who logs into your infrastructure, and multi-factor authentication for your admins?
- Would you encrypt everything?
- A VPN at a minimum, with proxied access as the preferred option?
- Would you use true segmentation (micro-segmentation and nano-segmentation, not just VLANs, ACLs, or an NGFW) to break up your flat network?
- Wouldn’t you want to map your application and data flows?
- Would you secure your workloads?
- Would you make sure your visibility, automation, analytics, and intelligence all work together?
- Would you want all your cybersecurity solutions to talk over a common set of APIs?
With those questions to get you thinking about where to start, let’s now talk about the nine domains that make up the Forrester Zero Trust Model:
- Zero Trust Platform
- Security Automation and Orchestration
- Security Visibility and Analytics
- People Interactions
- People Identity
- Workload Security
- Data Security
- Network Segmentation
- Device Security
A good book to read on Zero Trust, which includes Google’s BeyondCorp work as one of its case studies, is:
Zero Trust Networks by Evan Gilman and Doug Barth, O’Reilly Media, 2017
It discusses guiding principles and benefits. Using that type of model, here’s a brief overview of how a number of Cisco products map to those principles. Food for thought as you think about Zero Trust in your environment.
Five Guiding Principles of Measuring Zero Trust with Cisco Solutions:
1. Identify and Catalog your Sensitive Data
- Umbrella – watches outbound and inbound DNS flows (the easy button), including activity after a breach
- Cloudlock – API-based integration with SaaS applications for granular controls
- Identity Services Engine (ISE) – inventory of what connects to the network, device profiling and posture assessment
- Telemetry from the infrastructure itself (Stealthwatch, NetFlow, Active Threat Analytics as a premier service, switches, routers, firewalls)
2. Map the data flows of your sensitive data
- AppDynamics
- Tetration
- ISE
- Stealthwatch
- Encrypted Traffic Analytics (ETA)
3. Architect your Zero Trust network
- Define your network segments (SD-Access, SD-WAN, ISE, ACI, TrustSec)
- Ensure all resources are accessed securely (ISE, NAC)
- Strengthen your enforcement controls (ISE, TrustSec, ACI, pxGrid)
4. Create your automated rule base
- Limit and strictly enforce access control with policy based on identity and posture rather than IP address (ISE, TrustSec, ACI)
- Leverage firewall auditing and change-control tools (NGFW, analytics)
5. Continuously monitor your trusted ecosystem
- Use a security analytics solution to detect and respond to events (ATA)
- Extend the reach of your visibility and the depth of content inspection (SD-Access, Stealthwatch, ISE, ACI)
- Application security (application penetration testing)
- DNS flows (Umbrella)
- Analytics that watch both structured and unstructured data (Cisco DNA)
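The five principles above are one procedure: the flows you map in step 2 become the rule base you enforce in step 4, and step 5 watches for anything outside it. The following is an added illustration of that loop in plain Python; it is not ISE, TrustSec or Stealthwatch code, and the inventory, group names and NetFlow-style records are constructed sample data. The point it makes is the one TrustSec makes: the policy is keyed on security group and device posture, not on IP address, and anything not explicitly mapped is denied.

```python
"""Flow mapping -> group-based rule base -> monitoring, in plain Python.

Added, illustrative model of principles 2, 4 and 5; not Cisco product code.
Inventory, group names and the NetFlow-style records are constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination port
    proto: str  # "tcp" or "udp"


# Constructed endpoint inventory: IP -> (security group, posture).  In a real
# deployment profiling and posture assessment (e.g. ISE) would populate this.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "10.1.1.10": ("Employee",   "compliant"),
    "10.1.1.11": ("Employee",   "noncompliant"),  # e.g. failed posture check
    "10.2.1.20": ("Contractor", "compliant"),
    "10.3.1.30": ("WebTier",    "compliant"),
    "10.3.1.31": ("AppTier",    "compliant"),
    "10.4.1.40": ("DBTier",     "compliant"),
}
UNKNOWN = ("Quarantine", "unknown")  # anything not inventoried lands here

Service = Tuple[int, str]                       # (dport, proto)
Policy = Dict[Tuple[str, str], Set[Service]]    # (src group, dst group) -> services


def group_of(ip: str) -> str:
    return INVENTORY.get(ip, UNKNOWN)[0]


def posture_of(ip: str) -> str:
    return INVENTORY.get(ip, UNKNOWN)[1]


def map_flows(flows: List[Flow]) -> Policy:
    """Principle 2: collapse IP-level flows into group-to-group service flows.

    The map is only as trustworthy as the observation window: review it
    before enforcing it, because anything already flowing gets baked in.
    """
    mapping: Policy = {}
    for f in flows:
        key = (group_of(f.src), group_of(f.dst))
        mapping.setdefault(key, set()).add((f.dport, f.proto))
    return mapping


def evaluate(policy: Policy, flow: Flow) -> str:
    """Principle 4: default-deny rule base keyed on group and posture, not IP."""
    if flow.src not in INVENTORY or flow.dst not in INVENTORY:
        return "deny: unknown endpoint"
    if posture_of(flow.src) != "compliant":
        return "deny: source posture " + posture_of(flow.src)
    allowed = policy.get((group_of(flow.src), group_of(flow.dst)), set())
    if (flow.dport, flow.proto) not in allowed:
        return "deny: no policy for %s->%s %s/%d" % (
            group_of(flow.src), group_of(flow.dst), flow.proto, flow.dport)
    return "permit"


def monitor(policy: Policy, flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Principle 5: report every observed flow the rule base would not permit."""
    violations = []
    for f in flows:
        decision = evaluate(policy, f)
        if decision != "permit":
            violations.append((f, decision))
    return violations


# Constructed records from the mapping phase (what the app/data flow map saw).
OBSERVED_FLOWS = [
    Flow("10.1.1.10", "10.3.1.30", 443, "tcp"),   # employee   -> web tier
    Flow("10.2.1.20", "10.3.1.30", 443, "tcp"),   # contractor -> web tier
    Flow("10.3.1.30", "10.3.1.31", 8443, "tcp"),  # web tier   -> app tier
    Flow("10.3.1.31", "10.4.1.40", 5432, "tcp"),  # app tier   -> database
]

# Constructed records seen later, during continuous monitoring.
NEW_FLOWS = [
    Flow("10.1.1.10", "10.3.1.30", 443, "tcp"),   # permit
    Flow("10.1.1.11", "10.3.1.30", 443, "tcp"),   # deny: non-compliant source
    Flow("10.1.1.10", "10.4.1.40", 5432, "tcp"),  # deny: employee straight to DB
    Flow("10.3.1.30", "10.3.1.31", 22, "tcp"),    # deny: SSH web->app never mapped
    Flow("10.9.9.9",  "10.3.1.30", 443, "tcp"),   # deny: endpoint not inventoried
]

if __name__ == "__main__":
    rule_base = map_flows(OBSERVED_FLOWS)
    for flow, decision in monitor(rule_base, NEW_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {decision}")
```

Two things in the toy carry over to a real rollout. First, the employee-to-database flow is denied even though both hosts are known and compliant, because that pair never appeared in the map; that is what "limit and strictly enforce" means in practice, and it is why the mapping phase needs to be long enough to catch monthly and quarterly jobs. Second, the rule base is derived from observed traffic, so an attacker already inside during the mapping window gets a permanent allow; review the map against the application owners' intent before switching from monitor to enforce.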
For anyone in the cybersecurity business, we recommend reading the O’Reilly book and talking with Cisco about our comprehensive approach to Zero Trust and the other security frameworks out there. We have the product capabilities and expertise to help you determine a systems approach to Zero Trust based on your organization’s needs.
This blog post was co-authored by Cisco employee Jeff Fawcett, Consulting Principal Director.
We have additional blogs on Zero Trust planned for July, August, September, and October.
Would love to hear Cisco's thoughts about how or why something like NAC/ISE makes sense in a zero trust model? Doesn't that perpetuate the old "trusted network" design that zero trust is responding to? Zero trust is about authenticating the device and user as close to the service/data being accessed as possible. The access/network edge layer is where NAC/ISE live, so what role does an edge/access layer technology like that play in zero trust?
In my opinion, ISE/NAC technology plays a key role in Zero Trust. With a dissolving network perimeter due to cloud services and IoT, the importance of security visibility and controls for endpoints and users becomes even more critical. With ISE you can identify and profile the devices on your network, assess their posture or in zero trust terms – their trust levels, and ensure corporate resources are accessed securely. Segmentation is important in Zero Trust – ISE allows you to deploy software based segmentation controls in your network, and provide a richer level of context through user identity to influence firewall policies that take into account more than a device IP address.
Thanks for the suggested reading and the associated link to the Doug Barth and Evan Gilman book, "Zero Trust Networks"!