Cisco Zero Trust Architecture

As a follow-up to the previous post around Zero Trust Architecture, Cisco has been delivering zero trust architectures for customers for many years. With the platform approach provided by Cisco Zero Trust organizations gain better visibility across users, devices, containers, networks, and applications, verifying their security states with every access request. Adopting this model provides a balance between security and usability. Security teams can make it harder for attackers to collect what they need (user credentials, network access, and the ability to move laterally), and users can get a consistent and more productive security experience, regardless of where they’re located, what endpoints they’re using, or whether their applications are on-premises or in the cloud.

Cisco Zero Trust Overview​

Cisco Zero Trust provides a comprehensive approach to securing all access across applications and environments, from any user, device, and location. It protects the workforce, workloads, and workplace.  The 3xWs, as I like to refer to them as define individual areas to focus on to accelerate an organization's journey and adoption of zero trust. And while many integrated solutions and technology enable this functionality, Cisco has focused on 3 primary tools to deliver a seamless end-to-end zero trust architecture with Duo, Software-Defined Access (SDA or SD-Access for short), and Tetration:

_{Figure 1: Cisco's Zero Trust for Workforce, Workloads and Workplace}

Zero Trust for the Workforce​

People, such as employees, contractors, partners, and vendors accessing work applications, using their personal or corporate-managed devices. This pillar ensures only the right users and secure devices can access applications, regardless of location.  

Zero Trust for Workloads​

Applications and their workloads running in the cloud, in on-premise data centers, and other virtualized environments that interact with one another. This pillar focuses on secure access when an API, a microservice, or a container is accessing a database or other component within an application.

Zero Trust for the Workplace​

This pillar focuses on secure access for any and all devices (including IoT) that connect to enterprise networks. These include user endpoints, physical and virtual servers, printers, cameras, HVAC systems, kiosks, infusion pumps, industrial control systems, and more. 

Cisco's Zero Trust Methodology​

To enable an end-to-end architecture, a consistent methodology can be utilized for all Ws:

_{Figure 2: Cisco's Zero Trust Methodology: Establish Trust, Enforce Trust, Continuously Verify Trust}

• Establish Trust
  • User & device identity
  • Device posture & vulnerabilities
  • Any workloads
  • App/service trust
  • Any indicators of compromise
• Enforce Trust-Based Access
  • Applications
  • Network resources
  • Workload communications
  • All workload users/admins
• Continuously Verify Trust
  • Original tenets used to establish trust are still true
  • Traffic is not threat traffic
  • Any risky, anomalous, and malicious behavior
  • If compromised, then the trust level is changed

All in all Cisco Zero Trust delivers some important capabilities and outcomes: 

• Visibility across all environments - Get insight into all users and devices accessing your applications; all connections and applications across a multi-cloud environment; and all connections on your network, including Internet of Things (IoT) devices. Discover early and often what's added to your network, and who has added it as part of the Cisco Zero Trust solution.
• Provide secure, contextual access - Whether for your users, their devices, applications, or any type of connected device on or off your network, Cisco Zero Trust grants secure, policy-based access based on attributes and risk levels associated with the user, device, application and network
• Contain breaches, at scale - Cisco Zero Trust provides application segmentation for on-premises and multi-cloud environments, which can help minimize lateral movement by an attacker that has already gained access to an organization’s application(s)
• Broad security coverage - Implement a broad zero-trust security approach across your workforce (users and devices connecting to applications), workloads (all connections between your applications, across the multi-cloud), and workplace (all connections across your network, including IoT).
• Detect vulnerabilities - Flag risky devices, identify software vulnerabilities, and detect security incidents using behavioral analysis to reduce your attack surface. Tap into Cisco’s threat intel database paired with Cisco’s partner integration ecosystem for contextual data about connections to your network.
• Enforce policies and controls - Enforce user, device, or application-specific access policies to meet your organization's security requirements for access. Automate policy consistently across your multi-cloud environment for application segmentation. Distribute policy enforcement across your entire network from one centralized location.
• Respond to threats quickly - Identify and contain threats related to software vulnerabilities or anomalous server behavior by blocking communication. Restrict access to your applications by users and their devices if they fail to meet minimum security requirements, or notify users to update their own devices. Revoke