Cisco Zero Trust: A Holistic Approach
Zero Trust architecture is the "nirvana" of enterprise segmentation. Everybody wants it. Very few achieve it. We all confuse and misuse the term. And most are building toward it instinctively without even knowing it.
In the world of cybersecurity, Zero Trust architecture is a relatively simple idea at face value:
- Nothing on the network trusts anything else by default.
- The network is assumed to be hostile, as if you were sitting directly on the internet.
- Assets aren't allowed to talk to other assets unless they're required to do so.
- Unnecessary traffic is forbidden.
The current state of cybersecurity and advanced threats is begging for this approach, and modern technology teases architects with the potential of achieving it. If security teams could just snap their fingers and make Zero Trust architecture happen in large networks, they would.
So, what's the hold up?
One issue is that the definition of Zero Trust has naturally expanded within the industry well beyond the basic concept of a traffic whitelist. Zero Trust is now often assumed to include some or all of the following:
- Authentication and authorization of devices, users and network flows.
- Extensive asset identity -- way beyond usernames.
- Dynamic policy and trust assignments.
- Encryption across all communications.
While traffic encryption is a well-known concept, the other three ideas are a bit more elusive. Authenticating and authorizing every network flow, for example, is a bit of a mind blower from a scale perspective. It's a major contrast to the traditional approach of all-or-nothing port and IP address filtering between two endpoints. Similarly, constant dynamic evaluation of an asset's trust level based on countless attributes is a big ask.
Ultimately, the requirements to achieve Zero Trust are pushing technology to newfound limits.
That said, the intent of this article isn't to fully detail the definition of Zero Trust. For more foundational information on the topic, I suggest you review some or all of the following resources:
- Zero Trust Networks by O'Reilly Media (even the introductory chapter alone)
- Google's BeyondCorp approach
- Forrester and/or Gartner research on Zero Trust
- Demystifying Zero Trust – Cisco Live Session by Aaron Woland (BRKSEC-3016)
- NIST Draft of 800-207 – Zero Trust Architecture
Whether Zero Trust architecture is an achievable goal is a question not easily answered... because it depends.
The first thing to think about is scope. Just as scope is everything for traditional segmentation, it's also everything for Zero Trust segmentation. For example, if your scope is only two assets (let's say one user accessing an application on one server) then yes, you can achieve a Zero Trust state fairly easily. However, if your scope is enterprise-wide and includes all users, all servers and everything else, then expect to be on a journey that will likely take years.
The end goal of achieving Zero Trust, however, is worth it and I think inevitable. We're all participating in an evolution toward this type of segmentation and shaping it along the way.
So rather than setting the goal of achieving immediate Zero Trust on a global scale, we advise organizations that it's more prudent to patiently maximize their progress and consider solutions that can incrementally help them progress toward this powerfully secure architecture in the long run.
Now let's take a look at one OEM's starter options for achieving Zero Trust.
When an enterprise attempts global segmentation, there are essentially three broad asset categories to consider:
- Users (laptops, phones, tablets, etc.)
- Apps (servers, containers, instances, etc.)
- Other (printers, IoT, ICS, unmanaged devices, etc.)
Typically, your segmentation objective is to determine how to dynamically control and inspect traffic between assets within each of these domains.
Think of it as a basic nine-cell matrix in which every cell represents one access combination: the left-hand entities are Consumers and the top-line entities are Providers.
Consumers are attempting to access each of the Providers in various ways. Your enterprise will need a Zero Trust approach for each combination, including combinations where communication is intra-domain. While this over-simplifies the concept, at the highest level it's true. From here, things can quickly get more complicated as you go more granular. But you'll ultimately need these nine boxes checked to achieve end-to-end Zero Trust.
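As an added illustration of the nine-cell, default-deny model described above (this is example code, not from the article or from Cisco), here is a small Python model: a constructed inventory tagged with the three domains, an explicit allow list of required flows, a default-deny flow check, and a report of which of the nine consumer/provider cells still have no whitelisted flow. All asset names and ports are constructed placeholders.

```python
from itertools import product

# The three asset domains from the article; consumers on the left,
# providers along the top, giving a 3x3 grid of access combinations.
DOMAINS = ("users", "apps", "other")

# Constructed inventory (hypothetical asset names): asset -> domain.
INVENTORY = {
    "laptop-01": "users",
    "hr-app": "apps",
    "hr-db": "apps",
    "printer-3f": "other",
    "plc-line1": "other",
}

# Constructed allow list of required flows: (consumer, provider, port).
# Anything not listed here is forbidden, which is the whitelist stance.
ALLOW = {
    ("laptop-01", "hr-app", 443),
    ("hr-app", "hr-db", 5432),
    ("laptop-01", "printer-3f", 9100),
}

def evaluate_flow(consumer, provider, port, allow=ALLOW, inventory=INVENTORY):
    """Default-deny: a flow is allowed only if it is explicitly required.
    Assets that are not in the inventory get no trust at all."""
    if consumer not in inventory or provider not in inventory:
        return "deny"
    return "allow" if (consumer, provider, port) in allow else "deny"

def matrix_coverage(allow=ALLOW, inventory=INVENTORY):
    """Map each of the nine (consumer domain, provider domain) cells to the
    ports that have been whitelisted between those domains."""
    cells = {pair: [] for pair in product(DOMAINS, DOMAINS)}
    for consumer, provider, port in allow:
        cells[(inventory[consumer], inventory[provider])].append(port)
    return cells

def uncovered_cells(allow=ALLOW, inventory=INVENTORY):
    """Cells with no whitelisted flow. Under default deny these are blocked
    outright; that is either the intended policy or a requirements gap, and
    an architect should confirm which before calling the box 'checked'."""
    coverage = matrix_coverage(allow, inventory)
    return sorted(cell for cell, ports in coverage.items() if not ports)
```

Intra-domain cells (for example apps talking to apps) are in the grid too, matching the article's point that Zero Trust must cover those combinations as well.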
What I really like about Cisco's approach to Zero Trust architecture is how it addresses all of these domains and all of these combinations. In other words, Cisco's approach is not just limited to users or app environments. It provides a holistic option.
While the terminology Cisco uses for each domain differs from mine above (i.e., users, apps, other), the concepts they employ in their Zero Trust solutions align nicely:
- Workforce = Users
- Workload = Apps
- Workplace = Other
One reason Cisco's asset groupings are broken into these categories is that each requires a different type of Zero Trust solution. Let's briefly explore Cisco's core foundational solutions for each of the three domains.
Foundational Solution: Cisco DUO
Acquiring DUO, which represents a modern identity-based approach to application access control, was a great move by Cisco. While endpoint security controls for defending user devices are ever-evolving due to the mobile nature of the workforce (see Endpoint Security), DUO's focus is controlling what users can access. It's a simple, well-documented solution that gives customers a vehicle for single sign-on (SSO), multi-factor authentication (MFA) and a variety of other identity features.
With DUO, TLS-native apps are essentially covered out of the box. Legacy apps can also be protected through a DUO proxy architecture. Plus, DUO provides the option of relying on existing asset manager investments to assess trust.
While DUO isn't the only solution you'll need to secure your workforce by any stretch, it should definitely be considered as a core staple for fundamental access control.
Foundational Solution: Cisco Tetration
When it comes to workloads, it's easier to scale Zero Trust if you let servers do the work as opposed to full reliance on the network. Cisco Tetration represents the quickly growing world of host-based segmentation. Read our recent article on 10 Reasons to Lean on the Endpoints Themselves for more background on this solution space, including why and when to use it.
Once an analytics-focused product, Tetration now has a sharp focus on cybersecurity. Tetration packs a punch in the segmentation space by combining visibility and enforcement.
Cisco's long-term strategy for Tetration gives you more bang for your agent buck by adding additional security features such as Vulnerability Analysis and Integrity Management. Tetration also touts perhaps Cisco's greatest advantage -- integration with the other domain solutions. For example, Tetration has awareness of SD-Access environments through a Cisco AnyConnect integration or direct integration with Identity Services Engine (ISE).
Overall, Tetration is evolving into a great option for starting your Zero Trust journey in the workload space. It's flexible, scalable and multi-platform. The Tetration-SaaS option is recommended where possible.
Foundational Solution: Cisco SD-Access
For a Zero Trust solution for the workplace, go with SD-Access (or at least the fundamental NAC components of SD-Access). The key notion here is to start building a software-defined network (SDN) "fabric."
Why an SDN fabric? Because although the goal of Zero Trust is to push as much security into the assets themselves as possible, the reality is this isn't always possible in LANs and WANs. Why? Because many instances exist where Internet of Things (IoT), Industrial Control and unmanaged devices don't support local agents. All of these have the potential need for network policy support. Until this need changes, which is unlikely to happen soon, a network fabric is the answer.
While it can't be denied there are complexities to building a LAN/WAN SDN fabric in all domains -- particularly one on a path toward Zero Trust -- it's largely predicted that host-based solutions and SDN will need to work in sync for the foreseeable future simply based on a lack of universal asset management and policy. And Cisco is still king in the LAN/WAN space, with SD-Access and SD-WAN representing their go-to fabric solutions.
Now you may be thinking these can't be the only three solutions required to achieve a Zero Trust architecture, and you'd be correct. Security architectures, especially those with Zero Trust at their core, will include many supplemental controls, some of which feature Cisco solutions and some of which don't (e.g., SD-WAN, next-generation firewall, analytics, endpoint security, public cloud native controls, ICS databases, and on down the line).
It's also true that the three Cisco solutions mentioned above -- Duo, Tetration and SD-Access -- might not individually be the best for every use case. But if your long-term priority is holistic Zero Trust coverage, meaning end-to-end Zero Trust architecture with maximum policy consolidation and integration, then Cisco certainly seems to stand out from both solution and strategic perspectives.