MDS Complete Zero Trust Security Ecosystem


Today we will talk about the zero trust security concept that MDS proposes, which is booming today, and how it can be achieved given the many different ways of accessing our enterprise network: remotely over VPN from our personal devices, applications and services hosted in the cloud, bringing our own devices such as smartphones, or even trusting IoT devices.


There is one vendor in the market that is truly addressing this complex issue of how we can trust users, applications and devices and know who they are regardless of where they access our network from. Cisco offers a complete portfolio and a future vision of this concept by dividing zero trust into three areas:

1- Workforce
2- Workload
3- Workplace

The image below illustrates the concept.

Cisco Duo for Workforce:

Cisco Duo protects an organization by verifying the identity of users and the health of their devices before they connect to the applications they need. Duo handles zero trust for the workforce through three main pillars: verifying the trust of users at every access point, assessing the trust of devices and whether they are risky when accessing corporate resources, and finally making sure that people have the right access for their job function, according to least privilege.

Why user trust is important:

  1. 81% of breaches leverage stolen or weak passwords, while tokens and one-time passwords are not user friendly.
  2. Meet compliance requirements

Why Duo:

  • World’s easiest and most secure MFA
  • Instantly integrates with all apps
  • Users self-enroll in minutes
  • Users authenticate in seconds; no codes to enter
  • Broadest range of MFA options (push, SMS, phone call, soft token, biometrics, hardware tokens, wearables, etc.)
  • Temporary offline authentication for Windows

Cisco ISE and SDA for Workplace:

Cisco ISE is an authentication server, sometimes referred to as a triple-A (AAA) server since it provides distinct capabilities around authentication, authorization and accounting. The primary use case of ISE is to communicate with network access devices, such as switches, wireless LAN controllers and VPN concentrators, to authenticate users and devices onto the network. ISE does this using open standard protocols such as RADIUS and TACACS+. ISE has been described by some as a RADIUS server on steroids, because it does a lot more than just authenticate users via RADIUS: ISE can learn granular endpoint information via its profiling engine and then use that endpoint information in its policy. It can also share this endpoint context with ecosystem partners, both Cisco and non-Cisco. ISE can act as a certificate authority that issues certificates to BYOD endpoints, it can be configured as a guest access server, and it can also act as a mitigation point to quarantine endpoints in a threat defense scenario.

With ISE and SDA, adoption of the TrustSec protocol has gone through the roof. Not only are we talking about an intent-based network that makes IP access lists a thing of the past, we are also talking about the fusion of automation and security.

Cisco Tetration for Workload:

Cisco Tetration can easily achieve micro-segmentation regardless of the hypervisor, the cloud vendor or any on-premises infrastructure the customer may have. Before we get started, it is really important to understand what exactly Tetration is going to deliver. Within one platform, within one solution, we are going to get visibility across any hybrid cloud model where workloads may live.

We’re going to be able to automate our segmentation policies, meaning that from what we discover we can automatically generate the proper ACLs to allow or deny certain kinds of traffic. By nature Tetration operates on a whitelist (allow-list) model: everything we see and need is allowed, and everything else is blocked.

The last thing we’re going to do is monitor for threat protection and compliance. Once I’ve created a policy, I want to make sure that my environment never deviates from it, and if something does happen where workloads are communicating when they shouldn’t, I want to know about it and I want to be able to fix it easily.

So Tetration has the ability to automatically cluster my servers together and tell me which servers are alike and how they should be grouped. It has the ability to automatically generate a policy for me based on the traffic that it sees. And again, it’s not going to add unused ports to this policy; it adds only what it sees, and it tells me when we have unused traffic. On top of that, it has the ability to analyze my policy against my live traffic, not a simulation, so that I can be absolutely certain that this will not break anything when I go ahead and enforce
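As an added example (not Tetration's own code or API), here is a small Python model of the workflow this section describes: building an allow-list policy only from observed flows, dry-running that policy against live traffic to surface workloads that are talking when they shouldn't, and listing allowed rules that no live flow uses. The workload groups, ports and flows are constructed sample values.

```python
from collections import defaultdict

# Constructed sample of discovered flows between workload groups:
# (src_group, dst_group, dst_port, proto). Hypothetical values, not real data.
DISCOVERED_FLOWS = [
    ("web", "app", 8443, "tcp"),
    ("web", "app", 8443, "tcp"),
    ("app", "db", 5432, "tcp"),
    ("mgmt", "web", 22, "tcp"),
    ("mgmt", "app", 22, "tcp"),
    ("mgmt", "db", 22, "tcp"),
]

# Constructed live traffic to check the policy against before enforcing it.
LIVE_FLOWS = [
    ("web", "app", 8443, "tcp"),
    ("app", "db", 5432, "tcp"),
    ("web", "db", 5432, "tcp"),   # web tier reaching the database directly: never observed
    ("app", "db", 3306, "tcp"),   # port that was never observed: would be denied
]

def generate_policy(flows):
    """Allow-list built only from observed (src, dst, port, proto) tuples.
    Unused ports are never added; anything not listed is implicitly denied."""
    policy = defaultdict(set)
    for src, dst, port, proto in flows:
        policy[(src, dst)].add((port, proto))
    return dict(policy)

def is_allowed(policy, src, dst, port, proto):
    return (port, proto) in policy.get((src, dst), set())

def deviations(policy, live_flows):
    """Dry run: live flows the policy would drop. Review these before enforcing
    so that enforcement does not silently break a real dependency."""
    return [f for f in live_flows if not is_allowed(policy, *f)]

def unused_rules(policy, live_flows):
    """Allowed tuples with no matching live flow: stale allowances to tighten."""
    seen = set(live_flows)
    return sorted((s, d, p, pr) for (s, d), ports in policy.items()
                  for (p, pr) in ports if (s, d, p, pr) not in seen)

if __name__ == "__main__":
    policy = generate_policy(DISCOVERED_FLOWS)
    for flow in deviations(policy, LIVE_FLOWS):
        print("would be denied:", flow)
    for rule in unused_rules(policy, LIVE_FLOWS):
        print("unused rule:", rule)
```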