Zero Trust Architecture (Networking Technology: Security)

Cover
Title Page
Copyright Page
Contents at a Glance
Contents
Preface
Introduction
Chapter 1 Overview of Zero Trust (ZT)
	Chapter Key Points
	Zero Trust Origins
	Planning for Zero Trust
		Discovery Zero Trust Segmentation Workshop
		Defining the Zero Trust Discovery Workshop Purpose
		Defining Participation in the Discovery Workshop
		Goals and Risks of the Zero Trust Architecture
		Results of Discovery Processes Already Executed Upon
		The Definition of Success and Benefits
		A Practical Approach to Success and Future Needs
		Artifact Gathering for Successful Workshop Outcomes
		Exploring the Business to Secure It
	Zero Trust Organizational Dynamics
		“We have a plan”
		Competing Teams
		“Problem? What problem?”
		“We are going to the cloud and the cloud is Zero Trust by default”
	Cisco’s Zero Trust Capabilities
		Policy & Governance
		Identity
		Vulnerability Management
		Enforcement
		Analytics
	Summary
	References in This Chapter
Chapter 2 Zero Trust Capabilities
	Chapter Key Points
	Cisco Zero Trust Capabilities
	Policy & Governance Pillar
		Change Control
		Data Governance
		Data Retention
		Quality of Service (QoS)
		Redundancy
		Replication
		Business Continuity
		Disaster Recovery (DR)
		Risk Classification
	Identity Pillar
		Authentication, Authorization, and Accounting (AAA)
		AAA Special Conditions
		Certificate Authority
		Network Access Control (NAC)
		Provisioning
		Device
		User
		People
		Infrastructure
		Services
		Privileged Access
		Multifactor Authentication (MFA)
		Asset Identity
		Configuration Management Database (CMDB)
		Internet Protocol (IP) Schemas
		IPV4
		IPV6
		Dual Stack
	Vulnerability Management Pillar
		Endpoint Protection
		Malware Prevention and Inspection
		Vulnerability Management
		Authenticated Vulnerability Scanning
		Database Change
	Enforcement
		Cloud Access Security Broker (CASB)
		Distributed Denial of Service (DDOS)
		Data Loss Prevention (DLP)
		Domain Name System Security (DNSSEC)
		Email Security
		Firewall
		Intrusion Prevention System (IPS)
		Proxy
		Virtual Private Network (VPN)
		Security Orchestration, Automation, and Response (SOAR)
		File Integrity Monitor (FIM)
		Segmentation
	Analytics Pillar
		Application Performance Monitoring (APM)
		Auditing, Logging, and Monitoring
		Change Detection
		Network Threat Behavior Analytics
		Security Information and Event Management (SIEM)
		Threat Intelligence
		Traffic Visibility
		Asset Monitoring & Discovery
	Summary
	References in This Chapter
Chapter 3 Zero Trust Reference Architecture
	Chapter Key Points
	Zero Trust Reference Architecture: Concepts Explored
		Branch
		Campus
		Core Network
		WAN
		Data Center
		Cloud
	Summary
	References in This Chapter
Chapter 4 Zero Trust Enclave Design
	Chapter Key Points
	User Layer
		Corporate Workstations
		Guests
		BYOD: Employee Personal Devices
		IoT
		Collaboration
		Lab and Demo
	Proximity Networks
		Personal Area Network
	Cloud
		Public Cloud
		Private Cloud
		Hybrid Cloud
		Securing the Cloud
		Zero Trust in the Cloud
	Enterprise
	Business Services
		DMZ
		Common Services
		Payment Card Industry Business Services
		Facility Services
		Mainframe Services
		Legacy Systems and Infrastructure Services
	Summary
Chapter 5 Enclave Exploration and Consideration
	Chapter Key Points
	Addressing the Business
	Identifying the “Crown Jewels”
	Identifying and Protecting Shared Enclaves
		Segmentation Policy Development
		Modeling and Testing of Segmentation Policy
	Bringing Blurred Borders Back into Focus
		Monitoring Segment Definitions
		Mitigating Security Holes to Overcome Operational Challenges
	Incorporating New Services and Enclaves
		Onboarding: The Challenge of Merger Activity
		Onboarding: The Challenge of Independent Purchasing Decisions
		Planning for Onboarding New Devices
	Using Automation in Enclaves
	Considerations on the Physicality of an Enclave
	Summary
	References in This Chapter
Chapter 6 Segmentation
	Chapter Key Points
	A Brief Summary of the OSI Model
	Upper Layer Segmentation Models
	Common Network-Centric Segmentation Models
	North-South Directional Segmentation
	East-West Directional Segmentation
	Determining the Best Model for Segmentation
		A Charter for Segmentation
		What is the impact of not segmenting the network?
		Is there a policy that allows us to enforce the need for segmentation of the network?
		To what level do we need to segment the network while still maintaining business as usual?
		An Architectural Model for Success
		Whether the Organization Understands Device Behavior
	Applying Segmentation Throughout Network Functions
		VLAN Segmentation
		Access Control List Segmentation
		TrustSec Segmentation
		Layering Segmentation Functions
		Outside the Branch or Campus
	How To: Methods and Considerations for Segmentation in an Ideal World
		The Bottom Line: Ideal World
		Understanding the Contextual Identity
		Understanding External Resource Consumption of the Device
		Validating Vulnerabilities to External Sites
		Understanding Communication Within the Organization
		Validating Vulnerabilities Within the Organization
		Understanding Communication Within the Broadcast Domain or VLAN
	Restricting Peer-to-Peer or Jump-Off Points
	Summary
	References in This Chapter
Chapter 7 Zero Trust Common Challenges
	Chapter Key Points
	Challenge: Gaining Visibility into the Unknown (Endpoints)
	Overcoming the Challenge: The Use of Contextual Identity
		NMAP
		Operating System (OS) Detection
		Vulnerability Management Integration Systems
		Sneakernet
		Profiling
		System Integrations
	Challenge: Understanding the Expected Behavior of Endpoints
	Overcoming the Challenge: Focusing on the Endpoint
	Challenge: Understanding External Access Requirements
	Overcoming the Challenge: Mapping External Communication Requirements
		Taps
		NetFlow
		Encapsulated Remote Switch Port Analyzer (ERSPAN)
		Proxied Data
		Source of Truth
		CMDBs
		APMs
	Challenge: Macrosegmentation vs. Microsegmentation for the Network
	Overcoming the Challenge: Deciding Which Segmentation Methodology Is Right for an Organization
	Challenge: New Endpoint Onboarding
	Overcoming the Challenge: Consistent Onboarding Processes
	Challenge: Policies Applied to Edge Networks
	Overcoming the Challenge: Ubiquitous Policy Application
	Challenge: Organizational Belief That a Firewall Is Enough
	Overcoming the Challenge: Defense in Depth and Access-Focused Security
		Vulnerability Scanners
		Device Management Systems
		Malware Prevention and Inspection
		Endpoint-Based Analysis Policies
	Overcoming the Challenge: The Case for Securing the Application, Not the Network
	Summary
	References in This Chapter
Chapter 8 Developing a Successful Segmentation Plan
	Chapter Key Points
	Planning: Defining Goals and Objectives
		Risk Assessments and Compliance
		Threat Mapping
		Data Protection
		Reducing Attack Surfaces
	Plan: Segmentation Design
		Top-Down Design Process
		Bottom-Up Design Process
	Implement: Deploying the Segmentation Design
		Creating a Segmentation Plan by Site Type
		Business Services
		Building IoT
		Infrastructure Management
		Guest
		Services
		Creating a Segmentation Plan by Endpoint Category
		Common or Shared Devices
		Labs
		Pharma
		Imaging
		Point of Care
		Clinical VDI
		Creating a Segmentation Plan by Service Type
		Partner/Vendor Remote Access VPN
		Employee Remote Access VPN
		Partner Leased Lines
		DMZ Services
		Corporate WAN
		Employee Outbound Internet
		Guest Outbound Internet
		Unknown
	Implement: The Segmentation Model
	Summary
	References in This Chapter
Chapter 9 Zero Trust Enforcement
	Chapter Key Points
	A Practical Plan for Implementing Segmentation
	Endpoint Monitor Mode
		Initial Application of Monitoring Mode
	Endpoint Traffic Monitoring
		Monitoring of Additional Sites
	Enforcement
	Network Access Control
	Environmental Considerations
		Greenfield
		Brownfield
	Practical Considerations Within Contextual Identity
		Authentication (AuthC)
		Authorization (AuthZ)
		Segmentation
		Greenfield
		Brownfield
		Unified Communications
		Data Exchange
	Summary
Chapter 10 Zero Trust Operations
	Chapter Key Points
	Zero Trust Organization: Post-Implementation Operations
		Adoption Barriers
		Innovators and Early Adopters
		The Early Majority
		The Late Majority
		Laggards
		Applications Owners and Service Teams
		Operations and Help Desk
		Network and Security Teams
	The Life Cycle of Zero Trust Policies
		Zero Policy Management
		Practical Considerations: Cisco Network Architecture
	Moves, Adds, and Changes in a Zero Trust Organization
	Summary
	References in This Chapter
Chapter 11 Conclusion
	Chapter Key Points
	Zero Trust Operations: Continuous Improvements
		Policy & Governance
		Identity
		Vulnerability Management
		Enforcement
		Analytics
	Summary
Appendix A: Applied Use Case for Zero Trust Principles
	Business Problem
	Goals and Drivers
	Application of the Principles of Zero Trust
		Policy and Governance
		Understanding the Business
		Identifying and Vulnerability Management
		Application of Enforcement
		Firewalls
		Identity Services Engine (ISE)
		TrustSec Tags
		DNS
		Analytics
	Conclusion
Index
	A
	B
	C
	D
	E
	F
	G
	H
	I
	J
	K
	L
	M
	N
	O
	P
	Q
	R
	S
	T
	U
	V
	W
	X
	Y
	Z