Page 1
End 2 End Zero Trust Network Security Framework
Philip Wong, Principal Solution Architect, Cisco Greater China
Page 2
© 2020 Cisco and/or its affiliates. All rights reserved.
Agenda
• Trends and Challenges
• A Practical Zero Trust Approach
• Use Case
• Call for Collaboration
Page 3
Shift in IT Landscape: users, devices and apps are everywhere
Evolving Perimeter
• Remote Users
• Personal & Mobile Devices
• IoT Devices
• Cloud Applications
• Hybrid Infrastructure
• Cloud Infrastructure
Page 4
Traditional Security is like a castle
Page 5
What about “Least-Privilege Access”? (i.e. grant access, but make it very specific)
• Focus on data protection, not on attacks
• Assumes all environments are hostile and breached
• No access until user + device is proven “trusted”
• Authentication not equal to Authorization
Page 6
A brief history of Zero Trust
• 2004, Jericho Forum (De-perimeterisation): an international group of CISOs and vendors; focus on solving the “de-perimeterisation” problem; early output calling for “the need for trust”.
• 2010, ZT (Multiple Models Emerge): Forrester coined Zero Trust.
• 2014, BeyondCorp: Google published their ZT solution as BeyondCorp.
• 2017, CARTA & ZTX: Forrester expands to Zero Trust eXtended; Gartner named their model Continuous Adaptive Risk and Trust Assessment.
• Today, ZTA (Generalized): the industry has largely accepted Zero Trust Architecture as the general term.
Page 7
Zero Trust Architectural “Pillars”
• Eliminate Network Trust
• External and internal threats exist at all times
• Every user, device, app and network flow is authenticated and authorized
• Policies-based and must be dynamic; postures calculated from as many sources as possible
• Constant logging, monitoring and re-scoring
• Automation is key to build and operate a ZT architecture
Page 8
Cisco Zero Trust Approach
• Multi-factors of User Identity
• Device context and Identity
• Device posture & health
• Location
• Relevant attributes & context

“Least Privilege Access” to:
• Network
• Applications
• Resources
• Users & Devices

• Original tenets used to establish trust still true?
• Threat Traffic?
• Behavior baselining
• Malicious or anomalous actions?
Page 9
Sample Zero Trust Architecture
[Architecture diagram; labels recovered from the slide:]
• Control Plane (Policies Establishment): Policy Information Point (PIP) fed by the Workload / App Inventory, Device Inventory, User Inventory and Other Sources; Policy Administration Point (PAP); Policy Decision Point (PDP) comprising the ZT Policy Engine and Trust Engine.
• Data Plane (Policies Enforcement): Policy Enforcement Point (PEP) at the Endpoint, Network Equipment (IPS, FW) and Applications; applications shown as Legacy App (Mode 1), App (Mode 2) and SaaS, on-premise and in the clouds, reached via the Internet.
• Feedback Loop from the data plane back to the control plane.
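The PIP/PDP/PEP split and the feedback loop on this slide, together with the trust-establish / least-privilege / continuously-verify steps of the previous one, as an added example (not Cisco code, and not part of the original deck): a toy policy decision point that scores a request from several constructed inventories, denies by default, and re-scores a permitted session when a monitoring signal arrives. All inventory entries, names and score weights are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Request:
    """One access attempt the PEP forwards to the PDP (constructed shape)."""
    user: str
    device: str
    resource: str
    location: str

# Policy Information Points: constructed sample inventories standing in for
# the slide's User, Device and Workload/App inventories.
USER_INVENTORY = {"alice": {"mfa": True, "groups": {"finance"}}}
DEVICE_INVENTORY = {
    "lt-01": {"managed": True, "posture": "healthy"},
    "byod-7": {"managed": False, "posture": "unknown"},
}
APP_INVENTORY = {"ledger": {"allowed_groups": {"finance"}, "managed_only": True}}

def trust_score(user, device, location):
    """Trust Engine: a posture computed from several sources, re-run on every decision."""
    u = USER_INVENTORY.get(user, {})
    d = DEVICE_INVENTORY.get(device, {})
    score = 40 if u.get("mfa") else 0               # multi-factor user identity
    score += 30 if d.get("managed") else 0          # device identity / context
    score += 20 if d.get("posture") == "healthy" else 0
    score += 10 if location in {"office", "vpn"} else 0
    return score

def decide(req, min_score=70):
    """PDP: least privilege means deny unless every tenet holds."""
    app = APP_INVENTORY.get(req.resource)
    u = USER_INVENTORY.get(req.user, {})
    d = DEVICE_INVENTORY.get(req.device, {})
    if app is None or not (u.get("groups", set()) & app["allowed_groups"]):
        return "deny"                               # authenticated != authorized
    if app["managed_only"] and not d.get("managed"):
        return "deny"
    if d.get("posture") == "compromised":
        return "deny"                               # hard gate regardless of score
    return "permit" if trust_score(req.user, req.device, req.location) >= min_score else "deny"

def reevaluate(req, posture_update):
    """Feedback loop: a monitoring signal updates the device inventory and the
    session is re-scored, so a permit is never permanent."""
    DEVICE_INVENTORY[req.device]["posture"] = posture_update
    return decide(req)
```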
Page 10
Zero Trust Use Case Scenarios
[Diagram; labels recovered from the slide:]
• WORKFORCE: User Inventory, Device Inventory, Policies
• WORKLOAD: Workload / App Inventory, Policies
• WORKPLACE: User Inventory, Device Inventory + Network / Location Context
Page 11
WORKLOAD
• “No more network centric authentication”
• Shifting to “a serverless world”
• Application Services relationship auto-discovery
• Constantly Monitor flows
• Apply Machine Learning, baselining activities, identify anomalous, …
• Establish and Simulate Trust Policies
• Multi-domain enforcement
• Agents
• Policy-based network
• 3rd party OPEN integration
Page 12
WORKLOAD
• Mode 1 Applications transition to Micro-Services
• Safeguard Interaction between Mode 1 and Mode 2
• Securely expose Mode 2 Services to ultimate consumers
Page 13
Embracing Other contextual data
Page 14
#CiscoLiveLA
Page 15
Expand to a much wider scope with context data exchange
Page 16
Cisco Platform Exchange Grid (pxGrid)
• Publish/Subscribe Model with Bi-directional Context Sharing and Consuming Control
• IoT Ecosystem partner (e.g. MRI)
• Policy Enforcement Point
Page 17
Call for Collaboration
• Platform Exchange for context sharing and innovative integration between:
  • IoT Devices
  • Thin Applications
• Further information:
  • Cisco Zero Trust: https://www.cisco.com/c/en_hk/products/security/zero-trust.html
  • pxGrid White Paper: https://pubhub.devnetcloud.com/media/pxgrid-api/docs/overview/Cisco_pxGrid_White_Paper_09192018_JE.pdf
  • https://developer.cisco.com/site/pxgrid/