End 2 End Zero Trust Network Security Framework

Philip Wong, Principal Solution Architect, Cisco Greater China



Page 2

© 2020 Cisco and/or its affiliates. All rights reserved.

Agenda

• Trends and Challenges

• A Practical Zero Trust Approach

• Use Case

• Call for Collaboration

Page 3


Shift in IT Landscape: users, devices and apps are everywhere

Evolving Perimeter

• Remote Users

• Personal & Mobile Devices

• IoT Devices

• Cloud Applications

• Hybrid Infrastructure

• Cloud Infrastructure

Page 4


Traditional Security is like a castle

Page 5


What about “Least-Privilege Access” (i.e. grant access, but make a very specific)

• Focus on data protection, not on attacks

• Assumes all environments are hostile and breached

• No access until user + device is proven “trusted”

• Authentication not equal to Authorization

Page 6


A brief history of Zero Trust

2004: Jericho Forum, De-perimeterisation

• An international group of CISOs and Vendors

• Focus on solving the “de-perimeterisation” problem

• Early output calling for “the need for trust”

2010 to 2017: Multiple Models Emerge

• 2010: Forrester coined Zero Trust (ZT).

• 2014: Google published their ZT solution as BeyondCorp.

• 2017: Forrester expands to Zero Trust eXtended (ZTX); Gartner named their model Continuous Adaptive Risk and Trust Assessment (CARTA).

TODAY: Generalized

• The industry has largely accepted Zero Trust Architecture (ZTA) as the general term.

Page 7


Zero Trust Architectural “Pillars”

• Eliminate Network Trust

• External and internal threats exist at all times

• Every user, device, app and network flow is authenticated and authorized

• Policy-based and must be dynamic; postures calculated from as many sources as possible

• Constant logging, monitoring and re-scoring

• Automation is key to build and operate a ZT architecture

Page 8


Cisco Zero Trust Approach

• Multi-factors of User Identity

• Device context and Identity

• Device posture & health

• Location

• Relevant attributes & context

“Least Privilege Access” to:

• Network

• Applications

• Resources

• Users & Devices

• Original tenets used to establish trust still true?

• Threat Traffic?

• Behavior baselining

• Malicious or anomalous actions?

Page 9


Sample Zero Trust Architecture

[Architecture diagram; labels recovered from the slide:]

Control Plane (Policies Establishment)

• Policy Information Points (PIP): Workload / App Inventory, Device Inventory, User Inventory

• Policy Administration Point (PAP)

• Policy Decision Point (PDP): ZT Policy Engine, Trust Engine, Other Sources

Data Plane (Policies Enforcement)

• Policy Enforcement Points (PEP): Endpoint, Network Equipment (IPS, FW), App

• Protected resources: Legacy Apps, SaaS, Internet

• Environments: CLOUDs, On-Premise; Network, Applications; Mode 1, Mode 2

Feedback Loop between the Data Plane and the Control Plane
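The pillars on page 7, the establish / enforce / continuously verify approach on page 8 and the PIP / PAP / PDP / PEP split above can be shown end to end in one small piece of code. The following is an added example, not Cisco's implementation or any product's API: the inventories, the trust-score weights, the resource names and the session handling are all assumptions constructed for the illustration. It shows a PDP that combines several signals into a trust score, treats authentication and authorization as separate checks with default deny, and a PEP that keeps a session open only as long as re-scoring on new signals (the feedback loop) still says allow.

```python
"""Toy zero-trust Policy Decision Point (PDP) with continuous re-evaluation.

Added illustration: the inventories, scoring weights and resources below are
constructed for the example and are not Cisco's implementation.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessContext:
    """Signals a Policy Enforcement Point (PEP) forwards to the PDP for one request."""
    user: str
    mfa: bool              # user completed multi-factor authentication
    device_managed: bool   # device identity is known to the device inventory
    posture_healthy: bool  # device posture / health check passed
    location: str          # "office", "home" or "unknown"
    resource: str
    action: str


# Policy Information Points (constructed sample inventories): user -> roles.
USER_INVENTORY = {"alice": {"finance"}, "bob": {"dev"}}

# Policy Administration Point output: per-resource least-privilege policy.
RESOURCE_POLICY = {
    "erp-finance": {"roles": {"finance"}, "actions": {"read", "write"}, "min_score": 80},
    "wiki": {"roles": {"finance", "dev"}, "actions": {"read"}, "min_score": 40},
}


def trust_score(ctx: AccessContext) -> int:
    """Trust engine: posture is calculated from several signals; no single one suffices."""
    score = 40 if ctx.mfa else 0
    score += 25 if ctx.device_managed else 0
    score += 25 if ctx.posture_healthy else 0
    score += {"office": 10, "home": 5}.get(ctx.location, 0)  # unknown location adds nothing
    return score


def decide(ctx: AccessContext) -> tuple[bool, str]:
    """PDP: authentication alone is not authorization; deny unless every check passes."""
    policy = RESOURCE_POLICY.get(ctx.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not USER_INVENTORY.get(ctx.user, set()) & policy["roles"]:
        return False, "user authenticated but not authorized for this resource"
    if ctx.action not in policy["actions"]:
        return False, f"action {ctx.action!r} not permitted on {ctx.resource}"
    score = trust_score(ctx)
    if score < policy["min_score"]:
        return False, f"trust score {score} below required {policy['min_score']}"
    return True, f"allow with trust score {score}"


class EnforcementPoint:
    """PEP that keeps a session only while the PDP keeps saying yes (feedback loop)."""

    def __init__(self) -> None:
        self.sessions: dict[str, AccessContext] = {}

    def open_session(self, session_id: str, ctx: AccessContext) -> tuple[bool, str]:
        allowed, reason = decide(ctx)
        if allowed:
            self.sessions[session_id] = ctx
        return allowed, reason

    def feedback(self, session_id: str, **changed_signals) -> tuple[bool, str]:
        """A changed signal (posture drift, new location) triggers re-scoring of the session."""
        ctx = replace(self.sessions[session_id], **changed_signals)
        allowed, reason = decide(ctx)
        if allowed:
            self.sessions[session_id] = ctx
        else:
            del self.sessions[session_id]  # original tenets no longer true: revoke access
        return allowed, reason

    def is_active(self, session_id: str) -> bool:
        return session_id in self.sessions


if __name__ == "__main__":
    pep = EnforcementPoint()
    alice = AccessContext("alice", True, True, True, "office", "erp-finance", "write")
    print(pep.open_session("s1", alice))
    print(pep.feedback("s1", posture_healthy=False))
    print("session still active:", pep.is_active("s1"))
```

The point of the `feedback` method is the "constant re-scoring" pillar: the PEP does not trust a decision made at login, it asks the PDP again whenever a signal it relies on changes, and a session whose device has lost its healthy posture is torn down even though the user never re-authenticated.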

Page 10


Zero Trust Use Case Scenarios

[Diagram; labels recovered from the slide: three scenarios, WORKFORCE, WORKLOAD and WORKPLACE, each built from inventories (Workload / App Inventory, Device Inventory, User Inventory) plus Network / Location Context, feeding Policies]

Page 11


WORKLOAD

• “No more network centric authentication”

• Shifting to “a serverless world”

• Application Services relationship auto-discovery

• Constantly monitor flows

• Apply Machine Learning, baselining activities, identify anomalous, …

• Establish and simulate Trust Policies

• Multi-domain enforcement

• Agents

• Policy-based network

• 3rd party OPEN integration
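Three of the workload items above (relationship auto-discovery, constantly monitoring flows to identify anomalous ones, and establishing and simulating trust policies before enforcing them) fit together in one procedure, shown here as an added example that is not Cisco's code or any product's output. The flow records, service names, ports and the support threshold are constructed assumptions. A learning window of flows is turned into an allow-list of service relationships, the policy is dry-run against that same window to see what enforcement would break, and then run against a later monitoring window where every flow that would be denied is an anomaly to investigate, grouped by source workload so each enforcement domain gets its own list.

```python
"""Workload flow baselining and trust-policy simulation.

Added illustration: the flow records are constructed, and the service names,
ports and thresholds are assumptions for the example, not product output.
"""
from collections import Counter

# (source service, destination service, destination port)
Flow = tuple[str, str, int]

# Constructed learning-window telemetry: what "normal" looks like.
LEARNING_WINDOW: list[Flow] = (
    [("web", "api", 8443)] * 120
    + [("api", "db", 5432)] * 95
    + [("api", "cache", 6379)] * 60
    + [("web", "db", 5432)]          # seen once: noise, not a relationship
)

# Constructed monitoring-window telemetry after the baseline is established.
MONITORING_WINDOW: list[Flow] = (
    [("web", "api", 8443)] * 10
    + [("api", "db", 5432)] * 8
    + [("db", "internet", 443), ("web", "db", 5432)]  # unseen during learning
)


def discover_relationships(flows: list[Flow], min_count: int = 5) -> dict[str, set[tuple[str, int]]]:
    """Auto-discover application service relationships with enough support to baseline."""
    policy: dict[str, set[tuple[str, int]]] = {}
    for (src, dst, port), n in Counter(flows).items():
        if n >= min_count:
            policy.setdefault(src, set()).add((dst, port))
    return policy


def simulate(policy: dict[str, set[tuple[str, int]]], flows: list[Flow]) -> tuple[int, list[Flow]]:
    """Dry-run a trust policy: number of flows allowed and the flows that would be denied.

    Run on the learning window this shows what enforcement would break; run on a
    monitoring window the denied list is the set of anomalous flows to investigate.
    """
    allowed = 0
    denied: list[Flow] = []
    for flow in flows:
        src, dst, port = flow
        if (dst, port) in policy.get(src, set()):
            allowed += 1
        else:
            denied.append(flow)
    return allowed, denied


def anomalies_by_source(policy: dict[str, set[tuple[str, int]]], flows: list[Flow]) -> dict[str, list[Flow]]:
    """Group denied flows by source workload so each enforcement domain gets its own list."""
    _, denied = simulate(policy, flows)
    grouped: dict[str, list[Flow]] = {}
    for flow in dict.fromkeys(denied):   # de-duplicate while keeping first-seen order
        grouped.setdefault(flow[0], []).append(flow)
    return grouped


if __name__ == "__main__":
    baseline = discover_relationships(LEARNING_WINDOW)
    print("baseline:", baseline)
    print("learning-window dry run:", simulate(baseline, LEARNING_WINDOW))
    print("monitoring anomalies:", anomalies_by_source(baseline, MONITORING_WINDOW))
```

The `min_count` threshold is the simplest form of the "baselining" step: a single flow seen once during learning is not promoted to a trusted relationship, so it shows up as denied in the dry run and an operator decides whether it belongs in the policy before enforcement is switched on.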

Page 12


WORKLOAD

• Mode 1 Applications transition to Micro-Services

• Safeguard Interaction between Mode 1 and Mode 2

• Securely expose Mode 2 Services to ultimate consumers

Page 13


Embracing other contextual data

Page 14

#CiscoLiveLA

Page 15


Expand to a much wider scope with context data exchange

Page 16


Cisco Platform Exchange Grid (pxGrid)

• Publish/Subscribe Model with Bi-directional Context Sharing and Consuming Control

[Diagram labels: IOT Ecosystem partner (e.g. MRI); Policy Enforcement Point]
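The publish/subscribe model with bi-directional context sharing described above, as an added example of the model only: the in-memory broker, the topic names `device/context` and `enforcement/actions`, the message fields and the risk-to-segment mapping are assumptions constructed for this illustration and are not the pxGrid API or any Cisco component. An IoT ecosystem partner publishes what it knows about a device (type and risk rating), a Policy Enforcement Point consumes that context to place the device in a network segment, and the PEP publishes the action it took back onto the grid so the partner (and anyone else subscribed) sees the result; context flows in both directions over the same broker.

```python
"""Publish/subscribe context exchange between an IoT ecosystem partner and a
Policy Enforcement Point.

Added illustration of the model only: the topic names, message fields and the
broker are assumptions made for this example, not the pxGrid API.
"""
from collections import defaultdict
from typing import Callable

Event = dict[str, str]


class ContextBroker:
    """Minimal topic-based broker: any participant may publish or subscribe."""

    def __init__(self) -> None:
        self._subscribers: dict[str, list[Callable[[Event], None]]] = defaultdict(list)

    def subscribe(self, topic: str, callback: Callable[[Event], None]) -> None:
        self._subscribers[topic].append(callback)

    def publish(self, topic: str, event: Event) -> int:
        """Deliver to every subscriber of the topic; returns how many consumers got it."""
        for callback in list(self._subscribers[topic]):
            callback(event)
        return len(self._subscribers[topic])


class IoTPartner:
    """Publishes device context and consumes the enforcement actions taken on its devices."""

    def __init__(self, broker: ContextBroker) -> None:
        self.broker = broker
        self.actions_seen: list[Event] = []
        broker.subscribe("enforcement/actions", self.actions_seen.append)

    def report(self, device_id: str, device_type: str, risk: str) -> None:
        self.broker.publish("device/context",
                            {"device_id": device_id, "type": device_type, "risk": risk})


class EnforcementPoint:
    """Consumes device context, maps it to a segment, and publishes what it did."""

    SEGMENT_FOR = {"low": "medical-devices", "high": "quarantine"}  # assumed mapping

    def __init__(self, broker: ContextBroker) -> None:
        self.broker = broker
        self.segments: dict[str, str] = {}
        broker.subscribe("device/context", self.on_context)

    def on_context(self, event: Event) -> None:
        # An unknown or missing risk rating falls back to the most restrictive segment.
        segment = self.SEGMENT_FOR.get(event.get("risk", ""), "quarantine")
        self.segments[event["device_id"]] = segment
        self.broker.publish("enforcement/actions",
                            {"device_id": event["device_id"], "segment": segment})

    def segment_of(self, device_id: str) -> str:
        return self.segments.get(device_id, "unassigned")


if __name__ == "__main__":
    broker = ContextBroker()
    partner = IoTPartner(broker)
    pep = EnforcementPoint(broker)
    partner.report("mri-01", "MRI scanner", "high")   # constructed device id
    print(pep.segment_of("mri-01"), partner.actions_seen)
```

The default-to-quarantine branch in `on_context` is the part worth copying: a partner that publishes a rating the PEP does not understand must not end up granting the device a permissive segment by accident.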

Page 17


Call for Collaboration

• Platform Exchange for context sharing and innovative integration between
  • IOT Devices
  • Thin Applications

• Further information
  • Cisco Zero Trust: https://www.cisco.com/c/en_hk/products/security/zero-trust.html
  • pxGrid White Paper: https://pubhub.devnetcloud.com/media/pxgrid-api/docs/overview/Cisco_pxGrid_White_Paper_09192018_JE.pdf
  • https://developer.cisco.com/site/pxgrid/

Page 18