
How to Use Cisco Devices for Zero Trust Security: A Simple Guide

The way people work is constantly changing. Whether through working from home, use of the cloud, or heavy use of mobile devices, the ways networks are secured must change with it to keep the people working on them protected. This is where Zero Trust comes into play. The basic approach can be summarized as: by default, do not trust anyone or anything, including those already inside the network.


This guide will discuss how Cisco devices can be leveraged to enforce Zero Trust security using various key practices such as group-based access, trust-based access, and Security Group Tags (SGTs). After an overview and in-depth discussion, we’ll go through an example use case.


What is Zero Trust Truly About?

Zero Trust focuses on the concept that everyone is required to prove who they are, whether they are inside or outside of your company network. On top of this, they must also prove they’re allowed access to the system, software, or information they’re attempting to access. Think of it as a security guard at a club who checks every person’s ID, even for regulars the guard sees every night.

How Does Cisco Help with Zero Trust?

Cisco, as many know, is a massive name in security and networking, which means they have fantastic tools to help set up Zero Trust. The main areas Cisco focuses on when it comes to Zero Trust are:


  • Workplace Security: Network and device protection at work.

  • Workforce Security: Ensuring only the proper devices and people are given correct access.

  • Workload Security: Safeguarding data and apps both on-premises and in the cloud.


Group-Based and Trust-Based Access Using Cisco Devices

Both group-based access and trust-based access are essential when building out Zero Trust. Group-based access refers to the grouping of users into security groups, allowing for access to be granted or denied based upon membership of a group. Trust-based access involves consistent checks that a user or device can be trusted to maintain access.


  • Cisco Identity Services Engine (ISE)

    ISE allows for granular control of who can access your network. Rules grant or deny access based on the device being used, who is trying to gain access, and more. Policies can be divided and assigned to various groups, such as giving the System Administrators group access to servers that people in another group, say the HR group, cannot access. ISE makes use of Security Group Tags (SGTs), which are explained further below.


  • Security Group Tags (SGTs)

    SGTs allow for the “tagging” of devices and users within ISE. By giving users and devices tags, they can be assigned permissions for one or multiple groups, each of which is given access rights by the policies associated with those SGTs.


  • Cisco Duo

    The purpose of Duo is to increase security by adding a “something they have” element to user access. Duo can be integrated with many apps and services and its ease of use makes it one of Cisco’s most popular tools.


  • Cisco Secure Network Analytics (formerly Stealthwatch)

    Secure Network Analytics allows for viewing of network traffic, giving users the ability to spot anomalies or strange behavior on the network. This tool is only for analyzing traffic; it will not prevent or act against any events.


Real-World Example: Securing a Remote Workforce

For this example, we will look at how a financial services company would implement and use Zero Trust tools provided by Cisco to secure remote users.


At the company, users are working both from home and within an office. The network team must ensure that users in both locations have proper access to very sensitive financial information.


How Each Tool is Used


  • Authentication of Users Using Duo

    Each time an employee logs in, they will be prompted to verify that it is them. This is done through the Duo app and, if the correct user accepts the log in, they will be authenticated and granted access.


  • Device Checking with ISE

    Upon authentication, ISE will ensure that the device is secure. Once confirmed, the device gains access; otherwise, it will be blocked and noted to be fixed.


  • Group-Based Access with ISE

    Once a user is authenticated, ISE will look to see which group the user is in. One example may be a user in HR being given access to only the HR tools needed, ensuring that the user only gets access to the resources they need.


  • Use of Security Group Tags

    SGTs are used to tag users and devices based on roles. All those in the Finance department will be given the “Finance” SGT. This will give access to secure financial data to only those in this trusted group of employees.


  • Monitoring with Secure Network Analytics

    Using Secure Network Analytics, monitoring will be done continuously on the network. This will confirm that Zero Trust is being properly used by making sure no strange traffic is going through the network.


  • Policy Enforcement with ISE

    Policies will be created in ISE for each group. Users that are a part of a certain group will have those policies assigned to them when authenticated into the network. As an example, the finance users will have policies allowing higher access to financial information than a group such as IT Admin users but will lack access to secure servers that the IT Admin group has access to in their policies.


  • Incident Response

    The network team will be alerted to abnormal traffic or device authentication issues through ISE and Secure Network Analytics. The user or device will be isolated and, if it is a potential security threat, will have its access revoked and be fixed for future use.
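
The decision order in the steps above, modelled as an added Python example; it is not code from this guide or from Cisco ISE. The tag names, resource names, and the `authorize` and `audit` functions are assumptions made for illustration, with the policy itself living in ISE in a real deployment.

```python
from dataclasses import dataclass

# Constructed sample policy for the guide's scenario. Tag and resource
# names are assumptions, not values from a real ISE deployment.
GROUP_TO_SGT = {"Finance": "Finance", "HR": "HR", "IT Admin": "IT_Admin"}

# (source SGT, destination resource) pairs that are permitted.
# Anything absent from this set is denied (default deny).
PERMIT_MATRIX = {
    ("Finance", "financial_data"),
    ("HR", "hr_tools"),
    ("IT_Admin", "secure_servers"),
}

@dataclass
class Session:
    user: str
    group: str
    mfa_approved: bool      # outcome of the Duo prompt
    device_compliant: bool  # outcome of the ISE device check

def authorize(s: Session, resource: str) -> tuple[str, str]:
    """Return (decision, reason), checking in the order the steps run."""
    if not s.mfa_approved:
        return ("deny", "mfa_not_approved")
    if not s.device_compliant:
        return ("deny", "device_failed_check")   # blocked until fixed
    sgt = GROUP_TO_SGT.get(s.group)
    if sgt is None:
        return ("deny", "no_sgt_for_group")      # untagged means untrusted
    if (sgt, resource) not in PERMIT_MATRIX:
        return ("deny", f"sgt_{sgt}_not_permitted")
    return ("permit", f"sgt_{sgt}")

def audit(sessions, resource):
    """Evaluate many sessions; denied rows are what the network team reviews."""
    return [(s.user, *authorize(s, resource)) for s in sessions]

if __name__ == "__main__":
    sample = [  # constructed sessions
        Session("alice", "Finance", True, True),
        Session("bob", "IT Admin", True, True),
        Session("carol", "Finance", True, False),
        Session("dave", "Finance", False, True),
    ]
    for row in audit(sample, "financial_data"):
        print(row)
```

Only the first session is permitted: the IT Admin user is stopped by the tag policy, and the two remaining Finance users are stopped earlier by the device check and the Duo prompt, even though their group would otherwise qualify.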

 

In Conclusion

Zero Trust is one of the most important aspects of keeping an organization’s network safe in today’s landscape. With Cisco’s available tools such as ISE, Duo, and Secure Network Analytics, setting up group-based and trust-based access with the use of SGTs becomes a much less daunting task. When these tools are used in unison, a network will be secure and only trusted users and devices will be given access to secure information on the network.

 

So, leverage the tools made available by Cisco to create a more secure network, both inside and out!


How can CDA help you improve your network security?

Need help implementing Zero Trust? Our network security professionals are here to assist you in leveraging Cisco tools like ISE, Duo, and Secure Network Analytics to create a more secure network.



