Zero Trust for Workloads: Knowledge is Key

Zero trust is a popular term in the security space today. Everyone is talking about zero trust, Cisco included. The interesting point is that it’s not new: the original architecture model was released in 2010, and its important guidelines have been part of good security practice for years: think about your important assets and develop secure perimeters around them. What has changed today is the design of security controls as it relates to secure perimeters. A secure perimeter with robust security controls can no longer exist at the network edge in today’s complex, cloud-based, heterogeneous environments. Disparate technologies, lack of integration, rapidly expanding threat surfaces and changing threat landscapes make the job of security difficult. That’s why zero trust is a process that begins with understanding your environment.

In today’s world, assets must be untrusted until network traffic and application behavior can be validated. Because applications are so critical to business today, security controls must be driven down to the application workload level to be effective. This means extending your traditional security infrastructure with new technologies; network access needs to focus on the workload.

Protection starts with security closer to your applications, using a new firewall type of enforcement that surrounds each workload. Enhance this with real-time visibility to map workload communications and application behaviors, and with environmental context to determine whether they should be trusted. Effective policy controls can then be put in place to establish secure perimeters (micro-segmentation) at the workload level, stateful and consistent across multi-cloud data centers at scale. This also allows you to minimize lateral movement in case of security incidents. Continual validation of trust is important to automatically update those policies based on changes to application dependencies and communication patterns. But the first step toward a zero trust model for your application workloads is understanding your environment.

Cisco’s answer to this problem is Tetration. Cisco Tetration provides east-west traffic firewalling capability along with policy discovery and management, no matter where your workloads are located: on-premises, or hybrid/multi-cloud. Tetration provides a single pane of glass to define a context-based workload inventory in an automated way; it auto-discovers application context and collects rich workload telemetry. Using this context and telemetry, Cisco Tetration automates zero trust policy discovery to help you understand what your policy needs to be. Without that level of understanding, you will struggle to effectively deploy zero trust (micro-segmentation) policy enforcement at the workload level. Enforcement without this level of understanding limits your zero trust policy effectiveness.

For more information on a comprehensive zero trust strategy, here are a couple of valuable resources: