Zero Trust Architecture for the SMB

Jarrod Benson, CISO of Koch Industries, is credited with the following summary of what might be considered a new IT delivery model, particularly for the small business (any business really, but if you are a large oil tanker, it may take some time to change direction). It goes:

  1. The Internet is the network
  2. The Cloud is the data center
  3. Your Identity is the new perimeter
  4. Any Device is a work device

And that's pretty much it! Cisco has worked hard to bring this level of 'simplified sophistication' to the Enterprise market by way of an initiative called Zero Trust Security, and this is fully documented here: Cisco Zero Trust Security.

And the architecture can be distilled further for the SMB market, particularly for those who would subscribe to the 'Jarrod Model' above.

Taking the bullet points in turn:

Internet

Cisco is pretty well established here :). I would pay particular attention to the 'full stack' networking model offered by Cisco Meraki, a cloud-managed networking platform providing robust wireless, wired and secure connectivity services to the Internet. The products are well described here as the Smart IT solution for networking (with some complementary network-attached products). The stack includes complementary network security services by way of solutions such as Cisco Umbrella (DNS-layer security).

Cloud

Sometimes described as 'someone else's server' :), it is quite obvious that Cloud delivery of infrastructure and applications is now common. In SaaS (Software as a Service), adoption of productivity suites such as Microsoft Office 365 and Google G Suite is already the 'norm' (some stats here: Office 365 / Google GSuite), with similar shifts to services such as Salesforce, ServiceNow, DocuSign, etc. Bottom line: more companies would rather let someone else feed and water the applications while they get on with using them (why wouldn't you!). And, typically, these SaaS platforms are delivered via the Internet (see the previous bullet point).

The 'Cloud' also offers use of 'someone else's server' to deploy a company's own virtual machines (VMs) or applications (IaaS, Infrastructure as a Service), as well as the ability to rapidly develop their own applications on a PaaS (Platform as a Service). IaaS/PaaS/SaaS are relatively old-school terms now, with the major public cloud providers (Azure, GCP, AWS, etc.) offering a plethora of services that make the shift to cloud pretty much frictionless. As an example, look at this fabulous, eye-watering chart of Google Cloud Platform services on offer. The original (high-res) version is available at the Google Cloud Developer's Cheat Sheet.

[Image: Google Cloud Developer's Cheat Sheet chart of GCP services]

Identity

Now, arguably, this is where things start to get really interesting! Cisco identified (excuse the pun) that Identity was a critical component for permissions-based access. Enterprise products such as the Identity Services Engine (ISE) are testament to that. However, there needed to be a 'simplified sophistication' solution to Identity (with subsequent permissions control), and this came in the form of the acquisition of a company called Duo. Duo is a well-known Multi-Factor Authentication (MFA) company (arguably the world's best MFA solution!).


However, what is less well known is that Duo has fully embraced the concept of 'Zero Trust' and has been building a rounded solution to this problem for a number of years. Back in the day (and it's still called this), Google introduced a concept known as BeyondCorp. It's Google's view on Zero Trust, and Duo liked the concepts so much that one of the Duo licensing tiers is called Duo Beyond! The clue is in the name :)

Let's break some of this down in stages.

User Identity

If we can apply Multi-Factor Authentication to an authentication request then we can be reasonably confident of the person. I think that's fairly obvious. Therefore, a robust, easy-to-use MFA solution is the starting point. One caveat worth keeping in mind: push notifications and one-time codes can still be phished, or approved by mistake under a barrage of prompts, so a FIDO2 security key (see below) is the phishing-resistant option among the factors on offer.

Modern Apps & Authentication

The majority of apps these days are delivered via the web (we talked about SaaS and even PaaS), so the majority of these apps can be integrated, from an authentication point of view, via standardised web capabilities such as SAML 2.0 (Security Assertion Markup Language 2.0). Indeed, most modern apps that you may run on-premise (if you still have some!!) can also support SAML.

The Duo Access Gateway (DAG) adds MFA to these apps and services by acting as a SAML identity provider in front of them. Now, typically, there might be one or more identity sources such as Active Directory; however, it is also safe to say, particularly for smaller businesses, that using a cloud-based identity system is, and will increasingly be, more common. The DAG can authenticate users against Active Directory or OpenLDAP, or against Azure AD, Google or other third-party IdPs hosted in the cloud. The point being that the DAG has now provided a standardised MFA capability across a multitude of modern apps in a user-friendly way. This can also form the basis of an SSO (Single Sign-On) capability, meaning fewer user prompts if required. (Note: the DAG is a customer-hosted component that Duo has since retired in favour of the cloud-hosted Duo Single Sign-On, which plays the same role.)
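Whichever IdP issues the SAML assertion, the application on the receiving end still has to check it properly: validity window, audience, that it answers a request this app actually made, and that it is only accepted once. The following is an added example written for this page, not Duo or Cisco code; it assumes the XML signature has already been verified by a proper SAML library (python3-saml / xmlsec), and every URL, identifier and the sample assertion itself are constructed for illustration.

```python
"""Check that a SAML 2.0 assertion is meant for us, is fresh and has not been replayed.

Added example, not Duo or Cisco code. Signature verification (e.g. python3-saml/xmlsec)
MUST pass before these checks and is out of scope; parse untrusted XML with defusedxml in
production. All URLs, IDs and the sample assertion below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, of the kind an IdP such as the DAG issues to an app.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3d4" Version="2.0" IssueInstant="2021-03-01T10:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2021-03-01T10:05:00Z"
          Recipient="https://app.example.test/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2021-03-01T09:59:00Z" NotOnOrAfter="2021-03-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


class SamlValidationError(ValueError):
    """An assertion failed one of the condition checks."""


def _xsd_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # xsd:dateTime -> aware UTC


def validate_assertion(xml_text, *, expected_issuer, expected_audience, expected_acs,
                       expected_request_id, seen_ids, now=None, skew=timedelta(minutes=2)):
    """Return the NameID if every condition holds, else raise SamlValidationError.
    seen_ids is the caller's replay cache; keep entries at least as long as the
    longest NotOnOrAfter you are willing to accept."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise SamlValidationError("not a SAML assertion")
    # 1. Issued by the IdP we trust (the signature check binds its key to this issuer).
    if root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        raise SamlValidationError("unexpected issuer")
    # 2. Validity window, with a small clock-skew allowance.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    if cond.get("NotBefore") and now + skew < _xsd_time(cond.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _xsd_time(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    # 3. Audience: an assertion minted for another service provider is not ours to accept.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise SamlValidationError("audience mismatch")
    # 4. Bearer confirmation: bound to our own request and our ACS URL.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None:
        raise SamlValidationError("missing SubjectConfirmationData")
    if scd.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("not a response to an outstanding request")
    if scd.get("Recipient") != expected_acs:
        raise SamlValidationError("recipient mismatch")
    if scd.get("NotOnOrAfter") and now - skew >= _xsd_time(scd.get("NotOnOrAfter")):
        raise SamlValidationError("subject confirmation expired")
    # 5. One-time use: the same assertion ID is never accepted twice.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise SamlValidationError("replayed or unidentified assertion")
    seen_ids.add(assertion_id)
    return root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)


def run_checks():
    """Accept the sample once, then show replay, expiry, wrong audience and unsolicited use rejected."""
    params = dict(expected_issuer="https://idp.example.test/saml",
                  expected_audience="https://app.example.test",
                  expected_acs="https://app.example.test/saml/acs", expected_request_id="_req42")
    at_10_01 = datetime(2021, 3, 1, 10, 1, tzinfo=timezone.utc)
    seen = set()
    results = {"first_use": validate_assertion(SAMPLE_ASSERTION, seen_ids=seen, now=at_10_01, **params)}
    overrides = {
        "replay": dict(seen_ids=seen, now=at_10_01),
        "expired": dict(seen_ids=set(), now=at_10_01 + timedelta(hours=1)),
        "wrong_audience": dict(seen_ids=set(), now=at_10_01, expected_audience="https://other.example.test"),
        "unsolicited": dict(seen_ids=set(), now=at_10_01, expected_request_id="_req99"),
    }
    for name, override in overrides.items():
        try:
            validate_assertion(SAMPLE_ASSERTION, **{**params, **override})
            results[name] = "accepted"
        except SamlValidationError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(run_checks())
```

Run it and the first use of the sample is accepted, while the replayed, expired, mis-addressed and unsolicited cases each fail with a named reason. Note that the InResponseTo check is also what rejects unsolicited (IdP-initiated) assertions; if you rely on IdP-initiated SSO from a launcher portal, that is a decision to make deliberately rather than by omission.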

Your Own Web Apps

Now, imagine you've also got your own apps, hosted on Azure, GCP or AWS. You'd typically offer a web front end to these apps and deliver it via the web server of your choice. These web servers are then exposed to the Internet. Job done... yes, if you are happy with that setup; no, if you are sensible and a wee bit more cautious :).

Here, you'd use VPC (Virtual Private Cloud) networks with your cloud provider of choice and, ideally, not expose these VPCs directly to the Internet at all. Instead, you'd publish the apps through a reverse proxy that sits in front of them and enforces authentication before any request reaches the web server (not a true 'air gap', but the app itself is no longer directly reachable). In the world of Duo Beyond, this means using the Duo Network Gateway (DNG), which requires a Duo-authenticated user (and, optionally, a trusted device) before it will proxy a request through to the app. The DNG can also protect on-premise web apps (and SSH servers) but, as we've discussed and particularly for the SMB market, these are more likely delivered via a cloud provider.

Core to a Zero Trust Strategy

So, in essence, Duo Beyond becomes the core of a Zero Trust strategy and is key to the point of Identity being the new perimeter.


Device

The concept of *any* device being a work device is reasonable. However, as part of a Zero Trust strategy, this has to include some controls, and what this typically means is 'posture' or 'context'. Would you feel comfortable allowing an employee to access the company CRM database using their home Windows PC that hasn't been patched in 6 years and isn't running any AV? Maybe you would... most might not. And this is where Duo steps up again.


Policy control, at various stages, includes the ability to assess posture from the Multi-Factor Authentication prompt itself: the browser and operating system versions (and whether they are out of date) can be checked without installing anything on the device. This is particularly useful when allowing access from non-managed devices.

For deeper visibility (and, therefore, policy control), the Duo Device Health application can be installed on devices: on corporately managed devices, but also on end-user devices if required, the latter potentially being a choice for the end user (i.e. install the Device Health app and I can then use some corporate apps on my home device: flexibility).


Here, additional attributes such as whether a firewall is enabled, disk encryption is on or a system password is set can help form the basis of which (if any) corporate assets a BYOD (Bring Your Own Device) device can access.

Of course, more capabilities can be discussed in order to ensure well-protected endpoints are being managed by the company. Here, I'd suggest looking at Meraki Systems Manager (MDM) in conjunction with Cisco Advanced Malware Protection (AMP) for Endpoints and Umbrella Roaming on the endpoint. Access attributes (i.e. is this a well-managed corporate device vs. a BYOD device with good health) can then be used to determine which resources these devices (and associated users) can access. All anchored on the foundation of robust user Identity: remember, the core tenet is Multi-Factor Authentication (MFA) so we feel comfortable about the user. From there, we can build some trust in the device, and these attributes can form the basis of permissions-based access control to the assets.
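The decision logic behind "managed corporate device vs. BYOD with good health", written out as an added example for this page rather than Duo's own policy engine or API. The attribute names, the trust tiers and the per-application requirements are assumptions chosen to mirror the argument above (identity first, then device posture, default deny); real Duo policies are configured in the admin panel, not in code.

```python
"""Attribute-based access decision: 'managed and healthy' vs 'BYOD with good health'.

Added example, not Duo's policy engine or API. Attribute names, trust tiers and the
per-application requirements are assumptions for illustration only.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class TrustLevel(IntEnum):
    NONE = 0             # no MFA, or an OS that no longer receives security updates
    MFA_ONLY = 1         # MFA passed; posture known only from the browser prompt
    BYOD_HEALTHY = 2     # MFA passed; health agent present and every check green
    MANAGED_HEALTHY = 3  # as above, and the device is corporately managed (MDM)


@dataclass(frozen=True)
class DevicePosture:
    mfa_passed: bool
    managed: bool                 # enrolled in MDM, e.g. Meraki Systems Manager
    os_supported: bool            # OS/browser still patched (visible from the prompt)
    health_agent: bool = False    # a device health app is reporting for this device
    firewall_on: Optional[bool] = None          # None means unknown (no agent)
    password_set: Optional[bool] = None
    disk_encrypted: Optional[bool] = None
    endpoint_protection: Optional[bool] = None  # e.g. AMP for Endpoints running


def trust_level(d: DevicePosture) -> TrustLevel:
    """Identity first, then device: no MFA means no trust, whatever the device."""
    if not d.mfa_passed or not d.os_supported:
        return TrustLevel.NONE
    # all() treats None (unknown) as a failed check, so no agent means not 'healthy'.
    health_ok = d.health_agent and all(
        (d.firewall_on, d.password_set, d.disk_encrypted, d.endpoint_protection)
    )
    if d.managed and health_ok:
        return TrustLevel.MANAGED_HEALTHY
    if health_ok:
        return TrustLevel.BYOD_HEALTHY
    return TrustLevel.MFA_ONLY


# Minimum trust each application class demands (assumed tiers for illustration).
APP_REQUIREMENTS = {
    "intranet-wiki": TrustLevel.MFA_ONLY,
    "email": TrustLevel.BYOD_HEALTHY,
    "crm": TrustLevel.BYOD_HEALTHY,
    "finance": TrustLevel.MANAGED_HEALTHY,
}


def decide(app: str, d: DevicePosture):
    """Return (allowed, reason). Applications without a policy are denied by default."""
    required = APP_REQUIREMENTS.get(app)
    if required is None:
        return False, f"no policy for {app!r}: default deny"
    level = trust_level(d)
    if level >= required:
        return True, f"{level.name} meets {required.name} for {app}"
    return False, f"{level.name} is below {required.name} required for {app}"


# Constructed sample devices (positional order matches the dataclass fields).
SAMPLE_DEVICES = {
    "corporate laptop": DevicePosture(True, True, True, True, True, True, True, True),
    "healthy BYOD": DevicePosture(True, False, True, True, True, True, True, True),
    "BYOD, firewall off": DevicePosture(True, False, True, True, False, True, True, True),
    "6-year-old home PC": DevicePosture(True, False, False),
    "stolen password, no MFA": DevicePosture(False, True, True, True, True, True, True, True),
}


if __name__ == "__main__":
    for name, device in SAMPLE_DEVICES.items():
        for app in APP_REQUIREMENTS:
            allowed, reason = decide(app, device)
            print(f"{name:24} {app:14} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The ordering of the tiers is the point: a corporate laptop with a failing health check drops to MFA_ONLY and loses access to the CRM, while a healthy BYOD device gets the CRM but never finance, and the unpatched home PC from the question above gets nothing even though its user passed MFA.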

Hopefully this makes sense and gives some confidence in pursuing a Zero Trust strategy underpinned by the robust capabilities of Cisco Duo.

PS, I'm a big fan of Google Chromebooks and if I had to manage a fleet of corporate access devices, that would be my choice. For the MFA element, I'd probably allow the use of BYOD smartphones (the Duo Mobile app is available for a lot of device types) and I'd use a permissions-based access control stack using all of the aforementioned attributes. Just my opinion...

The image below shows the Duo Mobile Security Checkup running on my iPhone. These attributes are used to determine the 'health' of the multi-factor device (in this case the Duo Mobile app on my iPhone). I'll need to upgrade my iOS soon before the score dips lower, at which point policy might dictate that the device is no longer suitable as an MFA device. Simple & effective.

[Image: Duo Mobile Security Checkup on iPhone]

Importantly (very! :)), an end user can enrol multiple devices for MFA. For example, the image below shows potential enrolment of a phone, tablet, landline, Touch ID or security key; the latter is brilliant. I use a YubiKey 5C Nano on my laptop and the UX is just brilliant.

[Image: Duo device enrolment options]

Any thoughts or questions then just shout!



Colin Bryce

Helping organisations make the most of Google Workspace and GCP.

4 years ago

The zero trust model certainly seems to be building momentum - Duo is an interesting tool... Can only agree with you on Chromebooks too!

Ray Smith

Head of Solutions

4 years ago

Excellent write up Steve. Good to see Cisco’s approach to zero trust clearly mapped out

Rowan Manson

Helping orgs using Google Workspace + GCP and building the #1 Google Cloud partner in North America.

4 years ago

Wonderful article Steve McKee - love it!
