Cisco Security Reference Architecture

Explore an overview of the Cisco Secure portfolio and common use cases.

How to use Cisco Security Reference Architecture

The Cisco Security Reference Architecture provides an overview of the Cisco Secure portfolio, commonly deployed use cases, and the recommended capabilities within an integrated architecture. The reference architecture is organized into domains that align closely with industry security frameworks such as NIST, CISA, and DISA. The five main components of the reference architecture are listed below.

  • Threat intelligence
  • Security operations toolset
  • User/device security
  • Network security: cloud edge and on-premises
  • Workload, application, and data security

Every organization has a unique environment based on business requirements. Just because the reference architecture includes certain capabilities does not mean that your environment must. Additionally, in most cases multiple listed capabilities would be instantiated in a single product to simplify operations. We encourage you to connect with your Cisco account team and map out your security journey.

Reference architecture overview

The overview includes several commonly deployed use cases such as Zero Trust, SASE, and XDR. At a high level, Talos is the main foundational component that provides threat intelligence and malware analytics to the entire architecture. Talos provides the actionable threat intelligence, malware research, and analytics that deliver real-time, end-to-end threat prevention across the network. Talos delivers dynamic threat intelligence to the Cisco security platform through IP and domain reputation, Snort signatures, malicious file analysis and control, and URL categorization, providing actionable intelligence enforcement in the endpoint, firewall, email, and web gateways.

Zero Trust surrounds the SASE layer and everything inside it because Zero Trust is a methodology that spans the entire architecture, not a single product or a set of individual products. Zero Trust consists of several requirements that can be enforced on users and devices traversing the cloud edge or on-premises networks when accessing workloads with applications and data. The layer below Zero Trust is SASE. SASE describes an architecture for securing the remote worker and cloud-edge networks such as remote offices or branches. The user/device security component provides the capabilities needed to deliver a secure and easy user-access experience through the new unified Secure Client. As users/devices access workloads, applications, and data (at the bottom of the diagram), two possible paths (cloud or on-premises access) can be taken. Any access to public SaaS applications or the internet goes through the cloud edge network, where cloud security services are performed. The other access path to workloads/applications/data is on-premises access, where traditional on-premises security services are applied. For further details, please see the following use cases.

Use case: common identity

Cisco pxGrid facilitates user/device context sharing throughout the network and in the application security component of Zero Trust for workloads in hybrid private/public clouds such as AWS, Azure, and GCP. Identity sharing with Cisco Umbrella under cloud edge is available today using AD/LDAP connectors to extend on-premises identity to the Umbrella cloud as part of Umbrella's policy control. Extending identity into Umbrella using pxGrid will be an option in the future and will enable Umbrella customers to enrich their cloud access policies with greater context details. Many Fortune 1000 customers use pxGrid to integrate third-party pxGrid ecosystem solutions into their identity and access deployments.

Use case: converged multicloud policy

A converged multicloud policy can be built and managed in stages, starting with application workloads and moving toward the endpoints. Many customers request synchronization of workload and data center perimeter policies to improve firewall policy management in general. For example, a comprehensive Secure Workload policy can be synchronized with AWS VPC Network Security Group policies for EC2 instances running agents and for serverless apps. Beyond the data center perimeter, the workload policy engine can synchronize with network firewalls to improve operational efficiency. This requires further examination and planning of network policies because of the complexity of merging multiple layers of firewalls. This concept of a multicloud converged policy engine is available today and will continue to evolve and improve based on commonly deployed customer use cases.

Use case: SASE integrations

The Cisco SASE solution via Cisco Umbrella delivers threat protection and secure access anywhere the user is—home, local coffee shop, headquarters, or regional office. The combination with SD-WAN helps ensure that the appropriate access policy is applied, without requiring the user to decide how to securely connect. The Cisco SASE solution auto-tunnel feature—using, for example, Viptela vManage, Meraki, or Firepower—lets customers easily build thousands of secure IP tunnels with a few clicks and API key entries. Using Umbrella's Secure Internet Gateway (SIG) capabilities, customers can enjoy security features such as DNS security, Snort IPS, cloud-delivered firewall, remote browser isolation, CASB, malware inspection, and more. These advanced security and deployment features reduce human error in large-scale deployments and help enable context-rich policies that mitigate unauthorized access.

Use case: zero-trust network access (ZTNA)

The Cisco Zero Trust solution provides user and application security across the entire architecture. Both personal bring-your-own-device (BYOD) and corporate-issued devices are put through an adaptive multi-factor authentication process (risk-based authentication) and assigned least-privileged access with continuous trust monitoring. Application access is dynamically revoked or authorized if the user/device posture status changes. With Umbrella's managed zero trust network access (ZTNA), customers can offload remote access administration to Cisco managed services and quickly deploy zero-trust services for public and private application protection. Self-managed ZTNA customers can continue to deploy AnyConnect VPN services or leverage Duo's cloud single sign-on (SSO) and Duo Network Gateway for non-VPN-based application access. Duo's passwordless SSO improves and simplifies the user login experience.

Use case: XDR telemetry and orchestration

The Cisco XDR platform provides visibility, prioritized incident investigation/response based on AI/ML, and orchestration with context and threat intelligence sharing to assist SecOps. Endpoint device information (from sources ranging from mobile device management and endpoint security software such as Duo Device Health and Cisco Secure clients to third-party EDR solutions) can be sent to Cisco XDR Insights for a complete asset inventory and compliance validation. Cisco XDR helps SOC analysts aggregate and correlate data from multiple sources into a unified view to streamline investigations and implement the most efficient and effective response. Cisco XDR's open and flexible API capabilities further enhance its threat efficacy through third-party integrations. Thus, Cisco XDR improves the way security operations support detection and response on a daily basis.