Authored by Kedar Hiremath and Matt Brooks
Moving to the cloud and securing applications and data globally is paramount to protect your business. Bad actors are always looking for ways to exploit the reality of digital communication. Zero Trust reflects this evolving threat landscape and has become a central framework for security practitioners to plan their defenses.
In this blog, we’ll discuss Cisco’s approach to Zero Trust, with Cisco Umbrella and Cisco Duo working together to deliver a comprehensive security solution for Internet and cloud application access. We’ll also discuss a Hitachi use case and how Cisco Duo, along with Cisco’s Secure Access Service Edge (SASE) offering, protects their global environment.
Zero Trust
Traditional security approaches assume that anything inside the corporate network can be trusted. A zero-trust model considers all resources to be external and continuously verifies trust before granting only the required access.
It’s a strategic approach to security that relies on the concept of eliminating trust from an organization’s network architecture. Trust is neither binary nor permanent, and we shouldn’t assume that internal entities are trustworthy, that they can be managed to reduce security risk, or that checking them once is enough. Zero trust prompts you to question assumptions of trust at every access attempt.
With Cisco Duo zero trust, you establish trust, enforce trust-based access, and verify trust continuously. You gain better visibility across your users, devices, networks, and applications because you are verifying their security states with every access request. You can reduce your organization’s attack surface by segmenting resources and only granting the absolute minimum access needed.
In the Cisco Security Outcomes Report, Volume 3, one of the success factors for achieving security resilience was maximizing zero trust adoption. The study found that:
“Respondents with mature zero trust implementations boosted their security resilience rating by 30% over organizations that hadn’t started that journey!”
It also found that secure access service edge (SASE), which offers a strategy to converge networking and security into a cloud-delivered service, correlates with higher success rates for 8 out of the 9 desired security resilience outcomes and overall security resilience scores that were, on average, 15% higher than those that had no progress on the SASE front.
Umbrella and SASE
Cisco Umbrella is a cloud-delivered security platform that secures internet access and controls cloud app usage across networks, branch offices, and roaming users. It expands Cisco’s SASE offering, unifying security and network functionality in the cloud. Umbrella provides:
- Cloud-delivered firewall
- DNS-layer security
- Cloud access security broker (CASB)
- Secure web gateway (SWG)
This functionality is all included in a single cloud solution.
The secure web gateway (SWG) prevents access to potentially dangerous or prohibited sites anywhere users go. It is enabled per user and, for devices, per piece of production equipment or sensor. It helps to protect against malware, ransomware, and C2 callbacks, with no added latency. It also provides visibility into internet activity across all locations and users.
Umbrella also includes threat intelligence, remote browser isolation (RBI), data loss prevention (DLP), and cloud malware detection, all while acting as a secure onramp to the internet to provide protection against threats for users anywhere they connect.
This is important because IoT and data utilization are at the forefront of smart factories, with production equipment and sensors transmitting operating status data to other systems via the Internet. Cisco Umbrella monitors devices to see if they are transmitting data to the correct destinations and checks for unauthorized activities, minimizing the risk of information leakage.
Duo and zero trust
The first step of the zero-trust journey for many organizations is verifying users and devices through multi-factor authentication (MFA). Among our Security Outcomes study respondents, rolling out MFA correlated with an 11% improvement in security resilience scores.
Duo is the world’s zero trust identity solution that protects access to all applications, for any user and device, from anywhere. It is cloud-based and designed to be easy to administer and deploy, while providing complete endpoint visibility and control. Duo verifies users’ identities with strong MFA, paired with deep insights into your users’ devices. Duo gives you the policies you need to limit access based on endpoint or user risk.
Duo supports leading MFA authentication protocols – including standards like FIDO2 WebAuthn – to enable methods including hardware keys and biometrics. With the support of FIDO2, Duo prevents session hijacking through phishing attacks by requiring channel binding. And it prevents man-in-the-middle attacks by requiring source binding. Duo also supports passwordless authentication, eliminating the issues with passwords altogether.
Umbrella + Duo provide better security together
Both Umbrella and Duo provide protection to secure users and their endpoints’ access to apps and data, and both have origins in zero trust. Cisco’s strategic approach to zero trust includes four groups of solutions to manage the trust lifecycle.
1. Establish trust
Establishing trust starts with verifying users and devices through increased visibility. Systems like Cisco Secure Endpoint that manage endpoint operating systems may establish whether there are any existing threats. Duo Trusted Endpoints can communicate directly with Cisco Secure Endpoint and may be configured to prohibit authentication if the device status is out of compliance. It can also use device enrollment as an indication of whether the device is a corporate device, which may be configured as a condition to allow authentication.
Regardless of whether the device is enrolled, especially for BYOD devices, Duo Device Health App can verify whether essential system components are safe to establish trust. This includes whether the OS and browser need to be patched, or whether storage encryption or the host-based firewall are disabled.
Duo Risk-Based Authentication may dynamically use device posture signals or context to determine whether stronger authenticators are required such as Verified Duo Push, biometric authenticators like Windows Hello and Apple Touch ID, or roaming security keys.
With Cisco Secure Email, endpoints will be protected from a significant threat vector. But if a user’s personal email or unguided surfing leads them to click on a phishing link, Cisco Umbrella will block the connection, log the threat, and notify the user appropriately.
Nevertheless, if a user inadvertently navigated to a phishing site that feigns identification controls, Duo FIDO2 would block authentication and the establishment of trust from proceeding.
2. Enforce trust-based access
These solutions grant the appropriate level of access and enforce access policies based on the principle of least privilege. Here, other Cisco security components can be invoked. This includes Cisco ISE which may be used to establish north-south network segmentation. It also includes Cisco Secure Workload to establish east-west micro-segmentation for cloud services, to mitigate the risk of lateral movement in the event of an attack.
3. Continuously verify trust
Change is inevitable. So continuously verifying trust by reassessing trust level and adjusting access accordingly is critical, even after initial access has been granted. Here, Cisco Umbrella will continuously inspect and verify session payloads for any threats to endpoints, corporate systems, or data.
4. Respond to change in trust
Cisco’s security solutions empower teams to respond to change in trust by investigating and orchestrating responses to potential incidents with increased visibility into suspicious changes in trust level.
Umbrella and Duo can both constantly feed threat data to Cisco SecureX, the company’s extended detection and response (XDR) solution, which delivers visibility into data across networks, clouds, endpoints, and applications. All of this is done while applying analytics and automation to detect, analyze, hunt for, and remediate today’s and tomorrow’s threats.
The Security Outcomes study found a whopping 45% better overall resilience score in organizations with progress toward XDR.
How Hitachi used Cisco Umbrella and Duo to deliver identity and security
“Cisco is a dependable partner who can share the same vision and help us tackle difficult challenges. We can do this together!”
Hitoshi Tanaka, General Manager of Global Solutions 2nd Office IT Strategy & Digital Integration Division Hitachi, Ltd.
Hitachi was working to restructure its security infrastructure, because users, devices, systems, and data are scattered widely inside and outside the company’s network due to diversified work styles, people working from home and across the world. Hitachi partnered with Cisco to enhance its security infrastructure to ensure strict authentication of users and devices using a zero-trust architecture. The goal was to safeguard all these different avenues of users’ data and Internet experience, so users could connect online with confidence.
The results of Hitachi implementing a zero-trust strategy and its partnership with Cisco were:
- SASE deployment that enabled Hitachi to take a huge leap forward in security restructuring
- Unauthorized data detected by authentication of users
Hitachi’s Cisco Umbrella + Duo partnership in zero trust security brought a decentralized approach to security where the policy follows the user, and verification is required for everything because anything that accesses the systems or data cannot and should not be automatically trusted. Factory sensors and production equipment are autonomously transmitting data and accessing systems and services, so safety must be verified against both the users and objects.
Hitachi implemented Cisco Umbrella for cloud security and Cisco Secure Access by Duo for ID/access management. Umbrella provides the comprehensive security suite, while Duo is the authentication solution supporting multi-factor authentication and biometrics.
Hitachi also required MFA for accessing the systems and services after starting a PC at home, inside the office, or from a remote location outside the office. Duo allows users to choose any combination of multifactor authentication, enabling Hitachi to design an authentication environment tailored to each work style and job type.
As digitization continues to advance in society, security will always be at the forefront.
Cisco and Hitachi both aim to bring societal benefits and superior IT solutions to customers, and Umbrella + Duo services have provided Hitachi the needed scalability to confidently rebuild the entire security infrastructure of the Hitachi Group. With this partnership there’s a common vision of security and agility for the global workforce, securing a staff of almost 350,000 people worldwide.
The benefits of Cisco Umbrella and Duo together
Duo and Umbrella are better together because they are complementary solutions. Umbrella will secure all the outbound traffic from the organization to determine where it is going on the internet. And Duo establishes user and device trust, which in turn adds another layer of protection for the organization’s information and data.
Hitachi has demonstrated well how to protect their global environments and mitigate the risk of cyber-attacks at scale with Cisco Umbrella and Duo working together.
TEC Communications is a Cisco Premier Certified Partner and trusted IT solutions provider for over 40 years.