
Architecture Guide

Cisco Public

Cisco Zero Trust


Architecture Guide

January, 2023

© 2023 Cisco and/or its affiliates. All rights reserved. Page 1 of 32


Contents
Introduction 3
Cisco Zero Trust Framework 3
Zero Trust Security Frameworks 4
User and Device Security 4
Network and Cloud Security 5
Application and Data Security 6
Cisco SAFE Capabilities 8
Zero Trust Common Capabilities 8
Security Capability Groups 9
Endpoint Security 9
Secure Internet Gateway 10
Application Workload Security 11
Internet Edge Capabilities 12
Cisco SAFE Business Flows 14
Zero Trust Business Flows 14
Zero Trust Business Flows - Threat Vectors 14
Zero Trust Business Flows - Capability Mapping 15
Zero Trust Business Flows - Capability Mapping by Zero Trust Pillar 16
Cisco Zero Trust Reference Architecture 17
Appendix 19
Appendix A – Cisco Zero Trust Reference Architecture - Security Capabilities 19
Appendix B – Cisco Zero Trust Reference Design 23
Appendix C – Zero Trust Detailed Business Flows with Capabilities 24
Appendix D - Acronyms Defined 31
Appendix E - References 32
Appendix F - Feedback 32



Introduction
Zero trust is a strategic approach to security that centers on the concept of eliminating trust from an
organization's network architecture. Trust is neither binary nor permanent. It can no longer be assumed that
internal entities are trustworthy, that they can be directly managed to reduce security risk, or that checking
them one time is enough. The zero-trust model of security prompts you to question your assumptions of trust at
every access attempt.

Traditional security approaches assume that anything inside the corporate network can be trusted. The reality is
that this assumption no longer holds true, thanks to mobility, BYOD (Bring Your Own Device), IoT (Internet of
Things), cloud adoption, increased collaboration, and a focus on business resiliency. A zero-trust model
considers all resources to be external and continuously verifies trust before granting only the required access.

The key to comprehensive Zero Trust is extending security throughout the entire network environment with
examples such as:

● Employees accessing sensitive applications, both on and off the enterprise network
● Contractors and guests using the network infrastructure
● Application to application communications
● Communication between industrial control systems

Cisco Zero Trust Framework

Cisco Zero Trust Framework

Security is not one-size-fits-all, and Zero Trust is more than network segmentation. To help understand the
architecture, Cisco has broken it down into three pillars:

● User and Device Security: making sure users and devices can be trusted as they access systems,
regardless of location
● Network and Cloud Security: protecting all network resources on-prem and in the cloud, and ensuring
secure access for all connecting users
● Application and Data Security: preventing unauthorized access within application environments
irrespective of where they are hosted

Zero Trust Security Frameworks


The following table shows how Zero Trust Frameworks map to the Cisco Zero Trust Framework.
Cisco                         | NIST Cyber Security Framework | CISA                 | Common
User and Device Security      | Users                         | Identity             |
                              | Devices                       | Device               |
Network and Cloud Security    | Networks/Hybrid Multi-Cloud   | Network/Environment  | Visibility & Analytics
                              |                               |                      | Automation & Orchestration
                              |                               |                      | Governance
Application and Data Security | Applications                  | Application Workload |
                              | Data                          | Data                 |

This architecture guide is focused on the Cisco Zero Trust Framework with the User and Device Security,
Application and Data Security, and Network and Cloud Security pillars. If interested in how Cisco products map
to other Zero Trust Frameworks, refer to Zero Trust Frameworks.
User and Device Security
User and Device Security provides solutions that establish trust in users and devices through authentication and
continuous monitoring of each access attempt, with custom security policies that protect every application.

With a zero-trust approach to securing users and devices, you can help prevent or mitigate several
different types of attacks that target users and devices in this new perimeter-less world:

Rogue Actor: Attackers can easily steal or compromise passwords via phishing emails sent to users. With
stolen credentials, they can log in to work applications or systems undetected and access data.
Brute-force attacks involve programmatically trying different credential pairs until they work, another
attack that can be launched remotely. Once inside, attackers can move laterally to get access to more
sensitive applications and data.

Malicious Device: Devices running older versions of software – such as operating systems, browsers,
plugins, etc. – can be susceptible to vulnerabilities not patched by software vendors. Without those
security patches, devices that access work applications and data can introduce risk by increasing the
overall attack surface.

Insecure unmanaged device (BYOD): Often, devices that are not owned or managed by your IT team can have
out-of-date software and lax security. Devices that do not have certain security features enabled – such
as encryption, firewalls, passwords, etc. – are considered riskier or potentially out of compliance with
data regulation standards that require encryption, like healthcare industry compliance standards.



The ideal end state of your zero trust for user and device security would allow your enterprise to answer the
following:

● Are my users really who they say they are? Verify the identity of every user, regardless of type
(contractors, vendors, third-party providers, partners, remote users, employees, temporary workers,
etc.)
● What devices are connecting to my applications and data? Get visibility into every type of device, both
managed and unmanaged (mobile, laptops, and desktops; company-issued, -owned, or -managed; user-
owned)
● Who or what is allowed to access my applications and data? By enforcing adaptive access policies,
you can limit access to enterprise applications and data based on user role, type of device, security
health of user devices, user group, application type, and much more
● How can I enable remote, frictionless access for all users? With a remote-access proxy, you can
enable access to multi-cloud environments, web applications, servers, VPNs, and more for employees,
remote workers, and contractors. With Single Sign-On (SSO), you can allow users to securely access
their cloud and on-premises applications seamlessly by logging in just once
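
The adaptive access decision described in the list above can be made concrete with a small policy evaluator. The Python below is an added example written for this guide's reader, not Cisco's or Duo's implementation: every access attempt is evaluated from scratch, the second factor must be presented on each attempt, the requesting device's posture is classified from the controls the text names (encryption, patches, firewall), and sensitive applications are limited to managed, fully healthy devices. The application policy table, the role names, the two sensitivity levels and the device attributes are assumptions made for the example.

```python
"""Adaptive access-policy evaluator (added example; not Cisco's code).

Every access attempt is evaluated from scratch: who the user is, whether the
second factor was presented, which device is asking and how healthy it is,
and which application is requested. The policy table and all inputs below
are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed application policy: which roles may use each app and how
# sensitive it is (assumption: two sensitivity levels, "low" and "high").
APP_POLICY = {
    "payroll": {"roles": {"finance"}, "sensitivity": "high"},
    "wiki": {"roles": {"employee", "contractor"}, "sensitivity": "low"},
}


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in MDM / owned by the enterprise
    disk_encrypted: bool
    os_patched: bool
    firewall_enabled: bool


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    mfa_verified: bool     # second factor presented for *this* attempt
    device: Device
    app: str


def device_health(dev: Device) -> str:
    """Posture classification: 'healthy', 'degraded' or 'unhealthy'."""
    missing = [name for name, ok in (("disk_encryption", dev.disk_encrypted),
                                     ("os_patch", dev.os_patched),
                                     ("firewall", dev.firewall_enabled)) if not ok]
    if not missing:
        return "healthy"
    # Missing disk encryption, or more than one missing control, is unhealthy.
    if not dev.disk_encrypted or len(missing) > 1:
        return "unhealthy"
    return "degraded"


def decide(req: AccessRequest) -> tuple:
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up'."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return "deny", "unknown application (default deny)"
    if not req.mfa_verified:
        return "step_up", "second factor required at every access attempt"
    if not (req.roles & policy["roles"]):
        return "deny", "user role not authorized for this application"
    health = device_health(req.device)
    if health == "unhealthy":
        return "deny", "device fails posture checks"
    if policy["sensitivity"] == "high":
        if not req.device.managed:
            return "deny", "sensitive application requires a managed device"
        if health != "healthy":
            return "deny", "sensitive application requires a fully healthy device"
    return "allow", "role and device posture (%s) satisfy policy" % health


if __name__ == "__main__":
    laptop = Device(managed=True, disk_encrypted=True, os_patched=True, firewall_enabled=True)
    byod = Device(managed=False, disk_encrypted=True, os_patched=False, firewall_enabled=True)
    for r in (
        AccessRequest("alice", frozenset({"employee", "finance"}), True, laptop, "payroll"),
        AccessRequest("alice", frozenset({"employee", "finance"}), True, byod, "payroll"),
        AccessRequest("bob", frozenset({"contractor"}), False, byod, "wiki"),
        AccessRequest("bob", frozenset({"contractor"}), True, byod, "wiki"),
    ):
        print(r.user, r.app, "->", decide(r))
```

The order of the checks matters: the unknown-application and missing-MFA checks come first so that no role or device information is disclosed in the reason string before the requester has proven who they are, and the device posture is re-evaluated on every call rather than cached from a previous login.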
Network and Cloud Security
Network and Cloud Security enables users to securely connect to your network from any device, anywhere,
while restricting access from non-compliant devices. Automated network-segmentation capabilities enable
administrators to set policy for users, devices, and application traffic without requiring network redesign.

With a zero-trust approach to securing the workplace, you can help prevent or mitigate several different
types of attacks that target the network:

Data Exfiltration: Suspect data loss occurs when an abnormal amount of data has been transferred out of
the network. Suspect data hoarding occurs when an inside host is found downloading an abnormal amount of
data from other inside hosts.

Exploitation: Hosts attempting to compromise each other, such as through worm propagation and brute-force
password cracking.

Malicious Insider: An unknown host on the network, or a host that has been compromised and has attempted
deviant communication, such as reaching out to a command-and-control server.

In an enterprise architecture, the network may span multiple domains, locations, or sites such as main
campuses and remote branches, each with multiple devices, services, and policies. A Zero Trust solution
should demand an end-to-end architecture that ensures consistency in terms of connectivity, segmentation,
and policy across the full spectrum of the network.

Zero Trust for network and application security enables network administrators to:

● Know who is on the network. To truly secure the network, you need to know what is connecting to it.
For managed devices, such as laptops and smartphones, mobile device management (MDM) can be
used to determine whether the connecting device is what it says it is. For unmanaged devices, such as
BYOD or IoT devices, network-based machine learning can be used to identify attributes for
categorization, while sensitive workloads can be limited to managed devices controlled by the enterprise
● Define what endpoints can access. Segmentation and access policies should be easily defined for
individual devices as well as groups of similar devices. These policies should be defined with least-
privilege access to help ensure that devices have only the minimal level of access, minimizing the
potential for lateral movement of threats
● Provide always-on analysis and enforcement. Security threats are always evolving, so a continuous
loop of analysis and enforcement must be administered to stay atop intrusions and vulnerabilities. It is
important to understand traffic norms and identify out-of-policy traffic, enabling device isolation in
the case of an event
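
The Data Exfiltration threat described earlier in this section (suspect data loss and suspect data hoarding) and the "understand traffic norms" bullet above come down to comparing each host's traffic volume against its own baseline. The Python below is an added example, not Cisco Secure Network Analytics code: it aggregates one day's constructed flow records per inside host, compares outbound-to-external and inbound-from-internal volumes against each host's constructed history, and flags a host whose volume exceeds the baseline mean plus k standard deviations. The internal address ranges, the k=3 multiplier, the 50 MB floor and the three-day minimum history are assumptions made for the example.

```python
"""Flow-based detection of suspect data loss and data hoarding (added example;
not Cisco's code). Flow records, address ranges and history are constructed.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: these prefixes are the organization's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_volumes(flows):
    """Aggregate one day's flow records (src, dst, bytes).

    Returns (bytes each inside host sent to external hosts,
             bytes each inside host received from other inside hosts).
    """
    out_external = defaultdict(int)
    in_internal = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            out_external[src] += nbytes          # candidate data loss
        elif is_internal(src) and is_internal(dst) and src != dst:
            in_internal[dst] += nbytes           # candidate data hoarding
    return out_external, in_internal


def flag_anomalies(today, history, k=3.0, floor=50_000_000):
    """Flag hosts whose volume exceeds their baseline mean + k*stddev.

    `history` maps host -> list of past daily totals; a host with fewer than
    three days of history, or below `floor` bytes, is never flagged (avoids
    alerting on hosts the baseline does not yet describe).
    """
    flagged = {}
    for host, volume in today.items():
        past = history.get(host, [])
        if len(past) < 3 or volume < floor:
            continue
        threshold = mean(past) + k * pstdev(past)
        if volume > threshold:
            flagged[host] = {"volume": volume, "threshold": round(threshold)}
    return flagged


# Constructed sample: ~20-30 MB/day baselines, one exfiltrating host, one hoarder.
MB = 1_000_000
HISTORY_OUT = {"10.1.1.5": [20 * MB, 22 * MB, 19 * MB, 21 * MB, 20 * MB],
               "10.1.1.9": [30 * MB, 28 * MB, 31 * MB, 29 * MB, 30 * MB]}
HISTORY_IN = {"10.1.1.7": [100 * MB, 95 * MB, 105 * MB, 98 * MB, 102 * MB]}
TODAY_FLOWS = [
    ("10.1.1.5", "203.0.113.10", 300 * MB),   # suspect data loss
    ("10.1.1.9", "203.0.113.10", 31 * MB),    # normal outbound volume
    ("10.1.1.20", "10.1.1.7", 600 * MB),      # suspect hoarding: 10.1.1.7 pulls
    ("10.1.1.21", "10.1.1.7", 350 * MB),      # large volumes from inside hosts
    ("10.1.1.7", "10.1.1.20", 2 * MB),
]


def run_detection(flows=TODAY_FLOWS):
    out_external, in_internal = daily_volumes(flows)
    return {"data_loss": flag_anomalies(out_external, HISTORY_OUT),
            "data_hoarding": flag_anomalies(in_internal, HISTORY_IN)}


if __name__ == "__main__":
    for category, hosts in run_detection().items():
        print(category, hosts or "none")
```

A host without enough history is deliberately not flagged; in practice such hosts are the ones to enrol in the baseline first, since a newly appeared host moving large volumes is exactly the "unknown host on the network" case from the Malicious Insider threat.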
Application and Data Security
Application and Data Security secures connections for all APIs, microservices, and containers that access
applications, whether in the cloud, data center, or other virtualized environment.

Enterprise networks are becoming increasingly complex as applications move to multi-cloud and leverage
containers and microservices, creating new security, reporting, and compliance challenges. With a
zero-trust approach to securing applications and data, you can help prevent or mitigate several different
types of attacks that target applications:

Advanced Threats: For example, a malicious actor on the public network exploits a PHP code injection
vulnerability on the web application and gains access to the details of the underlying operating system
and installed packages. The attacker then exploits a known vulnerability in the underlying operating
system or the installed package to perform privilege escalation, and then goes on to establish a
command-and-control channel to a malicious server running on the attacker's network by remotely executing
a piece of code. The attacker then starts profiling the application environment and exfiltrates sensitive
data out through the established command-and-control channel over outbound UDP port 53 (DNS protocol).

Malware: Zero-day malware attacks, poorly developed applications, or unpatched applications are all
attack vectors that can be exploited by threat actors. If not protected, the attacker can push malicious
code into the source repository, resulting in infected software and potential propagation.

Malicious Insider: Without appropriate network visibility and segmentation policies, unknown users or
applications may exist in the network, or known applications may deviate from characteristic behavior.
Malicious actors can take advantage of a flat network with little to no visibility and infiltrate the
network without triggering suspicion.

The need for comprehensive visibility of all network traffic down to the individual workload level for effective
security policy management and enforcement has never been more important than now. The ideal end state of
your zero trust for the workloads solution would allow your enterprise to answer the following:



● Do I have complete visibility of application communication? Achieving comprehensive zero trust and
true end-to-end visibility across on-premises and multi-cloud environments requires robust network-
based detection and response. It is critical to understand who and what are on the network before any
segmentation policies can be applied
● Can I control workloads moving laterally throughout the network? When you have visibility across
how the digital business operates, you can create smart segmentation policies to control access to
critical resources. This ability is very important to prevent threats from spreading and creating a
significant impact.
● Do I understand the posture of my applications and are they compliant with industry best practices?
Organizations that have moved resources and workloads to public cloud environments like AWS, Azure,
and Google Cloud Platform face a multitude of new security, policy, and compliance-related challenges.
Developing robust cloud security posture management (CSPM) capabilities such as monitoring risk
exposure levels related to configuration, network segmentation, user, and system events helps
guarantee sound policy management and protect against data leakage



Cisco SAFE Capabilities
The Cisco Zero Trust Architecture is defined using the Cisco SAFE methodology. For more information on SAFE
please go to cisco.com/go/safe.
Zero Trust Common Capabilities
The following common capabilities are included in Cisco Zero Trust.
Anomaly Detection: Anomaly detection maintains complex models of what is normal and, in contrast, what
is anomalous. Not all anomalous traffic is malicious, and therefore deviations in the network are
classified into event categories to assign severity to the anomalies.

Device Posture Assessment: The device posture assessment analyzes the device, assesses its security
posture, and reports it to the policy decision management system.

Flow Analytics: Network Detection and Response (NDR) solutions leverage pre-existing infrastructure to
offer enterprise-wide, contextual visibility of network traffic. Flow information can be used to conduct
forensic analysis to aid in lateral threat movement investigations and ensure ongoing zero trust
verification is provided, and modern tools can even detect threats in encrypted traffic.

Identity Authorization: Establish trust by verifying user and device identity at every access attempt.
Least-privilege access should be assigned to every user and device on the network, meaning only the
applications, network resources, and workload communications that are required should be permitted.

Multi-Factor Authentication: Authentication based on usernames and passwords alone is unreliable since
users may have trouble storing, remembering, and managing them across multiple accounts, and many reuse
passwords across services and create passwords that lack complexity. Passwords also offer weak security
because of the ease of acquiring them through hacking, phishing, and malware. Multi-factor authentication
(MFA) requires extra means of verification that unauthorized users will not have. Even if a threat actor
can impersonate a user with one piece of evidence, they will not be able to provide two or more.

Security Assertion Markup Language (SAML) & Single Sign-On (SSO): SAML is an open standard that
simplifies the login experience for users. It lets them access multiple applications with one set of
credentials, usually entered just once. SAML is the underlying technology that links applications with
trusted identity providers.

Security Orchestration, Automation and Response (SOAR): SOAR is a set of technologies that enable
organizations to collect information monitored by the security operations team.

Threat Intelligence: Knowledge of emerging threats from active adversaries is shared with solutions that
will utilize the information to protect the organization.
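
The Multi-Factor Authentication capability above rests on a second factor the attacker cannot reproduce from a stolen password. The most common software second factor is a time-based one-time password. The Python below is an added example, not Cisco's or Duo's code: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, and a verifier that tolerates clock skew of one time step while refusing any code for a counter already accepted, so an intercepted code cannot be replayed inside the skew window. The shared secret is the RFC 6238 test-vector secret, not a real key; the 30-second step and one-step window are the RFC defaults.

```python
"""Time-based one-time password (TOTP) generation and verification, as used
for the second factor in MFA (added example; not Cisco's or Duo's code).
Implements RFC 4226 (HOTP) and RFC 6238 (TOTP) with HMAC-SHA1; the shared
secret below is the RFC 6238 test-vector secret, not a real key.
"""
import hashlib
import hmac
import struct
import time

RFC6238_TEST_SECRET = b"12345678901234567890"  # from RFC 6238 Appendix B


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, window: int = 1, digits: int = 6):
    """Return the matching time-step counter, or None if the code is invalid.

    `window` allows +/- that many steps of clock skew. A counter at or below
    `last_counter` is refused so an intercepted code cannot be replayed
    within the skew window; callers persist the returned counter per user.
    """
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        # Constant-time comparison: do not leak which digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_TEST_SECRET, now)
    print("current code:", code, "accepted at counter:",
          verify_totp(RFC6238_TEST_SECRET, code, now))
```

The verifier returns the counter rather than a boolean on purpose: storing that value per user and passing it back as `last_counter` on the next attempt is what turns a "something you have" check into one that also resists a phished code being reused a few seconds later. Rate limiting of failed attempts, which the example omits, is the other control a production verifier needs.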

Security Capability Groups


A security capability group is made up of multiple security capabilities.

The security capability groups are:

● Endpoint Security
● Secure Internet Gateway
● Application Workload Security

Endpoint Security

Endpoint security solutions protect endpoints such as mobile devices, desktops, laptops, and even medical and
IoT devices. Endpoints are a popular attack vector, and the goal of an attacker is to not only compromise the
endpoint but also to gain access to the network and the valuable assets within.

Security practices such as turning on disk encryption, disabling automatic login, and installing anti-virus help
ensure an endpoint is “healthy” when joining the network or accessing an application.
Anti-Malware: Advanced malware's goal, in general, is to penetrate a system and avoid detection. Once
loaded onto a computer system, advanced malware can self-replicate and insert itself into other programs
or files, infecting them in the process. Anti-malware protection should be implemented both in the
network (to prevent initial infection and detect attempts to spread) and in the endpoint (to prevent
endpoint infection and remove unwanted threats). This capability represents endpoint anti-malware.

Anti-Virus: Anti-virus typically deals with older, established threats such as trojans, viruses, and
worms. Anti-virus is generally included in anti-malware solutions, which can also detect new, modern-day
threats.

Device Health Connector: The device health connector analyzes a device, assesses its security posture,
and reports it to the policy decision management system.

DNS Security Connector: The DNS security connector enforces security at the DNS layer to block malware,
phishing, and command-and-control callbacks over any port.

Mobile Device Management: Mobile device management (MDM) includes software that provides the following
functions: software distribution, policy management, inventory management, security management, and
service management for smartphones and media tablets. MDM provides endpoint access control based on
policies.

Web Security Connector: The web security connector redirects all web traffic to a full web proxy that
provides secure web gateway security services.

Secure Internet Gateway

A Secure Internet Gateway (SIG) unifies multiple functions in a single solution that traditionally required a set of
on-premises security appliances (firewalls, proxies, gateways) or single function cloud-based security
solutions.
Application Visibility & Control: Visibility and access control for approved web applications.

Cloud Access Security Broker (CASB): An intermediary between cloud providers, cloud-based applications,
and cloud consumers that enforces an organization's security policies and usage.

Data Loss Prevention: Data Loss Prevention (DLP) is designed to stop sensitive information from leaving
an organization. The goal is to stop information such as intellectual property, financial data, and
employee or customer details from being sent, either accidentally or intentionally, outside the corporate
network.

DNS Security: DNS security enforces security at the DNS layer to block malware, phishing, and
command-and-control callbacks over any port.

Firewall: Macro-segmentation is the process of separating a network topology into smaller sub-networks,
often known as zones. A firewall is typically the enforcement point between zones in a network.

Intrusion Prevention: An intrusion prevention system (IPS) provides network visibility, security
intelligence, automation, and advanced threat protection.

Malware Sandbox: Inspects and analyzes suspicious files and URLs and their associated artifacts.

Network Anti-Malware: Advanced malware's goal, in general, is to penetrate a system and avoid detection.
Once loaded onto a computer system, advanced malware can self-replicate and insert itself into other
programs or files, infecting them in the process. Anti-malware protection should be implemented both in
the network (to prevent initial infection and detect attempts to spread) and in the endpoint (to prevent
endpoint infection and remove unwanted threats). This capability represents network anti-malware.

Remote Browser Isolation: Provides an added layer of protection against browser-based security threats
for high-risk users. RBI moves the most dangerous part of browsing the internet away from the end user's
machine and into the cloud.

TLS/SSL Decryption: Ability to decrypt and inspect encrypted web traffic and block hidden attacks.

Web Reputation Filtering: Compares each new website visited against known sites and then blocks access
to sites that launch malicious code.

Web Security: A full proxy that can log and inspect all your web traffic for greater transparency,
control, and protection. IPsec tunnels, PAC files, and proxy chaining can be used to forward traffic for
full visibility, URL- and application-level controls, and advanced threat protection.
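
The DNS Security capability above blocks command-and-control callbacks at the DNS layer, and the Advanced Threats example earlier in this guide has the attacker exfiltrating data over UDP port 53. A defender with only query logs can still spot that pattern: a tunnel has to encode its payload in the query names, so one registered domain receives many unique, long, high-entropy leftmost labels. The Python below is an added example, not Cisco Umbrella's code: it parses a constructed query log, computes per-domain label statistics, and flags domains that exceed all three thresholds. The log format, the domain names (using the reserved .example TLD), the two-label approximation of the registered domain and the threshold values are assumptions made for the example.

```python
"""Heuristic detection of DNS-layer command-and-control or exfiltration from
query logs (added example; not Cisco Umbrella's code). Log lines and domain
names are constructed; the thresholds are illustrative, not vendor defaults.
"""
import math
from collections import defaultdict

# Constructed query log: "<client> <qtype> <qname>" per line.
SAMPLE_LOG = """\
10.1.1.5 A www.cisco.com
10.1.1.5 A mail.example.org
10.1.1.5 A api.example.org
10.1.1.6 TXT k3j9x2q8w7m1z5p0t4r6n8v2b5c1d7e9.tunnel-test.example
10.1.1.6 TXT q7w2e9r4t1y6u8i3o5p0a2s4d6f8g1h3.tunnel-test.example
10.1.1.6 TXT z1x3c5v7b9n2m4a6s8d0f1g3h5j7k9l2.tunnel-test.example
10.1.1.6 TXT p4o8i2u6y0t3r7e1w5q9a3s7d1f5g9h2.tunnel-test.example
10.1.1.6 TXT m2n4b6v8c0x1z3a5s7d9f2g4h6j8k0l1.tunnel-test.example
10.1.1.6 TXT l9k7j5h3g1f0d2s4a6p8o1i3u5y7t9r2.tunnel-test.example
10.1.1.7 A www.cisco.com
10.1.1.7 A cdn.example.org
"""


def shannon_entropy(label: str) -> float:
    """Bits per character; random-looking encoded data scores high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain (no public
    # suffix list lookup, so e.g. co.uk domains would be grouped too coarsely).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_log(text):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname = line.split()
        yield client, qtype, qname.lower()


def suspicious_domains(records, min_unique=5, min_label_len=20, min_entropy=3.5):
    """Per registered domain, flag many distinct, long, high-entropy leftmost labels."""
    stats = defaultdict(lambda: {"labels": set(), "clients": set(), "txt": 0})
    for client, qtype, qname in records:
        s = stats[registered_domain(qname)]
        s["labels"].add(qname.split(".")[0])
        s["clients"].add(client)
        if qtype == "TXT":          # TXT answers carry the most data downstream
            s["txt"] += 1
    flagged = {}
    for domain, s in stats.items():
        labels = s["labels"]
        if len(labels) < min_unique:
            continue
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[domain] = {"unique_labels": len(labels),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2),
                               "txt_queries": s["txt"],
                               "clients": sorted(s["clients"])}
    return flagged


if __name__ == "__main__":
    for domain, info in suspicious_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, info)
```

Content delivery networks and some anti-virus update services also use long machine-generated labels, so the flagged list is a triage queue rather than a block list; the `clients` field tells the analyst which host to isolate, which is the "device isolation in the case of an event" step from the network section.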

Application Workload Security

Application Workload Security includes measures at the application level that aim to prevent data or code within
the application from being stolen or hijacked. It encompasses the security considerations that happen during
application development and design, but it also involves systems and approaches to protect applications after
they get deployed.

All application servers should be hardened and follow security practices such as disabling root access, using
SNMPv3 instead of SNMPv2, enabling certificate-based authentication for web clients, etc.
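
Hardening a server at deployment only helps if you can later tell that the deployed binaries are still the ones you hardened. The Process Anomaly Detection & Forensics capability in the table that follows describes exactly that: hash analysis of the httpd binaries on the system, reporting any mismatch. The Python below is an added example of the underlying mechanism, not Cisco Secure Workload's code: it snapshots SHA-256 digests of every file under a root, then reports files that were modified, removed, or appeared since the snapshot. The file tree, file contents and the tampering scenario are constructed in a temporary directory so the example runs anywhere.

```python
"""Hash-based integrity check of executables against a known-good baseline,
the mechanism behind process anomaly detection (added example; not Cisco
Secure Workload's code). Paths and file contents below are constructed in a
temporary directory so the example runs anywhere.
"""
import hashlib
import os
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file's path (relative to `root`, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict, root: str) -> dict:
    """Report deviations from the baseline: modified, missing and unexpected files."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed scenario: snapshot, then tamper, and report the mismatches."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "sbin/httpd", b"\x7fELF constructed httpd v1")
        write(root, "sbin/httpd-foreground", b"#!/bin/sh\nexec httpd\n")
        write(root, "modules/mod_ssl.so", b"\x7fELF constructed mod_ssl")
        baseline = build_baseline(root)
        # Tamper: patch one binary, drop one module, add an unexpected file.
        write(root, "sbin/httpd", b"\x7fELF constructed httpd v1 with extra bytes")
        os.remove(os.path.join(root, "modules", "mod_ssl.so"))
        write(root, "modules/mod_extra.so", b"\x7fELF unexpected module")
        return compare(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths or "none")
```

The baseline must be stored somewhere the workload cannot write to (the policy decision system, not the host itself), otherwise an attacker who replaces the binary can update the recorded hash as well; that is why the capability table has the workload report mismatches outward rather than judge itself.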



Application Dependency Mapping: Creates a map of all the components of an application and enables
network admins to build tight network security policies based on various signals such as network flows,
processes, and other side information like load balancer configs.

Continuous Vulnerability Scanning: Continuously acquire, assess, and take action on new information in
order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Micro-Segmentation: Micro-segmentation secures applications by expressly allowing particular application
traffic and, by default, denying all other traffic. Granular east-west policy control provides a scalable
way to create a secure perimeter zone around each workload with consistency across different workload
types and environments.

Patch Management: The systematic notification, identification, deployment, installation, and
verification of operating system and application software code revisions. These revisions are known as
patches, hot fixes, and service packs.

Policy Generation, Audit and Change Management: The output of application dependency mapping provides an
allowed-access list policy. This policy will need to be audited and changed as required.

Process Anomaly Detection & Forensics: Anomaly detection is provided by performing hash analysis of all
httpd binaries on the system and reporting any mismatches. For all processes across the workloads, if
the rootscope, executable binary path, OS version, or package info does not match the expected value, it
is reported. Forensics enables monitoring and alerting for possible security incidents by capturing
real-time forensic events and applying user-defined rules.

Runtime Application Self-Protection (RASP): A security technology that is built or linked into an
application or application runtime environment and is capable of controlling application execution and
detecting and preventing real-time attacks.

Tagging/Grouping for Software Defined Policy: Segmentation using Endpoint Groups (EPG), TrustSec Security
Group Tag (SGT), or VLANs.
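
Three of the capabilities above form one pipeline: Application Dependency Mapping observes which workloads talk to which, Tagging/Grouping turns individual workloads into policy groups, and Policy Generation, Audit and Change Management turns the observed map into an allow list that Micro-Segmentation enforces with default deny. The Python below is an added example of that pipeline, not Cisco Secure Workload's code: it collapses constructed learned flows into tier-level allow rules, evaluates later flows against them (anything without a matching rule, including flows from untagged workloads, is denied), and audits which rules went unused so they can be retired. The workload names, tags, ports and flows are assumptions made for the example.

```python
"""From observed application dependencies to a default-deny allow list
(added example; not Cisco Secure Workload's code). Workload tags and flows
are constructed; the policy is expressed between tags (tiers), not IPs.
"""
from collections import Counter

# Constructed tagging: each workload belongs to one application tier.
WORKLOAD_TAGS = {
    "web-1": "web", "web-2": "web",
    "app-1": "app", "app-2": "app",
    "db-1": "db",
    "mon-1": "monitoring",
}

# Constructed dependency map gathered during a learning window:
# (source workload, destination workload, protocol, destination port)
LEARNED_FLOWS = [
    ("web-1", "app-1", "tcp", 8443), ("web-2", "app-2", "tcp", 8443),
    ("app-1", "db-1", "tcp", 5432), ("app-2", "db-1", "tcp", 5432),
    ("mon-1", "db-1", "tcp", 9100), ("mon-1", "app-1", "tcp", 9100),
    ("mon-1", "web-1", "tcp", 9100),
]


def tag_of(workload, tags=WORKLOAD_TAGS):
    # Untagged workloads fall into "unknown", which never matches a rule.
    return tags.get(workload, "unknown")


def rule_for(flow, tags=WORKLOAD_TAGS):
    s, d, proto, port = flow
    return (tag_of(s, tags), tag_of(d, tags), proto, port)


def generate_policy(flows, tags=WORKLOAD_TAGS):
    """Collapse observed workload flows into tier-level allow rules."""
    return {rule_for(flow, tags) for flow in flows}


def evaluate(flow, rules, tags=WORKLOAD_TAGS):
    """Default deny: a flow is allowed only if a matching tier rule exists."""
    return "allow" if rule_for(flow, tags) in rules else "deny"


def audit(rules, flows, tags=WORKLOAD_TAGS):
    """Audit a later window: rules that went unused (candidates to retire)
    and flows that were denied (candidates for investigation or a change)."""
    hits = Counter()
    denied = []
    for flow in flows:
        key = rule_for(flow, tags)
        if key in rules:
            hits[key] += 1
        else:
            denied.append(flow)
    unused = sorted(rule for rule in rules if hits[rule] == 0)
    return unused, denied


if __name__ == "__main__":
    policy = generate_policy(LEARNED_FLOWS)
    for rule in sorted(policy):
        print("ALLOW", rule)
    later = [("web-1", "app-2", "tcp", 8443),   # allowed: same tiers as learned
             ("web-2", "db-1", "tcp", 5432),    # denied: web must not reach db
             ("app-1", "db-1", "tcp", 5432),    # allowed
             ("rogue-7", "db-1", "tcp", 5432)]  # denied: untagged workload
    for flow in later:
        print(evaluate(flow, policy), flow)
    print("unused rules:", audit(policy, later)[0])
```

Generating rules between tiers rather than between individual workloads is what keeps the policy stable when web-3 is added or app-1 is replaced: the new workload inherits its tier's rules as soon as it is tagged, and an untagged workload gets nothing until someone classifies it.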

Internet Edge Capabilities


The following Internet edge capabilities are included in Cisco Zero Trust.
Distributed Denial of Service (DDoS) Mitigation: Provides protection against a cyber-attack in which the
perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily
or indefinitely disrupting services of a host connected to the Internet.

Remote Access VPN: Enables users who are working remotely to securely access and use applications and
data that reside in the enterprise data center and headquarters, encrypting all traffic the users send
and receive.

Reverse Proxy: Allows users to securely access on-premises websites, web applications, and SSH servers
using any browser, from anywhere in the world, without having to install or configure remote access
software on their device.

Software Defined-WAN: Provides a replacement for traditional WAN routers and is agnostic to WAN transport
technologies. SD-WAN provides dynamic, policy-based application path selection across multiple WAN
connections and supports service chaining for additional services such as WAN optimization and
firewalls.

Web Application Firewall: A Web Application Firewall (WAF) protects websites from application
vulnerability exploits like SQL injection, cross-site scripting (XSS), cross-site request forgery, session
hijacking, and other web attacks.



Cisco SAFE Business Flows
Zero Trust Business Flows
SAFE uses the concept of business flows to simplify the analysis and identification of threats, risks, and policy
requirements for effective security. This enables the selection of very specific capabilities necessary to secure
them. This is a sample set of business flows. Additional detailed business flows can be found in Appendix B.

Zero Trust Business Flows

Zero Trust Business Flows - Threat Vectors


The next step in the SAFE methodology is to identify the threats for each business flow. This is the attack
surface and the mitigation of these threats is the business problem to be solved.



Zero Trust Business Flows with Threat Vectors

Zero Trust Business Flows - Capability Mapping


Not all business flows have the same requirements. Some use cases are subject to a smaller attack surface and
therefore require less security to be applied. Some have larger and multiple vectors and thus require more.
Evaluating the business flow by analyzing the attack surfaces provides the information needed to determine and
apply the correct capabilities for flow-specific and effective security. This process also allows for the application
of capabilities to address risk and administrative policy requirements.



Zero Trust Business Flows with Capabilities

The capabilities required to protect the business flow are represented above. This is a consolidated view of the
business flows with capabilities. The detailed business flows with the security capability groups expanded out can
be found in Appendix C.

The Common Flow Capabilities grouping is a common set of capabilities that applies to all flows.
Zero Trust Business Flows - Capability Mapping by Zero Trust Pillar
The mapping of security capabilities to zero trust pillar is represented below for each of the zero trust
business flows.



Zero Trust Business Flows with Capabilities by Zero Trust Pillar

Cisco Zero Trust Reference Architecture


The Cisco Zero Trust Reference Architecture below includes the architectural components needed to deliver
the security capabilities by zero trust pillar. The Cisco Zero Trust Reference Architecture is included in the Cisco
Security Reference Architecture and is presented below in that format, merged with the SAFE
methodology.



Cisco Zero Trust Reference Architecture



Appendix
Appendix A – Cisco Zero Trust Reference Architecture - Security Capabilities
Considering the design discussed in previous sections of this document, all the capabilities and Cisco solutions
can be mapped as below.
Capability Name: Security Solution(s)

Anomaly Detection: Cisco Secure Network Analytics; Cisco Cyber Vision; Cisco Secure Cloud Analytics;
Cisco Secure Access by Duo
Anti-Virus: Cisco Secure Endpoint
Anti-Malware: Cisco Secure Endpoint (integrated with Umbrella, Firewall & SD-WAN); Cisco Secure Malware
Analytics
Application Dependency Mapping: Cisco Secure Workload
Application Visibility & Control: Cisco Umbrella; Cisco Secure Firewall; Cisco Secure Workload; Cisco
AppDynamics; Cisco Secure Application; Cisco Secure Web Appliance; Cisco Cloudlock; Cisco Meraki
Asset Management: Cisco Secure Cloud Insights
Cloud Access Security Broker (CASB): Cisco Umbrella; Cisco Cloudlock
Cloud Security Posture Management (CSPM): Cisco Secure Cloud Insights
Endpoint Security: Cisco Secure Endpoint; Cisco Secure Access by Duo Device Health Application
Data Loss Prevention: Cisco Cloudlock; Cisco Umbrella
Device Health Connector: Cisco Duo Device Health
Device Posture Assessment: Cisco Secure Access by Duo
Distributed Denial of Service (DDoS) Mitigation: Radware DDoS
DNS Security: Cisco Umbrella
DNS Security Connector: Cisco Secure Client (AnyConnect); Cisco Umbrella Virtual Appliance
Firewall: Cisco Secure Firewall; Cisco Umbrella; Cisco Secure Workload; Cisco Meraki MX
Flow Analytics: Cisco Secure Network Analytics; Cisco Secure Cloud Analytics; Cisco Cyber Vision; Cisco
Secure Workload
Identity Authorization: Cisco Secure Access by Duo; Cisco Identity Services Engine
Intrusion Prevention: Cisco Secure Firewall; Cisco Umbrella
Malware Sandbox: Cisco Secure Malware Analytics
Mobile Device Management: Cisco Meraki Mobile Device Manager
Micro-Segmentation: Cisco Identity Services Engine; Cisco Secure Workload; Cisco Secure Application
Multi-Factor Authentication: Cisco Secure Access by Duo
Network Anti-Malware: Cisco Secure Firewall; Cisco Umbrella; Cisco Meraki MX; Cisco Secure Email
Appliance; Cisco Secure Web Appliance
Policy Generation, Audit and Change Management: Cisco Secure Workload
Process Anomaly Detection & Forensics: Cisco Secure Workload
Remote Access VPN: Cisco Secure Firewall (ASA (Adaptive Security Appliance)); Cisco Secure Firewall (FTD
(Firepower Threat Defense)); Cisco Meraki MX; Cisco Secure Connect Choice
Remote Browser Isolation: Cisco Umbrella
Reverse Proxy: Cisco Duo Network Gateway
Runtime Application Self-Protection (RASP): Cisco Secure Application
Security Assertion Markup Language (SAML) & Single Sign-On (SSO): Cisco Secure Access by Duo
Security Orchestration, Automation and Response (SOAR): Cisco SecureX
Software Defined-WAN (SD-WAN): Cisco Meraki; Cisco Viptela
Tagging/Grouping for Software Defined Policy: Cisco Secure Workload
Threat Intelligence: Cisco Talos
TLS/SSL Decryption: Cisco Umbrella; Radware Alteon
Vulnerability Management: Kenna Security; Cisco Secure Workload
Web Application Firewall: Radware WAF; Radware kWAF
Web Reputation Filtering: Cisco Umbrella; Cisco Secure Web Appliance
Web Security: Cisco Umbrella; Cisco Secure Web Appliance
Web Security Connector: Cisco Secure Client (AnyConnect)

© 2023 Cisco and/or its affiliates. All rights reserved. Page 22 of 32


Appendix B – Cisco Zero Trust Reference Design
The following is the Cisco Zero Trust Reference Design which identifies the products that deliver the security
capabilities required in the Cisco Zero Trust Reference Architecture.

Cisco Zero Trust Reference Design



Appendix C – Zero Trust Detailed Business Flows with Capabilities
Detailed business flow diagrams (titles only; the diagrams themselves are not reproduced here):

● On-prem Employee with Trusted Device: Accessing Public Application (SaaS)
● On-prem Employee: Accessing Private Application (DC/IaaS)
● On-prem Employee with Trusted Device: Accessing Internet
● On-prem Contractor with Untrusted Device: Accessing Public Application (SaaS)
● On-prem Contractor with Untrusted Device: Accessing Private Application (DC/IaaS)
● On-prem Contractor with Untrusted Device: Accessing Internet
● On-prem Guest with Untrusted Device: Accessing Internet
● Remote Employee with Trusted Device: Accessing Public Application (SaaS)
● Remote Employee with Trusted Device: Accessing Private Application (web/ssh/rdp) (Private DC/IaaS)
● Remote Employee with Trusted Device: Accessing Private Application (any tcp/udp) (Private DC/IaaS)
● Remote Employee with Trusted Device: Accessing Internet
● Customer with Untrusted Device: Accessing Public Website
● Application: API calls between microservices in the Data Center
● Application: API calls to Internet
● Industrial Security: On-prem Workstation (Trusted Device) to Programmable Logic Controller (PLC)

Appendix D - Acronyms Defined


Acronym Definition
BYOD Bring Your Own Device
CSPM Cloud Security Posture Management
DLP Data Loss Prevention
DNS Domain Name System
IoT Internet of Things
IPS Intrusion Prevention System
MDM Mobile Device Management
MFA Multi-Factor Authentication
NDR Network Detection & Response
SNMP Simple Network Management Protocol
SSO Single Sign-On
WAF Web Application Firewall
WAN Wide Area Network
XSS Cross Site Scripting



Appendix E - References
● Cisco Zero Trust Security
● Zero Trust Frameworks
● Zero Trust: User and Device Security Design Guide
● Zero Trust: Going Beyond the Perimeter
● Cisco Secure Workload
● Software-Defined Access
● Cisco SAFE
● Cisco Security Reference Architecture

Appendix F - Feedback
If you have feedback on this design guide or any of the Cisco Security design guides, please send an email to
[email protected].
