Cisco Security Reference Architecture

Explore an overview of the Cisco Secure portfolio and common use cases.

How to use Cisco Security Reference Architecture

The Cisco Security Reference Architecture (SRA) provides an overview of the Cisco Security portfolio, commonly deployed use cases, and the recommended capabilities within an integrated architecture. The reference architecture maps to domains that align closely with industry security frameworks published by NIST, CISA, and DISA. The five main components of the reference architecture are listed below.

  • Security cloud platform
  • Security operations center
  • User/device security
  • Cloud edge and on-premises networks
  • Workload and application security

Every organization has a unique environment based on business requirements. Not every listed capability is required to complete the architecture. We encourage you to connect with your Cisco account team and map out your security journey with us.

Reference architecture overview

[Figure: detailed technical overview]

[Figure: simplified higher-level overview]

The SRA overview is made up of functional modules and capabilities that provide layers of defense and deliver specific business outcomes such as Zero Trust, SASE, and XDR for the Security Operations Center. The outermost layer is the platform layer, Security Cloud Control. This platform is cloud-delivered, driven by AI/ML analytics, open and extensible, and provides unified management and risk assessment for every inner module of the architecture. Embedded directly in the platform is Talos threat intelligence: actionable intelligence together with real-time malware research and analytics across the entire network. SOC capabilities such as IP/domain reputation, Snort signatures, malicious file analysis and control, URL categorization, and AI defenses are made available at multiple enforcement points, including endpoints, NGFWs, email, cloud gateways, and workloads.

Below the security operations layer sit the Zero Trust and SASE modules, which span the entire architecture from users and devices to workloads and applications across multicloud. The user/device security capabilities are chosen so that the experience is as simple as possible, through the unified Secure Client, while remaining highly secure against threats such as phishing and ransomware. The data path from user/device to workloads and applications can traverse either the Cloud Edge network module or the on-premises network module. The following use cases give further detail.

Context sharing and Identity Intelligence

Cisco pxGrid (RFC 8600) provides the publish/subscribe communication channel that allows context to be shared across the entire architecture. The core functionality starts with Identity Services Engine (ISE) and extends into Cloud Edge, SD-WAN, IoT, and workload and application security to share context about any endpoint accessing protected workloads and applications. Combined with TrustSec and Security Group Tags (SGTs), east-west and north-south segmentation can be enforced on group identity rather than on IP addresses across the entire architecture. Because pxGrid is open, it also integrates with third-party ecosystem solutions to deliver dynamic, granular user and application access control.
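The following is an added illustration, not Cisco code and not the pxGrid or ISE API: a toy publish/subscribe context bus in the spirit of pxGrid feeds an endpoint-to-SGT table that a TrustSec-style enforcement point consults instead of IP addresses. Every address, SGT number, topic name and session event below is constructed for the example; the policy matrix never mentions an address, so a change of context (a session start, a re-authorization into quarantine, a disconnect) changes the verdict without touching a rule.

```python
"""Added example (not Cisco code): pxGrid-style context sharing driving
SGT-based segmentation. Addresses use RFC 5737 documentation ranges and the
SGT values, topic names and events are all constructed for illustration."""
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed SGT numbers; in a real deployment these are defined in ISE.
SGT_UNKNOWN = 0
SGT_EMPLOYEE = 10
SGT_CONTRACTOR = 20
SGT_QUARANTINE = 30
SGT_FINANCE_APP = 100
SGT_HR_APP = 110

# Constructed addresses.
FINANCE_APP_IP = "192.0.2.10"
HR_APP_IP = "192.0.2.20"
ALICE_LAPTOP = "198.51.100.5"
BOB_TABLET = "198.51.100.6"


class ContextBus:
    """Minimal publish/subscribe channel standing in for pxGrid: publishers
    post events to a topic and every subscriber of that topic receives them."""

    def __init__(self):
        self._subs: Dict[str, List[Callable[[dict], None]]] = defaultdict(list)

    def subscribe(self, topic: str, handler: Callable[[dict], None]) -> None:
        self._subs[topic].append(handler)

    def publish(self, topic: str, event: dict) -> None:
        for handler in list(self._subs[topic]):
            handler(event)


class EnforcementPoint:
    """A firewall or switch that classifies packets by SGT and applies a
    TrustSec-style policy matrix keyed (source SGT, destination SGT).
    Anything not listed is denied, and no rule ever mentions an IP address."""

    def __init__(self, bus: ContextBus):
        # Static bindings for the servers; user bindings arrive over the bus.
        self.ip_to_sgt = {FINANCE_APP_IP: SGT_FINANCE_APP, HR_APP_IP: SGT_HR_APP}
        self.matrix = {
            (SGT_EMPLOYEE, SGT_FINANCE_APP): "permit",
            (SGT_EMPLOYEE, SGT_HR_APP): "permit",
            (SGT_CONTRACTOR, SGT_HR_APP): "permit",
        }
        bus.subscribe("session", self.on_session)

    def on_session(self, event: dict) -> None:
        # A session start or re-authorization carries the SGT the identity
        # service assigned; a disconnect removes the binding so the address
        # falls back to "unknown" and therefore to default-deny.
        if event["state"] in ("STARTED", "REAUTHORIZED"):
            self.ip_to_sgt[event["ip"]] = event["sgt"]
        elif event["state"] == "DISCONNECTED":
            self.ip_to_sgt.pop(event["ip"], None)

    def decide(self, src_ip: str, dst_ip: str) -> str:
        src = self.ip_to_sgt.get(src_ip, SGT_UNKNOWN)
        dst = self.ip_to_sgt.get(dst_ip, SGT_UNKNOWN)
        return self.matrix.get((src, dst), "deny")


def run_scenario() -> List[str]:
    """Walk one endpoint's lifecycle and return the decision at each step."""
    bus = ContextBus()
    fw = EnforcementPoint(bus)
    out = []
    # 1. No session context yet: the source is unknown, so traffic is denied.
    out.append(fw.decide(ALICE_LAPTOP, FINANCE_APP_IP))
    # 2. The identity service publishes Alice's session with the employee tag.
    bus.publish("session", {"state": "STARTED", "ip": ALICE_LAPTOP, "user": "alice", "sgt": SGT_EMPLOYEE})
    out.append(fw.decide(ALICE_LAPTOP, FINANCE_APP_IP))
    # 3. Bob, a contractor, may reach HR but not finance.
    bus.publish("session", {"state": "STARTED", "ip": BOB_TABLET, "user": "bob", "sgt": SGT_CONTRACTOR})
    out.append(fw.decide(BOB_TABLET, HR_APP_IP))
    out.append(fw.decide(BOB_TABLET, FINANCE_APP_IP))
    # 4. An endpoint alert makes the identity service re-authorize Alice into
    #    quarantine; the same address is now cut off without any rule change.
    bus.publish("session", {"state": "REAUTHORIZED", "ip": ALICE_LAPTOP, "user": "alice", "sgt": SGT_QUARANTINE})
    out.append(fw.decide(ALICE_LAPTOP, FINANCE_APP_IP))
    # 5. Session ends: the binding is removed and the address is unknown again.
    bus.publish("session", {"state": "DISCONNECTED", "ip": ALICE_LAPTOP})
    out.append(fw.decide(ALICE_LAPTOP, FINANCE_APP_IP))
    return out


if __name__ == "__main__":
    print(run_scenario())  # ['deny', 'permit', 'permit', 'deny', 'deny', 'deny']
```

The point to take from the walk-through is step 4: the quarantine decision is made once, in the identity control plane, and every subscribed enforcement point applies it immediately because the tag changed, not because anyone edited a firewall rule.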

Identity intelligence is a critical part of the overall Zero Trust architecture because a user's trust level changes over time, especially with a mobile workforce. NIST SP 800-207 describes a Zero Trust architecture in which policy decided in the control plane is enforced by policy enforcement points in the data plane as users cross from untrusted into trusted zones. Cisco Identity Intelligence provides visibility of user behavior across the multiple identity sources commonly found in customer networks. The security policy must respond to changing inputs such as threat intelligence, logging trends, anomalous login behavior, impossible travel, and so on. The security reference architecture therefore delivers these enforcement capabilities, including Identity Threat Detection and Response (ITDR), across Cloud Edge and on-premises networks as well as workloads and applications across multicloud, to help SOC analysts respond to incidents anywhere in the network.
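As an added example of one of the inputs named above, impossible travel, here is a detection run over constructed authentication log lines; it is not Cisco Identity Intelligence code and does not reflect how that product scores logins. The log format, the GeoIP table (a real detector would consult a GeoIP database), the 1000 km/h plausibility limit and the 100 km jitter floor are all assumptions of the example.

```python
"""Added example (not Cisco code): impossible-travel detection over constructed
authentication log lines. Two successful logins by one user from places that
could only be reached faster than an airliner flies are flagged."""
import math
import re
from datetime import datetime, timezone
from typing import List

# Constructed GeoIP table (lat, lon); a real detector uses a GeoIP database.
GEOIP = {
    "203.0.113.10": (51.5074, -0.1278),   # London
    "198.51.100.7": (40.7128, -74.0060),  # New York
    "192.0.2.44": (48.8566, 2.3522),      # Paris
}

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than a commercial flight
MIN_DISTANCE_KM = 100.0     # assumption: ignore GeoIP jitter inside a metro area

# Constructed log format: "<ISO timestamp> auth=<result> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = [  # constructed sample, not real telemetry
    "2024-05-01T08:00:00Z auth=success user=alice src=203.0.113.10",
    "2024-05-01T08:30:00Z auth=success user=alice src=198.51.100.7",
    "2024-05-01T09:00:00Z auth=success user=bob src=203.0.113.10",
    "2024-05-01T18:00:00Z auth=success user=bob src=198.51.100.7",
    "2024-05-01T10:00:00Z auth=failure user=carol src=198.51.100.7",
    "2024-05-01T10:05:00Z auth=success user=carol src=192.0.2.44",
    "2024-05-01T11:00:00Z auth=success user=carol src=192.0.2.44",
]


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_events(lines: List[str]):
    """Yield (timestamp, user, src_ip) for successful logins only; a failed
    login does not establish that the account holder was at that location."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"]))
    return events


def detect_impossible_travel(lines: List[str]) -> List[dict]:
    """Return one finding per consecutive login pair that implies impossible travel."""
    by_user = {}
    for ts, user, src in sorted(parse_events(lines)):  # order by time per user
        by_user.setdefault(user, []).append((ts, src))
    findings = []
    for user, logins in by_user.items():
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 not in GEOIP or ip2 not in GEOIP:
                continue  # no geolocation: nothing to reason about
            km = haversine_km(GEOIP[ip1], GEOIP[ip2])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            # Same-second logins from distant places imply infinite speed; that
            # is still impossible, so keep the finding but do not divide by zero.
            kmh = float("inf") if hours == 0 else km / hours
            if kmh > MAX_PLAUSIBLE_KMH:
                findings.append({"user": user, "from": ip1, "to": ip2, "km": round(km),
                                 "kmh": None if math.isinf(kmh) else round(kmh)})
    return findings


if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_LOG):
        print(f)
```

In the sample, alice appears in London and then New York thirty minutes later (roughly 5,570 km, over 11,000 km/h) and is flagged; bob makes the same trip in nine hours and is not; carol's failed New York login is ignored and her two Paris logins are within the jitter floor. A finding like alice's is the kind of signal the text expects the policy to react to, for example by re-authorizing the session into a restricted tag.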

Security Cloud Control: Hybrid Mesh Firewall

The goal of a platform is to unify policy and share common objects across everything it manages. Within the SRA, the Security Cloud Control (SCC) console was built to deliver integrated architectures such as Hybrid Mesh Firewall, where firewall services across Cloud Edge, on-premises, and multicloud data centers are unified and simplified to reduce human error. SCC uses AI capabilities to deploy a common policy (for example, deny John on his mobile device access to a finance application after 5 pm every day) across the various enforcement points (physical, virtual, or cloud-native security groups) of the multicloud network.
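The example policy above, written as an added illustration rather than Security Cloud Control code or its policy model: one intent object is evaluated identically against flows, and a deployment plan checks whether each enforcement-point type can actually match the policy's conditions. The capability table is an assumption for the example; in particular the cloud-native entry assumes a generic provider's security group that filters only on addresses, ports and protocols, and the user, device and application names are constructed.

```python
"""Added example (not Cisco code): a single intent policy evaluated uniformly,
plus a check of which enforcement points can express it. Names, times and the
capability table are constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import time
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Flow:
    """What an enforcement point knows about a connection attempt. Fields are
    None where that point has no identity, device or clock context."""
    app: str
    user: Optional[str] = None
    device_type: Optional[str] = None
    local_time: Optional[time] = None


@dataclass(frozen=True)
class IntentPolicy:
    """'<action> <user> on a <device_type> reaching <app> from <not_before> on'."""
    action: str
    user: str
    device_type: str
    app: str
    not_before: time

    def matches(self, flow: Flow) -> bool:
        return (flow.user == self.user
                and flow.device_type == self.device_type
                and flow.app == self.app
                and flow.local_time is not None
                and flow.local_time >= self.not_before)


POLICY_CONDITIONS = {"user", "device_type", "app", "time"}

# Assumed match conditions per enforcement-point type. The cloud-native entry
# models a generic provider security group that filters on addresses, ports
# and protocols only, so "app" (resolved to its addresses) is all it can see.
CAPABILITIES: Dict[str, Set[str]] = {
    "physical_ngfw": {"user", "device_type", "app", "time"},
    "virtual_ngfw": {"user", "device_type", "app", "time"},
    "cloud_security_group": {"app"},
}


def evaluate(policy: IntentPolicy, flow: Flow, default: str = "permit") -> str:
    return policy.action if policy.matches(flow) else default


def deployment_plan(policy: IntentPolicy) -> Dict[str, str]:
    """Deploy the rule as written where every condition can be matched; where it
    cannot, reject rather than coarsen. Dropping the user/device/time conditions
    would turn the rule into either 'deny everyone reaching the app' or, if the
    unmatched conditions simply never fire, 'deny nobody'."""
    plan = {}
    for ep, caps in CAPABILITIES.items():
        missing = sorted(POLICY_CONDITIONS - caps)
        plan[ep] = "deploy" if not missing else "reject: cannot match " + ", ".join(missing)
    return plan


AFTER_HOURS_FINANCE = IntentPolicy("deny", "john", "mobile", "finance-app", time(17, 0))


def demo() -> Dict[str, str]:
    """Evaluate the policy against a few constructed flows, including one seen
    by a point that has no identity context at all."""
    flows = {
        "john_mobile_1659": Flow("finance-app", "john", "mobile", time(16, 59)),
        "john_mobile_1700": Flow("finance-app", "john", "mobile", time(17, 0)),
        "john_laptop_1800": Flow("finance-app", "john", "laptop", time(18, 0)),
        "jane_mobile_1800": Flow("finance-app", "jane", "mobile", time(18, 0)),
        "no_context_1800": Flow("finance-app", local_time=time(18, 0)),
    }
    return {name: evaluate(AFTER_HOURS_FINANCE, f) for name, f in flows.items()}


if __name__ == "__main__":
    print(demo())
    print(deployment_plan(AFTER_HOURS_FINANCE))
```

The "no_context_1800" flow is the caveat worth noticing: at a point without identity context the deny simply never matches and the connection is permitted, which is why the plan refuses to push this policy to the cloud security group instead of silently deploying a weaker version of it.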

Universal ZTNA

The benefits of building on Security Cloud Control extend to other architectures in the SRA such as Universal ZTNA. Universal ZTNA uses the Cisco Secure Client to let users and their devices access any application securely without enabling a full VPN tunnel or thinking about how to reach a given application safely. The goal of Zero Trust is to grant least-privilege access and nothing more, preventing unauthorized or excessive access. Universal ZTNA delivers per-application tunnels where possible and selects the right data path according to per-application policy. For example, a cloud-averse finance company may prefer to connect its users to critical applications through on-premises networks rather than over the cloud edge, while non-mission-critical applications are reached through the cloud edge. Such capabilities also provide data-path resiliency. Using Security Cloud Control, the administrator can provision Universal ZTNA policies from a single console.

Security Operations Center

The Security Operations Center (SOC) proactively protects and enables organizational success through vigilant monitoring, rapid incident response, and collaborative security leadership. This approach safeguards digital assets and builds trust with stakeholders. The Security Reference Architecture (SRA) delivers the capabilities for continuously monitoring network activity to identify suspicious behavior and potential threats. By integrating threat intelligence and dynamic context sharing, it enhances threat detection and analysis. The SOC manages incident response across the environment, ensuring timely remediation to minimize business impact. The SRA provides insight for improving security controls and practices, which supports the organization's overall security strategy and compliance efforts. This architectural approach allows the SOC to keep improving as adversaries adapt their campaigns to a dynamic attack surface that ranges from mobile users to hybrid workloads and applications.