Zero Trust in Resilient Cloud and Network Architectures
By Josh Halley, Dhrumil Prajapati
Part of the Networking Technology series
Description
Zero Trust in Resilient Cloud and Network Architectures, written by a team of senior Cisco engineers, offers a real-world, hands-on guide to deploying automated architectures with a focus on segmentation at any scale--from proof-of-concept to large, mission-critical infrastructures. Whether you’re new to software-defined and cloud-based architectures or looking to enhance an existing deployment, this book will help you:
- Implement Zero Trust: Segment and secure access while mitigating IoT risks
- Automate Network Operations: Simplify provisioning, authentication, and traffic management
- Deploy at scale following best practices for resilient and secure enterprise-wide network rollouts
- Integrate with Cloud Security, bridging on-prem and cloud environments seamlessly
- Learn from Real-World Case Studies: Gain insights from the largest Cisco enterprise deployments globally
This edition covers Meraki, EVPN, Pub/Sub, and Terraform and Ansible-based deployments with a key focus on network resilience and survivability. It also explores quantum security and Industrial Zero Trust, along with Cisco’s latest evolutions in software-defined networking, providing exclusive insights into its enhancements, architecture improvements, and operational best practices. If you're a network, security, or automation specialist, this book is your essential guide to building the next-generation, zero-trust network.
Product information
- Publication date: 2025-08-29
- Dimensions: 190 x 233 x 50 mm
- Weight: 1 434 g
- Format: Paperback
- Language: English
- Series: Networking Technology
- Number of pages: 864
- Edition: 1
- Publisher: Pearson Education
- ISBN: 9780138204600
More about the author
Josh Halley, CCIE (No. 11924), is a Principal Architect in the office of the CTO, focused on next generation technologies and technical transformation for some of Cisco's largest global customers. A triple CCIE, he has more than 25 years of experience in security, cloud, data center, and networking, working with industries from finance to manufacturing.
Dhrumil Prajapati, CCDE (No. 20210002), CCIE (No. 28071 [EI/SP]), is a Principal Architect within Cisco CX’s GES Architectures team where his focus is multi-domain networks. His 14 years of experience have been in designing and building 200+ customer networks of various sizes in Healthcare, Financial, Manufacturing, Public Sector, Logistics, Transportation, and Enterprise and Service Provider industry verticals.
Ariel Leza has been an evangelist for Web3, decentralized infrastructure, and blockchain-based distributed systems since 2013, being a leading voice in this area. Until recently, she was acting as a Senior Cloud Architect in the CTO Office of CX EMEA at Cisco, and now is a startup founder and community contributor focusing on the confluence of cloud native open-source technologies and enterprise IT systems. Ariel is a pioneer in reconciling traditional cloud architectures and decentralized computing, with a special focus on radically approaching the future beyond such disparate paradigms, driving innovation and efficiency in the evolving digital landscape.
Vinay Saini, CCIE Ent Wireless (No. 38448), is a seasoned technologist, inventor, and mentor with more than two decades in networking. As a Principal Architect at Cisco, he has guided organizations across industries on security-driven digital transformation. Holding dual expert-level certifications--CWNE (No. 69), CCIE (No. 38448), as well as CCDE (No. 20240032)--Vinay is a key contributor to Cisco’s certification programs. With 100+ patents filed and a passion for innovation, he is a sought-after speaker at Cisco Live and a dedicated mentor helping professionals excel in both technical and leadership domains.
Table of contents
- Introduction
- Chapter 1 Zero Trust Demystified
  - Definition of Zero Trust
  - How It All Began
  - Why We Need Zero Trust
  - Core Principles of Zero Trust
  - Major Zero Trust Industry Standards
  - People, Processes, and Technology
  - On-Premises vs. Cloud
  - Hybrid Environment Recommendations
  - Security Certifications
  - Summary
  - References
- Chapter 2 Secure Automation and Orchestration Overview
  - Introduction to Automation and Orchestration
  - Building Blocks of Secure Automation
  - Common Automation Practices and Tools
  - AI and Machine Learning with Automation
  - Summary
- Chapter 3 Zero Trust Network Deployment
  - Elements of Zero Trust Strategy Definitions
  - Tools and Technologies
  - Identifying Business Workflows
  - Applying Zero Trust Using SSE
  - ZTNA Deployment Scenarios
  - Summary
- Chapter 4 Security and Segmentation
  - Overview
  - Segmentation Options
  - Methods of TrustSec Transport
  - Control Plane TrustSec Transport
  - Summary
- Chapter 5 DHCP and Dynamic Addressing Concepts
  - Introduction to Dynamic Addressing
  - Zero Trust Approach to Dynamic Addressing
  - DHCP Options
  - DHCP Authentication
  - IPv6 Address Assignment
  - IPv6 First Hop Security
  - Summary
- Chapter 6 Automating the Campus
  - Overview
  - Planning
  - Execution
  - Summary
  - References
- Chapter 7 Plug-and-Play and Zero-Touch Provisioning
  - Overview
  - Plug-and-Play Provisioning
  - Zero-Touch Provisioning
  - Template Usage in Catalyst Center
  - Programmability-Based Deployment
  - Customer Use Cases
  - Summary
- Chapter 8 Routing and Traffic Engineering
  - Overview
  - Routing
  - Traffic Engineering
  - Summary
  - References
- Chapter 9 Authentication and Authorization
  - Overview
  - A Broader View of Identity
  - Authentication and Authentication Methods
  - Authorization
  - Customer Use Cases
  - Summary
- Chapter 10 Quantum Security
  - What Is Quantum Computing?
  - Quantum Computing and Emerging Security Threats
  - Approaches to Safeguard Against Quantum Adversaries
  - Summary
- Chapter 11 Network Convergence and Considerations
  - What Is Convergence?
  - Convergence in Layer 3 Routed Architectures
  - Methodologies of Convergence Testing
  - Monitoring Security Convergence
  - Summary
- Chapter 12 Software-Defined Network Deployment Best Practices
  - Introduction
  - Network Deployment Lifecycle
  - Stage 1: Planning and Design
  - Stage 2: Deployment and Migration
  - Stage 3: Operations and Management
  - Summary
  - References
- Chapter 13 Wired and Wireless Assurance
  - What Is the Best Practice for Your Enterprise Architecture?
  - Wired Network Best Practice Design Concepts
  - Tiered Network Design
  - Stacking Constructs
  - Layer 3 Architectures
  - Optimizing Wireless Networks
  - Anchoring Concepts (Catalyst/Meraki)
  - Monitoring TrustSec and Security Enforcement
  - Case Study: Financial Sector Customer
  - Summary
- Chapter 14 Large-Scale Software-Defined Network Deployment
  - Introduction
  - Network Design
  - Security
  - Automation
  - Implementation: Kyle and Jason Go to Fast Burger
  - Summary
- Chapter 15 Cloud-Native Security Foundation
  - Introduction to Cloud-Native Security: A Zero Trust Perspective
  - Cloud Infrastructure Security: Pillars and Practices in the Modern Cloud
  - Key Management in Cloud Environments
  - Network Security Evolution and Segmentation
  - Navigating Multicloud and Hybrid Cloud Security
  - Monitoring and Logging Requirements for Compliance
  - Summary
  - References
- Chapter 16 Cloud-Native Application Security
  - Introduction to Cloud-Native Application Security
  - Role of Cloud-Native Application Protection Platform (CNAPP)
  - Building Secure Applications with Cloud-Native Security
  - Unique Security Considerations for Serverless Architectures
  - Emerging Trends and Future Outlook in Cloud-Native Security
  - Summary
  - References
- Chapter 17 Data Center Segmentation On-Prem to the Cloud
  - Introduction to Data Center Segmentation in Hybrid and Multicloud Environments
  - Zero Trust and Microsegmentation Principles for Segmentation
  - Segmentation Challenges in Hybrid and Multicloud Environments
  - Ways to Implement End-to-End Segmentation Policies with Zero Trust
  - Ways to Migrate Segmentation Policies: From On-Premises to Cloud
  - Web3 and Immutable Trust in Hybrid Cloud Segmentation
  - Summary
  - References
- Chapter 18 Using Common Policy to Enforce Security
  - Introduction to Security Policies
  - Designing Common Security Policies
  - Policy Enforcement Mechanisms
  - Identity and Access Management (IAM) Policies
  - Data Protection and Privacy Policies
  - Network Security Policies
  - From SDLC to SDL to SSDLC: A Journey Toward Secure Software Development
  - OWASP SAMM: A Framework for Security Maturity
  - Monitoring, Logging, and Auditing Policies
  - Incident Response and Remediation Policies
  - Policy Compliance and Verification
  - Challenges in Policy Enforcement Across Hybrid Environments
  - Future Directions in Policy-Based Security
  - Summary
  - References
- Chapter 19 Workload Mobility: On-Prem to Cloud
  - Definition and Scope of Workload Mobility
  - Is Your Cloud Ready for Your Workloads? Understanding the Benefits and Challenges
  - Choosing a Cloud Model with Zero Trust as the Goal
  - Analysis of TCO and ROI for Workload Migration
  - Building Out a Secure Migration Plan
  - Integrating AWS’s Well-Architected Framework: Case Study of ABC Corp
  - Workload Migration Frameworks and Tools
  - Data Security During Workload Migration
  - Data Transfer vs. Cloud Migration: An Overview
  - Cloud Migration Security
  - Quality Engineering: The Heart of Cloud Migration
  - Network and Connectivity Considerations
  - Managing IP Addressing and DNS Changes
  - Ensuring High Availability and Disaster Recovery Readiness
  - Security Posture Adjustment Post-Migration
  - Identity and Access Management in Hybrid Environments
  - Summary
  - References
- Chapter 20 Resilience and Survivability
  - Resilience Metrics
  - Types of Resilience
  - Software Resilience
  - Resilience in the Cloud
  - Consequences of Authentication and Authorization Resilience
  - Client and Server Agent Resilience
  - Audit Trail Resilience
  - Proactive Resilience Validation
  - Network Infrastructure Resilience Consideration
  - Summary
- Chapter 21 Zero Trust in Industrial Manufacturing Vertical
  - Introduction to Industrial Networking
  - Pillars of ZTNA for Industrial Plant Networks
  - Secure Remote Access with ZTNA
  - Extending ZTNA in a Noncarpeted Environment with Cisco SD-Access
  - Summary
- Chapter 22 Third-Party SDN Integrations
  - Introduction to Third-Party SDN Integrations
  - End-to-End Policy Strategy in a Multivendor Environment
  - Benefits of End-to-End Segmentation
  - Challenges in Multivendor Environments
  - Why VXLAN-EVPN?
  - BGP EVPN Detailed Traffic Flow and Architecture
  - Security Considerations in the Campus
  - Firewall Connectivity in the Campus
  - Third-Party Vendor Firewall Policy Integration
  - Highly Resilient Firewall Integrations
  - Summary
  - References
- Chapter 23 Infrastructure as Code (IaC)
  - Introduction
  - Evolution of Automation in Network Device Deployment and Management
  - Working with Structured Data
  - Revision Control
  - Building a Data Model
  - Network Controllers vs. Direct to Device
  - Deploying an IaC Architecture
  - Securing IaC Provisioning
  - Deploying a Resilient “as Code” Infrastructure
  - “As Code” Today
  - Transitioning to a Network “as Code”
  - Pre-Validation in the Physical Replica or a Digital Twin
  - Summary