Zero Trust in Resilient Cloud and Network Architectures

By (author): Eddy Lee, Parthiv Shah, Dhrumil Prajapati, Josh Halley, Ariel Leza, Vinay Saini

ISBN13: 9780138204600

Imprint: Cisco Press

Publisher: Pearson Education (US)

Format: Paperback / softback

Published: 06/09/2025

Availability: Not yet available

Description
Zero Trust in Resilient Cloud and Network Architectures, written by a team of senior Cisco engineers, offers a real-world, hands-on guide to deploying automated architectures with a focus on segmentation at any scale, from proof-of-concept to large, mission-critical infrastructures. Whether you're new to software-defined and cloud-based architectures or looking to enhance an existing deployment, this book will help you:

  • Implement Zero Trust: Segment and secure access while mitigating IoT risks
  • Automate Network Operations: Simplify provisioning, authentication, and traffic management
  • Deploy at Scale: Follow best practices for resilient and secure enterprise-wide network rollouts
  • Integrate with Cloud Security: Bridge on-prem and cloud environments seamlessly
  • Learn from Real-World Case Studies: Gain insights from the largest Cisco enterprise deployments globally

This edition covers Meraki, EVPN, Pub/Sub, and Terraform and Ansible-based deployments with a key focus on network resilience and survivability. It also explores quantum security and Industrial Zero Trust, along with Cisco's latest evolutions in software-defined networking, providing exclusive insights into its enhancements, architecture improvements, and operational best practices. If you're a network, security, or automation specialist, this book is your essential guide to building the next-generation, zero-trust network.
Table of Contents

Introduction xxxix

Chapter 1 Zero Trust Demystified 1
    Definition of Zero Trust 1
    How It All Began 2
    Why We Need Zero Trust 3
    Core Principles of Zero Trust 5
    Major Zero Trust Industry Standards 11
    People, Processes, and Technology 15
    On-Premises vs. Cloud 19
    Hybrid Environment Recommendations 23
    Security Certifications 24
    Summary 26
    References 27

Chapter 2 Secure Automation and Orchestration Overview 29
    Introduction to Automation and Orchestration 29
    Building Blocks of Secure Automation 35
    Common Automation Practices and Tools 40
    AI and Machine Learning with Automation 47
    Summary 52

Chapter 3 Zero Trust Network Deployment 53
    Elements of Zero Trust Strategy Definitions 54
    Tools and Technologies 63
    Identifying Business Workflows 66
    Applying Zero Trust Using SSE 67
    ZTNA Deployment Scenarios 71
    Summary 74

Chapter 4 Security and Segmentation 75
    Overview 75
    Segmentation Options 76
    Methods of TrustSec Transport 91
    Control Plane TrustSec Transport 96
    Summary 101

Chapter 5 DHCP and Dynamic Addressing Concepts 103
    Introduction to Dynamic Addressing 103
    Zero Trust Approach to Dynamic Addressing 109
    DHCP Options 113
    DHCP Authentication 114
    IPv6 Address Assignment 115
    IPv6 First Hop Security 123
    Summary 126

Chapter 6 Automating the Campus 127
    Overview 127
    Planning 128
    Execution 135
    Summary 147
    References 147

Chapter 7 Plug-and-Play and Zero-Touch Provisioning 149
    Overview 149
    Plug-and-Play Provisioning 150
    Zero-Touch Provisioning 165
    Template Usage in Catalyst Center 169
    Programmability-Based Deployment 172
    Customer Use Cases 177
    Summary 183

Chapter 8 Routing and Traffic Engineering 185
    Overview 185
    Routing 187
    Traffic Engineering 212
    Summary 218
    References 218

Chapter 9 Authentication and Authorization 219
    Overview 219
    A Broader View of Identity 220
    Authentication and Authentication Methods 223
    Authorization 243
    Customer Use Cases 249
    Summary 252

Chapter 10 Quantum Security 253
    What Is Quantum Computing? 253
    Quantum Computing and Emerging Security Threats 265
    Approaches to Safeguard Against Quantum Adversaries 270
    Summary 278

Chapter 11 Network Convergence and Considerations 279
    What Is Convergence? 279
    Convergence in Layer 3 Routed Architectures 281
    Methodologies of Convergence Testing 300
    Monitoring Security Convergence 308
    Summary 314

Chapter 12 Software-Defined Network Deployment Best Practices 315
    Introduction 315
    Network Deployment Lifecycle 317
    Stage 1: Planning and Design 318
    Stage 2: Deployment and Migration 324
    Stage 3: Operations and Management 330
    Summary 335
    References 336

Chapter 13 Wired and Wireless Assurance 337
    What Is the Best Practice for Your Enterprise Architecture? 337
    Wired Network Best Practice Design Concepts 338
    Tiered Network Design 340
    Stacking Constructs 342
    Layer 3 Architectures 343
    Optimizing Wireless Networks 344
    Anchoring Concepts (Catalyst/Meraki) 351
    Monitoring TrustSec and Security Enforcement 354
    Case Study: Financial Sector Customer 358
    Summary 360

Chapter 14 Large-Scale Software-Defined Network Deployment 361
    Introduction 361
    Network Design 362
    Security 367
    Automation 369
    Implementation: Kyle and Jason Go to Fast Burger 377
    Summary 379

Chapter 15 Cloud-Native Security Foundation 381
    Introduction to Cloud-Native Security: A Zero Trust Perspective 381
    Cloud Infrastructure Security: Pillars and Practices in the Modern Cloud 393
    Key Management in Cloud Environments 400
    Network Security Evolution and Segmentation 404
    Navigating Multicloud and Hybrid Cloud Security 413
    Monitoring and Logging Requirements for Compliance 421
    Summary 435
    References 436

Chapter 16 Cloud-Native Application Security 437
    Introduction to Cloud-Native Application Security 437
    Role of Cloud-Native Application Protection Platform (CNAPP) 458
    Building Secure Applications with Cloud-Native Security 460
    Unique Security Considerations for Serverless Architectures 470
    Emerging Trends and Future Outlook in Cloud-Native Security 482
    Summary 485
    References 486

Chapter 17 Data Center Segmentation On-Prem to the Cloud 487
    Introduction to Data Center Segmentation in Hybrid and Multicloud Environments 487
    Zero Trust and Microsegmentation Principles for Segmentation 489
    Segmentation Challenges in Hybrid and Multicloud Environments 491
    Ways to Implement End-to-End Segmentation Policies with Zero Trust 493
    Ways to Migrate Segmentation Policies: From On-Premises to Cloud 496
    Web3 and Immutable Trust in Hybrid Cloud Segmentation 514
    Summary 534
    References 534

Chapter 18 Using Common Policy to Enforce Security 535
    Introduction to Security Policies 535
    Designing Common Security Policies 536
    Policy Enforcement Mechanisms 539
    Identity and Access Management (IAM) Policies 541
    Data Protection and Privacy Policies 543
    Network Security Policies 543
    From SDLC to SDL to SSDLC: A Journey Toward Secure Software Development 544
    OWASP SAMM: A Framework for Security Maturity 557
    Monitoring, Logging, and Auditing Policies 563
    Incident Response and Remediation Policies 564
    Policy Compliance and Verification 564
    Challenges in Policy Enforcement Across Hybrid Environments 565
    Future Directions in Policy-Based Security 565
    Summary 568
    References 569

Chapter 19 Workload Mobility: On-Prem to Cloud 571
    Definition and Scope of Workload Mobility 571
    Is Your Cloud Ready for Your Workloads? Understanding the Benefits and Challenges 572
    Choosing a Cloud Model with Zero Trust as the Goal 579
    Analysis of TCO and ROI for Workload Migration 581
    Building Out a Secure Migration Plan 583
    Integrating AWS's Well-Architected Framework: Case Study of ABC Corp 587
    Workload Migration Frameworks and Tools 589
    Data Security During Workload Migration 593
    Data Transfer vs. Cloud Migration: An Overview 598
    Cloud Migration Security 604
    Quality Engineering: The Heart of Cloud Migration 614
    Network and Connectivity Considerations 616
    Managing IP Addressing and DNS Changes 637
    Ensuring High Availability and Disaster Recovery Readiness 643
    Security Posture Adjustment Post-Migration 645
    Identity and Access Management in Hybrid Environments 649
    Summary 664
    References 665

Chapter 20 Resilience and Survivability 667
    Resilience Metrics 667
    Types of Resilience 671
    Software Resilience 674
    Resilience in the Cloud 676
    Consequences of Authentication and Authorization Resilience 681
    Client and Server Agent Resilience 684
    Audit Trail Resilience 686
    Proactive Resilience Validation 689
    Network Infrastructure Resilience Consideration 690
    Summary 690

Chapter 21 Zero Trust in Industrial Manufacturing Vertical 691
    Introduction to Industrial Networking 691
    Pillars of ZTNA for Industrial Plant Networks 696
    Secure Remote Access with ZTNA 706
    Extending ZTNA in a Noncarpeted Environment with Cisco SD-Access 710
    Summary 715

Chapter 22 Third-Party SDN Integrations 717
    Introduction to Third-Party SDN Integrations 717
    End-to-End Policy Strategy in a Multivendor Environment 718
    Benefits of End-to-End Segmentation 718
    Challenges in Multivendor Environments 719
    Why VXLAN-EVPN? 723
    BGP EVPN Detailed Traffic Flow and Architecture 725
    Security Considerations in the Campus 727
    Firewall Connectivity in the Campus 728
    Third-Party Vendor Firewall Policy Integration 735
    Highly Resilient Firewall Integrations 740
    Summary 743
    References 743

Chapter 23 Infrastructure as Code (IaC) 745
    Introduction 745
    Evolution of Automation in Network Device Deployment and Management 746
    Working with Structured Data 758
    Revision Control 761
    Building a Data Model 764
    Network Controllers vs. Direct to Device 765
    Deploying an IaC Architecture 766
    Securing IaC Provisioning 769
    Deploying a Resilient "as Code" Infrastructure 772
    "As Code" Today 773
    Transitioning to a Network "as Code" 774
    Pre-Validation in the Physical Replica or a Digital Twin 775
    Summary 776

9780138204600, TOC, 5/5/2025

Categories:
  • Computer networking & communications
  • Cloud computing
  • Networking packages
  • Professional & Vocational
List Price: £55.99