Zero Trust in Resilient Cloud and Network Architectures
About the Book

Zero Trust in Resilient Cloud and Network Architectures, written by a team of senior Cisco engineers, offers a real-world, hands-on guide to deploying automated architectures with a focus on segmentation at any scale--from proof-of-concept to large, mission-critical infrastructures. Whether you’re new to software-defined and cloud-based architectures or looking to enhance an existing deployment, this book will help you:
  • Implement Zero Trust: Segment and secure access while mitigating IoT risks
  • Automate Network Operations: Simplify provisioning, authentication, and traffic management
  • Deploy at scale following best practices for resilient and secure enterprise-wide network rollouts
  • Integrate with Cloud Security, bridging on-prem and cloud environments seamlessly
  • Learn from Real-World Case Studies: Gain insights from the largest Cisco enterprise deployments globally

This edition covers Meraki, EVPN, Pub/Sub, and Terraform and Ansible-based deployments with a key focus on network resilience and survivability. It also explores quantum security and Industrial Zero Trust, along with Cisco’s latest evolutions in software-defined networking, providing exclusive insights into its enhancements, architecture improvements, and operational best practices. If you're a network, security, or automation specialist, this book is your essential guide to building the next-generation, zero-trust network.

Table of Contents:
    Introduction
    Chapter 1 Zero Trust Demystified
        Definition of Zero Trust
        How It All Began
        Why We Need Zero Trust
        Core Principles of Zero Trust
        Major Zero Trust Industry Standards
        People, Processes, and Technology
        On-Premises vs. Cloud
        Hybrid Environment Recommendations
        Security Certifications
        Summary
        References
    Chapter 2 Secure Automation and Orchestration Overview
        Introduction to Automation and Orchestration
        Building Blocks of Secure Automation
        Common Automation Practices and Tools
        AI and Machine Learning with Automation
        Summary
    Chapter 3 Zero Trust Network Deployment
        Elements of Zero Trust Strategy Definitions
        Tools and Technologies
        Identifying Business Workflows
        Applying Zero Trust Using SSE
        ZTNA Deployment Scenarios
        Summary
    Chapter 4 Security and Segmentation
        Overview
        Segmentation Options
        Methods of TrustSec Transport
        Control Plane TrustSec Transport
        Summary
    Chapter 5 DHCP and Dynamic Addressing Concepts
        Introduction to Dynamic Addressing
        Zero Trust Approach to Dynamic Addressing
        DHCP Options
        DHCP Authentication
        IPv6 Address Assignment
        IPv6 First Hop Security
        Summary
    Chapter 6 Automating the Campus
        Overview
        Planning
        Execution
        Summary
        References
    Chapter 7 Plug-and-Play and Zero-Touch Provisioning
        Overview
        Plug-and-Play Provisioning
        Zero-Touch Provisioning
        Template Usage in Catalyst Center
        Programmability-Based Deployment
        Customer Use Cases
        Summary
    Chapter 8 Routing and Traffic Engineering
        Overview
        Routing
        Traffic Engineering
        Summary
        References
    Chapter 9 Authentication and Authorization
        Overview
        A Broader View of Identity
        Authentication and Authentication Methods
        Authorization
        Customer Use Cases
        Summary
    Chapter 10 Quantum Security
        What Is Quantum Computing?
        Quantum Computing and Emerging Security Threats
        Approaches to Safeguard Against Quantum Adversaries
        Summary
    Chapter 11 Network Convergence and Considerations
        What Is Convergence?
        Convergence in Layer 3 Routed Architectures
        Methodologies of Convergence Testing
        Monitoring Security Convergence
        Summary
    Chapter 12 Software-Defined Network Deployment Best Practices
        Introduction
        Network Deployment Lifecycle
        Stage 1: Planning and Design
        Stage 2: Deployment and Migration
        Stage 3: Operations and Management
        Summary
        References
    Chapter 13 Wired and Wireless Assurance
        What Is the Best Practice for Your Enterprise Architecture?
        Wired Network Best Practice Design Concepts
        Tiered Network Design
        Stacking Constructs
        Layer 3 Architectures
        Optimizing Wireless Networks
        Anchoring Concepts (Catalyst/Meraki)
        Monitoring TrustSec and Security Enforcement
        Case Study: Financial Sector Customer
        Summary
    Chapter 14 Large-Scale Software-Defined Network Deployment
        Introduction
        Network Design
        Security
        Automation
        Implementation: Kyle and Jason Go to Fast Burger
        Summary
    Chapter 15 Cloud-Native Security Foundation
        Introduction to Cloud-Native Security: A Zero Trust Perspective
        Cloud Infrastructure Security: Pillars and Practices in the Modern Cloud
        Key Management in Cloud Environments
        Network Security Evolution and Segmentation
        Navigating Multicloud and Hybrid Cloud Security
        Monitoring and Logging Requirements for Compliance
        Summary
        References
    Chapter 16 Cloud-Native Application Security
        Introduction to Cloud-Native Application Security
        Role of Cloud-Native Application Protection Platform (CNAPP)
        Building Secure Applications with Cloud-Native Security
        Unique Security Considerations for Serverless Architectures
        Emerging Trends and Future Outlook in Cloud-Native Security
        Summary
        References
    Chapter 17 Data Center Segmentation On-Prem to the Cloud
        Introduction to Data Center Segmentation in Hybrid and Multicloud Environments
        Zero Trust and Microsegmentation Principles for Segmentation
        Segmentation Challenges in Hybrid and Multicloud Environments
        Ways to Implement End-to-End Segmentation Policies with Zero Trust
        Ways to Migrate Segmentation Policies: From On-Premises to Cloud
        Web3 and Immutable Trust in Hybrid Cloud Segmentation
        Summary
        References
    Chapter 18 Using Common Policy to Enforce Security
        Introduction to Security Policies
        Designing Common Security Policies
        Policy Enforcement Mechanisms
        Identity and Access Management (IAM) Policies
        Data Protection and Privacy Policies
        Network Security Policies
        From SDLC to SDL to SSDLC: A Journey Toward Secure Software Development
        OWASP SAMM: A Framework for Security Maturity
        Monitoring, Logging, and Auditing Policies
        Incident Response and Remediation Policies
        Policy Compliance and Verification
        Challenges in Policy Enforcement Across Hybrid Environments
        Future Directions in Policy-Based Security
        Summary
        References
    Chapter 19 Workload Mobility: On-Prem to Cloud
        Definition and Scope of Workload Mobility
        Is Your Cloud Ready for Your Workloads? Understanding the Benefits and Challenges
        Choosing a Cloud Model with Zero Trust as the Goal
        Analysis of TCO and ROI for Workload Migration
        Building Out a Secure Migration Plan
        Integrating AWS’s Well-Architected Framework: Case Study of ABC Corp
        Workload Migration Frameworks and Tools
        Data Security During Workload Migration
        Data Transfer vs. Cloud Migration: An Overview
        Cloud Migration Security
        Quality Engineering: The Heart of Cloud Migration
        Network and Connectivity Considerations
        Managing IP Addressing and DNS Changes
        Ensuring High Availability and Disaster Recovery Readiness
        Security Posture Adjustment Post-Migration
        Identity and Access Management in Hybrid Environments
        Summary
        References
    Chapter 20 Resilience and Survivability
        Resilience Metrics
        Types of Resilience
        Software Resilience
        Resilience in the Cloud
        Consequences of Authentication and Authorization Resilience
        Client and Server Agent Resilience
        Audit Trail Resilience
        Proactive Resilience Validation
        Network Infrastructure Resilience Consideration
        Summary
    Chapter 21 Zero Trust in Industrial Manufacturing Vertical
        Introduction to Industrial Networking
        Pillars of ZTNA for Industrial Plant Networks
        Secure Remote Access with ZTNA
        Extending ZTNA in a Noncarpeted Environment with Cisco SD-Access
        Summary
    Chapter 22 Third-Party SDN Integrations
        Introduction to Third-Party SDN Integrations
        End-to-End Policy Strategy in a Multivendor Environment
        Benefits of End-to-End Segmentation
        Challenges in Multivendor Environments
        Why VXLAN-EVPN?
        BGP EVPN Detailed Traffic Flow and Architecture
        Security Considerations in the Campus
        Firewall Connectivity in the Campus
        Third-Party Vendor Firewall Policy Integration
        Highly Resilient Firewall Integrations
        Summary
        References
    Chapter 23 Infrastructure as Code (IaC)
        Introduction
        Evolution of Automation in Network Device Deployment and Management
        Working with Structured Data
        Revision Control
        Building a Data Model
        Network Controllers vs. Direct to Device
        Deploying an IaC Architecture
        Securing IaC Provisioning
        Deploying a Resilient “as Code” Infrastructure
        “As Code” Today
        Transitioning to a Network “as Code”
        Pre-Validation in the Physical Replica or a Digital Twin
        Summary

About the Author:
Josh Halley, CCIE (No. 11924), is a Principal Architect in the office of the CTO, focused on next generation technologies and technical transformation for some of Cisco's largest global customers. A triple CCIE, he has more than 25 years of experience in security, cloud, data center, and networking, working with industries from finance to manufacturing.

Dhrumil Prajapati, CCDE (No. 20210002), CCIE (No. 28071 [EI/SP]), is a Principal Architect within Cisco CX’s GES Architectures team where his focus is multi-domain networks. His 14 years of experience has been in designing and building 200+ customer networks of various sizes in Healthcare, Financial, Manufacturing, Public Sector, Logistics, Transportation, and Enterprise and Service Provider industry verticals.

Ariel Leza has been an evangelist for Web3, decentralized infrastructure, and blockchain-based distributed systems since 2013, being a leading voice in this area. Until recently, she was acting as a Senior Cloud Architect in the CTO Office of CX EMEA at Cisco, and now is a startup founder and community contributor focusing on the confluence of cloud native open-source technologies and enterprise IT systems. Ariel is a pioneer in reconciling traditional cloud architectures and decentralized computing, with a special focus on radically approaching the future beyond such disparate paradigms, driving innovation and efficiency in the evolving digital landscape.

Vinay Saini, CCIE Ent Wireless (No. 38448), is a seasoned technologist, inventor, and mentor with more than two decades in networking. As a Principal Architect at Cisco, he has guided organizations across industries on security-driven digital transformation. Holding dual expert-level certifications--CWNE (No. 69), CCIE (No. 38448), as well as CCDE (No. 20240032)--Vinay is a key contributor to Cisco’s certification programs. With 100+ patents filed and a passion for innovation, he is a sought-after speaker at Cisco Live and a dedicated mentor helping professionals excel in both technical and leadership domains.


Product Details
  • ISBN-13: 9780138204600
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Cisco Press
  • Height: 233 mm
  • No of Pages: 864
  • Series Title: Networking Technology
  • Weight: 1434 gr
  • ISBN-10: 0138204608
  • Publisher Date: 22 Oct 2025
  • Binding: Paperback
  • Language: English
  • Returnable: Y
  • Spine Width: 50 mm
  • Width: 190 mm

