3.11 Zero Trust Security Architecture
| Item |
Details |
| Organization |
Abhavtech.com |
| Domain |
abhavtech.com |
| Version |
2.0 |
| Last Updated |
December 2025 |
1. Zero Trust Overview
1.1 Zero Trust Principles
┌─────────────────────────────────────────────────────────────────────┐
│ Zero Trust Core Principles │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ 1. NEVER TRUST, ALWAYS VERIFY │
│ • Every access request is authenticated │
│ • Continuous validation throughout session │
│ │
│ 2. ASSUME BREACH │
│ • Micro-segmentation limits blast radius │
│ • Continuous monitoring for anomalies │
│ │
│ 3. VERIFY EXPLICITLY │
│ • User identity (who) │
│ • Device health (what) │
│ • Location context (where) │
│ • Application access (why) │
│ │
│ 4. LEAST PRIVILEGE ACCESS │
│ • Minimum necessary permissions │
│ • Just-in-time access │
│ • Just-enough-access │
│ │
└─────────────────────────────────────────────────────────────────────┘
1.2 CISA Zero Trust Maturity Model Mapping
| Pillar |
CISA Requirement |
Abhavtech Implementation |
| Identity |
Phishing-resistant MFA |
Duo MFA with push/FIDO2 |
| Device |
Device health validation |
ISE Posture + Secure Client |
| Network |
Micro-segmentation |
TrustSec SGT + SGACL |
| Application |
Continuous authorization |
ISE + pxGrid + CoA |
| Data |
Data classification |
DLP integration via pxGrid |
2. Abhavtech Zero Trust Architecture
2.1 Architecture Overview
┌─────────────────────────────────────────────────────────────────────┐
│ Abhavtech.com Zero Trust Architecture │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ User/Device │
│ ┌───────────┐ │
│ │ Endpoint │ │
│ │ + Secure │ │
│ │ Client │ │
│ └─────┬─────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ IDENTITY VERIFICATION │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │ ISE │ │ Duo │ │ AD │ │ SAML │ │ │
│ │ │802.1X │ │ MFA │ │ Auth │ │ IdP │ │ │
│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ DEVICE TRUST │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │Posture │ │Endpoint │ │MDM │ │ Device │ │ │
│ │ │Check │ │Analytics│ │Status │ │ Profile │ │ │
│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ NETWORK SEGMENTATION │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │TrustSec │ │Virtual │ │Micro- │ │Firewall │ │ │
│ │ │SGT/SGACL│ │Networks │ │Segment │ │Policy │ │ │
│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ CONTINUOUS MONITORING │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │Catalyst │ │Cisco │ │ SIEM │ │Threat │ │ │
│ │ │Assurance│ │XDR │ │(Splunk) │ │Intel │ │ │
│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
3. Identity Pillar Implementation
3.1 Multi-Factor Authentication (Duo)
Duo_Integration:
Primary_Authentication: Active Directory via ISE
Secondary_Authentication: Duo MFA
Methods_Enabled:
- Duo Push (preferred)
- FIDO2/WebAuthn (phishing-resistant)
- Hardware Token (backup)
Risk-Based_Policies:
High_Risk:
- New device + New location = Require FIDO2
- Impossible travel = Deny + Alert SOC
Medium_Risk:
- New browser = Require Duo Push
- After hours = Additional verification
Low_Risk:
- Known device + Known location = Push
- Trusted network = Remembered device (30 days)
3.2 ISE + Duo Integration
! ISE Duo Proxy Configuration
Administration → Identity Management → External Identity Sources → Duo MFA
Duo Configuration:
Integration Key: DI****************
Secret Key: **********************
API Hostname: api-********.duosecurity.com
Authentication Policy:
Policy Set: ZERO-TRUST-POLICY
Rule: Require-Duo-MFA
Condition: Network Access:AuthenticationMethod EQUALS Dot1x
Identity Source: AD-ABHAVTECH-PRIMARY
Use: DUO-MFA-AUTH
3.3 Identity Governance
┌──────────────────────────────────────────────────────────────┐
│ User Lifecycle States → ISE Authorization │
├──────────────────────────────────────────────────────────────┤
│ │
│ AD Status ISE Condition Authorization │
│ ─────────────────────────────────────────────────────────── │
│ Active + MFA Full-Access Employee-Full │
│ Active - MFA Pending-MFA Limited-Access │
│ Disabled Account-Disabled Deny-Access │
│ Expired Password Password-Expired Password-Portal │
│ Locked Account-Locked Quarantine │
│ │
└──────────────────────────────────────────────────────────────┘
4. Device Pillar Implementation
4.1 Device Trust Assessment
Device_Trust_Levels:
Fully_Trusted:
Requirements:
- Corporate-owned (CMDB verified)
- MDM enrolled (Intune/JAMF)
- Posture compliant
- Latest patches installed
- Encryption enabled
Access: Full corporate resources
SGT: Employee-Trusted (SGT 10)
Partially_Trusted:
Requirements:
- BYOD registered
- Certificate enrolled
- Basic posture passed
Access: Limited corporate + SaaS
SGT: Employee-BYOD (SGT 16)
Unknown:
Requirements:
- No certificate
- Not profiled
Access: Guest/Remediation only
SGT: Unknown (SGT 998)
4.2 Posture Policy (Zero Trust)
Work Centers → Posture → Policy Elements → Requirements
Zero Trust Posture Requirements:
Requirement: ZT-Endpoint-Protection
OS: Windows All
Conditions:
├── Anti-Malware Running (CrowdStrike/Defender)
├── Firewall Enabled
└── Real-time Protection Active
Remediation: Install Secure Endpoint
Requirement: ZT-Patch-Compliance
OS: Windows All
Conditions:
├── Critical Patches < 7 days old
└── OS Version supported
Remediation: Redirect to WSUS
Requirement: ZT-Disk-Encryption
OS: Windows All
Conditions:
└── BitLocker Enabled on System Drive
Remediation: Enable BitLocker instructions
Requirement: ZT-Secure-Client
OS: All
Conditions:
└── Cisco Secure Client version >= 5.1.2
Remediation: Download latest Secure Client
4.3 Continuous Posture Assessment
! Enable Continuous Endpoint Attribute Monitoring
Administration → System → Settings → Posture
Continuous Monitoring:
☑ Enable Periodic Reassessment
Reassessment Interval: 4 hours
☑ Enable Real-time Posture Updates
Event Triggers:
├── Security software disabled → Quarantine
├── Firewall disabled → Re-assess
└── New vulnerability detected → Alert SOC
Grace Period: 30 minutes
Non-Compliant Action: CoA → Limited Access
5. Network Pillar Implementation
5.1 Micro-Segmentation with TrustSec
┌─────────────────────────────────────────────────────────────────────┐
│ Zero Trust Segmentation Matrix │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Source SGT → │ IT-Admin │ Employee │ Contractor │ Guest │ IoT │
│ Destination ↓ │ (14) │ (10) │ (15) │ (40) │ (50) │
│ ────────────────┼──────────┼──────────┼────────────┼───────┼──────│
│ DC-Servers (5) │ Permit │ Limited │ Deny │ Deny │ Deny │
│ Employee App(6) │ Permit │ Permit │ Limited │ Deny │ Deny │
│ Guest Internet │ Permit │ Permit │ Permit │Permit │ Deny │
│ IoT Services │ Permit │ Deny │ Deny │ Deny │Permit│
│ Mgmt Network │ Permit │ Deny │ Deny │ Deny │ Deny │
│ │
│ Legend: Permit = Full Access, Limited = Specific ports, Deny = Drop │
└─────────────────────────────────────────────────────────────────────┘
5.2 Zero Trust SGACL Policies
! Deny by Default SGACL
ip access-list role-based DENY-ALL
deny ip
!
! Employee to DC Servers - Limited
ip access-list role-based EMPLOYEE-TO-DC
permit tcp dst eq 443 ! HTTPS only
permit tcp dst eq 8443 ! App portal
deny ip log
!
! Contractor - Very Limited
ip access-list role-based CONTRACTOR-LIMITED
permit tcp dst eq 443 ! HTTPS only
permit udp dst eq 53 ! DNS
deny ip log
!
! Apply Zero Trust Matrix
cts role-based permissions from 10 to 5 EMPLOYEE-TO-DC
cts role-based permissions from 15 to 5 DENY-ALL
cts role-based permissions from 40 to 5 DENY-ALL
cts role-based permissions default DENY-ALL
6. Application Pillar Implementation
6.1 Application-Aware Access
Application_Access_Control:
Critical_Apps:
- SAP ERP
- Oracle Financials
- HR Systems
Requirements:
- MFA required
- Managed device only
- Posture compliant
- During business hours
Standard_Apps:
- Email (O365)
- Collaboration (Teams/Webex)
- SharePoint
Requirements:
- MFA required
- Any registered device
Public_Apps:
- Guest WiFi
- Public website
Requirements:
- CWA acceptance
- Rate limited
6.2 Cisco Secure Access (ZTNA) Integration
┌─────────────────────────────────────────────────────────────────────┐
│ Cisco Secure Access + SD-Access Integration │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Remote User Secure Access Cloud │
│ ┌───────────┐ ┌─────────────────┐ │
│ │ Secure │──ZTNA────────│ Access Proxy │ │
│ │ Client │ Tunnel │ (SSE) │ │
│ └───────────┘ └────────┬────────┘ │
│ │ │
│ │ SGT preserved │
│ ▼ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ SD-Access Fabric │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │ Border │─────│ Control │─────│ Edge │ │ │
│ │ │ Node │ │ Plane │ │ Node │ │ │
│ │ └─────────┘ └─────────┘ └─────────┘ │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌─────────┐ │ │
│ │ │ Private │ ← SGT-based access to apps │ │
│ │ │ Apps │ │ │
│ │ └─────────┘ │ │
│ └───────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
7. Data Pillar Implementation
7.1 Data Classification Integration
Data_Protection_Integration:
DLP_Vendor: Microsoft Purview
Integration: pxGrid Cloud
Classification_Levels:
- Public
- Internal
- Confidential
- Highly Confidential
Network_Response:
Highly_Confidential:
- Log all access
- Require managed device
- Block from guest network
- Alert on anomaly
7.2 Encryption Requirements
| Data State |
Encryption |
Implementation |
| At Rest |
AES-256 |
BitLocker, FileVault |
| In Transit (LAN) |
MACsec |
AES-256-GCM |
| In Transit (WAN) |
IPsec/DTLS |
SD-WAN encryption |
| In Transit (Wireless) |
WPA3 |
GCMP-256 |
8. Continuous Monitoring
8.1 Security Operations Integration
┌─────────────────────────────────────────────────────────────────────┐
│ SOC Integration Architecture │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Catalyst │ │ Cisco │ │ Splunk │ │
│ │ Center │───►│ XDR │───►│ SIEM │ │
│ │ Assurance │ │ │ │ │ │
│ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │
│ │ │ │ │
│ │ ┌─────────────┼─────────────┐ │ │
│ └───►│ pxGrid │◄──┘ │
│ │ Context Sharing │ │
│ └─────────────┬─────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────┐ │
│ │ Automated Response │ │
│ │ • CoA (Change of Auth) │ │
│ │ • Quarantine endpoint │ │
│ │ • Block at firewall │ │
│ │ • Alert SOC team │ │
│ └─────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
8.2 Threat Response Automation
! ISE Threat-Centric NAC Response
Administration → Threat Centric NAC → Policy
Threat Response Policies:
Policy: Critical-Threat-Detected
Trigger: XDR threat score >= 90
Action:
- Quarantine immediately
- CoA to all sessions
- Notify SOC (Webex + Email)
- Create incident ticket
Policy: Suspicious-Behavior
Trigger: AI Analytics anomaly detected
Action:
- Reduce access to limited
- Enable enhanced logging
- Alert user's manager
Policy: Posture-Violation
Trigger: Endpoint protection disabled
Action:
- CoA to remediation VLAN
- Display remediation portal
- 30-minute grace period
9. Zero Trust Metrics & KPIs
9.1 Security Metrics Dashboard
| Metric |
Target |
Current |
Status |
| MFA Adoption Rate |
>99% |
98.5% |
🟡 |
| Device Compliance |
>95% |
96.2% |
🟢 |
| Mean Time to Detect |
<5 min |
3.2 min |
🟢 |
| Mean Time to Respond |
<15 min |
12.8 min |
🟢 |
| Failed Auth Rate |
<2% |
1.4% |
🟢 |
| Posture Compliance |
>90% |
94.1% |
🟢 |
9.2 Continuous Improvement
Zero_Trust_Maturity_Roadmap:
Current_State: Advanced (Level 3)
Next_Steps:
Q1_2026:
- Implement FIDO2 for all privileged users
- Deploy AI-driven access decisions
- Enable passwordless authentication
Q2_2026:
- Integrate DLP with network policy
- Implement just-in-time access
- Automate access certification
Q3_2026:
- Full continuous authorization
- Behavior-based access decisions
- Zero standing privileges
Document Version: 2.0
Abhavtech.com - SD-Access Implementation