Skip to content

3.11 Zero Trust Security Architecture

Document Information

Item Details
Organization Abhavtech.com
Domain abhavtech.com
Version 2.0
Last Updated December 2025

1. Zero Trust Overview

1.1 Zero Trust Principles

┌─────────────────────────────────────────────────────────────────────┐
│                    Zero Trust Core Principles                        │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   1. NEVER TRUST, ALWAYS VERIFY                                    │
│      • Every access request is authenticated                       │
│      • Continuous validation throughout session                    │
│                                                                     │
│   2. ASSUME BREACH                                                  │
│      • Micro-segmentation limits blast radius                      │
│      • Continuous monitoring for anomalies                         │
│                                                                     │
│   3. VERIFY EXPLICITLY                                              │
│      • User identity (who)                                         │
│      • Device health (what)                                        │
│      • Location context (where)                                    │
│      • Application access (why)                                    │
│                                                                     │
│   4. LEAST PRIVILEGE ACCESS                                         │
│      • Minimum necessary permissions                               │
│      • Just-in-time access                                         │
│      • Just-enough-access                                          │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

1.2 CISA Zero Trust Maturity Model Mapping

Pillar CISA Requirement Abhavtech Implementation
Identity Phishing-resistant MFA Duo MFA with push/FIDO2
Device Device health validation ISE Posture + Secure Client
Network Micro-segmentation TrustSec SGT + SGACL
Application Continuous authorization ISE + pxGrid + CoA
Data Data classification DLP integration via pxGrid

2. Abhavtech Zero Trust Architecture

2.1 Architecture Overview

┌─────────────────────────────────────────────────────────────────────┐
│                 Abhavtech.com Zero Trust Architecture               │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   User/Device                                                       │
│   ┌───────────┐                                                    │
│   │ Endpoint  │                                                    │
│   │ + Secure  │                                                    │
│   │   Client  │                                                    │
│   └─────┬─────┘                                                    │
│         │                                                           │
│         ▼                                                           │
│   ┌─────────────────────────────────────────────────────────┐      │
│   │              IDENTITY VERIFICATION                       │      │
│   │  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐   │      │
│   │  │  ISE    │  │  Duo    │  │  AD     │  │  SAML   │   │      │
│   │  │802.1X   │  │  MFA    │  │  Auth   │  │  IdP    │   │      │
│   │  └─────────┘  └─────────┘  └─────────┘  └─────────┘   │      │
│   └─────────────────────────────────────────────────────────┘      │
│         │                                                           │
│         ▼                                                           │
│   ┌─────────────────────────────────────────────────────────┐      │
│   │              DEVICE TRUST                                │      │
│   │  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐   │      │
│   │  │Posture  │  │Endpoint │  │MDM      │  │ Device  │   │      │
│   │  │Check    │  │Analytics│  │Status   │  │ Profile │   │      │
│   │  └─────────┘  └─────────┘  └─────────┘  └─────────┘   │      │
│   └─────────────────────────────────────────────────────────┘      │
│         │                                                           │
│         ▼                                                           │
│   ┌─────────────────────────────────────────────────────────┐      │
│   │              NETWORK SEGMENTATION                        │      │
│   │  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐   │      │
│   │  │TrustSec │  │Virtual  │  │Micro-   │  │Firewall │   │      │
│   │  │SGT/SGACL│  │Networks │  │Segment  │  │Policy   │   │      │
│   │  └─────────┘  └─────────┘  └─────────┘  └─────────┘   │      │
│   └─────────────────────────────────────────────────────────┘      │
│         │                                                           │
│         ▼                                                           │
│   ┌─────────────────────────────────────────────────────────┐      │
│   │              CONTINUOUS MONITORING                       │      │
│   │  ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐   │      │
│   │  │Catalyst │  │Cisco    │  │ SIEM    │  │Threat   │   │      │
│   │  │Assurance│  │XDR      │  │(Splunk) │  │Intel    │   │      │
│   │  └─────────┘  └─────────┘  └─────────┘  └─────────┘   │      │
│   └─────────────────────────────────────────────────────────┘      │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

3. Identity Pillar Implementation

3.1 Multi-Factor Authentication (Duo)

Duo_Integration:
  Primary_Authentication: Active Directory via ISE
  Secondary_Authentication: Duo MFA

  Methods_Enabled:
    - Duo Push (preferred)
    - FIDO2/WebAuthn (phishing-resistant)
    - Hardware Token (backup)

  Risk-Based_Policies:
    High_Risk:
      - New device + New location = Require FIDO2
      - Impossible travel = Deny + Alert SOC
    Medium_Risk:
      - New browser = Require Duo Push
      - After hours = Additional verification
    Low_Risk:
      - Known device + Known location = Push
      - Trusted network = Remembered device (30 days)

3.2 ISE + Duo Integration

! ISE Duo Proxy Configuration

Administration → Identity Management → External Identity Sources → Duo MFA

Duo Configuration:
  Integration Key: DI****************
  Secret Key: **********************
  API Hostname: api-********.duosecurity.com

Authentication Policy:
  Policy Set: ZERO-TRUST-POLICY
  Rule: Require-Duo-MFA
    Condition: Network Access:AuthenticationMethod EQUALS Dot1x
    Identity Source: AD-ABHAVTECH-PRIMARY
    Use: DUO-MFA-AUTH

3.3 Identity Governance

┌──────────────────────────────────────────────────────────────┐
│ User Lifecycle States → ISE Authorization                    │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│ AD Status          ISE Condition         Authorization      │
│ ─────────────────────────────────────────────────────────── │
│ Active + MFA       Full-Access           Employee-Full      │
│ Active - MFA       Pending-MFA           Limited-Access     │
│ Disabled           Account-Disabled      Deny-Access        │
│ Expired Password   Password-Expired      Password-Portal    │
│ Locked             Account-Locked        Quarantine         │
│                                                              │
└──────────────────────────────────────────────────────────────┘

4. Device Pillar Implementation

4.1 Device Trust Assessment

Device_Trust_Levels:

  Fully_Trusted:
    Requirements:
      - Corporate-owned (CMDB verified)
      - MDM enrolled (Intune/JAMF)
      - Posture compliant
      - Latest patches installed
      - Encryption enabled
    Access: Full corporate resources
    SGT: Employee-Trusted (SGT 10)

  Partially_Trusted:
    Requirements:
      - BYOD registered
      - Certificate enrolled
      - Basic posture passed
    Access: Limited corporate + SaaS
    SGT: Employee-BYOD (SGT 16)

  Unknown:
    Requirements:
      - No certificate
      - Not profiled
    Access: Guest/Remediation only
    SGT: Unknown (SGT 998)

4.2 Posture Policy (Zero Trust)

Work Centers → Posture → Policy Elements → Requirements

Zero Trust Posture Requirements:

Requirement: ZT-Endpoint-Protection
  OS: Windows All
  Conditions:
    ├── Anti-Malware Running (CrowdStrike/Defender)
    ├── Firewall Enabled
    └── Real-time Protection Active
  Remediation: Install Secure Endpoint

Requirement: ZT-Patch-Compliance
  OS: Windows All
  Conditions:
    ├── Critical Patches < 7 days old
    └── OS Version supported
  Remediation: Redirect to WSUS

Requirement: ZT-Disk-Encryption
  OS: Windows All
  Conditions:
    └── BitLocker Enabled on System Drive
  Remediation: Enable BitLocker instructions

Requirement: ZT-Secure-Client
  OS: All
  Conditions:
    └── Cisco Secure Client version >= 5.1.2
  Remediation: Download latest Secure Client

4.3 Continuous Posture Assessment

! Enable Continuous Endpoint Attribute Monitoring

Administration → System → Settings → Posture

Continuous Monitoring:
  ☑ Enable Periodic Reassessment
  Reassessment Interval: 4 hours

  ☑ Enable Real-time Posture Updates
  Event Triggers:
    ├── Security software disabled → Quarantine
    ├── Firewall disabled → Re-assess
    └── New vulnerability detected → Alert SOC

  Grace Period: 30 minutes
  Non-Compliant Action: CoA → Limited Access

5. Network Pillar Implementation

5.1 Micro-Segmentation with TrustSec

┌─────────────────────────────────────────────────────────────────────┐
│              Zero Trust Segmentation Matrix                          │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│ Source SGT →    │ IT-Admin │ Employee │ Contractor │ Guest │ IoT  │
│ Destination ↓   │   (14)   │   (10)   │    (15)    │  (40) │ (50) │
│ ────────────────┼──────────┼──────────┼────────────┼───────┼──────│
│ DC-Servers (5)  │  Permit  │ Limited  │   Deny     │ Deny  │ Deny │
│ Employee App(6) │  Permit  │  Permit  │  Limited   │ Deny  │ Deny │
│ Guest Internet  │  Permit  │  Permit  │   Permit   │Permit │ Deny │
│ IoT Services    │  Permit  │   Deny   │   Deny     │ Deny  │Permit│
│ Mgmt Network    │  Permit  │   Deny   │   Deny     │ Deny  │ Deny │
│                                                                     │
│ Legend: Permit = Full Access, Limited = Specific ports, Deny = Drop │
└─────────────────────────────────────────────────────────────────────┘

5.2 Zero Trust SGACL Policies

! Deny by Default SGACL
ip access-list role-based DENY-ALL
 deny ip
!

! Employee to DC Servers - Limited
ip access-list role-based EMPLOYEE-TO-DC
 permit tcp dst eq 443   ! HTTPS only
 permit tcp dst eq 8443  ! App portal
 deny ip log
!

! Contractor - Very Limited
ip access-list role-based CONTRACTOR-LIMITED
 permit tcp dst eq 443   ! HTTPS only
 permit udp dst eq 53    ! DNS
 deny ip log
!

! Apply Zero Trust Matrix
cts role-based permissions from 10 to 5 EMPLOYEE-TO-DC
cts role-based permissions from 15 to 5 DENY-ALL
cts role-based permissions from 40 to 5 DENY-ALL
cts role-based permissions default DENY-ALL

6. Application Pillar Implementation

6.1 Application-Aware Access

Application_Access_Control:

  Critical_Apps:
    - SAP ERP
    - Oracle Financials
    - HR Systems
    Requirements:
      - MFA required
      - Managed device only
      - Posture compliant
      - During business hours

  Standard_Apps:
    - Email (O365)
    - Collaboration (Teams/Webex)
    - SharePoint
    Requirements:
      - MFA required
      - Any registered device

  Public_Apps:
    - Guest WiFi
    - Public website
    Requirements:
      - CWA acceptance
      - Rate limited

6.2 Cisco Secure Access (ZTNA) Integration

┌─────────────────────────────────────────────────────────────────────┐
│            Cisco Secure Access + SD-Access Integration              │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   Remote User                 Secure Access Cloud                   │
│   ┌───────────┐              ┌─────────────────┐                   │
│   │ Secure    │──ZTNA────────│ Access Proxy    │                   │
│   │ Client    │  Tunnel      │ (SSE)          │                   │
│   └───────────┘              └────────┬────────┘                   │
│                                       │                             │
│                                       │ SGT preserved               │
│                                       ▼                             │
│   ┌───────────────────────────────────────────────────────────┐    │
│   │                    SD-Access Fabric                        │    │
│   │  ┌─────────┐     ┌─────────┐     ┌─────────┐             │    │
│   │  │ Border  │─────│ Control │─────│  Edge   │             │    │
│   │  │ Node    │     │ Plane   │     │  Node   │             │    │
│   │  └─────────┘     └─────────┘     └─────────┘             │    │
│   │       │                                                    │    │
│   │       ▼                                                    │    │
│   │  ┌─────────┐                                              │    │
│   │  │ Private │  ← SGT-based access to apps                  │    │
│   │  │ Apps    │                                              │    │
│   │  └─────────┘                                              │    │
│   └───────────────────────────────────────────────────────────┘    │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

7. Data Pillar Implementation

7.1 Data Classification Integration

Data_Protection_Integration:

  DLP_Vendor: Microsoft Purview
  Integration: pxGrid Cloud

  Classification_Levels:
    - Public
    - Internal
    - Confidential  
    - Highly Confidential

  Network_Response:
    Highly_Confidential:
      - Log all access
      - Require managed device
      - Block from guest network
      - Alert on anomaly

7.2 Encryption Requirements

Data State Encryption Implementation
At Rest AES-256 BitLocker, FileVault
In Transit (LAN) MACsec AES-256-GCM
In Transit (WAN) IPsec/DTLS SD-WAN encryption
In Transit (Wireless) WPA3 GCMP-256

8. Continuous Monitoring

8.1 Security Operations Integration

┌─────────────────────────────────────────────────────────────────────┐
│                    SOC Integration Architecture                      │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│   ┌─────────────┐    ┌─────────────┐    ┌─────────────┐           │
│   │ Catalyst    │    │   Cisco     │    │   Splunk    │           │
│   │ Center      │───►│   XDR       │───►│   SIEM      │           │
│   │ Assurance   │    │             │    │             │           │
│   └──────┬──────┘    └──────┬──────┘    └──────┬──────┘           │
│          │                  │                  │                   │
│          │    ┌─────────────┼─────────────┐   │                   │
│          └───►│        pxGrid             │◄──┘                   │
│               │    Context Sharing        │                        │
│               └─────────────┬─────────────┘                        │
│                             │                                       │
│                             ▼                                       │
│               ┌─────────────────────────────┐                      │
│               │   Automated Response        │                      │
│               │   • CoA (Change of Auth)    │                      │
│               │   • Quarantine endpoint     │                      │
│               │   • Block at firewall       │                      │
│               │   • Alert SOC team          │                      │
│               └─────────────────────────────┘                      │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

8.2 Threat Response Automation

! ISE Threat-Centric NAC Response

Administration → Threat Centric NAC → Policy

Threat Response Policies:

Policy: Critical-Threat-Detected
  Trigger: XDR threat score >= 90
  Action: 
    - Quarantine immediately
    - CoA to all sessions
    - Notify SOC (Webex + Email)
    - Create incident ticket

Policy: Suspicious-Behavior
  Trigger: AI Analytics anomaly detected
  Action:
    - Reduce access to limited
    - Enable enhanced logging
    - Alert user's manager

Policy: Posture-Violation
  Trigger: Endpoint protection disabled
  Action:
    - CoA to remediation VLAN
    - Display remediation portal
    - 30-minute grace period

9. Zero Trust Metrics & KPIs

9.1 Security Metrics Dashboard

Metric Target Current Status
MFA Adoption Rate >99% 98.5% 🟡
Device Compliance >95% 96.2% 🟢
Mean Time to Detect <5 min 3.2 min 🟢
Mean Time to Respond <15 min 12.8 min 🟢
Failed Auth Rate <2% 1.4% 🟢
Posture Compliance >90% 94.1% 🟢

9.2 Continuous Improvement

Zero_Trust_Maturity_Roadmap:

  Current_State: Advanced (Level 3)

  Next_Steps:
    Q1_2026:
      - Implement FIDO2 for all privileged users
      - Deploy AI-driven access decisions
      - Enable passwordless authentication

    Q2_2026:
      - Integrate DLP with network policy
      - Implement just-in-time access
      - Automate access certification

    Q3_2026:
      - Full continuous authorization
      - Behavior-based access decisions
      - Zero standing privileges

Document Version: 2.0 Abhavtech.com - SD-Access Implementation