
CCIE Security and Practical Applications in Today’s Network: Zero Trust - FAQ


This event took place on Thursday, 29 October at 10:00 PDT.


Event video

Featured Authors

Mason Harris is a Solutions Architect for Cisco focusing on cloud architectures with Cisco’s largest customers. He has more than 24 years of experience in information technology and is one of the few experts who holds five CCIE certifications (#5916). Prior to joining Cisco, he was the Chief Architect at cloud security startup vArmour Networks. Outside of work, Mason can be found backpacking on long trails or at home with his family.
Vivek Santuka is a Technical Solutions Architect at Cisco and a security consultant to some of Cisco’s largest customers. He has over 15 years of experience in cyber security design, implementation, and troubleshooting. Vivek is a member of multiple technical advisory groups. He holds an RHCE, CISSP, and two CCIE certifications (#17621). Vivek is a distinguished speaker at Cisco Live.
Jamie Sanbower is a Principal Architect in Cisco’s Global Security Architecture Team. Jamie is a technical leader and member of numerous advisory and working groups. With over 15 years of technical experience in the networking and security industry, Jamie has developed, designed, implemented, and operated enterprise network and security solutions for a wide variety of large clients. Jamie is a Cisco Live Distinguished Speaker and a co-author of Cisco Press books. He holds two CCIE certifications (#13637).
Aaron Woland is a Principal Engineer in Cisco’s Advanced Threat Security & Integrations group and works with Cisco’s largest customers all over the world. His primary job responsibilities include security design, solution enhancements, standards development, advanced threat solution design, endpoint security, and futures. He has over 20 years of experience in the IT industry. Aaron has collaborated on several Cisco Press publications and he has published many papers and design guides. Aaron is a Hall of Fame Elite Member for distinguished speakers at Cisco Live. He holds several certifications: GHIC, GCFE, GSEC, Certified Ethical Hacker, MCSE, VCP, CCSP, CCNP, CCDP, and a CCIE (#20113) among others.

You can download the slides of the presentation in PDF format here.


Live Questions

Q: How is automation part of the Zero Trust framework?

A: Automation is a huge part of the ZT frameworks (there are many frameworks). All the frameworks call out automation as a requirement to ensure that ZT functions occur - it could be for automation of changing the trust levels or automation of the actions.

Q: What do you think is the biggest difference between work in cybersecurity and network security?

A: [Aaron Woland] Cyber is mostly focused on the Incident responder type of position, whereas the Security certs are focused more on the Ops / Admin type of role.
[Vivek Santuka] Network Security is part of the larger Cyber Security realm. Network Security focuses on access control and filtering, but it is difficult to stay purely Network Security focused nowadays.

Q: I got the old CCNA R&S; as we know, there is no CCNA Security anymore. Is it ok if I study for the CCNP Security, or do you recommend any other certification for an entry level like the new CCNA?

A: [Aaron Woland] I personally think CCNP Security would be the way to go if you are comfortable with CCNA R&S topics.

Q: I've been in IT for 26+ years. I got into the Cisco world with firewalls and I really like the world of Firewalls, ISE and Firepower. What certs are recommended? What path? I have never had a certification.

A: I would definitely look at the CCNP Security and then CCIE Security!

Q: Secure Connections are in demand, Security is the future/need. There's so much to learn!

A: Security in motion and Security at rest - These are the 2 pillars of security. And yes, there is always more to learn. All of us have to learn everyday.

Q: Cisco Tetration will be part of ISE or SDN such as DNAC?

A: Unfortunately, we can't talk about roadmaps in public forums. 

Q: For implementing security across an enterprise, do you think it's better to have a team with people that specialize with integrating a product (ie Firepower) or with general knowledge of the products?

A: That is a loaded question, I think it ultimately depends on the environment - but you definitely need to have more than one person who understands how each product works or you will end up in trouble. 

Q: Could you give your observation between Cisco and other vendors (Fortinet) regarding security?

A: This is a Cisco webex session, so naturally we are going to say Cisco is the way to go.

Q: Are the topics more general/theoretic or concrete Cisco implementations/technologies?

A: Those are more related to Cisco technologies. 

Q: Is cloud security handled in the virtualization section of your publications? How is this handled in the lab part of the CCIE exam?

A: Cloud Security is part of Part 3 of Volume 1. Unfortunately, we cannot comment on how the CCIE lab handles it due to NDA, but an informed analysis can tell you what to expect in the closed lab environment.

Q: The remote VPN will die soon and ZT will replace it. What do the authors think about it?

A: [Aaron Woland] I think there is a nice mixture in the balance with ZT, where traffic will not terminate on the onPrem HQ but that not all traffic can go directly to the Cloud. I'm a HUGE Zero Trust guy - have been forever, so I love this topic. So, I think that VPNs to a Cloud termination where traffic goes through a security stack and can make it to the corporate premise AND can go to the cloud is a right future architecture - or where things like a Duo Network Gateway (reverse-proxy technologies) are in play. There is so much here with technology like SASE that is in play, that we can talk about. I love this space and it's only growing.
[Vivek Santuka] Remote VPN won't die anytime soon. There will always be workloads in data centers that need to be accessed. So I see an intelligent combination of SASE/ZTNA/SDP with Remote Access VPN becoming more common.

Q: Can we expect any Video version for these editions?

A: No, we are not planning to do a video version. That will probably take 4 years to do.

Q: A new book to ISE and DevNet?

A: [Aaron Woland] I just finished the SISE CCNP exam book for ISE, and now I think I'm finished. No more for me. Maybe Vivek?
[Vivek Santuka (Cisco)] I think I am done with writing books. But I agree there needs to be more material around programmability.

Q: Last week, our team members discussed password age (passwordless login is being tested in many companies) and the trust value of a password. Who is writing the password is an important question. How can Zero Trust handle these questions?

A: Zero Trust can solve this by 1) Adding another factor on top of the passwords. We all know passwords are not enough. 2) By restricting access to the least required after the password and 2FA are validated.

Q: What type of security track is the best nowadays? Pure security, CyberOps, pen testing, etc.

A: That is a very subjective question. Meaning, it's very much up to you. The thing I love about security is that there is so much here that you can specialize in, and if you don't like what you are doing - you can change it. So, what interests you more?

Q: How do you all feel about how the field is moving toward more DevOps, more of a developer/programmer approach than over the last 20 years?

A: [Aaron Woland] Great question. There is a lot of what we like to call DevSecOps - where security needs to get closer to the application development in order to protect the data more effectively. The principles are not changing, but the location can and should shift some. It is also important to state it is in addition to, not as a replacement. "Defense in depth."
[Vivek Santuka] I would add that the field isn't moving but expanding to include DevSecOps. It isn't new either, but there is more focus on it.

Q: Do you see more of the shift being pushed to app developers to integrate on-access auth similar to TACACS+, so that app access is constantly verified?

A: [Aaron Woland] I wish!!!! We need that in the industry.
[Vivek Santuka] Secure App development requires that access is verified regularly. Ideally, every time new data is requested, you should validate access. I do think we will see this happening more. In addition to that, we will also see posture checks happen for app access.
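The two Zero Trust points raised in the answers above (a second factor on top of the password plus least-privilege scoping, and re-validating access on every data request including device posture) sketched as an added Python example. This is illustration code, not from the webinar or any Cisco product; the Session fields, the REQUIRED_POSTURE checks and the sample user are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

@dataclass
class Session:
    user: str
    password_verified: bool
    mfa_verified: bool                  # second factor, verified separately
    scopes: FrozenSet[str]              # least-privilege grants, e.g. {"reports:read"}
    device_posture: Dict[str, bool] = field(default_factory=dict)

# Constructed posture policy: every listed check must pass at request time.
REQUIRED_POSTURE = ("disk_encrypted", "edr_running")

def authorize(session: Session, resource: str, action: str) -> Tuple[bool, str]:
    """Evaluate ONE request. Called on every data access, never cached from login."""
    if not session.password_verified:
        return False, "password not verified"
    if not session.mfa_verified:
        return False, "second factor missing"       # password alone is not enough
    failed = [c for c in REQUIRED_POSTURE if not session.device_posture.get(c)]
    if failed:
        return False, "posture failed: " + ",".join(failed)
    needed = resource + ":" + action
    if needed not in session.scopes:
        return False, "scope " + needed + " not granted"   # least privilege
    return True, "allowed"

def demo() -> List[bool]:
    """Same session, three requests: the decision is recomputed each time."""
    s = Session("alice", True, True, frozenset({"reports:read"}),
                {"disk_encrypted": True, "edr_running": True})
    results = [authorize(s, "reports", "read")[0],    # allowed
               authorize(s, "reports", "write")[0]]   # denied: write never granted
    s.device_posture["edr_running"] = False            # posture drifts mid-session
    results.append(authorize(s, "reports", "read")[0]) # denied on the next request
    return results

if __name__ == "__main__":
    print(demo())
```

The third decision is the point of per-request checks: the login was never revoked, yet the read that succeeded a moment earlier is refused once the device no longer meets posture.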

Q: How do you handle learning the never-ending technology changes without driving yourself crazy? Creating a healthy work/life balance is a challenge for me.

A: [Mason Harris] Personally I enjoy learning the evolution of technology so I guess it's a personal preference. I would not be happy doing the same thing everyday year after year.
[Vivek Santuka] Cisco is amazing at helping with Work/Life balance. It does depend on your employer and family a lot but I personally compartmentalize. Some days work takes priority and some days family. I look to balance it over a period of time instead of daily.
[Aaron Woland] I echo Mason's statement 10000%. I would be miserable in a field that allows me to get bored.

