
Life is generally a lot easier when you have all the facts.  Especially if those facts are actually accurate.  Nowhere does this ring more true than in the life of an IT professional.

Oftentimes a day in an IT shop is a lot like that grade school game of telephone where information gets passed down the line but gets distorted (or is just plain wrong) because no single player has the complete context.  This scenario gets played out every day in the IT infrastructure where siloed operations, monitoring and policy platforms only work from the information they possess.  But that information is generally just a snapshot viewed through the bias of that system’s siloed purview.  As a result, mistakes get made, security is substandard or perhaps even dysfunctional, and everything from configuration to event management and investigation takes far longer than it should.  Net-net – time is wasted, costs increase, and many things still don’t work that well.

While getting IT platforms all singing from the same songbook seems like it should be easy in these days of social networking, it remains amazingly elusive.  If the network makes it possible for me to see more kid photos from my friends than I see of my own kids, why can’t IT platforms also access the right sets of information they need from their social circle (other IT platforms) to undertake their jobs in a coordinated and effective way?  Because our IT platforms are still playing telephone when they should be on a secure many-to-many social network.

Cisco announced today that it is taking some steps, with collaboration from major security industry partners, to get IT platforms on their way to sharing important contextual information to make IT operations more effective and efficient.  The first step—available now—is utilizing the Cisco Identity Services Engine (ISE) as a unified source of identity and device context, as well as a unified network access policy point, that IT platforms can leverage.  The goal here is twofold: 1) make the IT infrastructure identity and device aware so it can serve a wider set of use-cases; 2) extend a method for translating various IT platform smarts into actionable network access policy.  Both of these involve Cisco ISE.

So looking at the first goal, there is great operational value in at least getting the IT infrastructure aware of “who, what, where and how” so these platforms can operate from a common set of accurate, consistent and real-time data about the users and endpoint devices on the network.  Most IT platforms lack this identity and device awareness, leaving them disadvantaged in a number of ways, the most obvious of which today is the ability to construct (and enforce) sound mobility and BYOD policies.  Or if platforms do have this awareness, they got it from playing telephone with various parts of the IT infrastructure, resulting in discordant information passed to them piecemeal from a variety of sources.  Cisco ISE, however, has a unified, real-time repository of pretty much any identity or device contextual data an IT platform could want, such as: user, what the user is authorized to access on the network, endpoint device type/make/model/OS, endpoint device posture, network location, network access method… and so on.  This enables ISE to play the role of “oracle,” providing this reliable, accurate and real-time context to IT platforms.  The first place we’ve integrated ISE context is with SIEM and threat defense partners—HP, IBM, Lancope, LogRhythm, Splunk, Symantec, and Tibco LogLogic.  This integration provides these SIEM/Threat-Defense platforms device and identity awareness to utilize in their security analytics, event investigation and even to take mitigation actions on the Cisco network.  One obvious way this can make an IT pro’s life easier: leverage ISE device-type context in security analytics to get better visibility into the wild west of BYOD in their network.  There are numerous possibilities here, which I’ll go into more in-depth on in a future blog post.

Looking at the second goal of extending network reach to IT platforms, ISE also provides a unified point of network access policy.  This gives partner IT platforms a single place to integrate with to take the contextual information they possess and make it part of network access policies and decisions.  ISE has done just this with Mobile Device Management (MDM) partners by leveraging the wealth of context information MDM has regarding mobile endpoint security posture and translating that into an actionable, network-wide access policy.  It results in smarter access decisions and extends the reach of IT platforms, such as MDM, into the Cisco network infrastructure.  This makes life easier.
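To make the two goals above concrete, here is an added illustration (not Cisco's code and not the ISE or pxGrid API): raw firewall events are enriched with the "who, what, where and how" attributes the post lists, unknown or non-compliant endpoints are surfaced for the analyst, and an MDM posture verdict is turned into a network access action. All records, field names and the policy rule are constructed assumptions.

```python
# Constructed session-context records keyed by endpoint IP. Field names follow
# the attribute categories in the post (user, authorization, device, posture,
# location, access method); they are assumptions, not ISE's schema.
SESSIONS = {
    "10.1.20.15": {"user": "jdoe", "auth_profile": "Employee", "device": "iPhone/iOS",
                   "posture": "Compliant", "location": "Bldg-A/Floor-3", "access": "Wireless"},
    "10.1.20.77": {"user": "asmith", "auth_profile": "Contractor", "device": "Android",
                   "posture": "NonCompliant", "location": "Bldg-B/Lobby", "access": "Wireless"},
}

# Constructed firewall events: what a SIEM holds before identity context is added.
EVENTS = [
    "2024-05-01T10:02:11Z src=10.1.20.15 dst=10.9.0.5 dport=443 action=allow",
    "2024-05-01T10:02:14Z src=10.1.20.77 dst=10.9.0.5 dport=445 action=allow",
    "2024-05-01T10:02:20Z src=10.1.30.9 dst=10.9.0.5 dport=22 action=allow",
]


def parse_event(line):
    """Split 'ts key=value key=value ...' into a dict."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    fields["ts"] = parts[0]
    return fields


def enrich(line, sessions=SESSIONS):
    """Attach user/device/posture context to a raw event; unknown sources are marked."""
    ev = parse_event(line)
    ctx = sessions.get(ev["src"])
    ev.update(ctx or {"user": "unknown", "device": "unknown", "posture": "unknown"})
    return ev


def mdm_access_decision(session, mdm_compliant):
    """Constructed policy: wireless endpoints that MDM reports non-compliant get quarantined."""
    if session["access"] == "Wireless" and not mdm_compliant:
        return "quarantine"
    return "permit"


def review(events=EVENTS, sessions=SESSIONS):
    """Return the enriched events a BYOD-aware analyst would look at first."""
    flagged = []
    for line in events:
        ev = enrich(line, sessions)
        if ev["posture"] != "Compliant" or ev["user"] == "unknown":
            flagged.append((ev["ts"], ev["src"], ev["user"], ev["device"], ev["posture"]))
    return flagged
```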

ISE integrations with both SIEM/Threat-Defense partners and MDM partners are leading examples of making IT platforms user and device aware, but they won’t be the last examples.  There’s no shortage of such opportunities throughout the IT infrastructure.  And Cisco has developed a secure, many-to-many context-sharing framework called Platform Exchange Grid (pxGrid) to accomplish just that.  Over time, we’ll work with the industry partners to make identity and device awareness more the norm across IT platforms.  And hopefully that will make life at least a little bit easier.



Authors

Scott Pope

Director, Product Management & Business Development

Security Technical Alliances Ecosystem