The rapid expansion of connected devices is a double-edged sword for businesses. On one hand, mobility, cloud, and BYOD innovations enable unprecedented flexibility, collaboration, and ease of access for employees. Fifty percent of employers will adopt BYOD policies by 2017, and 90 percent of American workers are already using their own smartphones for work. But this flexibility comes with a cost: as endpoints multiply, controlling network access becomes increasingly difficult. The vast majority – 90 percent – of organizations lack full awareness of all of the devices accessing their network. At the same time, insiders perpetrate 34 percent of all cybercrimes highlighting the key role of identity access management in maintaining a strong cybersecurity posture.
As the Cisco 2015 Annual Security Report shows, current security approaches aren’t sufficient. Attackers are shifting methods and becoming more sophisticated in their approaches, users are unwittingly complicit enablers, and defenders struggle to keep up with all of these things. It is time for defenders to take a different approach to security that not only outwits attackers but also makes security a competitive advantage that enables business growth.
By taking a threat-centric and operational approach to security, organizations can reduce complexity and fragmentation, while providing superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum.
Using Cisco technology, this approach is enabled by broad visibility for superior intelligence across the extended network, where all the solutions a customer deploys communicate with each other. Organizations using siloed solutions will have holes in their security. Siloed solutions do not provide full protection since they do not communicate with one another, thus leaving security gaps and the inability to create actionable intelligence.
Cisco can provide a holistic solution to this problem by reducing the attack surface and extending protection across the network – before, during and after attacks.
Cisco Identity Services Engine (ISE) is commonly associated with use as a network access policy, BYOD and AAA platform. But to do its job in network policy, ISE collects a great breadth of telemetry about network users and devices. Whether a device is trying to access the network or is already connected, ISE knows specifics about:
- What the device type is (e.g., iPad Air 2 running iOS 8.1.2)
- How it is connected to the network (e.g., enterprise Wi-Fi)
- From where (e.g., access point in “California/SanDiego/Building 2/Floor 3/South”)
- Security and compliance posture of the device (e.g., Antimalware operating and up to date? PIN lock configured?)
- Who the user is on the device…or if it even has a user (e.g., printer)
- What policy and AD/LDAP group the user belongs to (e.g., “IT Admin” authorization group)
- Related session IP address and MAC address
While ISE primarily uses all this telemetry to establish network policies, it also shares it for use by other IT platforms. By doing so, ISE helps these platforms become more identity and device aware and thus more effective in a variety of ways. And this is where Splunk comes in.
Seven billion. That’s the number of mobile-connected devices that will be trying to get on networks this year. Now you’re probably not going to be hosting all 7 billion of them, so let’s try this number – 4. As in, “the average number of devices that enterprise users have” is roughly 4 devices*. Go ahead – do the math with your own employees. For Cisco, that’s around 250,000+ devices or so attempting to connect to our network. As a company, you may have more, you may have less…but the one thing you definitely have are employees who are eager to access your network with more of their own personal devices than ever before.
Great for employees, right? Absolutely. However, this, generally, gives enterprises two major dilemmas:
1) They lack any visibility into or context around who and what is getting on the network – Is it a smartphone? Is it a smartphone with the latest OS? Is it a smartphone supported by the enterprise?
2) They’ve lost the stringent control they used to have over what’s getting onto the networks. Sure – rules are defined for users, but maybe they’re not really being enforced. Or maybe “shadow IT” is just going around the rules to get someone’s new cracked Android tablet online.
This, generally, also gives network administrators heartburn…and for good reason. They’re stuck walking that fine line between security and productivity. How can they secure the enterprise and network access without making life miserable for their users…and themselves?
In our experiences here at Cisco, we’ve discovered that tackling these challenges requires a few things:
1) Find a way to accurately identify who and what is getting on the network
2) Centrally manage user access policy and use the identity to assign everyone the right network access
3) Make it easy for users to actually get onto the network – however they connect
4) Keep an eye on the network for threats and then quickly neutralize those threats.
If you can find a way to do each one of those things, you’ve taken a big first step in addressing these dilemmas.
Dynamic Control with Context
At Cisco, we’re helping organizations tackle these challenges every day with the Cisco Identity Services Engine (or “ISE”). Cisco ISE is an access policy platform that unifies and automates secure access control to network resources.
1) Accurate Identification – Cisco ISE grabs contextual data from a wide variety of sources (e.g., Active Directories, sensors, NetFlow) across the network to offer clear visibility into every connected device. It also offers advanced profiling technology as well as a curated profiling update service to ensure that all these connected devices are accurately identified and classified.
2) Centralized Access Policy – Cisco ISE gives enterprises the power to centrally define and manage the right types of access for users and devices. ISE can take written, granular business policy and make it real secure access policy, enforced across the network.
3) Easy Onboarding – New simplified onboarding experiences provide intuitive user access on branded portals, without sacrificing security, for a wide variety of enterprise deployments – from guest hotspot to “BYOD” projects.
4) Rapid Mitigation and Remediation – Cisco ISE can take all that collected contextual data and share it with integrated partner solutions. By delivering a deeper level of context, ISE makes it easier and faster to identify, mitigate, and take action to remediate non-compliant mobile devices, compromised endpoints, or other network threats.
Cisco ISE provides enterprises with greater visibility into who and what is on the network. This leads to more accurate identification, which, in turn, allows enterprises to assign the right access control to an end-user and device…easily and securely.
So, when that day comes where some of those 7 billion devices end up on YOUR network, you know you’ll be ready to tackle those challenges with Cisco ISE.
*Citrix, “Workplace of the Future: a global market research report”, September 2012 http://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/workplace-of-the-future-a-global-market-research-report.pdf
The industry is going beyond BYOD—it’s not just about simply connecting the device anymore: the mobile landscape has grown to include apps, devices and content, all of which require security and management. This is no easy task. Enterprise mobility management (EMM) is no longer a nice-to-have for our customers—it is a necessity. You need a mobile strategy.
We at Cisco have been steadily building out our mobility portfolio across infrastructure, policy and management over the past few years to provide our customers with what they need to get ahead of the mobile trend.
It has always been Cisco’s strategy to use open API’s with ISE to integrate with host of 3rd party EMM vendors, including Citrix, MobileIron, Airwatch and many more. We are now extending that flexibility to create a cloud-managed EMM offering with our Cisco Meraki solution. The latest addition to the Cisco mobility portfolio, the Cisco Meraki Systems Manager Enterprise is an evolution of Cisco Meraki’s existing MDM cloud offer, and a natural extension of the Cisco Meraki network management solution (e.g. extending management of wireless access points to the management of devices connecting to the enterprise domain).
Cisco is committed to customer choice, and will continue to offer different options to the market, including ecosystem EMM partner solutions. The addition of the Cisco Meraki Systems Manager broadens that portfolio to strengthen our offering and empower our customers attain the mobility solution best suited for their specific requirements.
For more information on the Cisco Meraki Systems Manager, read the full announcement blog here.
Tags: 3rd party, access point, AirWatch, API, App, application, byod, citrix, connect, content, customer, device, emm, Enterprise, Identity Services Engine, infrastructure, ISE, Manage, management, market, MDM, meraki, mobile, mobile device, MobileIron, mobility, network, partner, policy, portfolio, secure, security, solution, system, systems manager, trend, vendor, wi-fi, wifi, wireless