Cisco IT is deploying Identity Services Engine (ISE) globally. ISE is a security policy management and control platform that automates and simplifies access control and security compliance for wired, wireless, and VPN connectivity. We’re running ISE 1.2 Patch 3 globally and evaluating Patch 5 for its guest networking enhancements. Over the next few months, I’d like to share some of our best practices and lessons learned as we continue our ISE deployment. Much of the background and deployment work before my blog can be found in this published article. Read More »
One of my passions is around PCI compliance. I know that sounds oxymoronic. How can someone actually be passionate about something as dry as compliance? Well, for the sake of argument, I prefer delusional rationalization. I think of myself as Batman! I don’t have his intelligence, money, car, or cape (well, I do have the cape, but that is another story), but I DO want to fight injustice where I can. I do think that there are bad guys out there trying to steal my family’s hard earned money. PCI compliance is the leading method for securing the world’s payment systems. The bad guys are real, security is getting harder, and I want to fight on the side of good.
The problem with fighting crime with compliance is that it can be so complex. The general strategy to minimize the complexity of PCI compliance is to use segmentation. Segmentation typically involves putting credit card applications and devices onto its own network, and use traditional firewalls to secure the perimeter. Although effective, this method brings about its own headaches around management. Firewall rulesets can become tedious and complex. Readdressing an entire enterprise with the sole driver of compliance is Herculean. Over time, if not properly managed and sustained, this method, can lead to bloat, misconfiguration, or worse, a breach.
No need to guess now!
Cisco commissioned Forrester Consulting to examine the business value and potential return on investment (ROI) enterprises may realize by implementing Cisco Identity Services Engine (ISE)—a leading secure access solution. This is available in the recently published Forrester TEI (Total Economic Impact) Research. Four customers were interviewed for this study and covered use cases for policy-governed, unified access across the following use case scenarios: guest services; BYOD; full access across wired, wireless, and VPN; and policy networking. The calculation was based on a composite organization of 10,000 employees that reflected the four interviewed customers from higher education, utilities, and financial services markets.
Benefits were 75 percent reduction in support calls related to network issues and improved compliance reducing data exposure, breaches, and potential regulatory/remediation costs that could add up to hundreds of thousands or even millions of dollars. Most recently, the Ponemon Institute Live Threat Intelligence Impact Report 2013 indicated that US$10 million is the average amount spent in the past 12 months to resolve the impact of exploits. The benefit of secure access cannot be taken lightly.
Are you a security professional or IT professional just resolving the security issues with BYOD (bring-your-own-device)? Watch out, BYOD was a precursor or warm up exercise to the tsunami just hitting your shores now.
The SANS Institute just completed a survey on the security viewpoints on IoT, predominantly with security and IT professionals.
78% of respondents were unsure of the capabilities for basic visibility and management of Things they will need to secure or lack the capability to secure them.
It seems that, like BYOD, IoT is driven with minimal IT consultation. And it happens with security as an afterthought, with 46% who do not have a policy to drive the visibility and management of IoT devices.
The top security controls used today for securing IoT were 68% authentication/authorization, 65% system monitoring, and 49% segmentation. That translates into Cisco Secure Access solutions that offer superior visibility, robust intelligent platform of critical context, and highly effective unified secure access control. More importantly, this will also help the 74% that rely on manual processes for discovery and inventory of connected device (from previous SANS research).
Over half (67%) are using SIEM (security information and event management) to monitor and collect data to secure IoT. Cisco ISE (Identity Services Engine) integrates with SIEM to bring together a network-wide view of security events supplemented with relevant identity and device context. This provides security analysts the context they need to quickly assess the significance of security events. More details on the ISE and SIEM integration may be found in this new white paper: Cisco ISE Plus SIEM and Threat Defense: Strengthen Security with Context
The research rightfully points out that, of the many categories of Things, the newest category of single-purpose devices typically connected by wireless (and more likely embedded) software will be the most problematic for security. Due to this difficulty, the SANS community (61%) would like the Thing manufacturers to take more responsibility for providing security. While this is a reasonable request, the question is whether they have the expertise to do this when their focus is on the exciting new IoT market opportunities. Weigh in and tell us your outlook on securing this next wave of Things connecting to your network!
The paper on the SANS survey results is in the SANS reading room.
Are you back from holiday break all refreshed and ready to embrace 2014 with confidence?
Many organizations will see new devices on their networks given the recent massive holiday gift giving. In particular, educational organizations will be morst likely to be impacted. It seems there was no new hot toy (must-have gift) noted this year because kids want electronics. A recent survey indicated that 88% of kids ages 12 to 17 said that they most wanted a gadget as a holiday gift, with the majority (69%) requesting some kind of Apple device.
Students are returning to school with their shiny new electronic mobile devices and no hesitation to access the resources at school. Educational institutions continue to strive to enable users, while minimizing potential risk, and security continues to be the top concern.
The challenge of secure mobility will persist as the device storm continues. 2014 opens with the Consumer Electronics Show in Las Vegas, January 7-10. The last couple years the show highlighted latest smart phones and tablets. It seems this year a heavy focus on the Internet of Things—with sensor-based devices that feed information to a computer over the Internet, further emphasizing the Any to Any problem, which changes the security paradigm. Any user on any device increasingly going over any type of connection, to any application, that could be running in any data center and on any cloud. Regardless of how or where our users are connecting, we have to provide the right levels of inspection and protection against malicious intruders who may steal sensitive data or disrupt business. Let’s start to think and be prepared for what organizations may see coming on their networks and what the security implications may be for next year.