Cisco recently published its Annual Security Report (ASR) for 2015, and it contains quite a bit of interesting information on what happened in 2014 as well as on trends for 2015. We saw the rise in the number of highly publicized attacks in 2014, and C-level executives are under a lot of pressure to improve the security of their networks and protect sensitive client data. While attackers have always targeted IT users, the trend for 2015 is a shift toward exploiting user behavior as the primary way to breach the network. This last point is important because once a user has been compromised or their credentials have been lifted, the attacker has access to anything important that user is connected to. The Cisco 2015 ASR shows that only 43% of organizations leverage identity administration and provisioning to properly secure their networks and data. This means that over half of organizations don’t know who is accessing their networks, where they’re going or coming from, or what they’re using, and whether any of it is even authorized under business policy. As we all know, once someone unauthorized gets inside it can be challenging to track down the incursion and negate the threat.
Chances are you might be reading this blogpost on a device other than a laptop or desktop computer. I’d also wager that the device you’re using to read this post handles double-duty – that is, you use it for both work (e.g., checking email, reviewing confidential documents) and play (e.g., Vine, Flappy Bird, social media).
You’re not alone. Everywhere you turn, you’ll see someone using a smartphone or tablet to be productive – both on corporate and non-corporate networks, for example, a coffee shop’s guest network. For enterprise IT, this means that the scope of managing an “enterprise network” has really expanded beyond controlling user access to a company intranet to controlling user access to company data across the “extended network” – wherever and however employees choose to do that.
The increased risk due to a larger “attack surface” fundamentally changes how you approach access control and security. Traditional Network Access Control (NAC) was a technology that, while complex and complicated to deploy, worked well enough when enterprise IT controlled the intranet and the procurement of allowed devices.
However, as Enterprise Mobility, a.k.a. Bring Your Own Device (BYOD), accelerated to become the new corporate norm, traditional NAC wasn’t as effective anymore: the technology was overly complex to scale, and it depended on multiple 802.1X supplicants that generally targeted more “traditional” endpoints like Windows PCs. As a result, enterprises turned to mobile device management (MDM) platforms as a new way to secure just those mobile devices. These MDM solutions were definitely easier and less expensive to deploy and manage than NAC and offered a tangible security ROI.
Even today, many organizations continue to use MDM (and its successor, enterprise mobility management or “EMM”) as something of a security silo to secure and manage these devices. However, this strategy has a couple of caveats:
- MDM/EMM can enforce device policies (e.g., PIN lock, encryption, whitelisted applications) but offers zero enforcement capabilities for actual network access policies – e.g., restricting corporate network access to financial databases or sales document repositories. The device may be secured, but network access is potentially wide open.
- Obtaining 100% full compliance with installing/configuring the MDM/EMM agent on endpoints is nigh impossible, since the MDM/EMM solution works in isolation from other security solutions. Thus, compliance relies heavily on end-user cooperation and participation, which makes it highly likely that non-compliant devices could gain access to the network. From there, who knows what might happen, if the device is compromised.
The net-net here is that enterprises that leveraged solely MDM/EMM to protect their devices and networks are potentially achieving only part of their security objectives.
Fortunately, network access control platforms have seen a renaissance in the past few years and have evolved substantially. In my last post, I highlighted a recent white paper that discussed how NAC is evolving away from simple access or admission control and transforming into a more sophisticated set of controls for endpoint visibility, access, and security – technology dubbed “EVAS” by some. Unlike its overly complex and complicated ancestor, the newest generation of NAC solutions (or EVAS) uses advanced contextual data gleaned from a number of different sources – including EMM/MDM – in order to enforce granular, dynamic network access policies. In essence, these solutions leverage the network as a sensor in order to make proactive access control decisions (e.g., applying a different access policy depending on the device being used or the compliance state of the device, or enforcing access to prevent unauthorized lateral movement across a network) throughout the extended network – regardless of how authorized users or devices connect.
This evolution has transformed NAC from a limited security hindrance into a powerful business enabler for enterprises, with more advanced solutions going beyond simple access policy and integrating with other network and security solutions to share data and improve the efficacy of all solutions. For example, here at Cisco, when I attempt to access the network with my iPad, the Cisco Identity Services Engine (“ISE”) (our NAC/EVAS solution) sees my device’s attempt to connect. It checks the profile and posture of the tablet to ensure that it is compliant with our mobile device wireless access policy (i.e., with MDM/EMM software installed). If not, Cisco ISE, which is integrated with an EMM/MDM software solution, redirects me to install that software first in order to become compliant before I gain whatever access my particular level of authorization allows on the network. With this integration between the two solutions, my tablet is now secured with the MDM/EMM software, and my level of access to network resources is seamlessly controlled, down to the letter, courtesy of the NAC/EVAS solution. Caveats solved.
Ultimately, this is just the beginning. Enterprises have realized that the “new NAC” can serve as a viable centerpiece for not only securing access but also for integrating with existing and previously silo’ed security and productivity solutions – like EMM/MDM – that may already be deployed in the enterprise network.
At the end of the day, NAC sure isn’t what it used to be…but that’s, actually, a very good thing.
For an additional perspective on NAC, market trends, and solutions, I invite you to look at the newly-released 2014 Gartner Magic Quadrant for Network Access Control (NAC).
New White Paper from Enterprise Strategy Group on the Evolution of and Need for Secure Network Access
Mention Network Access Control (NAC) to some security or network operations engineers, and they just might grimace. Why? Most people still associate NAC with a set of technologies that were complicated to deploy and implement effectively.
Today, however, those nightmare assumptions are far removed from the reality. In this newly released white paper, Jon Oltsik, Senior Principal Analyst for the Enterprise Strategy Group, discusses how NAC is transforming into something more—a technology he calls Endpoint Visibility, Access, and Security or EVAS. Mr. Oltsik discusses how the NAC market has changed to reduce complexity in both deployment and usage. Through this advancement, this evolved technology has become an increasingly more critical component in securing enterprise networks. In addition, Mr. Oltsik discusses how Cisco and the Cisco Identity Services Engine (ISE) are in the best position to meet IT security challenges in terms of what EVAS should be and how it helps.
Download the white paper on Cisco.com:
Are you a security professional or IT professional just resolving the security issues with BYOD (bring-your-own-device)? Watch out, BYOD was a precursor or warm up exercise to the tsunami just hitting your shores now.
The SANS Institute just completed a survey on the security viewpoints on IoT, predominantly with security and IT professionals.
78% of respondents were either unsure whether they have the basic visibility and management capabilities for the Things they will need to secure, or lack the capability to secure them.
It seems that, like BYOD, IoT is driven with minimal IT consultation. And it happens with security as an afterthought, with 46% who do not have a policy to drive the visibility and management of IoT devices.
The top security controls used today for securing IoT were authentication/authorization (68%), system monitoring (65%), and segmentation (49%). That maps directly onto Cisco Secure Access solutions, which offer superior visibility, a robust and intelligent platform of critical context, and highly effective unified secure access control. More importantly, this will also help the 74% that rely on manual processes for discovery and inventory of connected devices (from previous SANS research).
Over half (67%) are using SIEM (security information and event management) to monitor and collect data to secure IoT. Cisco ISE (Identity Services Engine) integrates with SIEM to bring together a network-wide view of security events supplemented with relevant identity and device context. This provides security analysts the context they need to quickly assess the significance of security events. More details on the ISE and SIEM integration may be found in this new white paper: Cisco ISE Plus SIEM and Threat Defense: Strengthen Security with Context
The research rightfully points out that, of the many categories of Things, the newest category of single-purpose devices typically connected by wireless (and more likely embedded) software will be the most problematic for security. Due to this difficulty, the SANS community (61%) would like the Thing manufacturers to take more responsibility for providing security. While this is a reasonable request, the question is whether they have the expertise to do this when their focus is on the exciting new IoT market opportunities. Weigh in and tell us your outlook on securing this next wave of Things connecting to your network!
The paper on the SANS survey results is in the SANS reading room.
My company is in the very early stages of an MDM BYOD project. As part of that we are looking at the Cisco Identity Services Engine (ISE) as a central piece. I am about halfway through my testing and I thought that I would pass on some of what I have learned so far. I am far from being an ISE expert and I don’t mention profiling or the advanced features in this post. I have tried them but don’t feel knowledgeable enough to go into these details.
ISE is an excellent NAC system, but it does much more than that. One of the advantages of trying to configure a new piece of technology yourself is that you learn much more, and also other ways to increase the ROI. The main reason we are interested in ISE is as the enforcement point on our wireless network. When a device tries to connect to our BYOD network, we want ISE to query the MDM server to verify whether the device is registered and, if not, to redirect the device to the MDM provisioning portal. If the device is registered with MDM, ISE will then query AD and verify the user credentials. This is a core function of ISE and went fairly well.
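The redirect-or-permit flow described in the iPad anecdote and in the BYOD test above, as an added example that is not Cisco's or the author's code: a first-match authorization policy in the style of an ISE policy set, with constructed rule names, ACL names and endpoints. It assumes the user's AD credentials have already been verified and that the MDM server's registered/compliant answer is available as two booleans.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    mac: str
    user: str                # AD account, assumed already authenticated
    ad_groups: frozenset     # AD group membership returned with the auth
    mdm_registered: bool     # MDM server reports the device as enrolled
    mdm_compliant: bool      # MDM posture (PIN lock, encryption, approved apps)

# Ordered rules: (name, condition, action, detail). First match wins, as in an
# ISE authorization policy. REDIRECT sends the device to the MDM enrollment
# portal; PERMIT grants a downloadable ACL (dACL) scoped to the user's role.
# Names are constructed for this example.
POLICY = [
    ("MDM_Unregistered", lambda e: not e.mdm_registered,      "REDIRECT",   "ACL-MDM-Redirect"),
    ("MDM_NonCompliant", lambda e: not e.mdm_compliant,       "QUARANTINE", "dACL-Quarantine"),
    ("Finance_Users",    lambda e: "Finance" in e.ad_groups,  "PERMIT",     "dACL-Finance-DB"),
    ("Sales_Users",      lambda e: "Sales" in e.ad_groups,    "PERMIT",     "dACL-Sales-Repo"),
    ("Default_Deny",     lambda e: True,                      "DENY",       None),
]

def authorize(ep):
    """Return (rule, action, detail) for the first rule whose condition matches."""
    for name, cond, action, detail in POLICY:
        if cond(ep):
            return (name, action, detail)
    raise RuntimeError("policy has no catch-all rule")  # unreachable with Default_Deny

def onboard(ep, posture_ok):
    """Walk the redirect-then-re-evaluate loop: an unregistered device is sent to the
    MDM portal, enrolls, and is re-authorized (what a CoA would trigger in ISE).
    posture_ok is the compliance result the MDM agent reports after enrollment."""
    trail = [authorize(ep)]
    while trail[-1][1] == "REDIRECT":
        ep.mdm_registered = True      # user completed the enrollment portal
        ep.mdm_compliant = posture_ok # agent has now evaluated device posture
        trail.append(authorize(ep))
    return trail

if __name__ == "__main__":
    # Constructed sample: a Finance user on a tablet that has never enrolled.
    tablet = Endpoint("aa:bb:cc:dd:ee:01", "alice", frozenset({"Finance"}), False, False)
    for rule, action, detail in onboard(tablet, posture_ok=True):
        print(f"{rule:18} -> {action:10} {detail or ''}")
```

The order of the rules is the point: an MDM-only deployment can report the same registered and compliant flags but has nowhere to turn them into the redirect ACL or role-scoped dACL that the network actually enforces.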