To effectively protect precious data resources across campuses from infiltration, exfiltration, and ransomware, Enterprise IT needs deep visibility into everything connecting to the network and the ability to segment devices by access permissions and security policies. The goal is to attain a Zero-Trust Enterprise based on least-privileged access principles that prevents the lateral movement of threats and automatically isolates any offending endpoint or intrusion.
Today, millions of enterprise endpoints are protected with implementations of Cisco Software-Defined Access (SD-Access), a solution within Cisco DNA Center. Thousands of enterprises are already well along on their journey to obtaining a zero-trust network using endpoint analytics, policy analytics, segmentation, and rapid threat containment capabilities of SD-Access. Now, with the introduction of Continuous Trusted Access with SD-Access Trust Analytics—using AI/ML anomaly modeling and spoofing prevention—the five phases of attaining zero-trust are available to all types of organizations at any stage of their implementation. The complete Cisco SD-Access solution provides inherent flexibility for enterprises to begin or continue the zero-trust journey according to their business priorities and desired outcomes.
This software release will be generally available (GA) in mid-June 2021, or contact your account team for early access.
Existing Networks Benefit from a Flexible Zero Trust Journey
Cisco understands that NetOps and SecOps must build segmentation upon what is already in place, adding capabilities in stages to achieve the desired zero trust outcome for both existing and new network installations. Organizations can use SD-Access to start the journey to zero trust at different stages depending on business priorities.
Adventist Health started its zero trust journey with Cisco AI Endpoint Analytics to find and categorize over 75,000 compute and IoT devices on their multi-state spanning network. Cisco AI Endpoint Analytics uses Deep Packet Inspection (DPI) and advanced AI/ML algorithms to search crowdsourced databases to obtain more granular information about many different device types. Adventist Health even uses the enhanced device visibility from AI Endpoint Analytics to identify devices that are discontinued and no longer supported by manufacturers, which are more susceptible to malware intrusions and other threats. Adventist Health sees AI Endpoint Analytics as an enabling technology that provides the much-needed endpoint visibility and security grouping that will help define their future segmentation policies.
KB Securities needed a more efficient method of managing segmentation access policies as their workforce moved freely among campus buildings. Instead of manually adjusting individual policies, they are using SD-Access segmentation to automatically adjust and apply access policies as the workforce shifts among wired and wireless networks, eliminating time-consuming manual interventions.
BBVA—one of the largest financial institutions in the world, with headquarters in Madrid, Spain—needed a zero trust approach for protecting the organization’s connected endpoints worldwide, starting with a rollout in 390 branches in 122 different municipalities in Columbia. BBVA chose to implement the new SD-Access Trust Analytics to analyze and model normal endpoint behavior to detect anomalies that indicate intrusion attempts before they can cause a data breach of sensitive information.
In SAIC Volkswagen‘s new Modularer Elektrobaukasten plant—a modular chassis designed by Volkswagen specifically for electric cars—the production systems need to be on separate networks for reliability and stability reasons. But instead of building distinct networks, SD-Access simply segments the single physical network into multiple logical networks that keep production systems traffic separate, but under the control of one Cisco DNA Center. As a result, the network is more manageable, and IT can more easily connect and secure thousands of IoT and robotic devices throughout the plant. With Cisco SD-Access, SAIC Volkswagen was able to use existing L2 access switches, enabling a smooth migration of services and reducing up-front costs.
Enterprises Are in Control of Their Zero-Trust Journey
The ability to start the zero trust journey at a point that aligns with the business priority for each enterprise expands the number and types of use cases for Cisco SD-Access. Cisco SD-Access is the only solution in the industry that provides all the capabilities required for Zero-Trust in the workplace with Visibility (endpoint analytics and traffic policy discovery), Segmentation, Continuous Trust Assessment, and Containment that can be implemented in phases to meet each organization’s security goals.
The recent updates to the SD-Access solution lowers the barrier to embark on a zero-trust journey, especially in existing, heterogeneous networks. Each step along the journey adds incremental value as the threat surface diminishes and enterprises gains more control over every endpoint that joins the network by restricting the resources with which they can communicate. For example, a new personal BYOD connecting to the network can be identified, classified, and initially assigned to a security group segment that only has very limited access to enterprise resources until the device and owner are verified.
“AI Endpoint Analytics has greatly simplified how we manage our network. We get the granular details we need for every device, and with its intelligent grouping of similar devices, we save precious time and reduce complexity by orders of magnitude.” – Brian Jensen, Network Analyst, North Carolina Department of Health and Human Services
Implement SD-Access Segmentation Without Routed Access
To support existing estates that use more traditional networking constructs, SD-Access now supports Layer 2 Switched Access including the option of preserving existing VLANs and IP address pools. In this deployment scenario, the SD-Access Fabric originates at the network aggregation layer. The solution offers the flexibility for enterprises to map existing access VLANs to macro/micro segments in the SD-Access Fabric. To minimize lateral movement of threats, enterprises also have the option to extend the micro-segmentation policies to the Layer 2 Switched Access node. These flexible design options enable enterprises to begin their zero-trust journey without re-designing their existing networks.
“Cisco networking devices, Cisco DNA Center, and SD-Access gave us a flexible networking platform that we could adapt to our unique needs. We were able to integrate third-party industrial switches, keep the factory operating efficiently by quickly locating and fixing network issues, and free our highly-trained engineers from day-to-day operational burdens.” – Xiaoqing XU, IT Director, SAIC Volkswagen
Deploy Macro-Segmentation Before Implementing Cisco ISE
The fully automated turnkey fabric-based architecture offered by SD-Access is an attractive alternative to MPLS-based VRF, VRF-lite and other operationally cumbersome legacy segmentation technologies. With Cisco DNA Center release 220.127.116.11, we have disaggregated the capabilities within SD-Access Fabrics. Enterprises now have the option to use SD-Access to rapidly achieve macro-segmentation of networks even in scenarios where Cisco ISE is not currently being used to authenticate endpoints. This option makes it easier for organizations to get started with SD-Access and expand to other use cases at their own deployment pace and schedule.
You Can’t Secure What You Can’t See
One of the early barriers to begin building a zero-trust enterprise is knowing what devices are connecting to the network, which devices and applications they are communicating with, and developing a deep historical perspective to detect anomalies. That’s why many organizations—such as the Adventist Health example—start with Endpoint Analytics to understand the current threat surface and then apply policy analytics to understand the behavior of traffic patterns.
Implementing Continuous Trust Assessment with the new Cisco Trust Analytics enables IT to develop and use models of typical device behaviors, usage, and traffic history to understand “normal” network operations to protect against spoofing attacks. Trust Analytics detects traffic from endpoints that are exhibiting unusual behavior by pretending to be trusted endpoints using MAC Spoofing, Probe Spoofing, or Man-in-the-Middle techniques. When Trust Analytics detects such anomalies, it signals Endpoint Analytics to lower the Trust Score for the endpoint to completely deny or limit access to the network.
Supplementing the network with Cisco Identity Services Engine completes the continuous trust cycle by aggregating device classification, segmentation rules, and trust analytics to monitor, identify, and isolate any detected device anomalies that can indicate a breach or infection. Cisco ISE provides rapid threat containment and remediation by automatically detecting and isolating suspicious devices or people logging in from unusual or unknown locations.
Attaining Zero Trust is a Flexible Journey
While the ultimate goal is a zero-trust state for all devices, applications, and people, each implemented capability of SD-Access enables enterprises to gain greater control over the security of the network. To prioritize desired outcomes, enterprises are in control of the pace of the journey from starting point to end results. The Zero-Trust Enterprise becomes a flexible journey as campus networks grow and adapt to new endpoint devices, IoT technologies, geographic configurations, and applications that can be accessed from anywhere. All these innovations for the flexible journey to zero trust are benefits of Cisco DNA Center release 18.104.22.168. Start your journey to zero trust today with Cisco SD-Access.
“We wanted to standardize on a single networking architecture globally. We chose Cisco networking with Cisco DNA Center and SD-Access because of the complete zero trust security it offers with continuous monitoring and verification of trust in our connected endpoints.” – Carlos de Liniers, Head of Networking, Architecture & Global Deployment, BBVA
Register now for the Network Insider Series online seminar on June 22, 2021, in which we delve into the latest innovations in Cisco DNA Center and SD-Access.
For more information, visit these Cisco resources:
Check out our Cisco Networking video channel