With some research forecasting that more than 75 million IoT devices will be deployed globally by 2025, enterprise IT administrators have a huge challenge on their hands: How to manage network access policies between so many users, devices, and networks with diverse access privileges.
To date, mostly manual point solutions have been used to broadly enforce network access policies. They’re expensive, time-consuming, and inefficient.
The clock is ticking. Devices are proliferating. Cybercrime cost the world $945 billion in 2020, a 50% increase over 2018. The near future promises an acceleration of both trends.
Here’s how Cisco is protecting enterprise networks with a unified approach to access policies and zero trust security.
More Devices and Users Create Access Policy Nightmare
Once, enterprise networks were used by only employees, contractors, and partners, each with different access privileges. Today, along with the addition of end customers and prospects, enterprise networks are being accessed by a myriad of different kinds of devices in the Internet of Things (IoT). These devices include smartphones, tablets, sensors, video cameras, vending machines, kiosks, slot machines, door locks, smart appliances, wearable technologies, and more.
All these devices seeking access to enterprise IP networks require different levels of access control and policies. For example, there’s no need for a user to talk to a vending machine over the IP network. Cameras need to communicate with media servers but not the internet.
Legacy solutions to policy management rely on manual operations and configurations using the Command Line Interface (CLI) and Access Control Lists (ACLs). This is error-prone and cumbersome. Plus, the volume of new devices and users requires frequent modifications that overwhelm IT departments using traditional IEEE 802.1Q and other classic technologies.
The Solution: Automated Operations and Zero Trust Security
Enterprises that have deployed a zero trust for the workplace architecture have an array of automated solutions to manage the growth of endpoint devices, IoT technologies, geographic configurations, and applications. Zero trust is a comprehensive approach to secure access for users, devices, and workloads. It’s based on least-privileged access principles that prevent the lateral movement of threats and automatically isolate any offending endpoint or intrusion.
Available with Cisco Catalyst 9000 series switches, zero trust environments use the Cisco Digital Network Architecture (Cisco DNA) and Cisco Software-Defined Access (SD-Access) solution within Cisco DNA. SD-Access automatically decouples network functions from hardware, creating a virtual overlay over physical networking infrastructure to help ensure the consistency of network access policy by defining and enforcing policies, preventing unauthorized access, and containing breaches.
SD-Access takes away manual, error-prone access policy management work from IT, automating operations and securing the organization through comprehensive segmentation, which allows administrators to control communications between endpoints down to the service, transport, and port levels, even within the same switch. Access policies can segment an enterprise network with fine granularity, separating traffic, reducing the threat surface, and increasing security. You can associate these policies with specific groups with no dependency on VLANs and IP addresses, and define one consistent policy that follows the user from the edge to the cloud.
This level of flexibility, segmentation, and control is only possible with the underlying innovations built into Catalyst 9000 platforms. Cisco’s Unified Access Data Plane (UADP) ASIC’s capability to process and recirculate virtual extensible LANs (VxLANs) at line rate in conjunction with hardware-based implementation of security group tags (SGTs) on Cisco IOS XE is what allows customers to focus on business intent rather than network elements. The management of security policies can thereby be performed exclusively based on this security grouping abstraction and the relationship between the various groups (e.g., whether traffic between two groups should be permitted or denied).
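The group-based model described above can be sketched in a few lines. This is an added illustration, not Cisco code and not the SD-Access or ISE API: the group names, ports, addresses, and the `decide` and `quarantine` helpers are all constructed for the example, which only models the decision logic (policy keyed on group pairs, default deny, port-level contracts), not SGT tagging in hardware.

```python
from dataclasses import dataclass, replace

# Constructed contracts: (source group, destination group) -> permitted
# (transport, port) pairs. Any pair not listed is denied by default.
CONTRACTS = {
    ("cameras", "media_servers"): {("tcp", 554), ("udp", 5004)},
    ("employees", "media_servers"): {("tcp", 443)},
    ("employees", "internet"): {("tcp", 80), ("tcp", 443)},
}

@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str      # carried for realism; never consulted by decide()
    vlan: int    # likewise
    group: str   # the only attribute policy is written against

def decide(src: Endpoint, dst: Endpoint, transport: str, port: int) -> str:
    """Return 'permit' or 'deny' from group membership alone."""
    allowed = CONTRACTS.get((src.group, dst.group), set())
    return "permit" if (transport, port) in allowed else "deny"

def quarantine(ep: Endpoint) -> Endpoint:
    """Isolate an endpoint by regrouping it; no contract mentions 'quarantine'."""
    return replace(ep, group="quarantine")

# Constructed endpoints (documentation address ranges).
camera = Endpoint("lobby-cam", "192.0.2.10", 110, "cameras")
media = Endpoint("media-01", "198.51.100.5", 200, "media_servers")
laptop = Endpoint("staff-laptop", "192.0.2.77", 120, "employees")
vending = Endpoint("vending-3", "192.0.2.90", 110, "vending")
web = Endpoint("public-site", "203.0.113.8", 0, "internet")

def demo() -> dict:
    moved = replace(camera, ip="198.51.100.44", vlan=310)  # re-addressed camera
    return {
        "camera->media rtsp": decide(camera, media, "tcp", 554),
        "camera->media ssh": decide(camera, media, "tcp", 22),
        "camera->internet": decide(camera, web, "tcp", 443),
        "laptop->vending": decide(laptop, vending, "tcp", 80),
        "moved camera->media": decide(moved, media, "tcp", 554),
        "quarantined camera->media": decide(quarantine(camera), media, "tcp", 554),
    }

if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:28} {verdict}")
```

The camera and the vending machine share a VLAN in this sample, yet their reachability differs because only the group is consulted; re-addressing the camera changes nothing, while regrouping it cuts it off without touching any contract.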
Zero Trust in Action in Denmark
The University of Copenhagen created a zero trust network to alleviate growing network access policy challenges. Before, their IT infrastructure was not standardized across departments, which made it complicated to see and control network access security. They had 34 different firewalls—only 24 of them active—and 42,000 switch-ports, some more than 12 years old and with limited functionality.
With the university campus spread across five locations in Copenhagen, students had trouble accessing the same systems between campuses. The university’s IT department recognized that this was substandard and that the legacy infrastructure supporting the devices and applications used by 37,500 students and 16,000 university employees, along with other network endpoints across buildings and labs, exposed them to evolving threats, increased complexity for administrators, and was overly expensive.
Solutions for different facets of the problem existed, but no single solution matched the university’s needs until Cisco proposed a proof-of-concept trial with the Cisco Catalyst 9000 and Cisco DNA Center.
Using the Cisco SD-Access feature within DNA Center, the university gained enhanced visibility into endpoints, groups, and traffic patterns with endpoint analytics that they used to fine-tune group access policies. The use of network segmentation allowed admins to better control traffic flows, and other SD-Access features continuously verified trust relationships of all endpoint connections by looking for anomalous or malicious behavior. Finally, SD-Access enforced a zero-trust environment throughout all network domains, from the device to the WAN and cloud services.
Fully convinced of the solution’s effectiveness based on the POC results, the university is in the process of deploying 800 Cisco Catalyst 9000 switches, Cisco DNA Center, and Cisco SD-Access. Expected outcomes include a zero-trust network security environment across five campuses for students, employees, IoT devices, and applications; heightened threat detection and compliance; reduced operational costs; and faster deployment for new sites and services.
More Ways to Secure the Enterprise
With the Cisco DNA Advantage license, customers can get Cisco SD-Access along with the Cisco Identity Services Engine (ISE), which is available with the DNA-XARC-OFFER bundle. It provides AI-driven endpoint analytics and group-based policy analytics that fully profile all connected endpoints, place them into logical groups, and display communications between groups. These insights can be used to define and enforce fine-grained access controls for more stringent security without the need for any additional hardware or compromises on network performance, as Catalyst 9000 platforms can enable Deep Packet Inspection (DPI) on the platform using Network Based Application Recognition 2 (NBAR2) and switched port analyzer (SPAN).
Currently, nearly 2000 environments are using Cisco Catalyst 9000 and Cisco SD-Access for policy-based zero trust access security.