New Cisco Identity Services Engine (ISE) v2.1 Enables TrustSec-ACI Policy Plane Integration
“Going green” is all about reducing waste and protecting the environment. It’s a movement most of us believe in and try to live by. Who wouldn’t want to reduce waste and protect the environment? In fact, it got me thinking that the TrustSec product management team shares a similar end goal. Let me explain.
In the TrustSec team we are focused on automating network security functions (i.e., reducing waste) and removing complexity (which allows you to more effectively protect your environment). And this is at the heart of one of the significant enhancements in Cisco ISE 2.1, the integration of TrustSec and Application Centric Infrastructure (ACI) security policy groups.
This new capability in ISE 2.1 simplifies and ensures consistent security policy by sharing contextual information and policy group information in both directions. The result?
- More effective use of resources by eliminating the need to manually recreate security policy groups
- Better protection of your environment with consistent segmentation, simplified security management, and rapid threat containment
With ISE 2.1, intelligence from the branch and campus environment can be repurposed in the data center and vice versa. Specifically, security policy groups can be shared between TrustSec-enabled networks and ACI-enabled data centers (DCs). ACI becomes aware of TrustSec Security Group Tags (SGTs) and can apply these SGTs in the data center to control communication with specific servers. Similarly, endpoint groups (EPGs) created in ACI can be converted to SGTs and used by TrustSec to bring server policies to campus, VPN, and branch environments as well as TrustSec-enabled data centers. This lets you get more value from the investments you’ve already made, with enterprise-wide protection that is easier to manage.
For instance, if a retail bank needs segmentation in the data center and in branches to reduce the scope of PCI compliance, and also wants to provide controlled DC access to groups such as auditors or ATM systems, TrustSec-ACI integration enables the bank to do this using a single set of enterprise-wide groups. Within the ACI controller, APIC-DC, the bank’s administrators can see the TrustSec groups available from ISE, such as the auditor group and the ATM group, and allow those groups to access the PCI zone. There’s no need to recreate groups manually by identifying specific IP addresses. The information is inherited automatically from ISE, and the bank can rest assured that the groups are consistent end to end.
Similarly, when new virtual machines are created in the data center, endpoint group membership information from ACI is shared with TrustSec policy enforcement points outside of the ACI DC. There’s no need to manually configure a firewall rule or update an Access Control List to protect that virtual machine or application.
Sharing policy groups also makes it easier and faster to contain the spread of malware that has evaded detection and penetrated the network. In ISE 2.1, TrustSec can dynamically change group membership and apply different policies based on Indicators of Compromise (IoCs) to contain threats in the TrustSec domain. ACI automatically inherits these group changes, immediately preventing access to sensitive data and applications.
In addition to the campus and branch scenario, TrustSec group-based policies can work together across data centers and hybrid cloud environments, and a TrustSec-enabled data center can link to an ACI data center.
Sharing information in both directions allows you to reduce risk, more easily meet compliance goals, and reduce time and effort spent managing security. This first phase of our integration is just the beginning of allowing our customers to get the best of both worlds – TrustSec and ACI – for effective security made simple, across the organization.
For more information, go to www.cisco.com/go/trustsec
Hi Kevin,
Nice article. I’m excited about this new ISE. I work on ACI every day, and this integration is going to be key to extending a uniform security policy not only between our ACI DCs and traditional DCs, but also to any endpoints in public clouds where the network may be extended to.