Avatar

Within our Cisco Identity Service Engine (ISE) 3.0 release, we started talking about dynamic visibility. But what is dynamic visibility, what are the benefits, and why should we care? Maybe we should begin with what it is not. Dynamic visibility is not assuming trust based on location. It is not authenticating or establishing trust, based solely on login credentials or a single device identifier such as MAC address. Dynamic visibility has context that can be updated from the cloud and throughout the session to keep up with threats. As your endpoint’s posture and risk levels are updated, so are their access policies. Dynamic visibility recognizes that authorization does not happen just once. It is continual and re-accomplished at multiple decision points throughout the network to enforce trust closest to the resource and maintain a zero-trust framework.

What are the benefits of dynamic visibility?

Build zero trust: If your endpoints are not continually analyzed with analytics to build and maintain trust, based on several identifiers regardless of location—you are not doing zero trust within the workplace. Dynamic visibility gives you visibility into the endpoint’s identity to continually authorize access based on “least privilege” and to maintain access based on trust levels that may change throughout the session. With visibility that is dynamic, you can reduce mean time to remediation, automate threat containment, and build zero trust within the workplace.

Continual compliance: Compliance is not a set it and forget strategy. Our compliance policies are a framework, but what accesses them is not static. We need the ability to continually update access based on the endpoint’s posture and look deep into the device itself. If not, we risk falling out of compliance without ever knowing until it is too late.

Gain granular control: With this level of visibility, organizations can gain granular control to build and implement access policies based on their organizational needs, enabling network segmentation and shrinking the attack surface within zones of trusted access.

Be all-knowing: Identify, track, and profile all connected endpoints, whether managed or unmanaged and without agents to provide accurate asset inventories and gain the visibility required for granular control.

There are many reasons why we need to focus on dynamic visibility. But it comes down to two big “macro-trends” that are themselves dynamic. One, threat actors are dynamic. They are continually evolving, and dynamic visibility gives you the continual assurance that the endpoint is still who they said they are and behaving the way they are supposed to, allowing you to keep up with the changing threat landscape. And two, access is dynamic. With people, processes, applications, and data spread across the distributed network, we access everything from anywhere and on anything. We need the ability to extend our networks to anywhere and allow users to connect on anything to enable this transition. Dynamic visibility is the first step to extending the zero-trust workplace. But we all know that the most significant barrier to change is the ease of use. So, we need to make obtaining dynamic visibility easy and simple. So, within the ISE 3.0 release, we fixated on simplicity and ease of use.

Three ways 3.0 is simplifying visibility and zero trust

Agentless posture: In ISE 3.0, our focus on simplicity extended into our core value to build visibility and maintain access control within a zero-trust framework. With this in mind, we added agentless posture for compliance. Now IT teams have the flexibility they need to rapidly provision new users, devices, and endpoints no matter where they are without sacrificing protection.

Integration with AI Endpoint Analytics: ISE 3.0 closes the gaps of visibility into endpoints with additional visibility from AI Endpoint Analytics and DNA Center. With this integration, customers can now leverage machine learning to automate endpoints’ identification and ensure access based on privilege, a critical tenant of zero trust. Read how Adventist Health identified 70% of all endpoints.

Moving onto the cloud: Where and how customers consume their security and build identity has evolved, and to lead in this transition, ISE 3.0 is deployable from the cloud (AWS and Azure). We are also increasing our integration with cloud-based ID stores with SSO (single sign-on) to work with Azure AD. This is just the start of how we are going to enable the multi-cloud migration.

We are always on the quest for more visibility within our environments. But it is just not about the quantity or getting more; it is about getting the right visibility and asking, “What do we need to know to allow access based on least privilege?” And since we need to always assume threats continue to exist, assume that they get in. How do we re-authenticate and re-authorize based on continual learning throughout the session that will enable us to keep up in the arms race that fuels the malware economy? Because risk does not stop when access is granted, endpoints can be infected at any time, even within your walls. We must have visibility that is dynamic to authenticate based on more than one parameter. With this level of visibility, we can confidently identify and profile all of our endpoints. But we must also authorize access based on context to ensure that no matter where the endpoint is, we are continually establishing and re-establishing trust. And with this level of visibility, we can build network segmentation and zero trust in our workplace. But that discussion is for another time and another blog.

To learn more about ISE 3.0, take a look at What’s New in 3.0, At-a-Glance, or visit our ISE product page.