A couple weeks ago, we spoke about the mobility journey and the phases that organizations take as they embrace the widely accepted mode of mobility—Beyond BYOD to Workspace Mobility (device-focus, application-focus and experience-focus). Whatever phase your organization is in, security is a top priority. These phases can help determine your secure mobility approach but your risk aversion level will also define it. Whatever your risk tolerance, the mobile threat landscape is extremely active and clever—do not underestimate it.
The dynamic nature of mobile threats does not stop by simply entering from your mobile device but it can further propagate and manifest across the network, wired devices, virtual, cloud and data center environments. So your secure mobility approach must be non-stop, continuous and pervasive—end to end. To hinder the chance of threat damage or inappropriate access whether intentional or not, one must offer comprehensive secure mobile access controls at the access layer across each phase of an attack, before, during and after.
Let’s take a closer look at the initial mobile protection layer—Cisco’s secure access controls include: Identity Services Engine, AnyConnect, Trustsec and ISE integrations with Mobile Device Management (MDM) and SIEM.
Cisco ISE is the brains behind discovering and stopping any inappropriate mobile access. Working with MDM vendors, ISE determines access based on real-time contextual from MDM solutions (Is it registered? Does it have PIN-lock? Disk encryption? Etc.) ISE enforces centrally created mobile access policy across the networks. ISE also finds mobile devices that may not be registered with MDM. AnyConnect provides secure remote access coming in and redirects any web traffic to Cisco’s web security cloud services to ensure protection from a top source of threats. Ensuring the right person and device gets to the right IT assets starts the process of ensuring protection to applications and data—as well as setting a level of trust.
Unfortunately, in today’s threat landscape threats can get through even if we minimize the threat vector. ISE also works to detect and defend during an attack with SIEM partners. The powers of both bring together a network wide of security events with relevant identity and device context from ISE. This additional identity insight does not require the security professional to translate or cross-reference IP addresses. It facilitates a quicker and more accurate remediation of the mobile threat.
If a threat does enter your network, you need to scope the potential damage, contain and remediate. Leveraging the centralized secure access policy from ISE, the unique Trustsec tagging, an embedded security technology on network infrastructure can also enforce or contain a threat in a particular network segment. This means the network did the enforcement—we did not need yet another dedicated enforcement device (point-in-time appliance). Cisco demonstrated this at last year’s Black Hat and surprised many security professionals who could not believe the network switch did the enforcement. Security is woven into the network to increase efficiency and efficacy.
In addition to this initial layer of mobile secure access, Cisco offers a rich portfolio of next generation network security, market leading content security, proven protection for advanced persistent threats and data protection to address the mobile threats across this attack continuum in a very dynamic manner. Does your network or security provider offer this breadth and depth of mobile security?