Avatar

ISE 3.0 – Control access and contain threats within zones of trust 

You wake up to find out that another security incident has occurred. You are confused and not sure how the attacker was able to get by your perimeter. But then you realize you haven’t had a perimeter for some time as it has been pulled apart by cloud, mobility, and IoT. Like your network resources, your permitter is distributed. Now with the sudden surge for remote access given a work-from-anywhere, and on-anything, workforce, controlling access back to the workplace feels like it is spiraling out of control.

Zero trust is a security concept that solves for the paradigm being caused by the distributed network. With resources being accessed from anywhere and on anything, we require a method of ensuring that only trusted users gain access to our trusted network resources. We also need to ensure they remain in compliance and don’t bring anything back with them from shared environments such as a home office or random hotspots.

A core tenant of zero trust is continually authenticating the endpoint and authorizing access. We never assume trust, and we always verify regardless of device location. Once we have established trust, and we know the endpoint is within organizational compliance, we can segment access to network resources based only on what is required to achieve business objectives, known as access based on “least privilege.” Segmenting the network into trusted zones of access has long been an accepted practice for ensuring policies are adhered to and for reducing risk. But this has rarely moved beyond practice, leaving organizations with partial segmentation and partial protection.

A primary barrier to network segmentation has been a lack of visibility into the identity of devices, how they interact with each other, and ensuring policies don’t cause reachability issues that shut down critical business objectives. Our recent Cisco Identity Services Engine (ISE) 3.0 release focused on gaining dynamic visibility and making network segmentation easier to achieve within the workplace.

Three ways ISE 3.0 enables visibility-driven network segmentation

  1. Expectation meets reality. When we think of access based on least privilege and network segmentation, our minds wander to neatly identify and profile groups of endpoints, where access is easily controlled between the profiled groups. But this expectation often falls short. ISE 3.0 leverages machine learning to close the gaps of visibility into endpoints with AI Endpoint Analytics on Cisco DNA Center. Finally, our expectations can meet reality, and we can build zero-trust access within the workplace. Read how Adventist Health immediately identified 70% of all endpoints and is on the path to obtain complete visibility and control.
  2. Visibility and compliance your way. Visibility is the first step to gaining control and segmenting access based on least privilege. But when we look at controlling access based on organizational compliance, we want a choice. With ISE 3.0, customers are now able to choose between using an agent or going agentless to speed the onboarding of endpoints to answer the call of remote access, as well as gain visibility into IoT devices. Complete visibility, for visibility-driven segmentation, your way.
  3. Guided workflows. A step-by-step “walk me through” deploying advanced use cases such as network segmentation gives IT teams the knowledge they need to adapt to changing business needs. By removing the “complexity barrier,” ISE 3.0 is easing the deployment of network segmentation and allowing customers to take a huge step forward in achieving a zero-trust workplace.

Network segmentation is within reach

ISE 3.0 takes a big leap forward to simplify and ease the deployment of network segmentation, while giving customers the visibility they require to ensure this level of protection doesn’t shut down access and disrupt business objectives. We are making it easier and easier to control access, shrink the attack surface, continually enforce policy, and contain malware. I encourage you to reach out to your Cisco representative to take a tour of Cisco Identity Services Engine 3.0 and learn more today with the links below.

Visit our webpage to learn how ISE can enable your network segmentation initiatives and read ESG’s whitepaper, “Removing Complexities Around Network Segmentation,” to gain further insights into how you can simplify and embrace network segmentation.



Authors

Paul Burdette

Product Marketing Manager

Security