We live in a connected world that has embraced digital-technology-enabled services and has shrunk to the size of a small village. We are always connected: checking our devices for a status update, posting an update of our own, or trying to send that status report or close a business deal online. Our access to the internet has grown tenfold over previous years, with many more people plugging in to the World Wide Web every second; we like to call ourselves the .com generation, or, if you fancy the title "millennial", you are in the right timeline. But with such exposure, we sometimes forget the dangers lurking behind our use of the internet.
A few of us at least try to ensure we are using a secure connection, but many ignore it altogether and end up in a really bad fix. Take the year 2017: every IT security professional will tell you it was a terrible year on the cybersecurity home front, especially in the malware category, with WannaCry wreaking havoc by holding company networks hostage in a spate of ransomware attacks that led to losses in the millions if not billions of dollars. Such occurrences are a network security professional's worst nightmare. According to Forbes.com, as cyberattacks increase in frequency and sophistication, the global security market is expected to be worth more than $170 billion by 2020, and it currently suffers from a dire shortage of skilled network security professionals. In many cyber-attacks, the attackers infiltrate an organization within minutes.
The proportion of intrusions discovered within days consistently falls below the proportion that succeed within days, and resolving them and removing the threat takes longer still. The enterprise network has changed rapidly, especially concerning employee mobility and access to network facilities. Today's employees are not tied to desktops and office desks; instead they reach the company's resources through a variety of devices such as smartphones, phablets and personal laptops. The current norm is for a company's employees to be able to reach company resources from anywhere. This greatly increases productivity, but it also exposes the company to leaks of highly confidential data and to increased cybersecurity threats, because you may not be able to track and control the security configuration of devices that reach the network from outside the brick-and-mortar office. Controlling every device that touches the network is a huge task, and it grows daily towards the unsustainable as more gadgets are connected and on-boarded onto the company network.
So, what can we do to get out of this fix?

Fret not: a well-configured identity services engine such as Cisco ISE greatly alleviates these challenges. According to Cisco, Cisco Identity Services Engine (ISE) 2.0 is an identity-based network access control and policy enforcement system. It takes care of time-intensive day-to-day network management tasks, freeing your IT staff to concentrate on other crucial work such as keeping abreast of current cybersecurity threats and how to counter them. According to the ISE product release notes, ISE attaches an identity to each device based on the user, the device's function or other attributes, and uses that identity to enforce policy and check compliance with security guidelines before the device is authorized to access network resources. Depending on the outcome of those checks, a device can be granted access to network resources under a specific set of access policies applied to the interface it is connected to, explicitly denied, or given guest privileges, according to the company's guidelines. Cisco ISE is a context-aware policy service that aims to control access and threats across wired, wireless and VPN networks.
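To make the decision described above concrete, here is an added example (my own illustration, not Cisco code and not anything shipped with ISE) of a toy policy node that applies an ordered, first-match authorization rule set to an access request carrying the user's directory groups, access medium, profiler classification and posture status, and returns what the network access device should enforce. The group names, VLAN numbers, ACL names and portal URLs are invented for illustration, and the in-memory audit list stands in for the monitoring node's log store.

```python
"""Toy model of an ISE-style authorization decision.

Added example, not Cisco code: a network access device (switch, wireless
controller or VPN headend) forwards an access request to a policy node, which
matches identity, access medium, device profile and posture status against an
ordered rule set and returns the result the access device must enforce.
All group names, VLAN IDs, ACL names and URLs are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class AccessRequest:
    username: str            # identity from 802.1X/EAP, or the MAC address for MAB
    groups: frozenset        # directory groups returned by the identity store
    medium: str              # "wired", "wireless" or "vpn"
    device_profile: str      # profiler classification, e.g. "Workstation", "Unknown"
    posture: str             # "compliant", "noncompliant" or "unknown"


@dataclass(frozen=True)
class Authorization:
    result: str                      # "accept" or "reject"
    vlan: Optional[int] = None       # VLAN the access device assigns to the session
    dacl: Optional[str] = None       # downloadable ACL the access device applies
    redirect: Optional[str] = None   # portal redirect (guest or posture remediation)
    rule: str = ""                   # matched rule name, recorded for the audit log


# Ordered, first-match rule set. Order matters: the posture rules must come
# before the broad employee permit, or a non-compliant laptop gets full access.
POLICY: List[tuple] = [
    ("Quarantine non-compliant endpoint",
     lambda r: r.posture == "noncompliant",
     Authorization("accept", vlan=99, dacl="QUARANTINE_ONLY",
                   redirect="https://nac.example.internal/remediate")),
    ("Employee, posture not yet assessed",
     lambda r: "employees" in r.groups and r.posture == "unknown",
     Authorization("accept", vlan=99, dacl="POSTURE_REDIRECT",
                   redirect="https://nac.example.internal/posture")),
    ("Employee, compliant, corporate device",
     lambda r: "employees" in r.groups and r.posture == "compliant"
               and r.device_profile == "Workstation",
     Authorization("accept", vlan=10, dacl="PERMIT_ALL")),
    ("Contractor over VPN, compliant",
     lambda r: "contractors" in r.groups and r.medium == "vpn"
               and r.posture == "compliant",
     Authorization("accept", dacl="CONTRACTOR_APPS_ONLY")),
    ("Unknown user on wireless -> guest portal",
     lambda r: not r.groups and r.medium == "wireless",
     Authorization("accept", vlan=200, dacl="GUEST_INTERNET_ONLY",
                   redirect="https://nac.example.internal/guest")),
]

AUDIT_LOG: List[str] = []   # stands in for the monitoring node's log store


def authorize(req: AccessRequest, policy=POLICY) -> Authorization:
    """Return the first matching rule's outcome; anything unmatched is denied."""
    for name, match, outcome in policy:
        if match(req):
            decision = replace(outcome, rule=name)
            break
    else:
        decision = Authorization("reject", rule="Default deny")
    # Every decision is recorded, whether accepted or rejected, so the
    # monitoring side can report on it later.
    AUDIT_LOG.append(f"{req.username} {req.medium} posture={req.posture} "
                     f"-> {decision.result} ({decision.rule})")
    return decision


if __name__ == "__main__":
    # Constructed sample sessions, not real traffic.
    samples = [
        AccessRequest("alice", frozenset({"employees"}), "wired", "Workstation", "compliant"),
        AccessRequest("alice", frozenset({"employees"}), "wired", "Workstation", "noncompliant"),
        AccessRequest("bob", frozenset({"contractors"}), "vpn", "Workstation", "compliant"),
        AccessRequest("visitor", frozenset(), "wireless", "Unknown", "unknown"),
        AccessRequest("mallory", frozenset(), "wired", "Unknown", "unknown"),
    ]
    for s in samples:
        authorize(s)
    print("\n".join(AUDIT_LOG))
```

Run it as a script to see the audit trail. Rule order is the security-relevant point: the quarantine and posture-unknown rules sit ahead of the broad employee permit, so a laptop that fails its posture check never lands on the corporate VLAN, and any request that no rule matches (here, a compliant employee on an unprofiled device, or an unknown user on a wired port) falls to the default deny rather than to an accidental permit.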
The ISE platform in brief

Figure 1.0: The ISE platform in a nutshell.

The ISE platform uses a distributed deployment approach in which nodes take on three different roles (Cisco calls them personas): the Policy Administration Node (PAN), the Monitoring and Troubleshooting Node (MnT) and the Policy Services Node (PSN). For ISE to work as it should, all three roles must be present; in a small standalone deployment a single node can carry all three, while larger deployments spread them across dedicated nodes.
Let us review each of these roles and service entry points:

Policy Administration Node (PAN)
The PAN is the node the administrator logs in to, through its web interface, to configure the policies that drive the ISE setup. It is the main control entry point for configuring and deploying ISE. It lets the admin change the ISE topology, and any such change is pushed from the administration node out to the Policy Services Nodes (PSNs).

Policy Services Node (PSN)
The PSN is where policy decisions are made. Network access devices (switches, wireless controllers and VPN headends) send their access requests, which in practice are RADIUS exchanges, to the PSN. After processing a request, the PSN grants or denies access to the network based on what the administrator configured on the PAN, and returns the result (such as a VLAN, a downloadable ACL or a portal redirect) for the access device to enforce.

Monitoring and Troubleshooting Node (MnT)
The MnT node logs all service reports and events and lets you generate reports as needed. It receives logs from the other nodes in the ISE topology, sorts through them and compiles them into a readable form for you.
It lets you generate informative graphical reports that help you and senior management make strategic decisions about the company's network resources, and it alerts you to any threats to ISE itself.

Fundamentally, Cisco ISE offers a more holistic approach to network access security and provides:

· Accurate identification of every user and device.
· Easy onboarding and provisioning of all devices.
· Centralized, context-aware policy management to control user access: whoever, wherever and from whatever device.
· Deeper contextual data about connected users and devices, to identify, mitigate and remediate threats more rapidly.

Security and Posture of ISE

The cybersecurity landscape is changing very fast and becoming more complex and costly for organizations running legacy, traditional security setups. Cybersecurity demands have increased greatly while security resources tend to stay the same. This greatly widens the potential attack surface, meaning that the legacy security systems on a firm's premises have little to offer in effectiveness and robustness against current threats. Employing the correct security solution is paramount, and a move away from traditional on-premises setups is inevitable, with many firms changing tack and now looking to install a solution that protects the company from inside and outside.
Solutions like Cisco ISE have some interesting security features that are likely to help organizations meet their security needs. According to the Cisco ISE administrator guide, some of the security features found within ISE are:

· Greater control of endpoints with rich application visibility, which helps enforce granular user actions and device compliance. With the AnyConnect agent, there is resilience and the ability to support more posture functionality with non-Cisco network access devices.
· A faster way to get started with enterprise-grade network access security using the built-in ISE setup tool.
· Efficient and scalable role-based segmentation through TrustSec-enabled border routers.
· Greater device management features with streamlined migration tools and facilities.
· Separate administrative domains based on flexible criteria and responsibilities, using multiple TrustSec matrices.
· Deep application-level visibility that lets you set policy based on user actions.
· Simplified, agile threat response, with the ability to define policy scenarios in advance based on the organization's security situation.
· Integration with vulnerability assessment and threat-intelligence sources (indicators of compromise, IoCs) that help you stop malicious devices before they connect to your network.

ISE posture flow:
This is the detailed explanation of the posture flow in ISE 2.2, according to the Cisco ISE posture comparison for releases before and after 2.2.

Benefits of Using an Identity Services Engine

According to research conducted by Forrester on deploying an identity services engine solution such as Cisco ISE within an organization, an organization can expect the following benefits:

Reduced infrastructure management and support costs for guest wireless access services.
Reduced infrastructure management and support costs for BYOD support.
Reduced help desk support costs.
Reduced risk of security issues and major outbreaks.
Reduced or eliminated IT management costs related to guest wireless access.
Rich visibility of user and device details.
End-to-end secure user access policy with automation across a single network.
Low OpEx/CapEx through selection of the right solution

The cost of securing an organization's IT infrastructure can run into billions of dollars, and every organization intends to have the most robust and up-to-date security setup. With cloud security services, many organizations are moving from building their own on-premises security setup (capital expenditure, CapEx) to a cloud solution that needs operating expenditure (OpEx) alone and enjoys regular updates. Cybersecurity products deployed within a firm are usually funded from the CapEx budget: hardware and software costing, say, $200,000 for a full security setup require an upfront payment of the whole $200,000, amortized over the accounting cycle, before the organization can enjoy those services. In contrast, a cloud solution (costing, say, $100,000 annually) is funded from the operating expense budget (OpEx), usually at a lower annual price, and that gives it an advantage.
In accounting terms it is more costly to take the first option (CapEx) than the second (OpEx), although note that in this example the $100,000-a-year subscription overtakes the $200,000 purchase after two years, so the case for the cloud option rests on what follows rather than on the sticker price alone. Of the two options, the cloud service makes better use of the organization's cash: unlike the static hardware option, which will need replacement and another $200,000 outlay in the future, the cloud service is continually updated with the latest technology at a lower price to the organization. The question then arises: are there ways an organization can still deploy an on-premises cybersecurity solution and enjoy a more robust service? According to Forrester research on deploying an on-premises identity services engine such as Cisco ISE, a composite organization incurs risk-adjusted costs totalling about $595,000 in one-time initial investment and implementation costs, plus $61,00 in administration and maintenance costs per year. These costs relate to a deployment of the Cisco ISE solution. Having an ISE solution on-premises helps greatly reduce the organization's OpEx by cutting help desk support costs, closing major security holes to avoid major data breaches, and reducing or entirely eliminating IT management costs associated with guest wireless access, among others.
Conclusion

These are just a few of the many economic and security benefits to be derived from using identity services engines such as Cisco ISE 2.0 in your organization. According to the Forrester study Cost Savings and Business Benefits Enabled by ISE, there is a strong incentive for your organization to deploy an identity services engine and stay abreast of the cybersecurity needs of the modern digital organization.