We live in a connected world that has embraced digitally enabled services and has become like a small village. We are always connected: checking our devices for a status update, posting an update ourselves, or trying to send that status report or close a business deal. Access to the internet has increased ten-fold compared to previous years, with many connecting to the World Wide Web every second. We like to call ourselves the .com generation, or, if you fancy the title "millennial", you are in the right timeline.
But with such exposure, we sometimes forget the dangers lurking behind our use of the internet. A few of us at least try to ensure we are using a secure connection, but many ignore it all and end up in a really bad fix.
Take 2017 for example: every IT security professional will tell you it was a terrible year for cybersecurity on the home front, especially in the malware category, with WannaCry wreaking havoc in cyberspace by taking company networks hostage in a spate of ransomware attacks that led to losses in the millions, if not billions, of dollars.
Such occurrences are a network security professional's worst nightmare. According to Forbes.com, as cyberattacks increase in frequency and sophistication, the global security market is expected to be worth more than $170 billion, and it currently suffers from an acute shortage of skilled network security professionals. In many cyber-attacks, attackers can infiltrate an organization within minutes, while the proportion of infiltrations discovered within days always falls below the time taken to resolve them and fix the threats.
The enterprise network has changed rapidly, especially concerning employee mobility and access to company network facilities. Employees are no longer tied to desktops and office desks; instead they can access the company's resources through a variety of devices such as smartphones, phablets, and personal laptops.
The current norm is for a company's employees to be able to access the company's resources from anywhere. This significantly increases productivity, but it also exposes the organization to potential leaks of highly confidential company data and to increased cybersecurity threats, because you may not be able to track and control the security configuration of every device accessing the network from outside the brick-and-mortar office. Controlling all the devices accessing the network is a great task, growing daily and becoming unsustainable as more and more gadgets get connected and on-boarded onto the company network.
So, what can we do to get out of this fix?
Fret not: a well-configured identity services engine such as Cisco ISE would greatly alleviate these challenges. According to Cisco, Cisco Identity Services Engine (ISE) 2.0 is an identity-based network access control and policy enforcement system. It helps you deal with the time-intensive day-to-day network management duties, freeing your IT resources to concentrate on other crucial tasks such as keeping abreast of current cybersecurity threats and how to counteract them.
According to the ISE product release notes, ISE attaches an identity to a device based on its user, function, or other characteristics, which allows it to enforce policy and check compliance with security guidelines before the device is authorized to access network resources. Based on the results of these different factors, a device can be allowed access to resources in the company network under a unique set of access policies applied to the interface it is connecting to, or it can be explicitly denied, or it can be given guest access privileges, according to the specific company guidelines. Cisco ISE is a context-aware policy service, and it aims to control access and threats across wired networks, wireless networks and VPN networks.
Figure 1.0: The ISE platform in a nutshell
The ISE platform uses a distributed deployment approach, with nodes handling three different roles: the Policy Administration Node (PAN), the Monitoring and Troubleshooting Node (MnT), and the Policy Services Node (PSN). For ISE to work as it should, all three profiles are required.
Let us review each of these profiles and service entry points:
Policy Administration Node (PAN)
The PAN profile is the screen the administrator logs into to configure the policies that drive the ISE setup and configuration. It acts as the main control entry point for configuring and deploying ISE. The PAN allows the admin to configure the ISE topology by making changes, and these changes are then sent out from the administration node to the Policy Services Node (PSN) in ISE.
Policy Services Node (PSN)
The PSN profile is where policy decisions are made. The network enforcement devices send all their network messaging to the nodes in this role. After processing the messages, the PSN grants or denies access to the network based on what the administrator configured in the PAN.
Monitoring and Troubleshooting Node (MnT)
The MnT profile logs all service reports and occurrences and gives you the ability to generate reports as needed. All logs from the other nodes in the ISE topology are received by the MnT, sorted, and compiled into a readable form for you. It lets you generate various informative and graphical reports that can help you and senior management make strategic decisions regarding your company's network resources, and it notifies you of any threats to ISE.
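To make the three node roles and the permit/deny/guest outcomes described above concrete, here is an added toy model in Python. It is a constructed example written for this article, not Cisco ISE code and not its real policy syntax or API. The PAN holds the rule set and publishes a copy to a PSN; the PSN evaluates each connecting endpoint against the rules in order (first match wins) and falls back to an explicit deny; the MnT node receives every decision and summarises them. The endpoint identities, rule names and VLAN numbers are all made up for the demonstration.

```python
"""Toy model of an identity-based NAC deployment split into PAN, PSN and MnT
roles. Constructed example; not Cisco ISE code and not its real rule syntax."""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Decision(Enum):
    PERMIT = "permit"
    GUEST = "guest"
    DENY = "deny"


@dataclass(frozen=True)
class Endpoint:
    """Context the enforcement device reports about a connecting endpoint."""
    mac: str
    user: Optional[str]        # None when no user authenticated (unknown device)
    device_type: str           # profiled type, e.g. "corp-laptop", "phone", "printer"
    posture_compliant: bool    # result of the posture (health) check
    medium: str                # "wired", "wireless" or "vpn"


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Endpoint], bool]
    result: Decision
    vlan: Optional[int] = None  # VLAN pushed to the switch/WLC on a match


@dataclass
class MonitoringNode:
    """MnT role: receives every decision from the PSNs and builds reports."""
    records: List[Tuple[str, str, Decision]] = field(default_factory=list)

    def log(self, mac: str, rule_name: str, decision: Decision) -> None:
        self.records.append((mac, rule_name, decision))

    def report(self) -> Dict[str, int]:
        """Count of endpoints per outcome, the kind of summary a dashboard shows."""
        return dict(Counter(d.value for _, _, d in self.records))


@dataclass
class PolicyServiceNode:
    """PSN role: evaluates the rule set it received from the PAN, first match wins."""
    mnt: MonitoringNode
    rules: List[Rule] = field(default_factory=list)

    def authorize(self, ep: Endpoint) -> Tuple[Decision, Optional[int]]:
        for rule in self.rules:
            if rule.matches(ep):
                self.mnt.log(ep.mac, rule.name, rule.result)
                return rule.result, rule.vlan
        # Nothing matched: explicit default deny, logged so it shows up in MnT.
        self.mnt.log(ep.mac, "default-deny", Decision.DENY)
        return Decision.DENY, None


@dataclass
class PolicyAdministrationNode:
    """PAN role: the admin edits rules here; copies are pushed to each PSN."""
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def publish(self, psn: PolicyServiceNode) -> None:
        psn.rules = list(self.rules)   # the PSN works from its own copy


def build_policy(pan: PolicyAdministrationNode) -> None:
    """Hypothetical rule set; order matters because evaluation is first-match."""
    pan.add_rule(Rule("corp-compliant",
                      lambda e: e.user is not None and e.device_type == "corp-laptop"
                      and e.posture_compliant, Decision.PERMIT, vlan=10))
    pan.add_rule(Rule("corp-noncompliant",
                      lambda e: e.user is not None and e.device_type == "corp-laptop"
                      and not e.posture_compliant, Decision.DENY))
    pan.add_rule(Rule("byod-phone-wireless",
                      lambda e: e.user is not None and e.device_type == "phone"
                      and e.medium == "wireless", Decision.PERMIT, vlan=20))
    pan.add_rule(Rule("guest-wireless",
                      lambda e: e.user is None and e.medium == "wireless",
                      Decision.GUEST, vlan=99))


# Constructed sample endpoints (MACs, users and device types are made up).
SAMPLE_ENDPOINTS = [
    Endpoint("aa:bb:cc:00:00:01", "alice", "corp-laptop", True, "wired"),
    Endpoint("aa:bb:cc:00:00:02", "bob", "corp-laptop", False, "vpn"),
    Endpoint("aa:bb:cc:00:00:03", "carol", "phone", True, "wireless"),
    Endpoint("aa:bb:cc:00:00:04", None, "printer", False, "wired"),
    Endpoint("aa:bb:cc:00:00:05", None, "phone", False, "wireless"),
]


def run_demo() -> Dict[str, object]:
    """Wire the three roles together and authorize the sample endpoints."""
    mnt = MonitoringNode()
    psn = PolicyServiceNode(mnt)
    pan = PolicyAdministrationNode()
    build_policy(pan)
    pan.publish(psn)
    decisions = {ep.mac: psn.authorize(ep) for ep in SAMPLE_ENDPOINTS}
    return {"decisions": {m: (d.value, v) for m, (d, v) in decisions.items()},
            "report": mnt.report()}


if __name__ == "__main__":
    for mac, outcome in run_demo()["decisions"].items():
        print(mac, outcome)
    print(run_demo()["report"])
```

Two points worth noting from the model: the unknown wired printer reaches no rule and is denied by the explicit default, which is the safe failure mode for a NAC deployment, and the non-compliant corporate laptop is refused even though its user is known, because posture is evaluated before identity alone is trusted. In a real deployment that second case would usually land in a remediation network rather than a flat deny, but the article only describes permit, deny and guest outcomes, so the model stays with those.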
Fundamentally, Cisco ISE offers a more holistic approach to network access security and:
- Accurate identification of every user and device.
- Easy onboarding and provisioning of all devices.
- Centralized, context-aware policy management to control user access: whoever, wherever, and from whatever device.
- Deeper contextual data about connected users and devices to more rapidly identify, mitigate, and remediate threats.
Security and Posture
The cybersecurity landscape is changing very fast and becoming more complex and costly for organizations running legacy, traditional security setups. Cybersecurity demands have increased greatly while security resources tend to remain the same. This greatly increases the potential attack surface, meaning the legacy cyber-security systems on a firm's premises have little to offer in terms of effectiveness and robustness in handling current security threats.
Employing the correct security solution is paramount, and a move away from on-premise, traditional cybersecurity setups is inevitable, with many firms changing tack and looking to install a solution that will protect the company from the inside and the outside. Solutions such as Cisco ISE have some interesting security features that are likely to help organizations meet their security needs. According to the Cisco ISE administrator security guide, some of the security features found within ISE are:
- Greater control of endpoints with rich application visibility, which aids enforcing granular user actions and device compliance. With the AnyConnect distribution, there is resilience and the ability to support more posture functionality with non-Cisco network access devices.
- A faster way to get started with enterprise-grade network access security using the built-in ISE setup tool.
- Efficient and scalable role-based segmentation through TrustSec-enabled border routers.
- Greater device management features with streamlined migration tools and facilities.
- Clustered control based on separate administrative domains, based on agile criteria and responsibilities using multiple TrustSec
- Deep visibility at the application level, allowing you to set policy based on user actions.
- Simplified, agile threat reaction with the ability to set pre-defined policy scenarios based on the organization's security
- Vulnerability assessment and threat incident intelligence solutions (IoCs) that help you stop malicious devices before they connect to
ISE posture flow:
This is the detailed explanation of the posture flow in ISE 2.2, according to the Cisco ISE posture style comparison for pre- and post-2.2
Benefits of Using an Identity Services Engine
According to research conducted by Forrester on having an identity services engine solution such as Cisco ISE deployed within an organization, an organization can expect the following benefits:
- Reduced infrastructure management and support costs for your guest wireless access services.
- Reduced infrastructure management and support costs for BYOD.
- Reduced help desk support costs.
- Reduced risk of security issues and major outbreaks.
- Reduced or eliminated IT management costs related to guest access.
- Rich visibility of user and device details.
- High end-to-end secure user access policy with automation across a single network.
Low OpEx/CapEx due to selection of the right solution
The cost of securing an organization's IT infrastructure can run into billions of dollars. Every organization intends to have the most robust and up-to-date security setup. With cloud security services, many organizations are moving from building their own on-premise security setup (CapEx) to a cloud solution, which needs operational expenditure (OpEx) alone and enjoys regular updates.
The cybersecurity products deployed within a firm are usually funded out of the capital expenditure (CapEx) budget. The cost of such hardware and software (for example, buying a full security setup at $200,000) requires an upfront payment of the total amount of $200,000, amortized according to the accounting cycle, before the organization can enjoy those services. In contrast, an organization that chooses a cloud solution (for example, one costing $100,000 annually), which usually comes at a reduced annual price and is funded out of the operating expense budget (OpEx), has an advantage.
In accounting terms, the first option (CapEx) is more costly than the second option (OpEx). Of the two, cloud services make better use of the organization's cash: unlike the static hardware option, which will require future replacement and another cash outlay of $200,000, the cloud service enjoys continual updates with the latest technology at a cheaper price for the organization.
The question then arises: are there ways an organization can still deploy an on-premise cybersecurity solution and enjoy a more
According to research conducted by Forrester regarding the deployment of an on-premise identity services engine such as Cisco ISE within an organization, a composite organization can incur risk-adjusted costs totaling about $595,000 in one-time initial investment and implementation costs, plus $61,00 in administration and maintenance costs per year. These costs relate to a deployment of the Cisco ISE solution.
Having an ISE solution on premise will help you greatly reduce the organization's OpEx by cutting down on help desk support costs, closing major security holes and so avoiding major data breaches, and reducing or totally eliminating IT management costs associated with guest wireless access
These are just a few of the many economic and security benefits to be derived from the use of identity services engines such as Cisco ISE 2.0 in your organization. According to the research carried out by Forrester in Savings and Business Benefits Enabled by ISE, there is a huge incentive for your organization to deploy an identity services engine and stay abreast of the cybersecurity needs of the modern digital organization.