cis14: network-aware iam
Post on 05-Dec-2014
©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Identity & Device Aware IT Platforms Securing Access in a Cloud Centric IT Model
Dave Frampton VP/GM Secure Access & Mobility Product Group Cisco Systems
33% of Global Companies already experienced a breach
Visibility into WHO and WHAT accesses sensitive data
20B Connected Devices by 2020
Associated Growth of Security & Compliance Risks
28% of execs think virtualization increases security risks
Expanding Security & Access Controls while Controlling Costs
Securing Access in a Cloud Centric IT Model
A first step – access controls driven by a broader definition of identity
BUSINESS TRENDS SECURITY CONCERNS
Context Drives Control in Networks…
The Power of Context in Identity Architectures
Getting the Context You Need in Distributed Network Environments
IAM & SSO Example
Role of Context in Evolving IT Architectures
Call to Action: Making Context-Aware Networks a Reality
“Sensitive Asset”
“Other Asset”
“Sensitive Asset”
87% of data breaches involve poor access rules… we need to do this better. (Verizon Data Breach Report)
Access Criteria: § Who: User, Group
Access Controls Today – Operating with Less than Half the Picture
ACCESS POLICY – “Critical Data”
§ WHO = Exec Group Only
§ WHAT = No Non-Registered Mobile
§ WHERE = US Only
§ WHEN = US Business Hours Only
§ HOW = No VPN Access
Vary this user’s application access privilege based on device enrollment, geo-location and access method
“Financial Reports”
“Café Menus”
“HR Database”
Context Completes the Picture – Granular Data Control to Adapt to a Disaggregated IT model
Access Criteria § Non-Sensitive § Sensitive § Critical Data
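The “Critical Data” policy above combines five kinds of context (WHO, WHAT, WHERE, WHEN, HOW). The following is an added example, written for this page and not code from the deck or from Cisco, that evaluates such a policy as one check per criterion. The attribute names on the request record and the definition of business hours are assumptions; the point it shows beyond the slide is the fail-closed behaviour: when the network cannot supply a piece of context (device enrollment, local time, access method), that criterion fails rather than being skipped, so the decision never improves because the picture is incomplete.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# Constructed context record for one access request. The attribute names
# are assumptions for this example, not a Cisco schema.
@dataclass
class AccessContext:
    user: str
    user_groups: frozenset
    device_registered: Optional[bool] = None   # None = context not available
    device_type: Optional[str] = None          # "mobile", "laptop", ...
    country: Optional[str] = None              # from geo-location
    local_time: Optional[datetime] = None      # requester's local time
    access_method: Optional[str] = None        # "wired", "wlan", "vpn"

BUSINESS_HOURS = (time(9, 0), time(17, 0))    # assumed meaning of "US business hours"

# One function per criterion; each returns (passed, label). Any attribute the
# network could not supply fails the criterion instead of being skipped.
def who(ctx):
    return ("Exec" in ctx.user_groups, "WHO: Exec group only")

def what(ctx):
    if ctx.device_type is None or ctx.device_registered is None:
        return (False, "WHAT: device enrollment unknown")
    return (ctx.device_type != "mobile" or ctx.device_registered,
            "WHAT: no non-registered mobile")

def where(ctx):
    return (ctx.country == "US", "WHERE: US only")

def when(ctx):
    if ctx.local_time is None:
        return (False, "WHEN: local time unknown")
    t = ctx.local_time.time()
    in_hours = ctx.local_time.weekday() < 5 and BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]
    return (in_hours, "WHEN: US business hours only")

def how(ctx):
    if ctx.access_method is None:
        return (False, "HOW: access method unknown")
    return (ctx.access_method != "vpn", "HOW: no VPN access")

CRITICAL_DATA_POLICY = [who, what, where, when, how]

def evaluate(policy, ctx):
    """Return (allowed, failed_labels). Deny by default: a request is allowed
    only when every criterion passes, so missing context can never grant."""
    failed = []
    for check in policy:
        passed, label = check(ctx)
        if not passed:
            failed.append(label)
    return (not failed, failed)

def sample_contexts():
    """Constructed requests against a Critical Data asset such as "Financial Reports"."""
    friday_10am = datetime(2014, 12, 5, 10, 0)
    base = dict(user_groups=frozenset({"Exec"}), device_registered=True,
                device_type="mobile", country="US", local_time=friday_10am,
                access_method="wlan")
    return {
        "exec_registered_on_prem": AccessContext("alice", **base),
        "exec_over_vpn": AccessContext("alice", **{**base, "access_method": "vpn"}),
        "exec_unknown_device": AccessContext("alice", **{**base, "device_registered": None}),
        "non_exec": AccessContext("bob", **{**base, "user_groups": frozenset({"Staff"})}),
        "exec_weekend": AccessContext("alice", **{**base, "local_time": datetime(2014, 12, 6, 10, 0)}),
    }

if __name__ == "__main__":
    for name, ctx in sample_contexts().items():
        print(name, evaluate(CRITICAL_DATA_POLICY, ctx))
```

Returning the list of failed labels, rather than a bare allow/deny, is what makes the decision explainable in an audit log: the same user is denied for different, named reasons depending on which context changed.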
Context is the Currency of this Realm
I have NBAR info! I need identity…
I have firewall logs! I need identity…
I have sec events! I need reputation…
I have NetFlow! I need entitlement…
I have reputation info! I need threat data…
I have MDM info! I need location…
I have app inventory info! I need posture…
I have identity & device-type! I need app inventory & vulnerability…
I have application info! I need location & auth-group…
I have threat data! I need reputation…
I have location! I need identity…
SIO
But Integration Burden is on IT
Departments
We Need to Share Context
I have vulnerability! I need identity and posture
I have application info! I need device and access-type
I have location! I need user identity
How Can We Solve This? Traditional Vendor APIs for Context Distribution
I have sec events! I need identity and device
I have MDM info! I need asset value
Context-Enabled Network Fabric
Deployment Considerations Traditional Vendor APIs for Context Distribution
TRADITIONAL APIs – Ubiquitous and Well-Understood, but…
§ Single-purpose function = need for many APIs/dev (and lots of testing)
§ Not configurable = too much/little info for interface systems (scale issues)
§ Pre-defined data exchange = wait until next release if you need a change
§ Polling architecture = can’t scale beyond 1 or 2 system integrations
§ Security can be “loose”
§ Typically one-way = no mutual context exchange between systems
§ Proprietary = vendor lock-in
Or Maybe Some In-House Custom Middleware? (Maybe Not)
SIO
How Can We Solve This? Publish, Subscribe and Query Frameworks for Context Exchange
I have vulnerability! I need identity and posture
I have application info! I need device and access-type
I have location! I need user identity
I have sec events! I need identity and device
I have MDM info! I need asset value
Context-Enabled Network Fabric
Context Sharing Fabric
Operations: Publish, Discover Topic, Continuous Exchange, Directed Query
Deployment Considerations Publish, Subscribe and Query Frameworks for Context Exchange
PUB/SUB/QUERY – Still Emerging, but has Advantages…
§ Single framework – develop once, instead of multiple APIs
§ Customize and secure what context gets shared and with which platforms
§ Bi-directional – share and consume context
§ Enables any adopting platform to share with any other adopting platform
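The publish / discover-topic / continuous-exchange / directed-query model sketched on this slide can be made concrete with a small in-process broker. The following is an added example written for this page; it is not code from the deck or any Cisco product, and the platform names, topic names and context records are constructed. It shows the two properties the bullets call out: each platform is granted only the topics it may publish or consume (so "securing what context gets shared and with which platforms" is enforced by the fabric, not by each API), and exchange is bi-directional, with the IAM platform consuming device and location context while publishing user-role context that the SIEM queries.

```python
from collections import defaultdict

class ContextFabric:
    """Minimal pub/sub/query broker (constructed example, not a product API).
    Platforms register with the topics they may publish and consume; every
    publish, subscribe and query is checked against that grant and audited."""

    def __init__(self):
        self._grants = {}                  # platform -> (publish topics, consume topics)
        self._store = defaultdict(dict)    # topic -> key -> latest record
        self._subs = defaultdict(list)     # topic -> [(platform, callback)]
        self.audit = []                    # (action, platform, topic, result)

    def register(self, platform, publishes=(), consumes=()):
        self._grants[platform] = (frozenset(publishes), frozenset(consumes))

    def _check(self, platform, topic, action):
        pubs, subs = self._grants.get(platform, (frozenset(), frozenset()))
        allowed = topic in (pubs if action == "publish" else subs)
        self.audit.append((action, platform, topic, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{platform} may not {action} {topic}")

    def discover_topics(self, platform):
        # A platform only sees the topics it is allowed to consume.
        _, allowed = self._grants[platform]
        return sorted(t for t in self._store if t in allowed)

    def publish(self, platform, topic, key, record):
        self._check(platform, topic, "publish")
        self._store[topic][key] = record
        for _, callback in self._subs[topic]:          # continuous exchange
            callback(key, record)

    def subscribe(self, platform, topic, callback):
        self._check(platform, topic, "subscribe")
        self._subs[topic].append((platform, callback))
        for key, record in self._store[topic].items():  # replay current state
            callback(key, record)

    def query(self, platform, topic, key):             # directed query
        self._check(platform, topic, "query")
        return self._store[topic].get(key)

def demo():
    """Constructed scenario: MDM and the network publish, IAM consumes and
    publishes, the SIEM queries only what it was granted."""
    fabric = ContextFabric()
    fabric.register("mdm", publishes={"device-reg"})
    fabric.register("network", publishes={"user-to-ip", "location"})
    fabric.register("iam", publishes={"user-role"}, consumes={"device-reg", "location"})
    fabric.register("siem", consumes={"user-to-ip", "user-role"})

    iam_view = defaultdict(dict)   # user -> merged context as the IAM platform sees it
    fabric.subscribe("iam", "device-reg", lambda user, rec: iam_view[user].update(rec))
    fabric.subscribe("iam", "location", lambda user, rec: iam_view[user].update(rec))

    # Constructed context records
    fabric.publish("mdm", "device-reg", "alice", {"device_registered": True, "device_type": "mobile"})
    fabric.publish("network", "location", "alice", {"country": "US", "access_method": "wlan"})
    fabric.publish("network", "user-to-ip", "alice", {"ip": "10.0.0.23"})
    fabric.publish("iam", "user-role", "alice", {"groups": ["Exec"]})

    try:                            # SIEM was never granted device-reg
        fabric.query("siem", "device-reg", "alice")
        siem_denied = False
    except PermissionError:
        siem_denied = True

    return {
        "iam_view": dict(iam_view),
        "siem_query": fabric.query("siem", "user-to-ip", "alice"),
        "siem_denied_device_reg": siem_denied,
        "iam_topics": fabric.discover_topics("iam"),
        "denied_events": [e for e in fabric.audit if e[3] == "denied"],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The grant table is the part worth copying into a real deployment: the IAM platform ends up with a merged, per-user record (enrollment, device type, country, access method) without any point-to-point API to MDM or the network, and the audit list records the one denied query so over-broad context sharing is visible rather than silent.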
THE NEW EASIER WAY Accurate Data, Granular Access Policy
THE OLD HARD WAY Many Systems, Missing Data, Incomplete Policy and Visibility
Context-Awareness Makes Life a Little Easier in IT An IAM & SSO Example
IDENTITY ACCESS MANAGEMENT
AAA LOGS FOR USER-TO-IP
DATA SENSITIVITY
DEVICE REG STATUS
GEO/PHY LOCATION
USER ROLE
ACCESS TYPE
IDENTITY-ENABLED NETWORK FABRIC
CONTEXT-ENABLED IDENTITY ACCESS MANAGEMENT
DATA SENSITIVITY
DEVICE REG STATUS
GEO/PHY LOCATION
ACCESS TYPE
USER ROLE
AAA LOGS FOR USER-TO-IP
SECURITY POSTURE
HTTP DEVICE FINGERPRINT
Implications for Cloud-Centric IT
Sales Data
Context-Enabled Network Fabric
HR Data
Hosted Mail Payroll
Productivity Apps
Ops Tools
Accounting Systems
Network Management
Is he on the corporate network? Is he accessing cloud apps from 4G? How can I tell? How can I enforce data access policies off-prem?
Implications for Cloud-Centric IT…and the SDN Evolution
Sales Data
Context-Enabled Network Fabric
HR Data
Policy-based Service Levels (e.g., QoS)
Policy-based Security Actions (e.g., access policy)
SDN Control
Hosted Mail Payroll
Ops Tools
Accounting Systems
Network Management
Productivity Apps
Getting from Here to There…as an Industry
Push Vendors to:
• Make context exchange frameworks real
• Reward real context openness
• Experiment with new context exchanges
Consider Strategy & Approach
• Openness can make you stronger
• Folly and inefficiency of context hoarding
• Industry is evolving – new approaches to context exchange
Mine the White Space
• Context-exchange is opportunity unto itself
• Systems integration, security frameworks, etc.
• Build bridges across diverse IT systems
NET management
IT DEPARTMENTS VENDORS THOUGHT LEADERS
Thank You
Implications for the SDN Evolution
Vulnerability Assessment
IP Address & DNS Management
IoT Policy Management
Mobile Device Management
SIEM & Threat Defense
IAM & SSO
Content Security
Context-Enabled Network Fabric
Performance Management
Packet Capture & Forensics
Policy-based Service Levels (e.g., QoS)
Policy-based Security Actions (e.g., investigation)
SDN Control