CIS14: Network-Aware IAM

Identity & Device Aware IT Platforms – Securing Access in a Cloud Centric IT Model
Dave Frampton, VP/GM Secure Access & Mobility Product Group, Cisco Systems

Upload: cloudidsummit

Post on 05-Dec-2014

Category: Technology

DESCRIPTION

David Frampton, Cisco Systems. How to position the network as a real-time source of critical security data; get more out of existing IT platforms by serving a wider set of use cases, especially for mobility and BYOD environments; and translate heterogeneous IT platform capabilities into actionable network access policy.

TRANSCRIPT

Page 1: CIS14: Network-Aware IAM

©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1

Identity & Device Aware IT Platforms Securing Access in a Cloud Centric IT Model

Dave Frampton VP/GM Secure Access & Mobility Product Group Cisco Systems

Page 2: CIS14: Network-Aware IAM

Securing Access in a Cloud Centric IT Model – a first step: access controls driven by a broader definition of identity

BUSINESS TRENDS
• 33% of global companies have already experienced a breach
• 20B connected devices by 2020
• 28% of execs think virtualization increases security risks

SECURITY CONCERNS
• Visibility into WHO and WHAT accesses sensitive data
• Associated growth of security & compliance risks
• Expanding security & access controls while controlling costs

Page 3: CIS14: Network-Aware IAM

• Context Drives Control in Networks…
• The Power of Context in Identity Architectures
• Getting the Context You Need in Distributed Network Environments
• IAM & SSO Example
• Role of Context in Evolving IT Architectures
• Call to Action: Making Context-Aware Networks a Reality

Page 4: CIS14: Network-Aware IAM

Access Controls Today – Operating with Less than Half the Picture

Access Criteria:
• Who: User, Group

“Sensitive Asset” / “Other Asset” / “Sensitive Asset”

87% of data breaches involve poor access rules… we need to do this better. – Verizon Data Breach Report

Page 5: CIS14: Network-Aware IAM

Context Completes the Picture – Granular Data Control to Adapt to a Disaggregated IT Model

ACCESS POLICY – “Critical Data”
• WHO = Exec Group Only
• WHAT = No Non-Registered Mobile
• WHERE = US Only
• WHEN = US Business Hours Only
• HOW = No VPN Access

Vary this gent’s application access privilege based on device enrollment, geo-location and access method

“Financial Reports” / “Café Menus” / “HR Database”

Access Criteria:
• Non-Sensitive
• Sensitive
• Critical Data
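A worked version of the “Critical Data” policy above, added here as an illustration and not code from the talk or from Cisco: the five criteria (WHO, WHAT, WHERE, WHEN, HOW) are evaluated against a request context whose field names are this example's assumptions, and any piece of context the network could not supply counts against the request, so a decision made with “less than half the picture” denies rather than permits.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class AccessContext:
    """Constructed request context; field names are this example's assumptions, not a vendor schema."""
    user: str
    groups: frozenset                    # WHO
    device_mobile: bool                  # WHAT
    device_registered: Optional[bool]    # None = registration status unknown (no MDM feed)
    country: Optional[str]               # WHERE; None = location unknown
    access_method: str                   # HOW: "wired", "wireless" or "vpn"
    when: datetime                       # WHEN; timezone-aware

def in_us_business_hours(when: datetime) -> bool:
    local = when.astimezone(timezone(timedelta(hours=-5)))  # fixed US Eastern offset, DST ignored
    return local.weekday() < 5 and 9 <= local.hour < 17

def decide(data_class: str, ctx: AccessContext) -> Tuple[bool, List[str]]:
    """Evaluate the slide's tiered criteria; returns (permit, denial reasons).
    Context the fabric could not supply (None) fails its check: a Critical
    decision made with 'less than half the picture' denies."""
    reasons: List[str] = []
    unregistered_mobile = ctx.device_mobile and ctx.device_registered is not True
    if data_class == "Non-Sensitive":
        return True, reasons
    if data_class == "Sensitive":
        if unregistered_mobile:
            reasons.append("WHAT: mobile device not registered")
        return not reasons, reasons
    if data_class != "Critical":
        raise ValueError(f"unknown data class: {data_class!r}")
    if "Exec" not in ctx.groups:
        reasons.append("WHO: not in Exec group")
    if unregistered_mobile:
        reasons.append("WHAT: non-registered (or unknown) mobile device")
    if ctx.country != "US":
        reasons.append("WHERE: outside US or location unknown")
    if not in_us_business_hours(ctx.when):
        reasons.append("WHEN: outside US business hours")
    if ctx.access_method == "vpn":
        reasons.append("HOW: VPN access not allowed")
    return not reasons, reasons

def sample_context(**overrides) -> AccessContext:
    """Constructed baseline: an exec on a registered phone, in the US, on Wi-Fi, Friday 10:00 ET."""
    base = AccessContext("alice", frozenset({"Exec", "Staff"}), True, True, "US", "wireless",
                         datetime(2014, 12, 5, 15, 0, tzinfo=timezone.utc))
    return replace(base, **overrides)
```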

Page 6: CIS14: Network-Aware IAM

Context is the Currency of this Realm

• I have NBAR info! I need identity…
• I have firewall logs! I need identity…
• I have sec events! I need reputation…
• I have NetFlow! I need entitlement…
• I have reputation info! I need threat data…
• I have MDM info! I need location…
• I have app inventory info! I need posture…
• I have identity & device-type! I need app inventory & vulnerability…
• I have application info! I need location & auth-group…
• I have threat data! I need reputation…
• I have location! I need identity…

SIO

But Integration Burden is on IT Departments

We Need to Share Context

Page 7: CIS14: Network-Aware IAM

How Can We Solve This? Traditional Vendor APIs for Context Distribution

• I have vulnerability! I need identity and posture
• I have application info! I need device and access-type
• I have location! I need user identity
• I have sec events! I need identity and device
• I have MDM info! I need asset value

Context-Enabled Network Fabric

Page 8: CIS14: Network-Aware IAM

Deployment Considerations – Traditional Vendor APIs for Context Distribution

TRADITIONAL APIs – Ubiquitous and Well-Understood, but…
• Single-purpose function = need for many APIs/dev (and lots of testing)
• Not configurable = too much/little info for interface systems (scale issues)
• Pre-defined data exchange = wait until next release if you need a change
• Polling architecture = can’t scale beyond 1 or 2 system integrations
• Security can be “loose”
• Typically one-way = no mutual context exchange between systems
• Proprietary = vendor lock-in

Page 9: CIS14: Network-Aware IAM


Or Maybe Some In-House Custom Middleware? (Maybe Not)

SIO

Page 10: CIS14: Network-Aware IAM

How Can We Solve This? Publish, Subscribe and Query Frameworks for Context Exchange

Context-Enabled Network Fabric

Context Sharing Fabric
• Publish
• Discover Topic
• Continuous Exchange
• Directed Query

Page 11: CIS14: Network-Aware IAM

Deployment Considerations – Publish, Subscribe and Query Frameworks for Context Exchange

PUB/SUB/QUERY – Still Emerging, but has Advantages…
• Single framework – develop once, instead of multiple APIs
• Customize and secure what context gets shared and with which platforms
• Bi-directional – share and consume context
• Enables any adopting platform to share with any other adopting platform
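The four primitives of the context sharing fabric (Publish, Discover Topic, Continuous Exchange, Directed Query) together with the “customize and secure what context gets shared and with which platforms” point, as an added toy illustration that is not any vendor's framework or the talk's own code: the platform names, the session topic and the user-to-IP record are constructed for this example, and the topic owner's allow-list and field list decide who may consume the context and which attributes ever leave the owner.

```python
from collections import defaultdict

class ContextFabric:
    """Toy in-memory pub/sub/query bus built for this example, not any vendor's product."""
    def __init__(self):
        self.topics = {}                 # topic -> {"owner", "allowed", "fields"}
        self.subs = defaultdict(list)    # topic -> [callback]
        self.latest = defaultdict(dict)  # topic -> key -> last published record
    # Publish (topic registration): the owner decides which platforms may consume and which attributes leave.
    def register_topic(self, owner, topic, allowed, fields):
        self.topics[topic] = {"owner": owner, "allowed": set(allowed), "fields": set(fields)}
    def _authorized(self, platform, topic):
        return platform == self.topics[topic]["owner"] or platform in self.topics[topic]["allowed"]
    def _redact(self, topic, record):
        return {k: v for k, v in record.items() if k in self.topics[topic]["fields"]}
    # Discover Topic: a platform sees only the topics it is entitled to consume.
    def discover(self, platform):
        return sorted(t for t in self.topics if self._authorized(platform, t))
    # Continuous Exchange: authorized subscribers receive every update, already redacted.
    def subscribe(self, platform, topic, callback):
        if not self._authorized(platform, topic):
            raise PermissionError(f"{platform} may not subscribe to {topic}")
        self.subs[topic].append(callback)
    def publish(self, owner, topic, key, record):
        if self.topics[topic]["owner"] != owner:
            raise PermissionError(f"{owner} does not own {topic}")
        self.latest[topic][key] = record
        for callback in self.subs[topic]:
            callback(key, self._redact(topic, record))
    # Directed Query: one-off lookup by key under the same authorization and redaction.
    def query(self, platform, topic, key):
        if not self._authorized(platform, topic):
            raise PermissionError(f"{platform} may not query {topic}")
        record = self.latest[topic].get(key)
        return None if record is None else self._redact(topic, record)

def demo():
    """Constructed exchange: identity source publishes user-to-IP sessions; SIEM subscribes, scanner queries, MDM is refused."""
    fabric, seen = ContextFabric(), []
    fabric.register_topic("identity", "session", ["siem", "vuln-scanner"], ["user", "group", "device_registered"])
    fabric.subscribe("siem", "session", lambda key, rec: seen.append((key, rec)))
    fabric.publish("identity", "session", "10.1.2.3",  # constructed sample; "mac" is not a shared field
                   {"user": "alice", "group": "Exec", "device_registered": True, "mac": "00:11:22:33:44:55"})
    refused = False
    try:
        fabric.query("mdm", "session", "10.1.2.3")
    except PermissionError:
        refused = True
    return {"siem_saw": seen, "scanner": fabric.query("vuln-scanner", "session", "10.1.2.3"),
            "mdm_refused": refused, "mdm_topics": fabric.discover("mdm")}
```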

Page 12: CIS14: Network-Aware IAM

Context-Awareness Makes Life a Little Easier in IT – An IAM & SSO Example

THE OLD HARD WAY – Many Systems, Missing Data, Incomplete Policy and Visibility
• IDENTITY ACCESS MANAGEMENT
• AAA LOGS FOR USER-TO-IP
• DATA SENSITIVITY
• DEVICE REG STATUS
• GEO/PHY LOCATION
• USER ROLE
• ACCESS TYPE

THE NEW EASIER WAY – Accurate Data, Granular Access Policy
• IDENTITY-ENABLED NETWORK FABRIC
• CONTEXT-ENABLED IDENTITY ACCESS MANAGEMENT
• DATA SENSITIVITY
• DEVICE REG STATUS
• GEO/PHY LOCATION
• ACCESS TYPE
• USER ROLE
• AAA LOGS FOR USER-TO-IP
• SECURITY POSTURE
• HTTP DEVICE FINGERPRINT

Page 13: CIS14: Network-Aware IAM

Implications for Cloud-Centric IT

Context-Enabled Network Fabric
• Sales Data
• HR Data
• Hosted Mail
• Payroll
• Productivity Apps
• Ops Tools
• Accounting Systems
• Network Management

Is he on the corporate network? Is he accessing cloud apps from 4G? How can I tell? How can I enforce data access policies off-prem?

Page 14: CIS14: Network-Aware IAM

Implications for Cloud-Centric IT…and the SDN Evolution

Context-Enabled Network Fabric
• Sales Data
• HR Data
• Hosted Mail
• Payroll
• Productivity Apps
• Ops Tools
• Accounting Systems
• Network Management

SDN Control
• Policy-based Service Levels (e.g., QoS)
• Policy-based Security Actions (e.g., access policy)

Page 15: CIS14: Network-Aware IAM

Getting from Here to There…as an Industry

IT DEPARTMENTS – Push Vendors to:
• Make context exchange frameworks real
• Reward real context openness
• Experiment with new context exchanges

VENDORS – Consider Strategy & Approach:
• Openness can make you stronger
• Folly and inefficiency of context hoarding
• Industry is evolving – new approaches to context exchange

THOUGHT LEADERS – Mine the White Space:
• Context-exchange is opportunity unto itself
• Systems integration, security frameworks, etc.
• Build bridges across diverse IT systems

NET management

Page 16: CIS14: Network-Aware IAM


Thank You

Page 17: CIS14: Network-Aware IAM

Implications for the SDN Evolution

Context-Enabled Network Fabric
• Vulnerability Assessment
• IP Address & DNS Management
• IoT Policy Management
• Mobile Device Management
• SIEM & Threat Defense
• IAM & SSO
• Content Security
• Performance Management
• Packet Capture & Forensics

SDN Control
• Policy-based Service Levels (e.g., QoS)
• Policy-based Security Actions (e.g., investigation)