
CIS14: Network-Aware IAM


David Frampton, Cisco Systems

How to position the network as a real-time source of critical security data; get more out of existing IT platforms by serving a wider set of use-cases, especially for mobility and BYOD environments; and translate heterogeneous IT platform capabilities into actionable network access policy.

Published in: Technology


Transcript

  • 1. ©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
    Identity & Device Aware IT Platforms: Securing Access in a Cloud Centric IT Model
    Dave Frampton, VP/GM Secure Access & Mobility Product Group, Cisco Systems

  • 2. Securing Access in a Cloud Centric IT Model – a first step: access controls driven by a broader definition of identity
    BUSINESS TRENDS / SECURITY CONCERNS:
    §  33% of global companies already experienced a breach
    §  Visibility into WHO and WHAT accesses sensitive data
    §  20B connected devices by 2020
    §  Associated growth of security & compliance risks (sensitive data)
    §  28% of execs think virtualization increases security risks
    §  Expanding security & access controls while controlling costs

  • 3. Context Drives Control in Networks…
    §  The Power of Context in Identity Architectures
    §  Getting the Context You Need in Distributed Network Environments
    §  IAM & SSO Example
    §  Role of Context in Evolving IT Architectures
    §  Call to Action: Making Context-Aware Networks a Reality

  • 4. Access Controls Today – Operating with Less than Half the Picture
    Access Criteria: §  Who: User, Group
    Diagram labels: “Sensitive Asset”, “Other Asset”, “Sensitive Asset”
    “87% of data breaches involve poor access rules… we need to do this better.” – Verizon Data Breach Report

  • 5. Context Completes the Picture – Granular Data Control to Adapt to a Disaggregated IT Model
    Access Criteria: §  Non-Sensitive §  Sensitive §  Critical Data
    Diagram labels: “Financial Reports”, “Café Menus”, “HR Database”
    ACCESS POLICY – “Critical Data”
    §  WHO = Exec Group Only
    §  WHAT = No Non-Registered Mobile
    §  WHERE = US Only
    §  WHEN = US Business Hours Only
    §  HOW = No VPN Access
    Vary this gent’s application access privilege based on device enrollment, geo-location and access method

  • 6. Context is the Currency of this Realm – We Need to Share Context, but the Integration Burden is on IT Departments
    §  I have NBAR info! I need identity…
    §  I have firewall logs! I need identity…
    §  I have sec events! I need reputation…
    §  I have NetFlow! I need entitlement…
    §  I have reputation info! I need threat data…
    §  I have MDM info! I need location…
    §  I have app inventory info! I need posture…
    §  I have identity & device-type! I need app inventory & vulnerability…
    §  I have application info! I need location & auth-group…
    §  I have threat data! I need reputation…
    §  I have location! I need identity…
    (SIO)

  • 7. How Can We Solve This? Traditional Vendor APIs for Context Distribution
    §  I have vulnerability! I need identity and posture
    §  I have application info! I need device and access-type
    §  I have location! I need user identity
    §  I have sec events! I need identity and device
    §  I have MDM info! I need asset value
    Context-Enabled Network Fabric ?

  • 8. Deployment Considerations – Traditional Vendor APIs for Context Distribution (same “I have… / I need…” diagram as slide 7)
    TRADITIONAL APIs – Ubiquitous and Well-Understood, but…
    §  Single-purpose function = need for many APIs/dev (and lots of testing)
    §  Not configurable = too much/little info for interface systems (scale issues)
    §  Pre-defined data exchange = wait until next release if you need a change
    §  Polling architecture = can’t scale beyond 1 or 2 system integrations
    §  Security can be “loose”
    §  Typically one-way = no mutual context exchange between systems
    §  Proprietary = vendor lock-in

  • 9. Or Maybe Some In-House Custom Middleware? (Maybe Not) (SIO)

  • 10. How Can We Solve This? Publish, Subscribe and Query Frameworks for Context Exchange (same “I have… / I need…” diagram as slide 7)
    Context Sharing Fabric: Publish, Publish, Discover Topic, Discover Topic, Continuous Exchange, Directed Query

  • 11. Deployment Considerations – Publish, Subscribe and Query Frameworks for Context Exchange (same diagram as slide 10)
    PUB/SUB/QUERY – Still Emerging, but has Advantages…
    §  Single framework – develop once, instead of multiple APIs
    §  Customize and secure what context gets shared and with which platforms
    §  Bi-directional – share and consume context
    §  Enables any adopting platform to share with any other adopting platform

  • 12. Context-Awareness Makes Life a Little Easier in IT – An IAM & SSO Example
    THE OLD HARD WAY – Many Systems, Missing Data, Incomplete Policy and Visibility
    Diagram labels: IDENTITY ACCESS MANAGEMENT; AAA LOGS FOR USER-TO-IP; ?; DATA SENSITIVITY; DEVICE REG STATUS; GEO/PHY LOCATION; USER ROLE; ACCESS TYPE
    THE NEW EASIER WAY – Accurate Data, Granular Access Policy
    Diagram labels: IDENTITY-ENABLED NETWORK FABRIC; CONTEXT-ENABLED IDENTITY ACCESS MANAGEMENT; DATA SENSITIVITY; DEVICE REG STATUS; GEO/PHY LOCATION; ACCESS TYPE; USER ROLE; AAA LOGS FOR USER-TO-IP; SECURITY POSTURE; ? ? ?; HTTP DEVICE FINGERPRINT

  • 13. Implications for Cloud-Centric IT
    Diagram labels: Context-Enabled Network Fabric; Sales Data; HR Data; Hosted Mail; Payroll; Productivity Apps; Ops Tools; Accounting Systems; Network Management; $
    Is he on the corporate network? Is he accessing cloud apps from 4G? How can I tell? How can I enforce data access policies off-prem?

  • 14. Implications for Cloud-Centric IT…and the SDN Evolution
    Diagram labels: Context-Enabled Network Fabric; Sales Data; HR Data; Hosted Mail; Payroll; Productivity Apps; Ops Tools; Accounting Systems; Network Management; $; SDN Control; Policy-based Service Levels (e.g., QoS); Policy-based Security Actions (e.g., access policy)

  • 15. Getting from Here to There…as an Industry
    IT DEPARTMENTS – Push Vendors to:
    •  Make context exchange frameworks real
    •  Reward real context openness
    •  Experiment with new context exchanges
    VENDORS – Consider Strategy & Approach:
    •  Openness can make you stronger
    •  Folly and inefficiency of context hoarding
    •  Industry is evolving – new approaches to context exchange
    THOUGHT LEADERS – Mine the White Space:
    •  Context-exchange is opportunity unto itself
    •  Systems integration, security frameworks, etc.
    •  Build bridges across diverse IT systems
    (NET management)

  • 16. Thank You

  • 17. Implications for the SDN Evolution
    Diagram labels: Context-Enabled Network Fabric; Vulnerability Assessment; IP Address & DNS Management; IoT Policy Management; Mobile Device Management; SIEM & Threat Defense; IAM & SSO; Content Security; Performance Management; Packet Capture & Forensics; SDN Control; Policy-based Service Levels (e.g., QoS); Policy-based Security Actions (e.g., investigation); ?
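As an added illustration (not code from the deck or from Cisco) of the contrast between slide 4's "WHO only" access control and slide 5's "Critical Data" policy, the following evaluates one access request against the five WHO/WHAT/WHERE/WHEN/HOW rules exactly as the slide states them. The attribute names, the Eastern-time reading of "US business hours" (9 to 17, Monday to Friday, fixed UTC-5 offset) and the sample request are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AccessContext:
    """Context a network fabric could supply for one request (field names assumed)."""
    user: str
    groups: frozenset          # directory group memberships
    device_type: str           # e.g. "mobile", "laptop"
    device_registered: bool    # MDM / device enrollment status
    country: str               # geo-location, ISO 3166 alpha-2
    access_method: str         # "wired", "wireless" or "vpn"
    when: datetime             # timezone-aware request time


# Assumption: "US business hours" measured on a fixed UTC-5 offset (no DST handling).
BUSINESS_TZ = timezone(timedelta(hours=-5), "US-Eastern-approx")


def in_us_business_hours(when: datetime) -> bool:
    local = when.astimezone(BUSINESS_TZ)
    return local.weekday() < 5 and 9 <= local.hour < 17


def legacy_decision(ctx: AccessContext) -> bool:
    """Slide 4 model: WHO only (user/group); device, location, time and method are invisible."""
    return "exec" in ctx.groups


def critical_data_decision(ctx: AccessContext) -> tuple[bool, list[str]]:
    """Slide 5 'Critical Data' policy: every rule must pass; violations are returned for audit."""
    violations = []
    if "exec" not in ctx.groups:
        violations.append("WHO: not in Exec group")
    if ctx.device_type == "mobile" and not ctx.device_registered:
        violations.append("WHAT: non-registered mobile device")
    if ctx.country != "US":
        violations.append("WHERE: access from outside the US")
    if not in_us_business_hours(ctx.when):
        violations.append("WHEN: outside US business hours")
    if ctx.access_method == "vpn":
        violations.append("HOW: VPN access not permitted")
    return (not violations), violations


# Constructed sample: an exec on an unregistered phone over VPN at 02:00 Eastern on a Wednesday.
SAMPLE = AccessContext(user="alice", groups=frozenset({"exec", "finance"}), device_type="mobile",
                       device_registered=False, country="US", access_method="vpn",
                       when=datetime(2014, 7, 16, 7, 0, tzinfo=timezone.utc))
# Same user, but on an enrolled device, over wireless, at 10:00 Eastern: compliant.
COMPLIANT = replace(SAMPLE, device_registered=True, access_method="wireless",
                    when=datetime(2014, 7, 16, 15, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("legacy (WHO only):", legacy_decision(SAMPLE))
    print("context-aware:", critical_data_decision(SAMPLE))
```

The WHO-only check admits the first request; the context-aware policy denies it and names the three attributes that failed, which is the same information a log or SIEM would want for the decision.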