Cisco DevNet, profile picture
Uploaded byCisco DevNet
PDF, PPTX2,856 views

Using Cisco pxGrid for Security Platform Integration: a deep dive

The document discusses Cisco's Platform Exchange Grid (pxGrid) and its integration with security platforms, focusing on functionality, use cases, and deployment perspectives from partners and Cisco IT. It emphasizes context sharing for improved security event response and access policy management, highlighting the ease of integration for IT departments. Additionally, it presents the benefits of using pxGrid for adaptive network control, customer implementations, and developer resources available for building integrations.

Embed presentation

Download as PDF, PPTX
DEVNET-1124 Using Cisco pxGrid for Security Platform Integration John Eppich Technical Marketing Engineer David Koenig Head of Business Development and Strategy, Situational Corp. Ranjan Jain Security Architect, Cisco IT
Agenda • Functional and Architectural Basics of Cisco Platform Exchange Grid (pxGrid) • DevNet Partner & Cisco Security Integration Use-Cases • First-hand pxGrid Developer Perspective from DevNet partner Situational Corp • Customer Deployment perspective – Cisco IT pxGrid SECURITY THRU INTEGRATI ON
Context is the Currency of the Solution Integration Realm …but it’s not easy to execute I have NBAR info! I need identity… I have firewall logs! I need identity… I have sec events! I need reputation… I have NetFlow! I need entitlement… I have MDM info! I need location… I have app inventory info! I need posture… I have identity & device-type! I need app inventory & vulnerability… I have threat data! I need reputation… I have location! I need identity… But Integration Burden is on IT Departments We Need to Share Context & Take Network Actions I have reputation info! I need threat data… I have application info! I need location & auth-group…SIO
I have reputation info! I need threat data… I have MDM info! I need location… I have app inventory info! I need posture… I have application info! I need location & auth-group…SIO pxGrid Context Sharing Event Response Context is the Currency of the Solution Integration Realm …but it’s not easy to execute…but pxGrid accomplishes this I have NBAR info! I need identity… I have firewall logs! I need identity… I have sec events! I need reputation… I have NetFlow! I need entitlement… I have identity & device-type! I need app inventory & vulnerability… I have threat data! I need reputation… I have location! I need identity…
WHY CUSTOMERS CARE Cisco pxGrid – Context-Sharing & Network Mitigation Connecting Partners & Cisco Security Platforms, Connecting Partners-to-Partners Cisco Provides Network Context to Customer IT Platforms Use Eco-Partner Context for Cisco Network Policy for Customers Cisco Shares User/Device & Network Context with IT Infrastructure Cisco Receives Context from Eco- Partners to Make Better Network Access Policy 1 2 3 Help Customer IT Environments Reach into the Cisco Network CISCO PLATFORM ECO-PARTNER CONTEXT CISCO PLATFORM ECO-PARTNER CONTEXT ECO-PARTNER CISCO PLATFORM CISCO NETWORK ACTION MITIGATE Puts “Who, What Device, What Access” with Events. Way Better than Just IP Addresses! Creates a Single Place for Comprehensive Network Access Policy thru Integration Decreases Time, Effort and Cost to Responding to Security and Network Events
USE CASE: Contextual Awareness for Security/Network Event Prioritization, Response and Policy NETWORK ALERT! SRC/65.32.7.45 DST/165.1.4.9 : HTTP Is this event important? I need more info… Who is this? Is this a server? Smartphone? Is it still on the network? Where? Did this come over VPN? What’s their access level? What’s their posture? What else is on the network?
©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8©2014 Cisco and/or its affiliates. All rights reserved. 8 “Sensitive Asset” “Other Asset” “Sensitive Asset” 87% of data breaches involve poor access rules… we need to do this better. Verizon Data Breach Report Access Criteria:  Who: User, Group USE CASE: Context from Cisco Identity Services Engine (ISE) to Application Control System to Increase Application Security
©2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9©2014 Cisco and/or its affiliates. All rights reserved. 9 ACCESS POLICY – “Critical Data” WHO = Exec Group Only WHAT = No Non-Registered Mobile WHERE = UK Only WHEN = UK Business Hours Only HOW = No VPN Access Vary this gent’s application access privilege based on device enrollment, geo-location and access method “Financial Reports” “Café Menus” “HR Database” ISE Context Completes the Picture – Granular Application Data Control Access Criteria  Non-Sensitive  Sensitive  Critical Data
Vulnerability Assessment Packet Capture & Forensics SIEM & Threat Defense IAM & SSO pxGrid SECURITY THRU INTEGRATION pxGrid – Industry Adoption Critical Mass as of June 2015 18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago Net/App Performance IoT Security Cisco ISE Cisco WSA Cloud Access Security ?
I have identity & device! I need geo-location & MDM… I have application info! I need location & device-type I have location! I need app & identity… Cisco ISE as pxGrid Controller Publish Publish Discover TopicDiscover Topic Continuous Flow Directed QuerypxGrid Context Sharing CISCO ISE Continuous Flow Directed Query I have sec events! I need identity & device… I have MDM info! I need location… How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners Authenticate  Authorize  Publish  Discover  Subscribe  Query
I have identity & device! I need geo-location & MDM… I have application info! I need location & device-type I have location! I need app & identity… ISE as pxGrid Controller Publish Publish Discover TopicDiscover Topic Continuous Flow Directed QuerypxGrid Context Sharing CISCO ISE Continuous Flow Directed Query I have sec events! I need identity & device… I have MDM info! I need location… How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners Authenticate  Authorize  Publish  Discover  Subscribe  Query Traditional APIs have many limitations - pxGrid addresses these issues: •Single-purpose function = need for many APIs/dev (and lots of testing) •Not configurable = too much/little info for interface systems (scale issues) •Pre-defined data exchange = wait until next release if you need a change •Polling architecture = can’t scale beyond 1 or 2 system integrations •Security can be “loose”
“1-touch” network mitigation action – from 3rd party partner console pxGrid ANC API ISE as unified policy point User/Device Quarantine Dynamic ACLs, Increase Inspection Adaptive Network Control provides the ability to: •Quarantine user devices from 3rd party products, such as SIEM systems •Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA or increase IPS inspection levels •Who supports today: Lancope, Splunk, LogRhythm, NetIQ, Tenable, Bayshore, Rapid 7, Elastica pxGrid: Adaptive Network Control Makes Cisco Infrastructure a Unified Event Response Network
pxGrid Architecture & Components pxGrid Controller pxGrid Controller Responsible for Control Plane: •Establishing the “grid” instance •Authenticating clients on to the grid •Authorizing what clients can do on the grid •Maintaining directory of context information “topics” available on the grid pxGrid Client pxGrid Clients (Eco-Partner Platforms) Responsible for: •Utilizing pxGrid Client Libraries (in SDK) to communicate with the pxGrid Controller •If sharing contextual information, publishing it to a “topic” •If consuming contextual information, subscribing to appropriate “topic” •Filtering “topics” to exclude unwanted information •Ad-hoc query to “topics” pxGrid Client
Example: Evolution from REST to pxGrid Cisco ISE User/Device Context-Sharing Example Session Context sharing from ISE MnT Issues pxGrid Solution Periodic polling using REST API Publish & Subscribe notification push DB queries causing high I/O usage No DB query with published events caching Bulk download takes more than 3 hours for 200,000 endpoints using REST API • pxGrid provides XML streaming of sessions with pagination • Provides semantic filtering capability (ex: location) to download only a subset Receiving all attributes per session To only send interested attributes through syntactic filtering Use of syslog as interim approach - All events are processed Pubsub notification - only relevant events will be sent No visibility and mechanism to authorize, control who is accessing MnT • pxGrid provides single point of authentication and authorization, allowing only authorized systems to access the MnT • pxGrid provides visibility into topics, publishers, subscribers … Other issues: •requires opening up firewall ports for reverse web services calls •no support for federation •Lacks scale with endpoints increase • XMPP protocol supports bi-directionality with tunneling • XMPP supports federation • pxGrid scaling and HA is achieved by leveraging XMPP server architecture
Cisco pxGrid SDK Components & Function Component Function Grid Client Library (GCL) in C and Java • Software libraries for embedding in partner system • Connects partner system to the pxGrid Sample pxGrid Data Output • Sample data from Cisco ISE across a pxGrid connection to test with Sample Data Generator • Generates live session data across a pxGrid connection • Uses Cisco ISE user/device session data pxGrid Controller Virtual Machine for Testing • ISO of bundled Cisco ISE and pxGrid Controller for local testing in your lab Hosted Testing Sandbox • Enables developer to connect to an already setup test environment pxGrid Documentation: Tutorials, Development Guides, testing guides, • Complete documentation to guide the developer from concept to implementation to verification testing
A Closer Look at the pxGrid Connection Library… • Connection to pxGrid Server • Multiple pxGrid servers • Round-robin auto retries • Reports connection status • Client certificate based authentication • A root cert is installed in pxGrid server • pxGrid server verifies client certs are signed by the root cert • Capability subscription and publishing • Capability is a set of queries and notifications supported • pxGrid provides discovery of Capability • Notifications are sent to XMPP pub/sub • Queries are directly sent to Capability provider
How to Get Only the Context You Need… pxGrid Message Filtering • Allows subscriber to filter/restrict messages based on specified filter criteria. • Two kinds of filters: • Content Based Filters • Restrict messages based on the content of the message • e.g. an ASA device interested in receiving session information from ISE only for end points belonging to a subnet • Schema Based Filter • Allows clients to receive only a subset of attributes instead of the full message object • Not supported in this phase
How to Install and Test Using the pxGrid SDK 1. Install pxGrid Controller: Install Cisco ISE 1.3 ISO on a VM. 2. Setup pxGrid Controller/Client Key-stores and Trust-stores: Import samples certificates from SDK. These certificates will be used by the pxGrid client for mutual authentication to the pxGrid controller. 3. Enable pxGrid Controller: Enable pxGrid persona in Cisco ISE. 4. Setup pxGrid Test Client: Download SDK onto pxGrid client. This can be installing client libraries in your platform or hosting on an external test client (linux box, e.g. CentOS). 5. Authenticate pxGrid Client: Import the ISE identity sample cert into your platform or the linux client, and add to keystore. 6. Test with SDK Scripts: Run pxGrid sample scripts included in the SDK
Using the pxGrid Client Libraries Developer platforms interact with pxGrid by registering the appropriate query and notification callers and handlers as detailed below: • Query Handler: A provider must register query handler with the pxGrid client library to service a query that it needs to expose over pxGrid. • Query Caller: A query caller is created by assembling a request and calling the query method on the pxGrid connection. • Notification Handler: Registers a notification handler with the pxGrid connection to receive notifications for a capability. • Notifier: To be able to publish notifications, the developer platform must first invoke a publish capability method.
pxGrid Sample Scripts Currently Available in the SDK • Sample pxGrid scripts provide development partners with executable example code for how to use the API • These scripts can also be useful in demos with customers • Most commonly used pxGrid API scripts on Cisco ISE: • Register: registers pxGrid client to the pxGrid controller to an authorized session or ANC/EPS group. • Session Subscribe: pxGrid client subscribes to capability • Identity Group download: Downloads user identity information such as the user and profiled group information from active sessions in ISE • Session Query by IP: retrieves all active session from ISE based on IP address • Session Download: downloads all active sessions from ISE • ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given IP address • ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address • Capability: queries the registered pxGrid client name for available topic provided by the publisher (ISE in this case)
pxGrid on DevNet
pxGrid Sandbox now available on DevNet • DevNet Sandbox pxGrid environment allows users to integrate with pxGrid services on Cisco ISE
Developer perspective – Situational Corp.
• Situational is Venture backed Cisco Ecosystem Partner • Deep expertise in Identity and Access Management • Context Sharing Enables Enforcement of Security Policy • Two key use cases: • dot1x based Single Sign On • Device driven application security Security Integration At Work
• Use Case: Single Sign On based on dot1x Authentication • Example: Single network authentication provides secure authenticated access to cloud and web applications • Solution: Integrate Network Session with Application Sign On Security Integration At Work
• Use Case: Restrict application access based on device context • Example policy: Only employees using managed laptops can access patent research data stored in cloud application. • Solution: Integrate Network Access Control Policy and Identity and Access Management Security Integration At Work
• Technical Detail • Develop pxGrid Integration based on Session Query • Associate Client with User Session • Leverage User Identity and Session Attributes in IAM Standards including SAML Security Integration At Work
• Benefits • Significantly lower risk of core business operations • Extend value of in place security components • Minimal operational impact • Rapid development cycles Security Integration At Work
• Benefits • Significantly lower risk of core business operations • Extend value of in place security components • Minimal operational impact • Rapid development cycles Security Integration At Work
Customer Deployment Perspective – Cisco IT
About me 32 • Security Architect (IT) • Cisco IT Identity & Access team : 12 years • 11 years in core Identity and Access • 1 year in web and cloud security • Industry speaker at RSA, Gartner, CIS, OOW, IRM Goal for this session: Idea exchange among peers Questions: Interrupt as needed Ranjan Jain #identity_guy
ACCESS POLICY – “Critical Data” WHO = Exec Group Only Financial Reports Café Menus HR Database CFO Current Access Management Access Criteria  Sensitive  Non-Sensitive  Critical Data
Who? When? Where? How? What? Employee Customer/Partner Guest Personal Device Company Asset Wired Wireless VPN @ Starbucks Headquarters Weekends (8:00am – 5:00pm) PST Context Aware Security: Classification Attributes Kiosk Extranet Context Aware Security
ACCESS POLICY – “Critical Data” WHO = Exec Group Only WHAT = Registered Corp device only WHERE = US Only WHEN = US Business Hours Only HOW = No VPN Access Access Criteria  Sensitive  Non-Sensitive  Critical Data 1. Data sensitive access policies Financial Reports Café Menus HR Database Context Aware Security Use Cases CFO
2. Portable Assurance Level for Cloud Apps Context Aware Security Use Cases
Internet Only Access Full access No restrictions Limited Access Fully Compliant Trusted devices Manager Doesn’t meet Trusted Device Standard IT Analyst Engineer/Coder Some Trusted Device Elements Policy Decision Point Identity and Device drive Access Permission
Key Takeaways • Federated and Contextual security is the only secure way for Cloud and Mobility • ISE is the glue for contextual security • Visibility is important – into both network and endpoint • Standard based access management is the key Picture credit: http://www.impulse.com/
In Summary…and How to Get Started Cisco pxGrid Enables: • Integration between development partners and the Cisco security products • Many-to-many integration scalability • The ability to integrate once to pxGrid and re- use that implementation to interface with any other pxGrid platform (even other Cisco development partners) • Integrations with the Cisco Identity Services Engine (ISE) are available today Get Started: •Cisco Identity Services Engine (ISE) integrations available today •Use user-to-IP address bindings answer “who” in your platforms •Use device identification to answer “what type of device” in your platforms •Use mitigation capabilities to take actions on users/device from your platform •Access SDK, client libraries and tutorials at: https://developer.cisco.com/site/pxgrid/
Thank you

More Related Content

DOCX
Cách viết đồ án tốt nghiệp đại học giao thông vận tải
byLuanvantot.com 0934.573.149
 
DOC
Đồ Án Tốt Nghiệp Nghiên Cứu Xây Dựng Hệ Thống An Toàn Thông Tin Trong Lĩnh Vự...
bymokoboo56
 
PPTX
Network Simulation using Mikrotik Router OS CHR (MUM Presentation)
byArif Hossen
 
PDF
Control builder
byquanglocbp
 
PDF
Nghiên cứu công nghệ mã vạch hai chiều và đề xuất dự án ứng dụng nghiệp vụ nh...
bysunflower_micro
 
PDF
Đề tài: Hệ thống giám sát mạng dựa trên phần mềm nguồn mở, HAY
byDịch vụ viết bài trọn gói ZALO 0917193864
 
PDF
thông tin thầy cô khoa an tonaf thông tin PTIT
byNguynMinh294
 
DOCX
Giao trinh ctmt
bycanh071179
 
Cách viết đồ án tốt nghiệp đại học giao thông vận tải
byLuanvantot.com 0934.573.149
 
Đồ Án Tốt Nghiệp Nghiên Cứu Xây Dựng Hệ Thống An Toàn Thông Tin Trong Lĩnh Vự...
bymokoboo56
 
Network Simulation using Mikrotik Router OS CHR (MUM Presentation)
byArif Hossen
 
Control builder
byquanglocbp
 
Nghiên cứu công nghệ mã vạch hai chiều và đề xuất dự án ứng dụng nghiệp vụ nh...
bysunflower_micro
 
Đề tài: Hệ thống giám sát mạng dựa trên phần mềm nguồn mở, HAY
byDịch vụ viết bài trọn gói ZALO 0917193864
 
thông tin thầy cô khoa an tonaf thông tin PTIT
byNguynMinh294
 
Giao trinh ctmt
bycanh071179
 

What's hot

PDF
Phân tích và thiết kế hệ thống thông tin - Đề tài Quản lý hãng tour du lịch
byColeman Ferry
 
PDF
Hướng dẫn thực hành các trạm MPS.pdf
byMan_Ebook
 
PDF
HART as an Attack Vector
byDigital Bond
 
PDF
36579601 packet-tracer-manual
byRomanyhanna
 
PPTX
Getting the most out of the Aruba Policy Enforcement Firewall
byAruba, a Hewlett Packard Enterprise company
 
PDF
Troubleshooting BGP Juniper Examples
bySalachudin Emir
 
PPTX
Network Engineer Interview Questions with Answers
bySarmad Ali
 
PPT
Rung Chuông vàng
byTuấn Nguyễn
 
DOCX
Hệ thống phát hiện xâm nhập mạng Suricata.docx
byDV Viết Luận văn luanvanmaster.com ZALO 0973287149
 
PDF
Policy Based Routing (PBR)
byKHNOG
 
PDF
Star topology
byAbidHasan575032
 
DOCX
Tìm hai số khi biết Tổng và Hiệu
byBồi Dưỡng HSG Toán Lớp 3
 
DOC
Bài Tập Lớn Hệ Quản Trị Cơ Sở Dữ Liệu Access.doc
byDịch Vụ Viết Bài Trọn Gói ZALO 0917193864
 
PDF
Báo cáo chuyên đề HỆ THỐNG SCADA QUẢN LÝ, GIÁM SÁT ĐIỆN NĂNG
bynataliej4
 
PPT
Bao cao session hijacking it-slideshares.blogspot.com
byphanleson
 
PPT
C3 stack queue
byhiep0109
 
PDF
Cài đặt dns trên máy ảo
byTrường Tiền
 
DOC
Báo cáo thực tập kỹ thuật
byHoang Anh Vi
 
PDF
Đo khoảng cách bằng MSP430 Launchpad
byFPT Telecom
 
DOCX
He thong truyen dan PDH va SDH
byĐinh Công Thiện Taydo University
 
Phân tích và thiết kế hệ thống thông tin - Đề tài Quản lý hãng tour du lịch
byColeman Ferry
 
Hướng dẫn thực hành các trạm MPS.pdf
byMan_Ebook
 
HART as an Attack Vector
byDigital Bond
 
36579601 packet-tracer-manual
byRomanyhanna
 
Getting the most out of the Aruba Policy Enforcement Firewall
byAruba, a Hewlett Packard Enterprise company
 
Troubleshooting BGP Juniper Examples
bySalachudin Emir
 
Network Engineer Interview Questions with Answers
bySarmad Ali
 
Rung Chuông vàng
byTuấn Nguyễn
 
Hệ thống phát hiện xâm nhập mạng Suricata.docx
byDV Viết Luận văn luanvanmaster.com ZALO 0973287149
 
Policy Based Routing (PBR)
byKHNOG
 
Star topology
byAbidHasan575032
 
Tìm hai số khi biết Tổng và Hiệu
byBồi Dưỡng HSG Toán Lớp 3
 
Bài Tập Lớn Hệ Quản Trị Cơ Sở Dữ Liệu Access.doc
byDịch Vụ Viết Bài Trọn Gói ZALO 0917193864
 
Báo cáo chuyên đề HỆ THỐNG SCADA QUẢN LÝ, GIÁM SÁT ĐIỆN NĂNG
bynataliej4
 
Bao cao session hijacking it-slideshares.blogspot.com
byphanleson
 
C3 stack queue
byhiep0109
 
Cài đặt dns trên máy ảo
byTrường Tiền
 
Báo cáo thực tập kỹ thuật
byHoang Anh Vi
 
Đo khoảng cách bằng MSP430 Launchpad
byFPT Telecom
 
He thong truyen dan PDH va SDH
byĐinh Công Thiện Taydo University
 

Viewers also liked

PDF
Fipp world media trends special report social media
byTuan Anh Nguyen
 
PDF
2016 06 Radboud Technology Centers
byAlain van Gool
 
PPT
6 Important Questions To Ask Before Becoming An Events Manager
bySkills Academy
 
PPTX
Consumer Protection
byEndcode_org
 
PDF
Subcription vod
byTuan Anh Nguyen
 
PPT
Software project management interview questions and answers
bysimonthomas990
 
PDF
Intro to Git: a hands-on workshop
byCisco DevNet
 
PPTX
DevNet UX Creative Design 101 workshop
byCisco DevNet
 
PPTX
DEVNET-1186 Harnessing the Power of the Cloud to Detect Advanced Threats: Cog...
byCisco DevNet
 
PDF
Fipp world media trends special report video report
byTuan Anh Nguyen
 
PDF
EU FP7 CarTarDis project overview April 2015
byAlain van Gool
 
PDF
2015 03-11 Opening EATRIS Finland, Helsinki
byAlain van Gool
 
PDF
Bijlage 2-shell-ffs-reactor
bypouya_ms
 
PPT
3 dalis. kas yra besimokantis miestas vaizdine medziaga svietejams
byvalentina valentina
 
PDF
Social Media strategy
byTuan Anh Nguyen
 
PPTX
презентация
bysadas asdsad
 
PDF
2015 06-02 Steering group 'Personalized Medicine: eligible or not'
byAlain van Gool
 
PDF
Cfs proposal
byRandy Nobleza
 
PPTX
Patient confidentiality training
byLacey Bredehoeft-Fiene
 
PPTX
Presenting my edited photographs
byalexjr1996
 
Fipp world media trends special report social media
byTuan Anh Nguyen
 
2016 06 Radboud Technology Centers
byAlain van Gool
 
6 Important Questions To Ask Before Becoming An Events Manager
bySkills Academy
 
Consumer Protection
byEndcode_org
 
Subcription vod
byTuan Anh Nguyen
 
Software project management interview questions and answers
bysimonthomas990
 
Intro to Git: a hands-on workshop
byCisco DevNet
 
DevNet UX Creative Design 101 workshop
byCisco DevNet
 
DEVNET-1186 Harnessing the Power of the Cloud to Detect Advanced Threats: Cog...
byCisco DevNet
 
Fipp world media trends special report video report
byTuan Anh Nguyen
 
EU FP7 CarTarDis project overview April 2015
byAlain van Gool
 
2015 03-11 Opening EATRIS Finland, Helsinki
byAlain van Gool
 
Bijlage 2-shell-ffs-reactor
bypouya_ms
 
3 dalis. kas yra besimokantis miestas vaizdine medziaga svietejams
byvalentina valentina
 
Social Media strategy
byTuan Anh Nguyen
 
презентация
bysadas asdsad
 
2015 06-02 Steering group 'Personalized Medicine: eligible or not'
byAlain van Gool
 
Cfs proposal
byRandy Nobleza
 
Patient confidentiality training
byLacey Bredehoeft-Fiene
 
Presenting my edited photographs
byalexjr1996
 

Similar to Using Cisco pxGrid for Security Platform Integration: a deep dive

PPTX
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
byCisco DevNet
 
PDF
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
byCisco Canada
 
PDF
Application Centric Infrastructure (ACI), the policy driven data centre
byCisco Canada
 
PPTX
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
byCisco DevNet
 
PPTX
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
byCisco DevNet
 
PPTX
Cisco Security DNA
byMatteo Masi
 
PDF
Demystifying ISE Deployments.pdf........
byAntonioIsipJr1
 
PPTX
Cisco Identity Services Engine (ISE)
byAnwesh Dixit
 
PDF
ISE_FireJumper_Design.pdf---------------------------
byJarita6
 
PPT
Cisco Security Technical Alliances
byCisco DevNet
 
PPTX
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
byVeronica916344
 
PPTX
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
byVeronica916344
 
PPTX
ISE_2.1_BDM_v3a.pptx
byYaser330700
 
PPTX
Sem cis ise
byLino Quivén
 
PDF
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
byNetworkCollaborators
 
PPTX
Enterprise Network Design and Deployment
bySandeep Yadav
 
PDF
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
byPrimend
 
PDF
CIS14: Network-Aware IAM
byCloudIDSummit
 
PDF
Cisco Connect 2018 Thailand - Telco service provider network analytics
byNetworkCollaborators
 
PDF
infraxstructure: Piotr Wojciechowski "Secure Data Center"
byPROIDEA
 
DEVNET-1010 Using Cisco pxGrid for Security Platform Integration
byCisco DevNet
 
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
byCisco Canada
 
Application Centric Infrastructure (ACI), the policy driven data centre
byCisco Canada
 
DEVNET-1124 Cisco pxGrid: A New Architecture for Security Platform Integration
byCisco DevNet
 
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
byCisco DevNet
 
Cisco Security DNA
byMatteo Masi
 
Demystifying ISE Deployments.pdf........
byAntonioIsipJr1
 
Cisco Identity Services Engine (ISE)
byAnwesh Dixit
 
ISE_FireJumper_Design.pdf---------------------------
byJarita6
 
Cisco Security Technical Alliances
byCisco DevNet
 
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
byVeronica916344
 
Cisco Identity Services Engine (ISE) Zero Trust Workplace BDM.PPTX
byVeronica916344
 
ISE_2.1_BDM_v3a.pptx
byYaser330700
 
Sem cis ise
byLino Quivén
 
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
byNetworkCollaborators
 
Enterprise Network Design and Deployment
bySandeep Yadav
 
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
byPrimend
 
CIS14: Network-Aware IAM
byCloudIDSummit
 
Cisco Connect 2018 Thailand - Telco service provider network analytics
byNetworkCollaborators
 
infraxstructure: Piotr Wojciechowski "Secure Data Center"
byPROIDEA
 

More from Cisco DevNet

PPTX
UCS Management APIs A Technical Deep Dive
byCisco DevNet
 
PPTX
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
byCisco DevNet
 
PPTX
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
byCisco DevNet
 
PPTX
Device Programmability with Cisco Plug-n-Play Solution
byCisco DevNet
 
PPTX
WAN Automation Engine API Deep Dive
byCisco DevNet
 
PPTX
Application Visibility and Experience through Flexible Netflow
byCisco DevNet
 
PPTX
DevNet Express - Spark & Tropo API - Lisbon May 2016
byCisco DevNet
 
PPTX
NETCONF & YANG Enablement of Network Devices
byCisco DevNet
 
PPTX
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap API
byCisco DevNet
 
PPTX
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
byCisco DevNet
 
PPTX
Coding 102 REST API Basics Using Spark
byCisco DevNet
 
PPTX
Getting Started: Developing Tropo Applications
byCisco DevNet
 
PPTX
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
byCisco DevNet
 
PPTX
Cisco's Open Device Programmability Strategy: Open Discussion
byCisco DevNet
 
PPTX
Rome 2017: Building advanced voice assistants and chat bots
byCisco DevNet
 
PPTX
OpenStack Enabling DevOps
byCisco DevNet
 
PPTX
Cisco Spark and Tropo and the Programmable Web
byCisco DevNet
 
PPTX
Cisco Spark & Tropo API Workshop
byCisco DevNet
 
PPTX
How to Build Advanced Voice Assistants and Chatbots
byCisco DevNet
 
PPTX
How to Contribute to Ansible
byCisco DevNet
 
UCS Management APIs A Technical Deep Dive
byCisco DevNet
 
NetDevOps for the Network Dude: How to get started with API's, Ansible and Py...
byCisco DevNet
 
Open Device Programmability: Hands-on Intro to RESTCONF (and a bit of NETCONF)
byCisco DevNet
 
Device Programmability with Cisco Plug-n-Play Solution
byCisco DevNet
 
WAN Automation Engine API Deep Dive
byCisco DevNet
 
Application Visibility and Experience through Flexible Netflow
byCisco DevNet
 
DevNet Express - Spark & Tropo API - Lisbon May 2016
byCisco DevNet
 
NETCONF & YANG Enablement of Network Devices
byCisco DevNet
 
Building a WiFi Hotspot with NodeJS: Cisco Meraki - ExCap API
byCisco DevNet
 
DevNet @TAG - Spark & Tropo APIs - Milan/Rome May 2016
byCisco DevNet
 
Coding 102 REST API Basics Using Spark
byCisco DevNet
 
Getting Started: Developing Tropo Applications
byCisco DevNet
 
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
byCisco DevNet
 
Cisco's Open Device Programmability Strategy: Open Discussion
byCisco DevNet
 
Rome 2017: Building advanced voice assistants and chat bots
byCisco DevNet
 
OpenStack Enabling DevOps
byCisco DevNet
 
Cisco Spark and Tropo and the Programmable Web
byCisco DevNet
 
Cisco Spark & Tropo API Workshop
byCisco DevNet
 
How to Build Advanced Voice Assistants and Chatbots
byCisco DevNet
 
How to Contribute to Ansible
byCisco DevNet
 

Recently uploaded

PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PDF
Master the FME Connector for ArcGIS: Streamlined Data Management & Robust Met...
bySafe Software
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
PPTX
Lecture 05. API Security for DevSecOps Eng.pptx
byvinocol222
 
PPTX
Full course that Prymehat uploads for you
byOhenebaManu1
 
PDF
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
PPTX
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
PDF
KM World 2025 Enterprises, KM, & Agentic AI
byEnterprise Knowledge
 
PPTX
Grade 8 LESSON 7 - VIDEO EDITING lessonb
byclarizzairahmanansal
 
PPTX
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
PDF
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
PDF
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
PDF
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
PDF
SEO in Charleston SC | Local SEO Strategies to Grow Your Business.pdf
bycustomdigitalsolutio1
 
PPTX
02_Extended Warehouse Management Functions and Features.pptx
byUdayakumar218983
 
PDF
Josh Chu Boston - An Innovative Technology Executive
byJosh Chu Boston
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
Master the FME Connector for ArcGIS: Streamlined Data Management & Robust Met...
bySafe Software
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Intro to CrafterQ - AI Agent Platform for the Enterprise.pdf
byCrafterQ
 
Lecture 05. API Security for DevSecOps Eng.pptx
byvinocol222
 
Full course that Prymehat uploads for you
byOhenebaManu1
 
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
KM World 2025 Enterprises, KM, & Agentic AI
byEnterprise Knowledge
 
Grade 8 LESSON 7 - VIDEO EDITING lessonb
byclarizzairahmanansal
 
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
SEO in Charleston SC | Local SEO Strategies to Grow Your Business.pdf
bycustomdigitalsolutio1
 
02_Extended Warehouse Management Functions and Features.pptx
byUdayakumar218983
 
Josh Chu Boston - An Innovative Technology Executive
byJosh Chu Boston
 

Using Cisco pxGrid for Security Platform Integration: a deep dive

  • 2.
    DEVNET-1124 Using Cisco pxGridfor Security Platform Integration John Eppich Technical Marketing Engineer David Koenig Head of Business Development and Strategy, Situational Corp. Ranjan Jain Security Architect, Cisco IT
  • 3.
    Agenda • Functional andArchitectural Basics of Cisco Platform Exchange Grid (pxGrid) • DevNet Partner & Cisco Security Integration Use-Cases • First-hand pxGrid Developer Perspective from DevNet partner Situational Corp • Customer Deployment perspective – Cisco IT pxGrid SECURITY THRU INTEGRATI ON
  • 4.
    Context is theCurrency of the Solution Integration Realm …but it’s not easy to execute I have NBAR info! I need identity… I have firewall logs! I need identity… I have sec events! I need reputation… I have NetFlow! I need entitlement… I have MDM info! I need location… I have app inventory info! I need posture… I have identity & device-type! I need app inventory & vulnerability… I have threat data! I need reputation… I have location! I need identity… But Integration Burden is on IT Departments We Need to Share Context & Take Network Actions I have reputation info! I need threat data… I have application info! I need location & auth-group…SIO
  • 5.
    I have reputationinfo! I need threat data… I have MDM info! I need location… I have app inventory info! I need posture… I have application info! I need location & auth-group…SIO pxGrid Context Sharing Event Response Context is the Currency of the Solution Integration Realm …but it’s not easy to execute…but pxGrid accomplishes this I have NBAR info! I need identity… I have firewall logs! I need identity… I have sec events! I need reputation… I have NetFlow! I need entitlement… I have identity & device-type! I need app inventory & vulnerability… I have threat data! I need reputation… I have location! I need identity…
  • 6.
    WHY CUSTOMERS CARE CiscopxGrid – Context-Sharing & Network Mitigation Connecting Partners & Cisco Security Platforms, Connecting Partners-to-Partners Cisco Provides Network Context to Customer IT Platforms Use Eco-Partner Context for Cisco Network Policy for Customers Cisco Shares User/Device & Network Context with IT Infrastructure Cisco Receives Context from Eco- Partners to Make Better Network Access Policy 1 2 3 Help Customer IT Environments Reach into the Cisco Network CISCO PLATFORM ECO-PARTNER CONTEXT CISCO PLATFORM ECO-PARTNER CONTEXT ECO-PARTNER CISCO PLATFORM CISCO NETWORK ACTION MITIGATE Puts “Who, What Device, What Access” with Events. Way Better than Just IP Addresses! Creates a Single Place for Comprehensive Network Access Policy thru Integration Decreases Time, Effort and Cost to Responding to Security and Network Events
  • 7.
    USE CASE: ContextualAwareness for Security/Network Event Prioritization, Response and Policy NETWORK ALERT! SRC/65.32.7.45 DST/165.1.4.9 : HTTP Is this event important? I need more info… Who is this? Is this a server? Smartphone? Is it still on the network? Where? Did this come over VPN? What’s their access level? What’s their posture? What else is on the network?
  • 8.
    ©2014 Cisco and/orits affiliates. All rights reserved. Cisco Confidential 8©2014 Cisco and/or its affiliates. All rights reserved. 8 “Sensitive Asset” “Other Asset” “Sensitive Asset” 87% of data breaches involve poor access rules… we need to do this better. Verizon Data Breach Report Access Criteria:  Who: User, Group USE CASE: Context from Cisco Identity Services Engine (ISE) to Application Control System to Increase Application Security
  • 9.
    ©2014 Cisco and/orits affiliates. All rights reserved. Cisco Confidential 9©2014 Cisco and/or its affiliates. All rights reserved. 9 ACCESS POLICY – “Critical Data” WHO = Exec Group Only WHAT = No Non-Registered Mobile WHERE = UK Only WHEN = UK Business Hours Only HOW = No VPN Access Vary this gent’s application access privilege based on device enrollment, geo-location and access method “Financial Reports” “Café Menus” “HR Database” ISE Context Completes the Picture – Granular Application Data Control Access Criteria  Non-Sensitive  Sensitive  Critical Data
  • 10.
    Vulnerability Assessment Packet Capture & Forensics SIEM& Threat Defense IAM & SSO pxGrid SECURITY THRU INTEGRATION pxGrid – Industry Adoption Critical Mass as of June 2015 18 Partner Platforms and 9 Technology Areas Since Release 7 Months Ago Net/App Performance IoT Security Cisco ISE Cisco WSA Cloud Access Security ?
  • 11.
    I have identity& device! I need geo-location & MDM… I have application info! I need location & device-type I have location! I need app & identity… Cisco ISE as pxGrid Controller Publish Publish Discover TopicDiscover Topic Continuous Flow Directed QuerypxGrid Context Sharing CISCO ISE Continuous Flow Directed Query I have sec events! I need identity & device… I have MDM info! I need location… How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners Authenticate  Authorize  Publish  Discover  Subscribe  Query
  • 12.
    I have identity& device! I need geo-location & MDM… I have application info! I need location & device-type I have location! I need app & identity… ISE as pxGrid Controller Publish Publish Discover TopicDiscover Topic Continuous Flow Directed QuerypxGrid Context Sharing CISCO ISE Continuous Flow Directed Query I have sec events! I need identity & device… I have MDM info! I need location… How pxGrid Works: Partners Connecting to Cisco Security Platforms…and to Other Partners Authenticate  Authorize  Publish  Discover  Subscribe  Query Traditional APIs have many limitations - pxGrid addresses these issues: •Single-purpose function = need for many APIs/dev (and lots of testing) •Not configurable = too much/little info for interface systems (scale issues) •Pre-defined data exchange = wait until next release if you need a change •Polling architecture = can’t scale beyond 1 or 2 system integrations •Security can be “loose”
  • 13.
    “1-touch” network mitigationaction – from 3rd party partner console pxGrid ANC API ISE as unified policy point User/Device Quarantine Dynamic ACLs, Increase Inspection Adaptive Network Control provides the ability to: •Quarantine user devices from 3rd party products, such as SIEM systems •Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA or increase IPS inspection levels •Who supports today: Lancope, Splunk, LogRhythm, NetIQ, Tenable, Bayshore, Rapid 7, Elastica pxGrid: Adaptive Network Control Makes Cisco Infrastructure a Unified Event Response Network
  • 14.
    pxGrid Architecture &Components pxGrid Controller pxGrid Controller Responsible for Control Plane: •Establishing the “grid” instance •Authenticating clients on to the grid •Authorizing what clients can do on the grid •Maintaining directory of context information “topics” available on the grid pxGrid Client pxGrid Clients (Eco-Partner Platforms) Responsible for: •Utilizing pxGrid Client Libraries (in SDK) to communicate with the pxGrid Controller •If sharing contextual information, publishing it to a “topic” •If consuming contextual information, subscribing to appropriate “topic” •Filtering “topics” to exclude unwanted information •Ad-hoc query to “topics” pxGrid Client
  • 15.
    Example: Evolution fromREST to pxGrid Cisco ISE User/Device Context-Sharing Example Session Context sharing from ISE MnT Issues pxGrid Solution Periodic polling using REST API Publish & Subscribe notification push DB queries causing high I/O usage No DB query with published events caching Bulk download takes more than 3 hours for 200,000 endpoints using REST API • pxGrid provides XML streaming of sessions with pagination • Provides semantic filtering capability (ex: location) to download only a subset Receiving all attributes per session To only send interested attributes through syntactic filtering Use of syslog as interim approach - All events are processed Pubsub notification - only relevant events will be sent No visibility and mechanism to authorize, control who is accessing MnT • pxGrid provides single point of authentication and authorization, allowing only authorized systems to access the MnT • pxGrid provides visibility into topics, publishers, subscribers … Other issues: •requires opening up firewall ports for reverse web services calls •no support for federation •Lacks scale with endpoints increase • XMPP protocol supports bi-directionality with tunneling • XMPP supports federation • pxGrid scaling and HA is achieved by leveraging XMPP server architecture
  • 16.
    Cisco pxGrid SDKComponents & Function Component Function Grid Client Library (GCL) in C and Java • Software libraries for embedding in partner system • Connects partner system to the pxGrid Sample pxGrid Data Output • Sample data from Cisco ISE across a pxGrid connection to test with Sample Data Generator • Generates live session data across a pxGrid connection • Uses Cisco ISE user/device session data pxGrid Controller Virtual Machine for Testing • ISO of bundled Cisco ISE and pxGrid Controller for local testing in your lab Hosted Testing Sandbox • Enables developer to connect to an already setup test environment pxGrid Documentation: Tutorials, Development Guides, testing guides, • Complete documentation to guide the developer from concept to implementation to verification testing
  • 17.
    A Closer Lookat the pxGrid Connection Library… • Connection to pxGrid Server • Multiple pxGrid servers • Round-robin auto retries • Reports connection status • Client certificate based authentication • A root cert is installed in pxGrid server • pxGrid server verifies client certs are signed by the root cert • Capability subscription and publishing • Capability is a set of queries and notifications supported • pxGrid provides discovery of Capability • Notifications are sent to XMPP pub/sub • Queries are directly sent to Capability provider
  • 18.
    How to GetOnly the Context You Need… pxGrid Message Filtering • Allows subscriber to filter/restrict messages based on specified filter criteria. • Two kinds of filters: • Content Based Filters • Restrict messages based on the content of the message • e.g. an ASA device interested in receiving session information from ISE only for end points belonging to a subnet • Schema Based Filter • Allows clients to receive only a subset of attributes instead of the full message object • Not supported in this phase
  • 19.
    How to Installand Test Using the pxGrid SDK 1. Install pxGrid Controller: Install Cisco ISE 1.3 ISO on a VM. 2. Setup pxGrid Controller/Client Key-stores and Trust-stores: Import samples certificates from SDK. These certificates will be used by the pxGrid client for mutual authentication to the pxGrid controller. 3. Enable pxGrid Controller: Enable pxGrid persona in Cisco ISE. 4. Setup pxGrid Test Client: Download SDK onto pxGrid client. This can be installing client libraries in your platform or hosting on an external test client (linux box, e.g. CentOS). 5. Authenticate pxGrid Client: Import the ISE identity sample cert into your platform or the linux client, and add to keystore. 6. Test with SDK Scripts: Run pxGrid sample scripts included in the SDK
  • 20.
    Using the pxGridClient Libraries Developer platforms interact with pxGrid by registering the appropriate query and notification callers and handlers as detailed below: • Query Handler: A provider must register query handler with the pxGrid client library to service a query that it needs to expose over pxGrid. • Query Caller: A query caller is created by assembling a request and calling the query method on the pxGrid connection. • Notification Handler: Registers a notification handler with the pxGrid connection to receive notifications for a capability. • Notifier: To be able to publish notifications, the developer platform must first invoke a publish capability method.
  • 21.
    pxGrid Sample ScriptsCurrently Available in the SDK • Sample pxGrid scripts provide development partners with executable example code for how to use the API • These scripts can also be useful in demos with customers • Most commonly used pxGrid API scripts on Cisco ISE: • Register: registers pxGrid client to the pxGrid controller to an authorized session or ANC/EPS group. • Session Subscribe: pxGrid client subscribes to capability • Identity Group download: Downloads user identity information such as the user and profiled group information from active sessions in ISE • Session Query by IP: retrieves all active session from ISE based on IP address • Session Download: downloads all active sessions from ISE • ANC/EPS Quarantine: executes the Adaptive Network Control (ANC) quarantine action on ISE for a given IP address • ANC/EPS Unquarantine: executes the ANC/EPS unquarantine action on ISE for a given IP address • Capability: queries the registered pxGrid client name for available topic provided by the publisher (ISE in this case)
  • 22.
  • 23.
    pxGrid Sandbox nowavailable on DevNet • DevNet Sandbox pxGrid environment allows users to integrate with pxGrid services on Cisco ISE
  • 24.
  • 25.
    • Situational isVenture backed Cisco Ecosystem Partner • Deep expertise in Identity and Access Management • Context Sharing Enables Enforcement of Security Policy • Two key use cases: • dot1x based Single Sign On • Device driven application security Security Integration At Work
  • 26.
    • Use Case:Single Sign On based on dot1x Authentication • Example: Single network authentication provides secure authenticated access to cloud and web applications • Solution: Integrate Network Session with Application Sign On Security Integration At Work
  • 27.
    • Use Case:Restrict application access based on device context • Example policy: Only employees using managed laptops can access patent research data stored in cloud application. • Solution: Integrate Network Access Control Policy and Identity and Access Management Security Integration At Work
  • 28.
    • Technical Detail •Develop pxGrid Integration based on Session Query • Associate Client with User Session • Leverage User Identity and Session Attributes in IAM Standards including SAML Security Integration At Work
  • 29.
    • Benefits • Significantlylower risk of core business operations • Extend value of in place security components • Minimal operational impact • Rapid development cycles Security Integration At Work
  • 30.
    • Benefits • Significantlylower risk of core business operations • Extend value of in place security components • Minimal operational impact • Rapid development cycles Security Integration At Work
  • 31.
  • 32.
    About me 32 • SecurityArchitect (IT) • Cisco IT Identity & Access team : 12 years • 11 years in core Identity and Access • 1 year in web and cloud security • Industry speaker at RSA, Gartner, CIS, OOW, IRM Goal for this session: Idea exchange among peers Questions: Interrupt as needed Ranjan Jain #identity_guy
  • 33.
    ACCESS POLICY –“Critical Data” WHO = Exec Group Only Financial Reports Café Menus HR Database CFO Current Access Management Access Criteria  Sensitive  Non-Sensitive  Critical Data
  • 34.
    Who? When? Where? How? What? Employee Customer/Partner Guest PersonalDevice Company Asset Wired Wireless VPN @ Starbucks Headquarters Weekends (8:00am – 5:00pm) PST Context Aware Security: Classification Attributes Kiosk Extranet Context Aware Security
  • 35.
    ACCESS POLICY –“Critical Data” WHO = Exec Group Only WHAT = Registered Corp device only WHERE = US Only WHEN = US Business Hours Only HOW = No VPN Access Access Criteria  Sensitive  Non-Sensitive  Critical Data 1. Data sensitive access policies Financial Reports Café Menus HR Database Context Aware Security Use Cases CFO
  • 36.
    2. Portable AssuranceLevel for Cloud Apps Context Aware Security Use Cases
  • 37.
    Internet Only Access Full access No restrictions LimitedAccess Fully Compliant Trusted devices Manager Doesn’t meet Trusted Device Standard IT Analyst Engineer/Coder Some Trusted Device Elements Policy Decision Point Identity and Device drive Access Permission
  • 38.
    Key Takeaways • Federatedand Contextual security is the only secure way for Cloud and Mobility • ISE is the glue for contextual security • Visibility is important – into both network and endpoint • Standard based access management is the key Picture credit: http://www.impulse.com/
  • 39.
    In Summary…and Howto Get Started Cisco pxGrid Enables: • Integration between development partners and the Cisco security products • Many-to-many integration scalability • The ability to integrate once to pxGrid and re- use that implementation to interface with any other pxGrid platform (even other Cisco development partners) • Integrations with the Cisco Identity Services Engine (ISE) are available today Get Started: •Cisco Identity Services Engine (ISE) integrations available today •Use user-to-IP address bindings answer “who” in your platforms •Use device identification to answer “what type of device” in your platforms •Use mitigation capabilities to take actions on users/device from your platform •Access SDK, client libraries and tutorials at: https://developer.cisco.com/site/pxgrid/
  • 40.