Dream world for the CISO
Organizations have all kinds of assets to guard. And a few assets are simpler to guard than others. Nevertheless, it’s not the simple stuff that retains a CISO up at night time. Earlier than we dive into the more difficult examples, let’s think about a state of affairs that enables a CISO to sleep peacefully.
On this state of affairs, when a employee “goes to work” (both within the workplace or remotely), they open their company laptop computer and login to a SaaS software. This employee varieties the URL into their browser, logs in with their SSO supplier and authenticates utilizing their fingerprint (biometric) on the machine. Behind the scenes, this consumer is connecting to the applying by way of a Zero Belief Community Entry (ZTNA) answer and authenticating with SAML protocol (or OIDC or OAuth2.0), the trendy authentication technique for cloud functions.
This state of affairs is the dream state of affairs (and simpler) to guard:
- Fashionable, cloud software
- Coverage-driven software entry
- Phishing-resistant authentication
- Trusted, managed machine
The fact test
Nevertheless, the dream state of affairs can be the least prone to be the reason for a breach. As a substitute, attackers are exploiting legacy expertise or networks the place it’s troublesome to deploy additional safety and implement coverage, like phishing-resisting multi-factor authentication (MFA) or ZTNA. Whereas organizations are on their infrastructure modernization journey, we have to have a sensible plan to guard the lengthy tails of legacy belongings which can be nonetheless in place and could also be troublesome to safe.
What might be carried out?
Layered safety with RADIUS
Considered one of these under-rated, however frequent, authentication protocols is RADIUS (Distant Authentication Dial-In Consumer Service). RADIUS is a standard network-based authentication protocol for customers and units that want to connect with the community.
In case your group is ready the place routers, switches, wi-fi entry factors and VPNs all use RADIUS, Cisco can assist. First, Cisco Identity Services Engine (ISE) supplies a layer of Community Entry Management by providing AAA safety (Authentication, Authorization, and Entry). This safety exists for customers connecting to the community within the workplace and staff connecting to the community by way of the VPN.
The challenges and safety implications round legacy VPN entry are nicely documented, which is why organizations are shifting towards fashionable structure with ZTNA. The issue is that many legacy functions will not be suitable with ZTNA and organizations should cling on to their VPN infrastructure. It’s not a shock that whereas 86% of organizations have began to undertake zero belief, 98% haven’t reached maturity. Basically, they’re caught on this journey.
That’s the place Cisco Secure Access is available in. Safe Entry has built-in each VPNaaS and ZTNA capabilities. This enables organizations to modernize VPN infrastructure and join utilizing Cisco’s cloud answer, falling again to VPNaaS if ZTNA is just not attainable. In follow, all customers have the identical expertise when connecting to functions (legacy or fashionable, VPN-required or ZTNA-compatible) and the expertise takes care of the work behind the scenes.
In terms of VPNaaS use instances, organizations with ISE deployment can leverage the distinctive integration between Secure Access and Cisco ISE to supply an additional layer of safety. Which means that when customers hook up with VPNaaS, they’re protected by ISE’s authentication, posture evaluation, and community segmentation, all by way of a single agent — Secure Client.
We begin with VPNaaS and Cisco ISE working collectively and subsequent we add an additional layer of protection with one other type of authentication (that’s the place the “multi” in MFA is available in). Cisco Duo can supply RADIUS help for legacy VPNs by way of the Duo Authentication proxy by including servers to a corporation’s setting. However if you use Duo with ISE and VPNaaS, there’s a distinctive API integration that allows RADIUS authentication with out the necessity for the extra server in your setting. And all the tip consumer sees is the everyday Duo push that they’re used to when accessing cloud functions.
Now, even when authenticating with RADIUS, customers have a seamless expertise, and organizations have layered safety to shut potential gaps within the assault floor.
Safe organizations with Consumer Safety Suite
Within the ideally suited world, a corporation might defend all its assets utilizing probably the most superior and fashionable expertise and protocols. Nevertheless, organizations have a variety of belongings that each one want safety, no matter how simple or laborious it’s to guard. When combining the community safety by way of Cisco ISE with User Protection Suite instruments, Cisco can present the options you want right this moment whilst you proceed to modernize for the longer term. And permit CISOs to get a very good night time’s relaxation.
To study extra about how Cisco’s Consumer Safety Suite can defend your workforce, connect with an expert right this moment.
Share: