July 25, 2018
TrustSec for Identity-Based Network Security: Why and How
Software-defined access helps organizations deploy network segmentation, a critical step to contain attacker reconnaissance and malware infestations.
To catch a casino’s big fish, cybercriminals first targeted its little ones. After attackers found a Linux box monitoring an aquarium’s temperature and other conditions, they used it as a back door to the casino’s network, where they were able to nab and extract its database of high-roller customers.
This hack highlights how the Internet of Things (IoT) creates a big, complex set of security considerations and challenges that IT leaders haven’t faced before. Part of this vulnerability stems from the fact that IoT devices, to be inexpensive enough for mass deployment, often have just enough memory and processing power to handle their core tasks. That means the network now has to shoulder the security workload. But security concerns also arise because connected devices can be harder for IT to manage directly, and users may not be aware of the potential consequences of unprotected devices.
Consider some of the most common examples of IoT devices in organizations: digital signage, security cameras and energy-management sensors. A typical enterprise network can easily have thousands of IoT endpoints. Add in employee and guest devices, such as laptops, and it’s not hard to see why so many IT departments struggle to create and enforce security policies consistently across the organization.
Network Segmentation Helps IT Staff Contain Threats
With the traditional “moat around the castle” security architecture, attackers are free to roam once they breach the firewall. Network segmentation is more effective because it restricts their movement once inside, thus controlling the spread of malware and limiting potential reconnaissance for confidential data.
Virtual LANs and IP subnets are ways to segment networks, but they’re tedious to implement, don’t scale well and aren’t effective for restricting traffic flows. That’s why enterprises are increasingly turning to Cisco’s TrustSec model. When used with Cisco’s Software-Defined Access (SD-Access), it can automate and simplify network segmentation and identity-based policy enforcement.
TrustSec eliminates traditional tasks such as creating and managing mammoth lists of usernames, IP addresses, subnet zones and other attributes. Instead, an application, IoT endpoint or employee device — wired or wireless — gets an identity, which determines the networks and resources it can access.
The segmentation can be highly granular. For example, guests could have identities that limit them to a partitioned wireless LAN to ensure their traffic cannot mix with that of other users. Employee tablets could have identities that give them access to specific networks, printers and other resources on certain floors in a building or in certain parts of a campus.
In a sense, TrustSec is like quality of service: Both use tags that the network infrastructure scans to understand how to treat each piece of data for each step of its journey. This model ensures that security policies are enforced end to end, which is key for maintaining compliance with regulations such as HIPAA and the Payment Card Industry Data Security Standard.
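The tag-based enforcement the post describes, as an added illustration that is not Cisco's, CDW's or the post's own code: each endpoint is classified by identity into a group, the group carries a numeric tag, and every hop decides permit/deny from a source-tag by destination-tag matrix rather than from IP addresses or subnets. The group names, tag values and endpoints are constructed for the example; real TrustSec carries this as Security Group Tags with SGACL policy, but the model below keeps only the idea.

```python
"""Added illustration of tag-based segmentation in the TrustSec style.
Group names, tag numbers and endpoints are constructed, not Cisco defaults."""

from dataclasses import dataclass

# Identity -> group tag assigned at ingress (constructed values).
GROUP_TAGS = {
    "guest": 10,
    "employee": 20,
    "iot_sensor": 30,
    "customer_db": 40,
    "printer": 50,
}

# Egress policy keyed by (src_tag, dst_tag). Anything not listed is denied;
# that default-deny is what stops a compromised sensor from roaming.
POLICY = {
    (GROUP_TAGS["employee"], GROUP_TAGS["customer_db"]): "permit",
    (GROUP_TAGS["employee"], GROUP_TAGS["printer"]): "permit",
    (GROUP_TAGS["iot_sensor"], GROUP_TAGS["iot_sensor"]): "permit",
}

@dataclass(frozen=True)
class Endpoint:
    name: str
    identity: str  # what authentication/profiling decided this device is

def classify(endpoint: Endpoint) -> int:
    """Tag assignment at the edge; an unrecognised identity gets the guest tag."""
    return GROUP_TAGS.get(endpoint.identity, GROUP_TAGS["guest"])

def enforce(src: Endpoint, dst: Endpoint) -> str:
    """Decision a hop makes from the two tags alone, never from addresses."""
    return POLICY.get((classify(src), classify(dst)), "deny")

# Constructed endpoints echoing the casino story in the post.
AQUARIUM_SENSOR = Endpoint("aquarium-sensor", "iot_sensor")
HIGH_ROLLER_DB = Endpoint("high-roller-db", "customer_db")
ANALYST_LAPTOP = Endpoint("analyst-laptop", "employee")
LOBBY_PHONE = Endpoint("lobby-visitor-phone", "guest")

if __name__ == "__main__":
    for s, d in [(AQUARIUM_SENSOR, HIGH_ROLLER_DB), (ANALYST_LAPTOP, HIGH_ROLLER_DB),
                 (LOBBY_PHONE, ANALYST_LAPTOP)]:
        print(f"{s.name} -> {d.name}: {enforce(s, d)}")
```

Moving the sensor to another VLAN or subnet changes nothing here; only its identity, and therefore its tag, matters to the decision.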
Start by Evaluating Your Network’s Fitness for TrustSec
The first step in implementing TrustSec is determining whether your existing network can support it. CDW offers workshops that help IT departments understand which infrastructures are TrustSec-ready and where upgrades and additions, such as Cisco’s Identity Services Engine, may be necessary. There’s a lot to consider when implementing TrustSec, but the security and simplicity you gain are more than worth it.