Centralized Policy Management and Granular Controls Essential for BYOD
The 2018 BYOD report from Bitglass finds that 85 percent of organizations now allow users to access corporate data from their personal devices. What’s more, organizations are extending the Bring Your Own Device (BYOD) model to contractors (27 percent), partners (25 percent), customers (22 percent) and suppliers (19 percent). In larger organizations, there may be hundreds or even thousands of mobile users logging in and out of the network at any given time.
Clearly, these organizations aren’t as concerned about BYOD security as they were when the model first emerged several years ago. However, 51 percent of survey respondents say that mobile device threats have increased in the past year, and 30 percent are worried about data leakage and unauthorized access. Yet only 42 percent of organizations say they use access control for mobile security.
To protect sensitive data and assets, organizations need the ability to centrally configure and manage access control policies and uniformly enforce them across the enterprise. Cisco Identity Service Engine (ISE) provides user authentication and highly granular device identification, profiling and posturing to give organizations tight control over network access.
Why AAA Is No Longer Enough
Traditionally, organizations have used authentication, authorization and accounting (AAA) to control access to IT resources. Authentication compares the credentials entered by the user against those stored in a database. If there’s a match, the user is granted access. Authorization then determines what the user is allowed to do — the specific systems, applications and data the user is allowed to access. Accounting logs usage information and statistics for billing, trending, capacity planning and other functions.
While AAA remains a key component of access control, it is no longer sufficient in today’s highly mobile environment. In order to effectively control access by mobile workers, organizations need to supplement AAA with contextual data about the user and device. Increasingly, that means using mobile behavior to establish a user’s identity. Location is an obvious clue. If an employee device suddenly starts trying to gain network access from a different state or a foreign country, the system should lock out the user or demand an additional form of authentication.
Organizations must also ensure that mobile workers access the network using devices that meet minimum security requirements. Given the ever-increasing variety of devices in use, it’s not feasible to limit access based on types of devices. Moreover, organizations need granular controls, ideally down to the firmware level, to effectively manage the security posture of individual devices.
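The preceding section describes the decision a context-aware access control layer has to make: authenticate the credentials, authorize by role, log the event for accounting, and then refuse or step up access when the device fails a minimum posture check or appears from an unexpected location. The following Python is an added illustration of that decision flow, written for this article; it is not Cisco ISE code and does not reflect how ISE is implemented. The identity store, roles, resource names, patch-level threshold and regions are all constructed sample data, and the device's region is assumed to be supplied by the network access device from the source address.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed identity store. Passwords are salted and hashed; a real deployment
# would back this with a directory service rather than a dict.
def _pw_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {
    "alice": {"salt": "x1", "hash": _pw_hash("x1", "correct-horse"),
              "role": "engineer", "home_region": "US-TX"},
    "bob":   {"salt": "y2", "hash": _pw_hash("y2", "battery-staple"),
              "role": "contractor", "home_region": "US-CA"},
}

# Authorization: what each role may reach (constructed resource names).
ROLE_RESOURCES = {
    "engineer":   frozenset({"email", "vpn", "code-repo"}),
    "contractor": frozenset({"email"}),
}

# Minimum posture a device must report before any access is granted (constructed).
MIN_PATCH_LEVEL = 20
REQUIRED_FLAGS = ("disk_encrypted", "av_running")

# The accounting leg of AAA: every decision is recorded here.
AUDIT_LOG: list[dict] = []


@dataclass
class DeviceContext:
    patch_level: int        # constructed: a monotonically increasing patch number
    disk_encrypted: bool
    av_running: bool
    region: str             # assumed to be derived from the source address by the NAS


@dataclass
class Decision:
    allow: bool
    reason: str
    resources: frozenset = frozenset()
    step_up_required: bool = False


def authenticate(user: str, password: str) -> bool:
    """Authentication: compare supplied credentials against the stored hash."""
    rec = USERS.get(user)
    if rec is None:
        _pw_hash("dummy", password)   # keep timing similar for unknown users
        return False
    return hmac.compare_digest(_pw_hash(rec["salt"], password), rec["hash"])


def posture_failures(device: DeviceContext) -> list[str]:
    """Return every minimum-posture requirement the device does not meet."""
    failures = []
    if device.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"patch_level {device.patch_level} < {MIN_PATCH_LEVEL}")
    for flag in REQUIRED_FLAGS:
        if not getattr(device, flag):
            failures.append(f"{flag} is false")
    return failures


def evaluate(user: str, password: str, device: DeviceContext,
             mfa_passed: bool = False) -> Decision:
    """AAA plus context: credentials, then posture, then location, then role."""
    def finish(decision: Decision) -> Decision:
        AUDIT_LOG.append({"user": user, "region": device.region,
                          "allow": decision.allow, "reason": decision.reason})
        return decision

    if not authenticate(user, password):
        return finish(Decision(False, "authentication failed"))
    failures = posture_failures(device)
    if failures:
        return finish(Decision(False, "posture: " + "; ".join(failures)))
    rec = USERS[user]
    # Unexpected location: demand an additional factor rather than granting outright.
    if device.region != rec["home_region"] and not mfa_passed:
        return finish(Decision(False, f"unusual location {device.region}; "
                                      "step-up authentication required",
                               step_up_required=True))
    return finish(Decision(True, "granted", resources=ROLE_RESOURCES[rec["role"]]))


if __name__ == "__main__":
    laptop = DeviceContext(patch_level=22, disk_encrypted=True, av_running=True, region="US-TX")
    print(evaluate("alice", "correct-horse", laptop))
    print(evaluate("alice", "correct-horse", DeviceContext(22, True, True, "DE")))
    print(evaluate("bob", "battery-staple", DeviceContext(10, False, True, "US-CA")))
```

The ordering matters: posture is checked before the location rule so that a non-compliant device is refused even when the user could pass step-up authentication, and the audit entry is written on every path so the accounting record is complete regardless of the outcome.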
How Cisco ISE Secures BYOD
Cisco ISE provides those controls. Combining AAA features with device monitoring and profiling, Cisco ISE not only validates user identities but also assesses the security posture of the endpoints used to access the network. It also looks at the user’s location and access history, and grants access to applications, services or network segments based upon the user’s role and other policy-based criteria.
In addition, Cisco ISE serves as the centralized policy management platform for Cisco TrustSec software-defined segmentation, and tightly integrates with the Cisco StealthWatch threat detection and analysis solution. ISE provides context of who, what, where, when, and how users and devices are connected and accessing network resources, enabling StealthWatch to block suspicious activity by initiating network segmentation changes. ISE can then modify access policies for Cisco routers, switches and wireless LAN controllers embedded with TrustSec technology.
Yesterday’s access control measures cannot adequately secure today’s highly mobile environments, in which employees, contractors, partners and customers with a diverse array of endpoints are accessing a wide range of sites, domains and platforms. Organizations need a context-based, policy-driven solution that controls access to any resource via any device. Cisco ISE supports and enables the BYOD model by enabling uniform enforcement of centrally configured policies across the enterprise.