Latest Version of Cisco’s Identity Services Engine Enhances Access Controls

ISE is an identity and access control platform that automatically enforces a range of network access policies based on user, device, location, role, application and other attributes. The latest version, ISE 3.1, includes dozens of new features that extend zero trust security principles through increased customization and automation. Some of the key updates to ISE 3.1 include:

• Agentless posture. ISE has always allowed organizations to check the security posture of all endpoints connecting to the network to ensure compliance with corporate security policies. Previous versions required lightweight agents to be installed on all endpoints to collect information, but ISE can now be configured to automatically deploy a temporary agent that removes itself after the assessment. The agentless system eliminates the need to install, configure and maintain perhaps thousands of separate endpoint agents, which frees up IT personnel to work on other tasks.
• Amazon Web Services deployment. ISE can now be deployed and managed from the AWS global infrastructure. With this capability, companies can deploy ISE at remote branch offices without the need for a physical data center. IT teams can use Infrastructure-as-Code (IaC) tools such as Ansible and Terraform to quickly spin up and configure ISE instances in AWS, minimizing repetitive work as well as human error. Additionally, running ISE in AWS provides access to cloud-native functions such as load balancing, auto scaling and backup to AWS storage buckets.
• Endpoint management integration. ISE can be configured to interoperate with unified endpoint management (UEM) and mobile device management (MDM) servers. When integrated, ISE can access device information from the servers to create access control lists and authorization policies. Non-registered endpoints accessing the network can be redirected to a registration page on MDM or UEM servers.
• Endpoint scripts. The Endpoint Scripts Wizard allows an administrator to run scripts on connected endpoints to carry out administrative tasks that comply with the organization’s requirements. This includes tasks such as uninstalling obsolete software, starting or terminating processes or applications, and enabling or disabling specific services.
• OpenAPI support. Beginning with version 3.1, ISE supports the OpenAPI Specification (OAS) for the standardization of REST APIs that can be used to automate a variety of tasks. ISE 3.1 includes APIs for managing policies, certificates and TrustSec operations, configuring backup and restore operations, monitoring the status of various tasks, deploying ISE nodes, and carrying out patch management operations.
• Sandboxing. Beginning with version 3.0, ISE provides users with a clean, unconfigured code installation that can be used for a test environment. The sandbox provides an environment for running demonstrations, training exercises, test drives and proof of value operations without impacting the production environment.
• Zero-touch provisioning. This feature simplifies the process of installing ISE nodes, using scripts to assign the hostname, IP Address, DNS Server, NTP Server, etc., for each node. The ZTP feature can also be used to automatically install any hot fixes or patches immediately after it is set up.

Through automated policy enforcement and network access control, Cisco ISE plays an important role in creating a zero trust framework to that assures users and devices accessing the network are validated and approved. The cybersecurity professionals at Cerium Networks can provide guidance on configuring and implementing the latest version of the solution. Contact us to learn more.