The cloud is the foundation for many of the world’s largest enterprises, but without the right security in place your organization can also be a good target for vulnerability exploits. Regardless of why you decide to provision resources in the cloud, deploying cloud infrastructure expands your attack surface, making it more difficult to manage cybersecurity. The cloud is inherently secure, but it must be configured properly with the right monitoring tools in place to prevent data loss and stay compliant.
Not only is cloud architecture a target for attackers, but client devices and endpoints connecting to your infrastructure must be visible, monitored, and protected from malware and malicious intent. Shadow IT, compromised user devices, poor authentication and authorization controls, and non-compliance all threaten the integrity of your data. Egress and ingress traffic must be monitored and analyzed to detect ongoing attacks.
Two Cisco technologies work well together to help secure your cloud environment and give you visibility into connected endpoints: Identity Services Engine (ISE) and Umbrella. ISE is an identity management and access control platform, and Umbrella offers several security strategies for cloud architecture including DNS-based security, cloud-based firewalls, Cloud Access Security Broker (CASB) services, web gateways, and Remote Browser Isolation (RBI). We’re going to cover the benefits of deploying both Cisco ISE and Cisco Umbrella to your environment.
Cisco ISE: Controlling Access to Various Network Resources
Identity based access policies are critical for protecting various network resources especially when you have several user roles allowing only specific privileged users to obtain sensitive data. It’s also important for compliance, and most enterprises have at least one regulatory standard overseeing their technology infrastructure. Cisco ISE is a great tool to deploy as an “afterthought” if your current solution isn’t providing enough flexibility and control, but you don’t want to build an identity management system from the ground up. With ISE, you can build policies using various protocols including Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Protected Extensible Authentication Protocol (PEAP), and Extensible Authentication Protocol (EAP).
Using ISE, an administrator can gather contextual information from the network to build access policies more quickly. It will collect the “who, what, when, where, and how” of a network user identity. For example, a user identity gives you the “who,” the device used to request data access is the “what,” the date and timestamp are the “when,” the user’s IP address is the “where,” and the type of connection (e.g. VPN vs wireless) gives you the “how.” Using this information, an administrator can then build data access policies surrounding common use cases across all roles and permissions.
Visibility is necessary even after rolling out any identity management solution. ISE is especially useful in environments where users bring their own devices, often referred to as BYOD (bring your own device) policies. It gives administrators the ability to set up policies based on user device identification and network assets across the environment. Assets and devices will query the ISE for authentication and authorization and privileges are granted based on an administrator’s configured policies.
Some organizations offer guest Wi-Fi for visitors. You probably know that guest Wi-Fi access should be highly controlled, segmented off the main network using a firewall, locked down, and filters used to control web content requests. ISE gives administrators granular control over guest Wi-Fi access by offering portals, asking for authentication, and then granting permissions based on user identification. The use cases for this type of security are numerous, but public Wi-Fi is a primary target for threats. Contractors, outside vendors, visitors, and consultants who aren’t under contract should all use the public Wi-Fi and never have access to the internal production environment unless they pass through verification from your IT department.
For industries that rely heavily on compliance, Cisco ISE provides many technology features (e.g. network segmentation, access request logs, and device control) to keep organizations from risking hefty fines from violations. For example, the Health Insurance Portability and Accountability Act (HIPAA) has strict regulations controlling the way data should be stored on user devices and the ways a device can connect to the network environment. Cisco ISE gives administrators visibility over device configurations and monitors cybersecurity agents. Administrators will know when devices have outdated software that must be patched or don’t have antivirus software installed, both of which put devices out of compliance and could risk data exposure to threats.
Most importantly, Cisco ISE has automated threat containment features. It only takes minutes for a threat to steal, destroy, or encrypt data. A ransomware threat will scan the network and quickly take advantage of any high-privilege user access to hold data and files hostage for a ransom. Using heuristics and detection of anomalies in device behaviors, Cisco ISE will “cut off” a device’s access and wait until an administrator can review its configurations and current status. Once the device is reviewed, it can be returned to its standard access permissions.
These highlights are a few ways enterprises can take advantage of better identity management, but Cisco ISE has a few more features Neetek works with to better protect your data:
- Various authentication protocols for flexibility during deployment. ISE works with 802.1X, RADIUS, MAB, web, and EasyConnect.
- Network segmentation. Using data collected from various assets, ISE will segment the network based on group tags, access control lists (ACLs), network protocols being used, administrator-created policies, and authentication type.
- Share security and device information with third-party vendors. Good cybersecurity is layered, and some layers in your environment might be from different vendors. Cisco ISE will integrate well with other security vendors so that you can add it to your existing network or use it as a security resource to help other assets authorize requests and detect anomalous behavior.
- Supports redundant or stand-alone deployments. A stand-alone deployment assumes that the Cisco ISE system is the sole identity management solution, or administrators can deploy ISE as a backup where another system assumes the primary identity management role and continues authentication until the backup ISE system is needed as a failover.
- Set security thresholds on client devices. To ensure only secure devices are allowed to access the network, ISE will work with administrator policies to validate that devices have updated cybersecurity applications (e.g. antivirus and antimalware), patched operating systems, and proper configurations. A Cisco agent must run on the user device to monitor it for settings.
- Manage VPN connectivity and access controls. Many environments still use VPN for remote user access, and Cisco ISE adds a layer of security to protect internal assets and data. With Cisco ISE, authenticated users pass through a layer of “posture assessment” set up by an administrator to determine the level of access allowed for the user account.
Cisco Umbrella: Protect Cloud Services and Add Security to User Internet Browsing
The challenge of protecting access to the internal network is covered with Cisco ISE, but you still need to protect user devices connected to the network. Allowing unfettered access to the internet or to cloud resources is a risk that must be dealt with. Cisco Umbrella handles device and cloud security protection for egress traffic or connections from “VPN-less” devices. It stops threats from accessing your sensitive cloud services and stops users from accessing malicious sites using various security strategies.
Cisco Umbrella deploys and runs in the cloud, so there is little-to-no downtime for an enterprise. Administrators still must test and migrate over to the new system, but users should be able to continue being productive during deployment. Umbrella has several notable features beneficial to large organizations, and it offers some of the latest technology to protect user internet browsing.
One of the most notable features in Umbrella is DNS-based web content filtering. For every web-based request, a user’s browser queries DNS servers for an IP address that matches a fully qualified domain name (FQDN). Umbrella acts as a layer between this request to identify if the domain is registered as malicious. Users are blocked immediately at this point and cannot open any malicious content on the hosted domain. It’s an effective way to block malicious content instead of relying on basic domain filtering.
Because Umbrella deploys in the cloud, it can also handle traffic for devices connected to the network without using VPN. This protection is accomplished using Umbrella’s DNS-based filtering, which blocks a myriad of threats including malware, ransomware, command-and-control (C2) installations and calls to attacker-controlled services, phishing, and exfiltration of data from already compromised systems.
DNS-based web filtering works well with Umbrella’s Secure Web Gateway (SWG). The SWG proxies web traffic for inspection, including inspection of HTTPS (SSL/TLS) traffic. It will block web requests using Cisco Talos, which is a threat intelligence team dedicated to researching dark web activity and identifying zero-day threats. Together with DNS-based filtering, Umbrella’s SWG greatly reduces risks from users browsing malicious websites, pages, and domains.
An add-on option is Umbrella’s remote browser isolation (RBI). This technology is new to some organizations, but it’s also great for reducing risks from internet usage. In a traditional setting, users install their favorite browser (or a corporate accepted browser) on their device and use it as if they were browsing the internet at home. Browser-based phishing or drive-by installations threaten the security of not only the local device, but the corporate network as well. With RBI, the browser runs in a sandboxed environment, and the session is terminated after the user completes browsing activities. The environment is no longer threatened from accidentally downloading malware or browsing to a site that exploits browser vulnerabilities. Outdated and unpatched browsers and operating systems are no longer a security risk, because the browser no longer resides on the user’s local device.
Protecting the environment by safeguarding user devices and endpoints is just one of the several benefits of adopting Cisco Umbrella. It has several other features that Neetek supports and suggests our customers should consider. A few additional features include:
- Location-based browsing policies. Domains are categorized in 80 different categories, and administrators can use various user properties to set up browsing permissions. Administrators can use network, IP address, group, user account, or device to configure domain category browsing.
- Discover shadow IT devices. Rapidly growing enterprises often provision cloud resources without any documentation, leaving devices unmanaged but active in the corporate environment. Without administration, these shadow IT devices could be a target of a compromise from unpatched and outdated firmware, operating systems, or applications.
- Cloud-based firewalls. To protect your cloud resources, Umbrella works with firewalls so that administrators can use layer 3 and layer 4 filtering based on IP address, protocol, and port.
- Traffic inspection in transit. Umbrella will inspect traffic (including SSL/TLS traffic) for any anomalies or possible data exfiltration to support the latest data loss prevention (DLP) strategies.
- Threat intelligence for future detection of zero-days. The cybersecurity landscape is always evolving, and any defenses must be able to rapidly change to detect the latest threats. A small change in malware code can bypass traditional security strategies. With heuristic analysis – called XDR or EXtended Detection and Response – and tracking threats across an entire environment, organizations get a more robust defense solution.
Working with Us to Safeguard Corporate Data
Provisioning and managing cybersecurity is challenging and requires a skillset difficult to find within the organization. Even with administrators familiar with cybersecurity, integration of the right systems takes a team familiar with the many pitfalls involved with migrations and common misconfigurations that could create vulnerabilities and give attackers opportunities for exploiting them.
Not only are configurations important, but limiting downtime is also a goal to keep your organization productive. Together with your administrators, Neetek helps design, plan, migrate, integrate, and maintain advanced technology for your organization so that you can focus on what’s important – growing revenue and improving your business productivity.