A new approach to segmentation that simply delivers more
Network segmentation has been around for quite a while as a way to isolate environments and critical systems to secure data and IT assets. Recent breaches have highlighted the value of segmentation in reducing the attack surface and preventing the lateral movement of targeted malware. But traditional approaches to segmentation are difficult to manage and don’t give you the dynamic, granular control to contain these attacks sooner, particularly as your environment, devices, and user roles expand or change.
Cisco TrustSec technology provides software-defined segmentation to simplify segmentation from the hybrid cloud or data center all the way to the user and device level so you can do a number of things:
- Restrict the lateral movement of malware, which is critical for dealing with ransomware
- Maintain consistent segmentation (security policy) even as your environment evolves
- Assist in meeting compliance goals
- Manage IoT proliferation
- Simplify security operations
It reminds me of a Swiss Army knife – so many capabilities in one elegant package, the essence of efficiency and effectiveness.
Cisco TrustSec is embedded technology in Cisco switches, routers, and wireless and security devices. These TrustSec-capable network devices can deliver segmentation without requiring VLANs or IP address-based access control lists (ACLs). Systems are classified and assigned to logical groups called Security Groups. A Security Group Tag (SGT) is assigned to each endpoint, and the network devices use the SGT to download segmentation policies from Cisco’s Identity Services Engine (ISE). Policies are based on the endpoint’s group and role, independent of its IP address or the topology of the network.
This ability to implement and change segmentation patterns without reconfiguring network devices or redesigning the network is the essence of software-defined segmentation.
An example from the medical field shows the simplicity and extent of capabilities in Cisco TrustSec. Most hospital environments are highly complex and fluid. A typical X-ray room includes several different endpoints — control heads in readers that are IP-enabled, technician reader stations (typically a Windows-based PC) that can move from room to room, and a cache server that stores high-definition images locally and converts them to digital format before sending them to the data center for physician access. The number of endpoints rises dramatically in MRI or CT scanning rooms and in operating theaters.
Gaining visibility and control over all these endpoints, amplified by the fact that doctors, staff, students (in the case of teaching hospitals), patients and medical equipment share the same network, can present serious risk. Malware and other threats are difficult to contain, and ensuring compliance with HIPAA regulations on a continual basis is a significant challenge.
Cisco TrustSec decouples security rules from the IP network design and the network topology. Defining policies using logical tags means that system access does not depend on an IP address or VLAN and can be changed dynamically, transparently to the endpoint. Policies work independently of the network location and are managed centrally. TrustSec-enabled devices download only the policies they need. In the case of malware, group tags can be changed instantly based on Indicators of Compromise (IoCs) and pushed to TrustSec-enabled devices to contain threats. Meeting compliance requirements and undertaking audits are easier too, because policies are based on meaningful groups that are easy to understand and manage.
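To make the tag-based model concrete, here is an added example (not Cisco or ISE code) that models the policy matrix described above: endpoints from the X-ray room are classified into Security Groups, a TrustSec-style device decides flows by (source SGT, destination SGT) rather than by IP address, and an IoC re-tags a reader station into a quarantine group so its traffic is denied without touching any ACL or VLAN. All group names, SGT values, endpoint names and policy entries are constructed for illustration.

```python
"""Constructed model of SGT-based segmentation (illustrative only, not Cisco ISE code)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

PERMIT, DENY = "permit", "deny"

# Security Groups; names and numeric SGT values are constructed for this example.
SGT = {"XRAY_CONTROL": 10, "READER_STATION": 11, "IMAGE_CACHE": 12,
       "DATA_CENTER": 20, "GUEST": 30, "QUARANTINE": 99}

# Policy matrix keyed by (source SGT, destination SGT). Anything not listed is denied,
# so a quarantined tag automatically loses every permission without a new rule.
POLICY: Dict[Tuple[int, int], str] = {
    (SGT["XRAY_CONTROL"], SGT["IMAGE_CACHE"]): PERMIT,     # control head -> cache server
    (SGT["READER_STATION"], SGT["IMAGE_CACHE"]): PERMIT,   # technician PC -> cache server
    (SGT["IMAGE_CACHE"], SGT["DATA_CENTER"]): PERMIT,      # cache server -> data center
}


@dataclass
class Classifier:
    """Stands in for the ISE role: maps an endpoint identity (not its IP) to an SGT."""
    assignments: Dict[str, int] = field(default_factory=dict)

    def sgt_of(self, endpoint: str) -> int:
        # Unknown endpoints fall into the least-privileged GUEST group.
        return self.assignments.get(endpoint, SGT["GUEST"])

    def quarantine(self, endpoint: str) -> None:
        """Re-tag an endpoint after an IoC; no IP ACL or VLAN is modified."""
        self.assignments[endpoint] = SGT["QUARANTINE"]


def decide(classifier: Classifier, src: str, dst: str) -> str:
    """Enforcement as a TrustSec-capable device would do it: look up by tags, not addresses.
    Because the key is the endpoint identity, a station that moves rooms (new IP) keeps its policy."""
    return POLICY.get((classifier.sgt_of(src), classifier.sgt_of(dst)), DENY)


def demo() -> Dict[str, str]:
    ise = Classifier({"reader-pc-7": SGT["READER_STATION"],
                      "xray-cache-1": SGT["IMAGE_CACHE"],
                      "pacs-dc": SGT["DATA_CENTER"]})
    before = decide(ise, "reader-pc-7", "xray-cache-1")   # permit: station -> cache
    lateral = decide(ise, "reader-pc-7", "pacs-dc")       # deny: no station -> DC entry
    ise.quarantine("reader-pc-7")                          # IoC seen on the station
    after = decide(ise, "reader-pc-7", "xray-cache-1")     # deny: quarantined tag
    return {"before": before, "lateral": lateral, "after": after}


if __name__ == "__main__":
    print(demo())
```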
Any industry that deals with a range of devices (many that don’t even look like computers), a variety of users (partners, contractors, guests), mobility, and compliance shares similar challenges. Just like a Swiss Army knife that’s equipped to help you tackle a variety of situations and needs – there’s a model with 19 tools and 33 functions! – Cisco TrustSec offers a new approach to segmentation that’s efficient and more effective. It can’t help you open a bottle of wine or scale a fish, but it can make it a lot easier for you to relax and enjoy a nice meal knowing you’ve got software-defined segmentation at work for you.
To learn more, visit cisco.com/go/trustsec.
Segmentation is the least sexy and most underused means of protecting critical data. And with the advent of IoT and the potential of gazillions of vulnerable devices to pollute networks, well, a more agile means to segment should be at the top of every CISO’s priority list. AND, this TrustSec that Kevin speaks of so eloquently is ALREADY IN THE NETWORK, which is probably why Cisco is seeing a torrent of TrustSec adoption.