June has always been a favorite time of year for me. When I was younger, it meant the end of the school term. Now that I'm a bit older, that reason doesn't carry as much weight, yet I still cherish the season. Better still, June brings an annual event that has taken the place of those final days of school.
That event is Cisco Live and the launch of the next version of Identity Services Engine (ISE)!
Each year brings a new set of features and capabilities I am eager to talk about, and 2024 is no different: this year we unveil a new approach called Common Policy.
Common Policy = Unifying Communication
Common Policy is currently in beta, and the first release is expected to be generally available in the Fall. Now that you know when you can get it, what exactly is Common Policy?
Before getting into what Common Policy does, some background is needed. Access patterns have changed: users log in from different locations every day and reach applications hosted in the cloud or in the local data center. For an organization committed to a real zero trust approach, administrators need the security policy for every device, user, and application workload to stay consistent across the entire network and across other products such as Application Centric Infrastructure (ACI). The problem is that each domain where policy is enforced has its own structure for access and segmentation policy, and not all of those domains speak the same language.
This is where Common Policy comes in. It gives administrators the ability to provide every domain with the same user, endpoint, and application workload context, so each domain can enforce policy in the form it understands. Common Policy ensures everyone is speaking the same language.
Cisco ISE as Central Node of Exchange
To be clear, Common Policy is not a new silver-bullet product. Cisco ISE sits at the center of the strategy as an exchange point that talks to both the network and the security domains. Identity (the I in ISE) is what policy is applied to across those domains, and attributes such as location and posture travel with it as part of the context.
Context is generated close to where it originates: at the access layer for users and devices, and in the data center or cloud for application workloads. That context is normalized into a group construct, such as a security group tag (SGT), that every domain understands. The normalized user, device, and application workload context is then distributed to each domain with Cisco ISE as the exchange hub. This lets security administrators define consistent access and segmentation policy no matter which domain they choose to enforce it in.
ISE can gather this data because of pxGrid, one of the largest context-exchange ecosystems in the industry. ISE increases visibility by sharing what it learns from endpoints on the network with other products, and pxGrid also brings in information those products have learned, which makes more granular, targeted policies possible.
With Common Policy, the network becomes more modern and more holistic. An administrator can give specific users access to specific workloads as well as to enterprise and corporate assets on premises. Sending context to ACI and enforcing policy there has also improved: security group tags (SGTs) can be translated into External Endpoint Groups (EEPGs) and assigned contracts directly from Cisco ISE.
Common Policy also expands the ecosystem to include application workloads from on-premises and cloud providers such as VMware, AWS, and Azure, along with their workload identity details. In Cisco ISE, customers can assign these workloads to SGTs and then share them with other domains (ACI, Cisco Secure Access, SD-WAN, and more) for use in building segmentation and access policies.
Cisco ISE 3.4 Refinements
While Common Policy rightly takes the spotlight in this year's release, there are plenty of other notable features for customers to take advantage of. One more Common Policy benefit is worth calling out before moving on: everyone now speaks a common language. In large organizations especially, several administrators each manage a different part of the network, and each tends to work within their own domain and write policy in their own terminology. Common Policy helps these administrators get on the same page.
Decreased Reboot Time for Cisco ISE
Cisco ISE reboots are infrequent, but they can take a while. That time has now been cut by up to 40%. It is great that your network comes back up faster; on the flip side, your coffee break may need to get shorter too.
Dynamic Reauthentication
In environments where guests tend to stick around, giving them full network access may not be the right choice, but simply dropping them onto the guest network may not be enough either. Dynamic Reauthentication solves that dilemma. It provides a temporary policy: a group of devices, defined by parameters you choose, is granted access for a set period, and when that period ends the devices are automatically disconnected from the network.
Take a retail store where, at the end of the day, every endpoint (or one specific endpoint) needs to be disconnected. When the store closes and the devices are no longer needed, they drop off the network automatically. The next morning, when the owner comes back to open up, the devices reconnect just as automatically. Beyond setting the initial parameters, administrators are freed from this daily chore.
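The following is an added example written for this post, not Cisco ISE's implementation, to show the shape of a time-bounded authorization like the one Dynamic Reauthentication describes. It generalizes the retail story above into a recurring daily access window per endpoint group: inside the window the endpoint is accepted with a Session-Timeout that expires at closing time, so the switch or wireless controller re-evaluates it then and it is rejected; the next morning it is simply accepted again. The group names, windows, and MAC addresses are constructed for illustration.

```python
"""Added example, not Cisco ISE code: time-bounded authorization with a
Session-Timeout that lands at the end of a daily access window.
Group names, windows and MAC addresses are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class AccessWindow:
    """Daily window [start, end) in the site's local time; may span midnight."""
    start: time
    end: time

    def contains(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t < self.end
        # A window such as 22:00-04:00 wraps around midnight.
        return t >= self.start or t < self.end

    def seconds_remaining(self, now: datetime) -> int:
        """Seconds from `now` until the window closes; `now` must be inside it."""
        end_dt = now.replace(hour=self.end.hour, minute=self.end.minute,
                             second=0, microsecond=0)
        if end_dt <= now:            # window closes after midnight
            end_dt += timedelta(days=1)
        return int((end_dt - now).total_seconds())


# Constructed policy: endpoint group -> daily access window (assumption).
GROUP_WINDOWS = {
    "Retail-POS": AccessWindow(time(7, 0), time(21, 0)),
    "Night-Cleaning": AccessWindow(time(22, 0), time(4, 0)),
}
# Constructed membership: endpoint MAC -> group (assumption).
ENDPOINT_GROUP = {
    "00:11:22:33:44:55": "Retail-POS",
    "66:77:88:99:aa:bb": "Night-Cleaning",
}


def authorize(mac: str, now: datetime) -> tuple:
    """Return ("ACCEPT", session_timeout_seconds) or ("REJECT", 0).

    Session-Timeout is a standard RADIUS attribute; when it expires the
    network device either terminates or reauthenticates the session. Setting
    it to the time left in the window means the endpoint is re-evaluated
    exactly at closing time and rejected, with nothing for an admin to do."""
    group = ENDPOINT_GROUP.get(mac.lower())
    if group is None:
        return ("REJECT", 0)
    window = GROUP_WINDOWS[group]
    if not window.contains(now.time()):
        return ("REJECT", 0)
    return ("ACCEPT", window.seconds_remaining(now))


def authorize_at(mac: str, when: str) -> tuple:
    """authorize() for an ISO-8601 local timestamp such as '2024-06-03T20:30'."""
    return authorize(mac, datetime.fromisoformat(when))


if __name__ == "__main__":
    for mac, when in [("00:11:22:33:44:55", "2024-06-03T20:30"),
                      ("00:11:22:33:44:55", "2024-06-03T21:30"),
                      ("00:11:22:33:44:55", "2024-06-04T07:00"),
                      ("66:77:88:99:AA:BB", "2024-06-03T23:00"),
                      ("DE:AD:BE:EF:00:00", "2024-06-03T12:00")]:
        print(mac, when, authorize_at(mac, when))
```

The window is half-open, so a request arriving exactly at closing time is rejected rather than granted a zero-second session, and an unknown MAC is rejected outright instead of falling through to a default group.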
Enhancements to pxGrid Direct
pxGrid Direct, which lets Cisco ISE pull context from external data sources through connectors, gets two notable improvements in this release.
The first, pxGrid Direct Sync Now, lets customers synchronize data from pxGrid Direct connectors on demand. Until now, Cisco ISE performed a full database synchronization no more than once a week, with incremental updates daily. With on-demand synchronization, you no longer have to wait for large changes to take effect.
The second adds the ability to push updates straight to Cisco ISE. This new feature, pxGrid Direct URL Pusher, lets ISE talk directly to Configuration Management Database (CMDB) servers that support JSON. It also lets customers bypass the CMDB server entirely, which is especially useful when there isn't one, and send the JSON file directly to Cisco ISE.
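The example below is added here to illustrate the synchronization paths just described; it is not Cisco's pxGrid Direct code. It models a connector that pulls a JSON export from a CMDB and shows how a scheduled full sync, a scheduled incremental sync, an on-demand sync now, and a JSON file pushed directly with no CMDB behind it each affect the endpoint context the connector holds. The JSON layout, field names, the `fetch` callback, and every record are assumptions constructed for the example.

```python
"""Added example, not Cisco's pxGrid Direct code: full, incremental, on-demand
and pushed synchronization of a JSON CMDB export into an endpoint-context table.
JSON layout, field names and all records are assumptions for illustration."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Constructed full export: every record the CMDB knows about.
FULL_EXPORT = json.dumps({"records": [
    {"mac": "00:11:22:33:44:55", "owner": "alice", "site": "NYC",
     "updated": "2024-06-01T00:00:00Z"},
    {"mac": "66-77-88-99-AA-BB", "owner": "bob", "site": "SJC",
     "updated": "2024-06-01T00:00:00Z"},
]})
# Constructed incremental export: only records changed since the last sync.
DELTA_EXPORT = json.dumps({"records": [
    {"mac": "66:77:88:99:aa:bb", "owner": "bob", "site": "RTP",
     "updated": "2024-06-02T00:00:00Z"},
    {"mac": "cc:dd:ee:ff:00:11", "owner": "carol", "site": "NYC",
     "updated": "2024-06-02T00:00:00Z"},
]})


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so CMDB spellings match ISE endpoints."""
    digits = "".join(ch for ch in mac if ch.isalnum()).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"unusable MAC in CMDB record: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_export(body: str) -> dict[str, dict]:
    """Validate a JSON export and return {mac: attributes}. A record with no
    usable MAC fails the whole export: it could never match an endpoint."""
    data = json.loads(body)
    if not isinstance(data.get("records"), list):
        raise ValueError("export must contain a 'records' list")
    out: dict[str, dict] = {}
    for rec in data["records"]:
        out[normalize_mac(rec["mac"])] = {k: v for k, v in rec.items() if k != "mac"}
    return out


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class DirectConnector:
    fetch: Callable[[str], str]          # "full" | "incremental" -> JSON text
    endpoints: dict[str, dict] = field(default_factory=dict)
    last_sync: Optional[datetime] = None  # timezone-aware

    def full_sync(self, now: datetime) -> int:
        """Authoritative replacement: records deleted in the CMDB vanish here too."""
        self.endpoints = parse_export(self.fetch("full"))
        self.last_sync = now
        return len(self.endpoints)

    def incremental_sync(self, now: datetime) -> int:
        """Merge only records newer than the last sync; a replayed delta is a no-op."""
        applied = 0
        for mac, attrs in parse_export(self.fetch("incremental")).items():
            if self.last_sync is None or _ts(attrs["updated"]) > self.last_sync:
                self.endpoints[mac] = attrs
                applied += 1
        self.last_sync = now
        return applied

    def sync_now(self, now: datetime) -> int:
        """On-demand full pull outside the weekly schedule."""
        return self.full_sync(now)

    def push(self, body: str, now: datetime) -> int:
        """JSON handed straight to the connector (no CMDB), merged like a delta."""
        records = parse_export(body)      # validated before anything is stored
        self.endpoints.update(records)
        self.last_sync = now
        return len(records)


def run_scenario() -> list:
    """Weekly full sync, daily delta, replayed delta, then sync now after the
    CMDB dropped carol. Returns (records applied, snapshot) per step."""
    exports = {"full": FULL_EXPORT, "incremental": DELTA_EXPORT}
    conn = DirectConnector(fetch=lambda mode: exports[mode])
    steps = []
    for method, when in [(conn.full_sync, datetime(2024, 6, 1, 12, tzinfo=timezone.utc)),
                         (conn.incremental_sync, datetime(2024, 6, 2, 12, tzinfo=timezone.utc)),
                         (conn.incremental_sync, datetime(2024, 6, 3, 12, tzinfo=timezone.utc)),
                         (conn.sync_now, datetime(2024, 6, 3, 13, tzinfo=timezone.utc))]:
        steps.append((method(when), dict(conn.endpoints)))
    return steps


def push_scenario() -> tuple:
    """Direct push of a good file, then a file with a bad MAC that is rejected whole."""
    conn = DirectConnector(fetch=lambda mode: FULL_EXPORT)
    conn.full_sync(datetime(2024, 6, 1, 12, tzinfo=timezone.utc))
    good = json.dumps({"records": [{"mac": "cc:dd:ee:ff:00:11", "owner": "carol",
                                    "site": "NYC", "updated": "2024-06-02T00:00:00Z"}]})
    pushed = conn.push(good, datetime(2024, 6, 2, tzinfo=timezone.utc))
    bad = json.dumps({"records": [{"mac": "not-a-mac", "owner": "mallory"}]})
    try:
        conn.push(bad, datetime(2024, 6, 2, 1, tzinfo=timezone.utc))
        error = ""
    except ValueError as exc:
        error = str(exc)
    return pushed, len(conn.endpoints), error
```

Two design points matter for a real connector: a full sync is a replacement, not a merge, so it is the only path that removes stale endpoints, and every incoming file is validated completely before any of it is stored, so a malformed record cannot leave the context half-updated.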
Eliminating Protected Access Credentials (PAC) from Communication
When a TrustSec network device authenticates to Cisco ISE with EAP-FAST, ISE normally relies on a Protected Access Credential (PAC) file that is generated at the start of the authentication exchange. In some scenarios, certain TrustSec devices have trouble processing that PAC file. Starting with Cisco ISE 3.4, ISE and TrustSec devices can communicate without a PAC, which avoids those issues and reduces management overhead.
In all, Cisco ISE 3.4 delivers 15 new features this month; the ones above are just a sample. School is out for some, but Cisco ISE 3.4 is available to all!
We'd love to hear what you think. Ask a question, leave a comment below, and stay connected with Cisco Security on social!
Cisco Security Social Channels
Instagram
Facebook
Twitter
LinkedIn
