Security is a top priority for people in IT. Everyone knows how important security is to an organization, its devices, and most significantly, its people.
While putting a firewall in your network is the first line of defense, another primary foundation to network security is the enforcement of access security policies. Permitting or denying access to specific resources establishes security in your network. For example, guests should not be able to access business servers. Organizations can have long lists of access policies, dictating who can access what. But how many organizations have a clear and concise policy list they easily understand, manage, and configure?
Access control lists are daunting in most environments. This is due to how access policies are built. Access policies are based on an IP architecture, where sources and destinations are defined by your network topology. While this works, IP-based access policies do not easily scale with large scale environments, businesses with distributed sites, and frequently changing organizations.
Most are familiar with policy lists that look something like this:
Would you be able to tell what these IP addresses represent? Is XXX.XXX.XXX.XXX your cloud server? Or the HR team?
The point is, it’s difficult to tell. It also becomes more troublesome as your business needs change, such as a growing business dealing with company acquisitions, a university expanding their campus with new sites, or a firm that’s redesigning their entire organizational structure. In every one of these cases, access policies must be re-configured to mirror the way the network topology changes.
What if access policies no longer needed to be dependent on network topology; no longer IP-based, and instead, based on the intent of the user, device, or service?
Today’s the day – we’re introducing Adaptive Policy.
*(Beta available H1CY2020)
Adaptive Policy is a new solution where revolutionary Cisco Security Group Tag (SGT) technology meets the most powerful Cisco Meraki switch hardware yet. This software feature addresses the shortcomings of traditional policy administration using Cisco SGT and the MS390. With Cisco SGT, numerical tags are used to profile users, devices, services, and time of access. Tags can be assigned using a RADIUS server like Cisco Identity Services Engine (ISE). When Cisco ISE is used, the tag is transmitted to all devices in the network — every packet is tagged and decisions based on the tag are made by the MS390.
How does Adaptive Policy actually work?
IT team creates an access policy whereby the sales team cannot access a product roadmap application.
When a salesperson connects their laptop to the network, Cisco ISE will authenticate the user using Active Directory, then assign a tag, let’s pretend, tag 4 for the salesperson. The MS390 will receive tag 4 sent from ISE and will then add the tag 4 to every packet coming the salesperson’s device. If the salesperson tries to connect to the product roadmap server, which only allows tag 5, the MS390 will deny the request. But let’s say the salesperson moves to the product team, the user profile changes based on Active Directory, and now this user can access the roadmap application without having to re-configure all the switches in the network.
This policy enforcement process has become scalable, effective, and automatic. Adaptive Policy utilizes Cisco SGT to determine traffic intent and can help scale and reinforce security for customers of any deployment size.
With Adaptive Policy, security is agnostic to network topology, making security orchestration and mass configuration changes consistent. Furthermore, instead of using IP addresses, we can now use natural language to determine how a policy is adjusted and implemented. Instead of seeing XXX.XXX.XXX.XXX, you’ll find yourself reading “Marketing team”.
Adaptive Policy is built with flexibility.
Adaptive Policy is a new feature built with a Meraki API-first strategy that will guarantee full consumption. Together with Cisco, we are able to provide interoperability with an open implementation of tagging, which means it won’t be tied to only one vendor. Thanks to Cisco SGT’s open and extensible technology, Adaptive Policy provides maximum potential across Cisco and 3rd party vendors, giving you flexibility for your networking needs.
MR customers can take advantage of Adaptive Policy too!
Customers who have Meraki MR access points (ac Wave 2 and above) but do not have the MS390 can still deploy Adaptive Policy. Under a hybrid environment, current Cisco Catalyst switch (3K to 9K series) customers with Meraki MR can implement Adaptive Policy utilizing inline-SGTs.
How can I enable Adaptive Policy?
Adaptive Policy is available as an advanced feature on the MS390. You will need the MS390 switch along with the MS390 Advanced licensing to enable this new feature.
To learn more about Adaptive Policy and the MS390 switch, watch the launch webinar or read the MS390 blog. Starting early 2020, you can also give Adaptive Policy a whirl by starting a free trial.
Additional Resources:
Todd Nightingale, Cisco Meraki GM talks about Security Made Simple