In today's threat landscape, traditional perimeter-based security is no longer sufficient—attackers are already inside your network, and trust is no longer a default setting. Identity and Access Management (IAM) has evolved from a compliance checkbox into a critical security control, with [Zero Trust](/pillars/zero-trust/) architecture now representing the gold standard for enterprise access governance. Cisco's Identity Services Engine (ISE) addresses this shift head-on, providing the centralized intelligence and policy enforcement needed to authenticate and authorize every access request, regardless of where it originates. For IT leaders and security practitioners grappling with increasingly complex hybrid and cloud environments, understanding how modern IAM solutions like ISE can enforce Zero Trust principles is no longer optional—it's essential to survival.

What This Episode Covers

  • Centralized Access Control and Policy Enforcement — How ISE enables administrators to define granular, context-aware access policies based on user identity, device type, and other security attributes
  • Zero Trust Architecture — The shift from implicit trust to explicit verification for every access request, and how ISE operationalizes this model
  • Endpoint Visibility and Device Profiling — Gaining real-time insight into all connected devices and using that data to segment and control network access
  • Multi-Factor Authentication Integration — Layering identity verification to reduce the risk of compromised credentials
  • Ecosystem Integration — How ISE works alongside other Cisco security solutions to create a cohesive security fabric

Deep Dive

Centralized Access Control and Policy Enforcement

At its core, IAM is about answering a simple but critical question: Who should be allowed to access what, and under what conditions? Cisco ISE provides a centralized platform for defining and enforcing the answer to that question across your entire network.

Traditional network access control relied on IP addresses and network segments to make access decisions. Someone on the corporate LAN could access the file server; someone outside could not. But this approach has crumbled in an era of remote work, BYOD, cloud services, and supply chain interdependencies. ISE shifts the paradigm from “where are you?” to “who are you, what device are you using, and what’s the current security posture of that device?”

In practice, this means ISE collects contextual information about every access request. When an employee connects to the network—whether via a wired connection, WiFi, or VPN—ISE gathers data on:

  • User identity — Authenticated credentials, group membership, role
  • Device attributes — Operating system, patch level, antivirus status, encryption status
  • Network context — Time of access, location, connection type
  • Business context — Department, project, clearance level, compliance requirements

Once this information is collected, ISE’s policy engine evaluates it against a rules framework that you define. These policies can be remarkably granular. For example, a policy might state: “Users in the Finance department can access the accounting database only from managed, fully patched Windows devices, with MFA enabled, during business hours, and only from the corporate office or VPN.” If a user attempts access outside these parameters, they’re either denied or prompted to remediate (update patches, enable MFA, etc.).

This approach is particularly valuable in highly regulated industries—finance, healthcare, government—where demonstrating consistent, auditable access control is a compliance mandate. It’s equally important in fast-moving tech organizations where employees work from everywhere and access sensitive data constantly.

Common misconception: Many administrators assume centralized access control means rigid, inflexible rules that slow down legitimate work. In reality, well-designed ISE policies actually improve both security and user experience by automating routine access grants and providing clear remediation paths when access is denied.

Zero Trust Architecture in Practice

Zero Trust is no longer a buzzword—it’s a security architecture that treats every access request as potentially hostile until proven otherwise. This represents a fundamental shift in security philosophy, moving away from the idea of a secure perimeter and towards the concept of “verify everything, trust nothing.”

Cisco ISE operationalizes Zero Trust by making continuous authentication and authorization a network requirement. Here’s how it works:

Initial Access: When a user or device attempts to connect to the network, ISE intercepts the request before any network access is granted. The device undergoes a pre-access assessment, including authentication (proving identity), device compliance checks (is it updated, encrypted, running approved security software?), and policy evaluation. Only after passing all checks does ISE grant access—and that access is scoped to the minimum resources needed for that user/device combination.

Continuous Verification: But Zero Trust doesn’t stop at the entry gate. ISE maintains ongoing visibility into user and device behavior. If a user’s risk profile changes—they’re accessing resources at 3 AM from an unusual location, or their device suddenly loses compliance—ISE can dynamically revoke or restrict access without requiring a new login.

Micro-segmentation: ISE works in concert with network infrastructure to enforce micro-segmentation, which divides the network into small zones. Each zone represents a trust boundary, and movement between zones requires re-authentication and re-authorization. This prevents lateral movement—a key attacker objective—because compromising one device doesn’t automatically grant access to adjacent systems.

The real-world impact is substantial. Consider a healthcare organization where ISE is deployed. A nurse using a hospital tablet can access patient records relevant to their current assignment, but if they try to access records for a patient they’re not treating, access is denied. A contractor on the network for a systems integration project can access agreed-upon infrastructure systems but cannot pivot to clinical systems. If a managed device falls out of compliance—missing a security patch—ISE can automatically move that device to a remediation network where only update servers are accessible.

Common challenge: Implementing true Zero Trust requires culture change, not just technology. Many organizations struggle because they’re trying to apply Zero Trust principles through ISE alone, without updating identity governance processes, access request workflows, or user expectations.

Endpoint Visibility and Device Profiling

You cannot protect what you cannot see. ISE addresses this through comprehensive endpoint visibility and automated device profiling.

When devices connect to the network, ISE doesn’t simply record their IP address. It actively identifies and catalogs device attributes: operating system type and version, installed applications, network services, hardware characteristics, even firmware versions. ISE maintains an updated inventory of every connected device, its compliance status, and its security posture in real time.

This profiling capability serves multiple purposes:

Risk Assessment: ISE can automatically categorize devices into risk tiers. A fully managed, corporate-issued laptop running current patches and approved security software might be classified as “high trust.” A contractor’s personal laptop, unknown device, or IoT sensor would be classified lower. Access policies can then be scaled accordingly—high-trust devices get broader access, lower-trust devices get restricted access or face additional authentication barriers.

Compliance Monitoring: Device profiling enables continuous compliance verification. If a device falls out of compliance—antivirus protection expires, patches become overdue, encryption is disabled—ISE detects it and can trigger remediation workflows or restrict access.

Anomaly Detection: By understanding the normal baseline of devices on your network, ISE can flag unusual behavior. A printer suddenly generating unusual network traffic? A workstation connecting from an unfamiliar location? These anomalies trigger investigation or automatic access restrictions.

Network Segmentation: Device profiling data feeds directly into segmentation decisions. IoT devices are segmented away from workstations; guest devices are isolated from corporate systems; BYOD devices are partitioned from sensitive servers.

Real-world relevance: As organizations grapple with IoT proliferation—smart building systems, medical devices, industrial equipment—device profiling becomes essential. Many IoT devices cannot authenticate with modern credentials and run outdated software. ISE’s profiling capabilities allow secure integration of these devices without compromising network security.

Multi-Factor Authentication Integration

Authentication—proving you are who you claim to be—is the foundation of access control. But passwords alone are demonstrably insufficient. Credentials are phished, reused, weak, or shared. Multi-factor authentication (MFA) adds additional verification factors, making identity compromise far more difficult.

ISE integrates with MFA systems to make multi-factor authentication a flexible, policy-driven component of network access. Rather than requiring MFA for all users (which can frustrate legitimate users and increase helpdesk burden), ISE can mandate MFA conditionally:

  • Risk-based MFA: High-risk access scenarios—access from unusual locations, at unusual times, to sensitive systems—trigger MFA requirements
  • Device-based MFA: Users accessing from unmanaged or low-trust devices must provide additional factors
  • Role-based MFA: Certain roles—administrators, auditors, compliance officers—always require MFA
  • Time-based MFA: MFA requirements might increase during after-hours access or at organizational boundaries

In practice, this means users might not be pestered with MFA every day for routine access, but when they attempt risky actions, the additional verification is seamless and justified.
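The Finance rule quoted in the access-control section and the conditional MFA triggers listed above, modelled as a small policy evaluator that also re-checks a live session the way the continuous-verification discussion describes. This is an added example, not Cisco's or ISE's code; the attribute names, the business-hours definition, the risk tiers and the sample request are assumptions constructed for illustration.

```python
"""Context-aware access decisions modelled on the policy narrative above.
Illustrative only, not Cisco ISE code: attribute names, the Finance rule, the
MFA triggers and the sample contexts are constructed for this example."""
from dataclasses import dataclass, replace
from datetime import datetime


@dataclass
class AccessContext:
    """Context an ISE-style policy engine collects per request (constructed)."""
    user: str
    groups: set
    role: str
    device_managed: bool
    os: str
    patched: bool
    av_running: bool
    disk_encrypted: bool
    mfa_satisfied: bool  # a second factor has already been presented
    location: str        # "office", "vpn" or "remote"
    time: datetime
    resource: str


def device_trust(ctx):
    """Risk tier from posture: managed, patched and protected is 'high';
    a managed device drifted out of compliance is 'medium'; else 'low'."""
    if ctx.device_managed and ctx.patched and ctx.av_running and ctx.disk_encrypted:
        return "high"
    if ctx.device_managed:
        return "medium"
    return "low"


def business_hours(t):
    """Weekdays 08:00-18:00 (constructed definition)."""
    return t.weekday() < 5 and 8 <= t.hour < 18


def mfa_triggers(ctx):
    """Conditional MFA: the role-, device-, time- and location-based triggers
    that fire for this request. An empty list means no step-up is needed."""
    triggers = []
    if ctx.role in {"administrator", "auditor", "compliance_officer"}:
        triggers.append("role")
    if device_trust(ctx) != "high":
        triggers.append("device")
    if not business_hours(ctx.time):
        triggers.append("time")
    if ctx.location not in {"office", "vpn"}:
        triggers.append("location")
    return triggers


def evaluate(ctx):
    """Returns (decision, reasons); decision is 'allow', 'deny' or 'remediate'.
    Hard conditions of the Finance rule deny outright; fixable ones (overdue
    patches, missing second factor) send the user to remediation instead."""
    remediation = []
    if ctx.resource == "accounting-db":
        if "finance" not in ctx.groups:
            return "deny", ["not in Finance"]
        if not ctx.device_managed or ctx.os != "windows":
            return "deny", ["unmanaged or non-Windows device"]
        if ctx.location not in {"office", "vpn"}:
            return "deny", ["outside office/VPN"]
        if not business_hours(ctx.time):
            return "deny", ["outside business hours"]
        if not ctx.patched:
            remediation.append("patches overdue")
    triggers = mfa_triggers(ctx)
    if triggers and not ctx.mfa_satisfied:
        remediation.append("mfa required (" + ", ".join(triggers) + ")")
    if remediation:
        return "remediate", remediation
    return "allow", []


def reevaluate(session_ctx, **changes):
    """Continuous verification: re-run the policy on a granted session with
    updated context (posture lost, new location, odd hour), no new login."""
    return evaluate(replace(session_ctx, **changes))


def sample_finance_request():
    """Constructed request: a Finance analyst on a compliant managed Windows
    laptop, in the office, Tuesday 10:00, second factor already presented."""
    return AccessContext("alice", {"finance"}, "analyst", True, "windows",
                         True, True, True, True, "office",
                         datetime(2024, 5, 21, 10, 0), "accounting-db")


if __name__ == "__main__":
    alice = sample_finance_request()
    print(evaluate(alice))                        # ('allow', [])
    print(reevaluate(alice, patched=False))       # remediate
    print(reevaluate(alice, location="remote"))   # deny
```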

Challenge: MFA fatigue is real. Users asked to re-authenticate constantly may find workarounds or adopt riskier behaviors. ISE’s contextual approach helps balance security with usability.

Integration with Broader Cisco Security Ecosystem

ISE doesn’t exist in isolation. Its power multiplies when integrated with other Cisco security solutions:

Cisco Secure Network Analytics provides deep network visibility and threat detection. When Secure Network Analytics detects suspicious network behavior, it can trigger ISE policy updates. Conversely, ISE’s device profiling and user context data enriches Network Analytics’ detection capabilities.

Cisco Umbrella provides DNS-layer security and web filtering. When a user or device is flagged by ISE as potentially compromised, Umbrella can apply stricter filtering policies to that device or user. When Umbrella detects that a device is accessing known malicious sites, ISE can be notified to restrict that device’s network access.

Cisco Talos provides threat intelligence that feeds into ISE policy decisions and device risk scoring.

Together, these solutions create a security fabric where identity, network, endpoint, and threat intelligence are integrated into a cohesive defense.

Implementation Considerations

Deploying ISE effectively requires careful planning and phased rollout:

1. Assessment and Planning

  • Conduct a thorough audit of current network devices, users, and access patterns
  • Identify regulatory requirements and security policies that ISE will help enforce
  • Map current user roles and device types to understand segmentation needs
  • Assess your existing authentication infrastructure (Active Directory, LDAP, RADIUS)

2. Architecture and Design

  • Determine ISE deployment topology (distributed, centralized, cloud-based, or hybrid)
  • Plan for high availability and disaster recovery
  • Design your access policies and segmentation strategy
  • Identify integration points with existing security solutions

3. Phased Rollout

  • Start with monitoring mode (policy audit without enforcement) to understand impact
  • Pilot with a friendly user group before organization-wide deployment
  • Begin with permissive policies and gradually increase enforcement as users and processes adapt
  • Plan for device profiling and compliance remediation workflows

4. Prerequisites

  • Modern networking equipment (switches, access points, firewalls) capable of ISE integration
  • Robust authentication infrastructure (AD, MFA system)
  • Network infrastructure capable of enforcing access policies (VLAN capability, 802.1X support)
  • Clear governance and policy framework defining access rules

5. Ongoing Management

  • Establish governance for policy maintenance and updates
  • Implement device remediation workflows for non-compliant endpoints
  • Monitor and optimize policy effectiveness
  • Maintain integrations with other security tools

Key Takeaways

  • Identity is the new perimeter: In hybrid and cloud-centric environments, controlling access based on user and device identity is more effective than traditional network perimeter defense
  • Context matters: Effective access control incorporates multiple data points—identity, device posture, behavior, time, location—not just credentials
  • Zero Trust requires technology AND process: ISE is a powerful tool, but successful Zero Trust implementation requires updated governance, access request workflows, and user expectations
  • Device profiling is essential: Knowing what’s on your network—devices’ security posture, compliance status, risk classification—is a prerequisite for effective segmentation and access control
  • Conditionally enforce MFA: Rather than MFA for everything or nothing, use ISE’s contextual capabilities to require MFA proportional to access risk
  • Integrate security solutions: ISE’s effectiveness multiplies when integrated with other security tools; isolated IAM is less valuable than connected security fabric
  • Start with visibility: Before enforcing policies, establish monitoring and profiling to understand current state and impact

Why This Matters

The threat landscape has shifted fundamentally. Attackers no longer focus primarily on breaching the network perimeter—they assume they’re already inside and focus on lateral movement and privilege escalation. Traditional network access control, which granted broad access based on network segment or IP range, is indefensible in this model. ISE and Zero Trust architecture directly address this reality by making access decisions granular, contextual, and continuous.

For IT professionals and security practitioners, this shift is both challenge and opportunity. The challenge is operational complexity—managing identity, device compliance, and contextual policies across hybrid environments requires sophisticated tools and governance. The opportunity is risk reduction. Organizations that effectively implement Zero Trust identity management through ISE see dramatic reductions in breach impact, faster compliance audit cycles, and improved user experience through smarter, more contextual access control.

As regulatory requirements tighten (SEC rules for material breaches, privacy regulations, industry-specific mandates) and breaches become increasingly costly, the business case for modern IAM becomes stronger. ISE represents a mature, enterprise-grade approach to operationalizing Zero Trust identity management—making it a critical technology for organizations serious about managing access risk in the modern threat landscape.

---

Listen to the full episode on [YouTube](https://youtube.com/@SecurityIn45) or subscribe via [RSS](https://media.rss.com/security-in-45/feed.xml).

Full Transcript


Appreciate everybody joining in. See, Andres, today, May 24th, and welcome to the Security in 45 show, everybody. Today, we’ve got a pretty cool topic, identity management, something that everybody is using and could probably simplify. I like this topic, Andres.

Users are the biggest threats in the network that we see every day. Proper identity management rules can make our lives as network and security engineers a lot simpler once we get kind of centralized management control. So I’m excited to learn a little bit more about that today. Yeah, and it’s gonna be interesting.

Identity management, what we see today is that very vital for any company doing hybrid work, users working from home, users working from anywhere or even in the office. So it’s gonna make a lot of sense in basically, identity management is how we define roles and force role-based access, which is one of the things that we hear a lot from our customers nowadays. It is also one of the things that we want to make sure we know when we start planning our zero trust frameworks or implementations and things like that. And today we have John and we have Sam and these guys are amazing.

They’ve been doing security for a while. So super excited to have them on the show today just to talk about identity management. And with that, John and Sam, I’m gonna give it to you. John, if you wanna introduce yourself and then pass it to Sam.

Awesome, thank you very much. So a little bit about myself. I’ve been with Cisco for a little over a decade at this point, so I think pushing 11, 12 years, about 10 of those years I was in tech, specifically around security, around ISE, and then literally every single piece of security we have out there. And then from there I got pulled over to pre-sales where I got to meet back up with Mike and Andreas and Sam, pushing commercial East.

And now I am one of the two TSAs in the Navy for the DoD. Again, all things secured. Sam. Hi everyone, so my name’s Sam Baxter and I’m a Solutions Engineer as well at Cisco.

I’ve been here going on nine years. The first half of that I worked as a consulting engineer, doing a lot of post-sales delivery for multiple technologies. I moved into pre-sales, so got to work with these fine gentlemen with commercial East. And now I’m working to support our enterprise customers.

So just focusing on all things security. And my background has been focused on identity. So looking forward to the conversation today. Nice to meet you all.

I’m pretty fortunate to have been able to work with all of you on the same team at different times throughout our career. John, you were always the guy I could ask all my ISE questions to back in the TAT days and then coming to pre-sales, being on the same team with you and Sam and now with Andreas. Guys are already getting some good compliments in the chat here. Ferdinand and Lucas and Anthony, appreciate the comments.

Any comments or questions you guys have, just throw them in there. And if we can’t answer them live on the show, happy to sync up with you guys one-on-one or we’ll of course answer those all through email as well. All right. IAM, like what is IAM Sam?

What does it do? Is IAM Active Directory? Could you elaborate kind of high level what IAM stands for and what we’re talking about here? Yeah, yeah, so IAM stands for Identity and Access Management.

It’s important to understand that IAM is not a specific product. It’s really like a strategy and a framework. Multiple different products can provide IAM capabilities. But essentially the core objective of IAM is to make sure that you protect your assets.

As users are accessing your resources, you wanna make sure you’re giving the right level of access to the right people. And Active Directory can play a big part there as a user directory, but it doesn’t have to be just Active Directory, right? Could be a SAML IDP, could be another authentication source. But there are a lot of capabilities within IAM.

So things like single sign-on, focusing on helping users, to eliminate friction with users. And then you also have like your security components, right? Device trust, lightweight posturing. So a lot of that stuff we’ll get into in the future on this call, but IAM also should allow you to do governance of your policies.

So you really wanna make sure you have adequate logging. Wanna make sure that you can look back at the access request and make sure that this user logging into this resource is tracked, right? So you can have a trail of these requests. But yeah, it’s not a specific product.

At Cisco we have Duo, and that’s gonna provide a lot of IAM capabilities, but we can integrate with other solutions as well to strengthen that identity security. Just to kind of really continue on with what Sam is mentioning. It is a full solution. We have to make sure that you are looking at the right product for the features that you are trying to secure.

So IAM is not gonna be a single vendor. Cisco has multiple different pieces that can do IAM, or can do parts of IAM, but it’s not gonna be a single vendor. It’s not gonna be a single product that we’re gonna be looking forward to really lock down an entire environment. And that’s where pretty much this whole conversation is gonna go into is what pieces and parts that we can look at to make sure that your full solution is ready.

Very nice. So thinking of it more holistically in terms of a solution, maybe it takes a while, a journey to get to where you really wanna be since it’s not a particular product, but great stuff. And Sam, I like to call about the accounting portion of it as well, kind of having those logs so we can see if we need to look back in time for any type of threats or access control. Yeah, just to add onto that, right?

Like we just wanna make sure if there is unauthorized access or any type of breach or anything, right? Session theft, we wanna make sure that we’re able to track that. And a big component of IAM is being able to respond to those threats in real time, right? So that’s a capability that Cisco has improved upon.

So we can definitely talk about that later on the call. And would that be just people running around like manually unplugging ports out of walls and stuff like that? Is that what we’re talking about? No, no, you wanna make sure you can tie it back into that directory, right?

Maybe to adjust those rights in real time or just remove the user from the network, right? Adjusting the session or making that session invalid. Yeah, glad to hear there’s a better way. And honestly, you could still run around and unplug and plug for us.

That’s where I am. I’m just using the old scissors. Just to cut the cable. Just updating myself here.

That was awesome. And it’s a good, interesting just conversation about capabilities features, things that we can do with IAM. So pretty cool with that. John, the next question I have and it’s just to dig deeper into identity management or IAM capabilities, if we can share a little bit about that.

Yeah, so the main purpose of IAM is to validate users and devices coming onto the network. So that can be done many different ways. And then from there, the authorization of it. So we’re really talking AAA across the board.

Authentication for the users, for the devices, pieces and parts coming onto, whether it’s your network accessing applications, your workloads, what have you. And then the authorization part. What are they doing? What are they allowed to be doing?

Should we allow access, block access, really kind of give it restrictive pieces? If somebody’s coming in, they have a vulnerability on their machine. How can we quarantine them so we can fix them later? It may not just be restriction that’s going on here.

We could also redirect. So if we’re looking at user or guest user access that’s coming onto the network, we can redirect them to a portal, make people log in. So you know anything and everything that’s going on. And really leaning back on that, that’s where we can go onto the last A of AAA, the accounting portion of it.

Where are we getting those logs? What logs do we need? Where are we sending those logs that we can go back and look at? Like Sam was mentioning earlier.

What is our audit trail? How do we prevent the sensitive data from getting out there? And of course, as Mike mentioned at the very beginning, it’s all about, first we wanna protect the users with IAM. Then we also wanna protect the devices when it comes to whether it’s ISE doing posture, or Duo doing device insights.

How can we see things coming into your environment? And a lot of it’s going to kind of circle back into a conversation of zero trust. Andrea, as you mentioned earlier, zero trust is a big term that’s gonna be out there. And I’m sure we’re gonna be talking more and more about it.

So I don’t wanna belabor it right now. But IAM starts off with let’s validate everybody. And now let’s make sure that we have the correct authorization for them within the network, accessing the application, your workload, what have you. That’s great info, John.

Thank you, thank you so much. And yeah, that is also one of the pillars for zero trust. And that’s good segue for what we’re gonna talk in a few minutes. John, the part you mentioned about the authorization, do you, in your opinion, do you feel that that’s a part that maybe gets overlooked too frequently?

Because I think of the first A, the authentication, that’s something everyone’s doing. But how common is it, or are people doing a great job with authorization that you generally find? It is a very mixed bag that’s out there. So it’s easy to give somebody all access, and it’s easy to give somebody no access.

So the no access is usually the most secure. That’s where we start talking zero trust. Zero access, zero trust. We don’t trust anybody that’s out there.

But then it’s very easy to give somebody full access. So when it comes to modern IAM capabilities, a lot of this can be dynamic. So as a user comes in, they authenticate, maybe as you mentioned, they go through, they pulled a cable, but then they plug the cable in somewhere else. How do we make sure that they have the same authorization from port to port?

Or if they’re trying to spoof a phone or something like that, how do we make sure that they stay where they’re supposed to be? How do we make sure that they stay in their lane is the easiest way I can say it. And all of that is going to come down to that authorization side. Most users out there, again, zero or all.

It doesn’t have to be that way. Everything can be configured on the central side. Again, whether it’s gonna be off of Duo, it’s gonna be off of ISE, Secure Workload. We can start locking things down based off of segmentation rules.

So we’re looking at macro segmentation, micro segmentation. However, we can really start limiting it down. And for me, the implementation is gonna be key. So you always start off large and you start scoping it down.

I’m sure we’ll talk about that more here in a bit too. That’s great. Excellent. A live question did come in in terms of what are the key benefits of using Cisco as an identity solution?

So any thoughts on that? I know we’re not trying to plug Cisco here. We’re talking more industry concepts, but any call-outs there? So I’ll jump onto that.

Sam, back me up with whatever you wanna put in there. Interoperability is the biggest thing that comes from Cisco. So when it comes to whether we’re looking at ISE and Duo or really just ISE is kind of a linchpin across your whole system, the interoperability that we put out there, we follow the RFCs for anything and everything. So if we’re looking at specifically say RADIUS, if we’re looking at communication between them, we have open APIs across all of our platform now.

We’ll use pxGrid to be able to communicate, share information back and forth. And we’re not looking at just our IAM solutions when it comes to that interoperability. So we’ll integrate with our secure firewalls, our secure workload, our email access is gonna be out there, our web access is out there. The amount that we can operate, and it’s not just with Cisco products, it’s kind of across the whole board.

Our whole goal is that we want to interoperate with everything that’s in your network. We want to be the central part of your security, but we don’t want to overload your system. We don’t wanna change out what’s there. If something’s working, let’s work with it.

Instead of pulling out your whole IAM solution now and adding in something else and trying to change everything all at once, let’s build. Let’s utilize what you have, let’s build and make it stronger. Let’s fill those holes within your security. Yeah, I’ll just add, just based on where Cisco is going, from our identity portfolio.

So we’ve been doing a lot of development acquisitions, and now we do have the capability for identity threat detection and response. So that’s another market that Gartner is putting out there that a lot of organizations are starting to look into. So we do have that capability where, like I said earlier, you might have multiple authentication sources. So we can track a user that may be coming in from a Workday or an HR system.

We can look at, if you have like an Okta or another IAM vendor, we can look at session theft and be able to remove that user session from the network or from an asset. So there’s a lot of innovation going in at Cisco. So we can definitely provide links and give you some direction on where we’re going. But I think that’s one of the biggest selling points or the biggest advantages of looking at Cisco for identity.

Just the direction that we’re going is huge. That’s really good information on both fronts. And just, as you guys mentioned, multi-factor authentication is probably the easiest thing to knock out on a security strategy. That’s great.

All right. So I do have the- Sam, what tools or methods do we have specific to IAM that you see customers utilizing to harden their security for the identity of the users and the devices that are connecting onto the network? Yeah, so number one, we really recommend customers to move beyond just a single factor. So not just relying on username and password to grant access to resources.

So one of the biggest components of IAM solution is multi-factor authentication. It’s going to be table stakes to protect some of these user accounts against unauthorized access. So within Duo, within a lot of solutions, there are multiple authentication methods you can use. Some of the more legacy ones are SMS, text messages or phone callbacks.

But we’re seeing a lot of customers moving towards stronger authentication methods. So things like security keys, so like YubiKeys or using biometrics or platform authenticators on the end points. So those are some of the components, right? And then we talked about role-based access control.

We’ll talk about zero trust in the future, but we’re really seeing a lot of focus on layering security on top of just MFA, in general. Of course you have the user directory, which is a key component, but for the security, you have the MFA, you have the single sign-on, right? So that’s going to help with just the friction of users access and resources. And then that’s going to help with security as well.

So a lot of users are reusing passwords. You know, bad actors can go on the dark web, download a lot of passwords and do like credential stuffing or a lot of common attacks. So just having MFA in place on an account is going to stop that threat actor. And that’s something that they’re looking for today.

They’re just looking for accounts that don’t have MFA protection, right? So they can bypass any security you have. But yeah, those are some of the things that we’re seeing with our customers, right? Focusing on like public key cryptography with passwordless and the biometrics, like I discussed earlier.

No, I think that MFA is just, when I talk to customers daily, that’s one of the things I definitely make sure of, that MFA is there because it’s just the low hanging fruit. It’s like one of the easiest things to get in place and talk about bang for your buck. Like I think back about, was it two years ago, we had that Colonial Pipeline cyber attack. I mean, that cost like $5 million.

And I remember just here in North Carolina, you couldn’t get like gasoline for like two weeks because of that. And that was an absence of MFA on a VPN connection, something that was very easily preventable and pretty light investment to be proactive about your security there. Yeah, and I mean, that’s a real world impact, right? We all consume those services.

So security should be in the forefront. And like you said, I mean, that’s just a simple check that could have been added, but it is easy to miss. Within like the average enterprise these days, it’s not just one identity source, right? You could have contractors coming in.

It’s not just gonna be just one Active Directory. So the combination of something like Duo with ISE, right? Locking down the network as well. So you can prevent some lateral movement.

Definitely a defense in depth type of conversation is needed, but having MFA is definitely gonna shut the door on that first access attempt. Sam, I think you’re hitting it right on the head. If we look back at a lot of the attacks that have been happening over the last five years, really, well, you had the Target, you’ve had, I mean, not Pegasus, but you’ve had the Home Depot, all of these different attacks that have come in and it’s always been user phishing. So getting access into contractor devices coming in, getting their VPN access, getting just their username, passwords, whether they’re doing a SIM swap or anything along those lines, being able to really go into that.

And that’s where multifactor authentication is really gonna come in to protect. Again, it doesn’t have to be SMS. A lot of us don’t suggest even do SMS anymore. Let’s switch over to biometrics.

Let’s switch over to PIV and CAC cards. Let’s switch over to something that is more secure, more central to your location. And I’m sure we’ll talk about it more, but if we look at the notification alert drag, that’s kind of out there, everyone’s getting so used to seeing those notifications, they just click approve and move on. It’s all these different things that are, it’s just hitting us all at once.

So multifactor authentication is gonna be a big one to really hit that low hanging fruit, as you said, Mike. Yeah. We got a live question that just came in. Sorry, Andres.

Next question, and this one’s gonna be for you, John, hearing a lot from the customers that I talk to on a daily basis about a NAC solution, network access control. And it’s getting more and more and more attention. And I see a lot of customers coming in and saying, hey, we need NAC, but what can you tell us a little bit about that if you can share some info? John, I can just see you smiling, getting excited as that question was being asked.

Yeah, I mean, I’ve been dealing with NAC for my entire tenure here at Cisco. Network access control, that’s really where ISE and ACS have lived, but it’s been around much longer than that. So if we look back into the olden days, and we look at port security and sticky MACs, that’s where NAC control really started. How do we limit who comes into it?

With the introduction and the adoption of laptops and phones and movement and VPN and blah, blah, blah, wireless is gonna be a big one that comes to it as well. Basically, users aren’t sitting with a desktop at the same desk every single day. I mean, they may still come into the same desk, but they’re still getting up, they’re moving around, they’re using wireless, they’re switching ports. NAC now is a dynamic functionality.

So you might say you come in, you plugged in to your standard desk, you work for the morning, and then you get up and you wanna go home and work remotely for the rest of it. How do we make sure that your same access is done? And that’s where NAC is really gonna come in. It is the authentication of the users, it’s the authentication of the machines, and then we’re also gonna give the authorization.

So I do like to put out there that we’re not looking at just users out there. We want to know what machines, that’s where our compliance piece is gonna come in, that’s where posture is gonna really, really weigh in of what antivirus is running on your system, is your system up to date, is it patched? Do you have a specific file or registry setting? One of my favorite things is, is there a USB plugged into your machine that’s not supposed to be there?

Whether or not that endpoint is gonna be vulnerable is a big piece of when it comes to NAC control. So it is something that’s been around for a long time, but the way that we’ve made it dynamic, the way that just users keep moving changes that front for us. Of course, we always wanna look at it of what logs are going out there, what are people doing, where are they moving, where can we see things going through? But the most important that we’re gonna go into is what devices are there and how can we prevent it?

And I’ve used this example before, so anybody that’s talked with me is that what device comes in, it doesn’t matter who it’s from. So say you have an executive that comes in, that they have access to your entire network at any given time, because that’s what they require. Great, fantastic. Most people are gonna base that off the user, but what if they have an iPhone that comes into your environment?

Sure, it could be on an MDM, it could have gone through the compliance checks off of an MDM that we can integrate with, they pass all their user information, but what if Pegasus got to them? That is where our profiles wanna come in. We can make sure that it is an iPhone, it’s being checked the right way, we glean that information that’s out there. We can validate that they are not vulnerable before they come onto the network with their own device.

There’s a lot of extra information that we can actually pull and push coming across it, but again, kind of circling back to the beginning, that control is what access are we giving at that port level, so at that access layer, and that can be limiting them, whether it’s based off of VLANs, whether it’s ACLs, or TrustSec, so security group tags or scalable group tags, whatever we’re calling them nowadays, that are going to go through the entire network to be able to protect everything down.

Yeah, and that part of AAA, the authorization, I know we were talking about the other day, it’s probably the most fun of it, like when you’re implementing some security there, that you can take advantage of those ACLs, those dynamic VLANs, the security, so it just makes a lot of sense when you start working with that.

It is always fun being able to block somebody and then showing them why they’re blocked. That is always gonna be the most fun, but to add onto that authorization side, I kind of mentioned at the end, the security group tags, so they get put onto the port, but it can be enforced anywhere within your network, so it can be dropped off to the firewall, it can be dropped off to Secure Workload, if you want to add the visibility functionality to it, Secure Network Analytics, it’s gonna follow that packet. So the fun work for me is going to start really coming down to, I put you onto the network, I gave you layer two access to be able to see some things, but you hit my firewall, and I want to make sure my firewall is blocking everything that isn’t supposed to be out there, and that simple integration between ISE and our Secure Firewall is able to see those security group tags, and then really just lock everything down.

They’re network agnostic, so now I don’t have to worry about VLANs, I don’t have to worry about changing my routing system, my routing tables, just to be able to add on a new VLAN in there or anything along those lines, just add somebody into the same network, give them a new tag, whether they even change positions in the same company, they get a quick tag change, and their whole access is now modified. Yeah. Before we go on to the next question I have for you, Sam, we did get a question in the chat, and I can actually take this one, regarding integrations that we have, and we were talking about the benefits of Cisco integrating with what we have. Roger had a good call out in the Q&A here about the cloud FMC, which is a newer offering, and how it does integrate, but has some differences in terms of a lack of logging compared to an on-prem FMC.

So for that, and that is true, and you’ll see that addressed in the near future, but in the meantime, you will always have the on-prem option in which, to be specific, you can run the on-prem FMC with your cloud FMC, and have your cloud FMC do the deployment and management. Your on-prem FMC can still remain there, and will do all the logging, so you won’t actually have any loss of logs. But a great call out, I wanted to bring that one up. Thank you again for this.

It’s not limited to just like the on-prem FMC, we also have FDM that’s gonna be on-prem and on-box. Yeah. So we have a lot of different options that are coming out there. So while Cisco is moving a lot to the cloud, and I speak to this specifically because I do support DoD.

DoD’s not allowed to touch cloud 90% of the time. So the on-prem functionalities aren’t going away. Our air gap pieces are still remaining there. So we have FDM, we have FMC, those integrations are there.

I’ll be the first to admit, there are some issues when it comes to certain integrations when we have to run, say, FIPS mode, or compliance modes or anything along those lines. But there are pieces that we’re working through, we’re fixing, we’re getting more and more pieces and parts coming. So if we watch our FMC, we watch our FDM, it’s just getting bigger and bigger. So keep an eye on it.

Our on-prem stuff will not go away. We’re just adding more functionality to it as we’re really looking through. Perfect, thank you for that, John. Appreciate the question, Roger.

John, what is, we get a lot of confusion with like profiling versus posturing, especially when it comes to something like Cisco ISE. Can you just briefly differentiate that? Briefly is gonna be the challenge. So profiling is one of my favorite parts when it comes to ISE.

And it’s really not limited to just ISE, Duo can do some of it as well. But it is gleaning information from the network that’s already there to see what that specific device is. And also this is the most terrifying part when it comes to all of it. We’re not asking for anything extra from a device.

We’re not asking you to put an agent onto your machine for us to be able to see, again, if it’s an iPhone, is it a Samsung or anything along those lines. We’re able to glean the information from packets that are already there. So whether we’re looking at CDP, LLDP information, we’re looking at DHCP DORA requests, so the discover requests, HTTP packets with the user agent string inside of it.

We can see say a Windows XP device is running in your environment. A lot of customers in their IT are gonna say, no, that’s not possible, we don’t have it. I’ve proven many, many wrong before. Simply based off of the profiling, it’s a checkbox to be able to turn it on.

On the other hand, posturing, that’s our compliance side. That is to make sure that inside the system, the actual software that’s running on the system is up to date. So if we’re looking at specifically Windows, are your patches up to date? Does that box need to reach out to SCCM?

We’ve said it many times before, users are the number one way into a network. Easiest way that users are gonna be out there is, hey, I’ve got a Windows update, defer. I’ve deferred it now for a week. I’ll admit, I’m to blame as well.

I’ve got an update sitting on my machine that’s ready to go right after this call. But that is now a vulnerability that could come into the system. Posture is gonna be that piece that makes sure of, hey, you have a vulnerability there. We’re going to patch this before you’re even allowed onto the system.

Or your antivirus is out of date by five days. Or you don’t have a specific registry on there. So I don’t know if you’re actually a machine that we can control or somebody else has gotten it into it. A lot of different pieces and parts that we can look into it.

And then the remediation side of it. Not only are we looking, but if we are running our agent, we can now fix it as well for a lot of things. Not everything, but a lot of things that are gonna be out there. So, in short, profiling is what the device is.

Posture is what is running on that device. Excellent. Great answer. Next question, Sam.

We talked about MFA. Beyond MFA though, can you tell me about what we see a lot of literature about? We call it adaptive risk-based security or dynamic risk adjustment. We see this in Cisco Duo a lot.

Maybe Cisco ISE with pxGrid. Can you touch on this risk-based authentication a little bit? Yeah, so the risk-based authentication is gonna really take in authentication behavior from a user over a certain period of time. And then we’ll combine that with a lot of known threat vectors, understanding if a user has like impossible travel or maybe there’s like an ASN mismatch for BGP.

So on the backend, Duo is monitoring authentications, looking at the history for that user, the devices they’re coming in. And then if anything changes, we’re able to adjust which authentication method that user can use. So instead of being able to use SMS, we’ve determined this is a riskier authentication request. So you have to use a biometric or you have to use a security key.

So that’s just one part of it. Within Duo, we also offer remembered devices. And that’s gonna help with the usability for users accessing resources and not having to authenticate a lot. But maybe that user has already authenticated, they have a remembered session, but then they go to access another resource and something’s changed on their machine, right?

The posture’s changed or the Wi-Fi fingerprint has changed, right? The list of Wi-Fi SSIDs around them has changed. Then we can adjust that remembered device session and make that user authenticate again, right? So we can determine if they’re changing locations.

There are a lot of different risk signals that go into the risk-based authentication. But another thing we’ve added is like a verified push, right? So- I wanted to ask you about that because yeah, I think that’s a big one. Yeah, so I think John was talking about that earlier.

A user, for example, the user’s at dinner, they’re getting a bunch of push requests to their smartphone, right? Maybe they might just approve that request and that attacker is in. So for push harassment, push fatigue, we’ve added our verified push. So now if an attacker does compromise that first factor, that username and password, and they’re at that application, now they’re gonna see a screen where it has a four digit or up to six digit code that they’re gonna have to put in on the smartphone.

Obviously they’re not gonna have access to that smartphone. That end user at dinner is not gonna be at that browser session. So they’re not gonna know what those codes are. So it’s just a quick way to lock out that attacker, right?

And then the user can alert the help desk that their primary, their username and password is compromised. So that’s just one layer of security that Duo has added. But we also have device trust. So as John talked about, we can do profiling, we can do some posturing.

We can look at the user agent string as a user goes to a web browser, right? So we can see like the operating system, some of those attributes, but we also have Duo Desktop, which is a piece of software that sits on the operating system. And we can look at, is disk encryption on on this machine? Do you have an EDR running, right?

It’s not just Cisco Secure Endpoint, it can be a competitor’s endpoint. We can make sure that that’s running at the time of auth, we can make sure the local firewall is on, right? There’s a lot of different controls. So if you wanna start blocking based on operating systems and browsers and things like that, we have those controls, but also that Duo Desktop will allow you to do access based on corporate versus non-corporate devices.

So we can report back to Duo that machine identifier for that computer. So as a user goes to access a resource, right? We can look to make sure they’re domain joined, right? Looking at the security identifier field from Active Directory, we can tie in with a Google Workspace, we can tie in with another MDM, right?

And check with that MDM to make sure that this is a device we recognize before we give access. So there are a lot of security controls on top of that initial MFA. So, long answer, but hopefully that answers it. No, that’s great.

I just think that that verified push is just such a simple way to prevent that MFA push fatigue. Thank you for that, Sam. Quick time check. So we’ve got about six minutes left.

Still got some good questions here we wanna ask. We’ll have to maybe keep it to just 60 seconds or less for the next questions coming up here, because gotta leave some time for the dad jokes. That is the important part of this show. All right, I do have the next question.

This one is really nice. I get asked this one a lot of the time, and probably you guys too, but when it comes to Cisco ISE versus Duo, which one do we pick? Is that a thing? Is…

Oh man, let the battle begin. So I’ll admit when I first saw Duo when Cisco acquired it, I was against it in full. Again, full ISE background and stayed solid with it for many years. But really they have two different spots.

Duo is looking more at the application access side of things, as well as doing multifactor authentication and so on and so forth. ISE is going to be that linchpin that’s in the middle of your network. So as network access pieces are coming in, as people are hitting VPN, switching or wired and wireless, that is where ISE is going to shine. The two complement each other.

So you can utilize Duo as the multifactor authentication behind ISE. There is a new integration with it. Now we’re kind of getting rid of some of the old pieces and utilizing the APIs that we talked about earlier to really get that ISE and Duo story together so they can work together to be as solid as possible. But in reality, both of them are necessary for two different spots within the network.

As we kind of mentioned earlier, it’s a solution. It’s not a single product. And both sides are going to give you different parts of visibility that we’re really going to be looking for. Excellent.

And they do integrate together as well as we kind of touched on earlier. Sam, I’m going to give you this question that just came in on the live chat here because I think it’ll line up with what I was essentially going to ask anyway. But I’ll just read this off from Ferdinand here. So for a company just starting a zero trust journey, what are the initial steps they should take to effectively implement zero trust?

Any common challenges you’d want to call out? Anything they want to do to prepare for that? And again, maybe about 60 seconds or so. Oh yeah, yeah.

Yeah, so visibility is going to be key. So you want to make sure that you have a good grasp of what’s running in your environment, what type of applications users are trying to access. And then you really want to look at the business and the compliance requirements for your organization. So breaking down the assets that you have and then understanding, are there some compliance standards that we have to abide by?

That’s going to help you roll out your policy first. You get visibility and then you want to start building your policies. Then understanding which type of endpoints are on the network as well is going to allow you to say, for this application, you have to be using this sanctioned device, right? So you can’t get to that point until you have visibility.

So definitely the first step is going to be do a review of your compliance requirements, get visibility into your network. And you can do a lot of that with Duo and ISE. So in ISE you can utilize like monitor-only mode, and start seeing what devices are attempting to authenticate on the network. And then you can start building policies from there.

That’s great, Sam. I think the visibility call out upfront is really important. And it’s interesting that Duo and ISE both give you that visibility to kind of help you build that inventory. John, you talked about device profiling, so we’re able to see what is on the network.

And Sam, you talked about Duo having that same capability to see kind of what operating systems. So we can find those old XP devices that you mentioned, which we know are out there. Yeah. Yeah.

We’ve seen them. All right, I do have the last question. This one’s going to be around zero trust. And again, we’re bringing another buzzword into the mix, but we hear about it, we think we understand, we know about it.

And if you don’t mind, John, going over a little bit of what is the strategy, for example, the take from Cisco standpoint, what do we use to tackle zero trust? Yeah, I know we’re up against a time wall, so I’ll do this as quick as I can. Zero trust is exactly that. It is no trust to anything or everything that comes through your network.

But if you think of your network, you have multiple areas of it. So we kind of split that out within Cisco of our workforce. So those are the users, the devices that are going to be out there. The workplace, that’s going to be your network, and then the workload, your data center, your cloud.

We have different pieces and parts across all of that. Of course, your workforce, we’re going to be protecting that with Duo specifically. So what users are logging in? Can we do that MFA?

Can we double check all of that? Of course, device insights for posture and all of that. The workplace, we’re going to wrap ISE into that one. That is making sure that the pieces and parts that are coming in, we’re confirming them off the workforce.

We’re kind of overlapping a little bit with ISE when it comes to posture, profile, and making sure those right pieces are coming in, working with Duo, or we’re protecting their network at the network access. Now, finally, the workload side of things, again, your data centers, your cloud, all your applications, that is going to be protected by Secure Workload. So that is going to be the piece that sits out there that’s monitoring everything. Again, ISE sits in the middle.

It integrates with both sides of it. Across all of that, across all of the zero trust that we’re looking at, as Sam mentioned, visibility is key. So we’re also going to want to look at Secure Network Analytics. Let’s see the east, west, north, south, every direction you can imagine traffic that’s coming through.

All the pieces and parts that you put in, the policies you develop, how do you know that they have actually been implemented? That’s where Secure Network Analytics comes in. So really those four products that we’re looking at, Cisco’s going to really tell you three, ISE, Duo, Secure Workload. I like to throw in Secure Network Analytics to really round out the whole picture.

Great. That was great. And as a tongue twister, how fast can you say workplace, workforce, workload, as many times as you can? No, I’m just kidding.

All right. Did you guys all bring a dad joke for today? Well, I mean, I don’t know. Well, I’ll wing it as we go into it.

Okay. Sam, would you like to kick us off? Yeah, this one is very corny, but yeah, so my question is, why was the computer so good at golf? I was going to say something about like a whole, a whole one.

Keystrokes. Good answer though, I like it. Thanks. All right.

Want me to answer? Sure. All right, so yeah, the answer is because it has, it had a hard drive. Very cool.

All right, let’s keep this rolling. Andres, what do you got? I actually brought three, but I’m going to say only one because I think it was fun. So how does a hacker propose?

Short. Yeah. The answer is going to be on the next episode. No, I’m good.

Something was like ransomware or something, I don’t know. No, with a phishing ring. John? All right, so it reminds me more of a pun.

My wife was complaining that her computer was cold the other day. So she asked me to take a look at it. So I walked over, took a look. Her Windows was open.

She didn’t have her firewall turned on. That’s good. That’s awesome, that’s awesome. All right, I’ll go last here.

Which social dating platform has had the most user traffic since the invention of SAML? Single Sign-On.com. Closing remarks, Sam, anything you’d like to close out with here? Yeah, we talked about this.

I think it’s very important to know that you’re only as strong as your weakest link. Typically end users or legacy systems are going to be those weakest links. So I think that’s a good point.

And it only takes one place for a successful initial access for a bad actor. So you definitely want to have multi-factor authentication turned on. Defense in depth is very big as well and useful. But if you have any interest in seeing what Duo is, working on any of the innovations, you can go to duo.com for a 30-day trial, reach out to Mike, any of us on the call and we can work with you.

Sam, that was great. And I can see you still chuckling about the dad jokes a little bit. Yeah, that was good. That was good.

We made him cry. John, closing remarks? I mean, really, let’s go back to the very beginning of the whole conversation that remember it’s not going to be a single shot. It’s not going to be a single product.

It’s a solution that we’re going to be looking at. IAM is a big piece, but really look at the zero trust conversation coming into it. Look at exactly what we’re trying to lock down, pieces and parts. One product’s not going to do it.

One vendor is not going to do it. Really look at it as that holistic solution and you’ll set yourself up more for success than anything. That’s excellent. I mean, big takeaways for me, really just that identity management is a solution, not a product, and it’s going to be customized for each implementation.

Not forgetting about the authorization and the accounting piece. A lot of people just do that authentication, but don’t forget about limiting the scope of access. And then working on that profile and posture, knowing what is on the network as well as the hygiene of what’s on the network. Yeah, that was good, Mike.

And for my takeaway, Duo is more than MFA. Probably you’ve heard it more than you know, and there are so many features, capabilities that we have there. Always that question about ISE versus Duo. Just remember ISE for the network, Duo for applications, and they integrate together.

The other thing that I have, and those are the last two things, implementation of an IAM solution. Remember, planning is key. One of the things that I always hear and incorporate into my talk tracks lately is measure twice, cut once. So make sure you have your planning in order.

And the same thing for zero trust. Understand the framework. The framework doesn’t have to be the same for everybody, but remember you’re securing the workplace, the workloads or your applications, and then you’re also securing your workforce. So that’s my takeaway.

That’s excellent. John and Sam, thank you guys so much. I’ve had the pleasure of knowing you both a long time, but in all sincerity, thanks for the security aspect you do in the world, keeping people safe, especially when we’re talking about healthcare, DoD type stuff. Protecting our customers and the world is something we all are very involved with and you guys make a great contribution there.

Next episode, Andres, Zero Trust. So that’s kind of cool that we talked about that a little bit today. We’ll get into talking about modern security principles that, as Andres said, frustrate attackers, not the users. Maybe it was Sam that said that.

I really enjoyed today’s conversation. Stay secure and we’ll see everybody on the next show. Thank you all. Have a good one.