Introducing ISE Expert as a Service


Network Access Control (NAC) has come a long way since 2004, when it was all the rage. As a young CCIE at the time, I realized from Cisco's acquisition of Perfigo how necessary a solution was that recognizes users, their devices and roles; evaluates the security posture of the endpoint and scans for vulnerabilities; and enforces policy in the network. Fast forward more than 20 years, and NAC is still an illustrious solution critical to modern security architecture, including Zero Trust. As an example, the US Department of Defense views Comply-to-Connect (C2C) as the foundation for DoD’s zero trust journey.

Cisco Identity Services Engine, or ISE for short, is a market-leading NAC solution that offers a network-based approach for adaptable, trusted access everywhere, based on context. It gives you intelligent, integrated protection through intent-based policy and compliance solutions, all delivered with streamlined, centralized management that lets you scale securely in today's market. According to Cisco, the average ISE customer has seen $1.6M saved by avoiding security events over three years and 200 fewer hours spent remediating major network security events. Cisco ISE addresses many challenges with a broad set of mission-critical Network Access Control (NAC) use cases:

  • Pervasive visibility:  The first step to building a resilient security posture is gaining the ability to see and know everything that is connecting to the network. Cisco ISE automates the discovery of devices connecting to the network. With Cisco ISE, teams can identify, classify, and track endpoints connected to the network to allow the automation of policy provisioning before allowing access to network resources.
  • Dynamic control: Confidently build security into your network with visibility-driven network segmentation. Network segmentation builds zero trust into the network with policy-based access to contain and prevent the lateral movement of threats.
  • Automated threat containment: Don’t just block threats—remove them. Cisco ISE integrates with Cisco Security products and third-party ecosystem partners through pxGrid and pxGrid Cloud to gain contextual information from on-premise and cloud-native solutions.
  • Endpoint compliance: ISE continually verifies that device posture complies with your security policy so that risky, unpatched, and outdated devices cannot threaten the network. Cisco ISE increases organizational posture with a customizable approach to gaining continuous posture assessments for endpoints connecting to your managed infrastructure.
  • Secure access: Accelerates value by simplifying the provisioning of policies and devices. Cisco ISE enables self-registration, automates device configuration, and manages certificates and mobile policy compliance.

With ISE having so many capabilities, organizations have a plethora of design and configuration options that require a lot of expert knowledge. In most instances, Cisco and Partners highly recommend leveraging an expert to provide Planning, Design, and Implementation services.

Many organizations limit their initial deployment scope to accelerate Cisco ISE adoption, but that leads to a bigger question...

What happens after implementation?

As with many network and security solutions, organizations will be required to perform routine activities to maintain ISE, including:

  • Software Version Upgrades
  • Software Patch Installation
  • Certificate Renewals and Maintenance
  • Monitor and Assess the Health of the Solution
  • Troubleshoot Issues
  • Stay up-to-date on New Features and Capabilities

Most organizations will also need to address new networking and security requirements and use cases, for example:

  • New Device Types – When new IoT (Printers, Sensors, Cameras, etc.), Mobile Devices (Phones & Tablets), or Workstations have to connect, ISE administrators will typically have to create new policies, profiles, supplicant support, etc.
  • New Network Devices - Adding new Switches, Wireless Access Points, etc.
  • Add Guest types, add or modify BYOD policies
  • New Device Administration or TACACS+ Policies - Whether it's a new automation tool or an IT Admin group
  • New Partner Integrations - Integrating a new Firewall or SIEM via pxGrid, API, or Syslog

Building engineering and operations capabilities around Cisco ISE can be a struggle for many organizations. Most organizations look to train existing staff on ISE or hire the necessary expertise.

Train

With gaps in network and security skills, resources, and expertise, IT teams are stretched thin already, and security breaches, network performance issues, and delayed IT projects are commonplace. With the Cisco ISE Administrator Guide being 1,470 pages, asking anyone to learn, understand, and apply this knowledge is difficult. If you are a smaller organization, you might have a small team with shared responsibilities, and ISE might be 5% of their job responsibility. Far too often, the end result is, "I refuse to touch ISE!" or much worse, "that change we made just broke network access."

Hire

Tech moves at warp speed, and so do the skills it demands. Many organizations are struggling to find candidates with the specific skills and expertise they need, especially in solutions like Zero Trust, NAC, and Cisco ISE. A staggering 86% of CIOs surveyed by Gartner said they faced increasing competition for hiring top tech talent, with 71% also concerned about talent attrition. To make matters worse, individuals with existing Cisco ISE & NAC expertise are extremely rare, which equates to higher salary demands. Unless you are a fairly large organization, you probably do not need a full-time ISE expert on staff.

ModernCyber's ISE Expert as a Service

ISE Expert as a Service (ISEEaaS) is designed to augment and supplement your IT Team by providing on-demand access to experts to manage, maintain, and optimize Cisco ISE. This service helps organizations enhance their existing Cisco ISE deployment, ensuring an up-to-date deployment and configuration in accordance with Cisco & industry best practices.

Available as a 1- or 3-year subscription, ISEEaaS includes a full ISE Health Assessment, ISE Software Upgrade, Certificate Maintenance, Software Patch Installation, and a quarterly allocation of Consulting & Advisory hours.


CONSISTENT ONGOING OPTIMIZATION, MAINTENANCE, AND SUPPORT

Benefits

  • Optimize your Cisco ISE investment by keeping the solution up-to-date, adopting new use-cases, and enhancing the configuration by incorporating current industry best practices.
  • Maximize and extend the capabilities of your current IT Team with predictable costs by leveraging our ISE experts for solution escalations, complex use-cases, and integrations.
  • Leverage continuous white-glove engagements with Cisco ISE hyper-specialists to assist in the planning, design, and implementation of your ISE adoption journey.
  • Minimize risks of configuration changes and upgrades, and circumvent complex issues via our proven test plan methodology and solution view.
  • Work side-by-side with our technical advisors to assist with troubleshooting and provide customer advocacy with Cisco TAC.

Summary

ISEEaaS was created as a result of our implementation customers requesting assistance after initial deployment with operationalizing, maintaining & supporting Cisco ISE. With ISEEaaS, organizations can focus on supporting existing technologies and innovation, and leverage ISE Experts to provide:

Want to learn more about ISEEaaS?

Not sure how your Cisco ISE deployment is performing?

Schedule a FREE Cisco ISE Express Health Assessment with one of our experts!