Microsoft PKI & Cisco Identity Services: Why You Need Both to Keep Your Data Secure

Microsoft | Posted on May 8, 2014 by Tadd Axon

Target … DigiNotar … LinkedIn …

What do all of these high-profile data breaches have in common?

Authentication gone wrong.

Target and LinkedIn are still dealing with the aftermath of their data breaches. DigiNotar, a Dutch public certificate authority, lost the trust of every major browser vendor after an intruder gained control of its servers and used them to issue fraudulent certificates; it was declared bankrupt within weeks.

What happened to these businesses may sound like every IT professional's worst nightmare, but in today's era of bring-your-own-device and unsecured wireless networks, it is easy for your data to fall into the wrong hands.

In 2013, 77.3 million consumer records were exposed in data breaches, up from 4.6 million in 2012. Meanwhile, HIPAA data breaches have increased 138% since 2009.

According to Wade Baker, creator and principal analyst of the Verizon 2014 Data Breach Investigations Report, attackers hack targeted networks within days, while it takes much longer for victims to realize that they were breached. Baker states, “the bad guys are winning at a faster rate than the good guys are winning and we’ve got to solve that; we’ve got to do something different.”

The first thing you should do differently is change how you manage authentication. That means using two technologies in tandem: Microsoft public key infrastructure (PKI, delivered through Active Directory Certificate Services) to prove the identity of your users and devices, and Cisco Identity Services Engine (ISE) to enforce network access policy based on that identity. Together they better protect your network and keep your data secure.

Microsoft PKI: Provide Strong Proof of Identity

Microsoft PKI lets you issue strong proof of identity, in the form of digital certificates, to trusted devices and users. Combined with certificate-based network authentication (802.1X with EAP-TLS), this means that only enrolled and managed devices can join your network: a password alone is not enough. With PKI, you can also revoke a certificate when an employee leaves the company or loses a device, without necessarily forcing password changes. Revocation only helps if the systems that accept the certificate actually check for it, so publish your CRL, or run an OCSP responder, somewhere your network devices can reach.

PKI does have its limitations. According to Daniel Petri, “A PKI usually does not (and probably should not) handle authorization. Authorization services should be provided by a PMI (Privilege Management Infrastructure).” He also states that “A PKI does not automatically make a system secure.” Factors such as human error and malicious code may put you in danger even if you use a PKI.

Since the CA runs on a commercial operating system (Windows Server), it must be patched and maintained like any other server, and it deserves stricter hardening than most: whoever controls the CA can issue a certificate for anyone, which is exactly what happened at DigiNotar. Keep the root CA offline, and monitor every certificate as it is issued and revoked so that you can spot unexpected issuance, keep your data secure, and remain in compliance with your industry regulations and organizational practices.

Cisco Identity Services Engine: Strengthen Your Network Authentication

Cisco Identity Services Engine (ISE) strengthens network authentication by giving you a single policy control point for access to all of your wired, wireless and VPN networks. ISE acts as the RADIUS server behind 802.1X: when it is configured for certificate-based authentication (EAP-TLS), every device that connects to a sensitive network must present a valid proof-of-identity certificate before the switch or wireless controller lets it through, and ISE then decides which VLAN or access list that device receives. This is beneficial in a regulated environment, where you must limit your liability and be able to prove who or what connected to your network.

However, ISE does not create the strong proof of identity itself; that is the job of the PKI, which is why you need to run the two together.

Microsoft PKI and Cisco ISE: Why Two is Better Than One in the Fight Against Hackers

When you use PKI and ISE in tandem, every device and user that accesses your network must be known, trusted and able to present proof of identity, and the identity in the certificate becomes the basis for the access each one is granted.

ISE provides an administrative portal that makes it easier to manage the certificates used for network authentication; for example, it warns you when certificates are about to expire, so a forgotten renewal does not knock a whole class of devices off the network. Meanwhile, the PKI-issued certificates also secure communication between your endpoints and the management server, and between the Cisco ISE nodes themselves.

The Data Breach Investigations Report found that a number of high-profile breaches occurred because organizations failed to segment their networks. The Target breach is the standard example: attackers acquired remote-access credentials belonging to an HVAC contractor, used them to move laterally into the network containing Target's point-of-sale terminals, and infected those terminals with malicious code. That is a basic segmentation flaw: the contractor had no business reaching the POS network, and therefore the sensitive data on it. With ISE enforcing access policy on PKI-issued identities, Target could have tied each connection to a known device and certificate and confined vendor devices to the segment they actually needed; stolen credentials alone would then not have been enough to reach the POS network, which would have made the intrusion a lot harder.
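The decision logic the last three sections describe (a certificate from the enterprise PKI proves who the device is; the policy engine decides which network segment that identity may join, and denies anything it cannot prove or that has been revoked) can be shown end to end with the Go standard library. This is an added example written for this article, not code from Softchoice, Microsoft or Cisco. The CA names, endpoint names, OU values, segment names and the in-memory map of revoked serial numbers are all constructed stand-ins for AD CS certificate templates, ISE authorization rules and a CRL or OCSP responder; in a real deployment the decision is made by ISE over RADIUS and EAP-TLS, not by application code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Segment is what the policy engine would return in a RADIUS Access-Accept: a VLAN, dACL or SGT.
type Segment string

// Deny is the default; VendorVLAN is assumed to have no route to payment systems.
const Deny, VendorVLAN, POSVLAN, CorpVLAN Segment = "deny", "vendor-vlan", "pos-vlan", "corp-vlan"

// Authorization policy, certificate OU -> segment. The OU values are hypothetical AD CS template names.
var ouToSegment = map[string]Segment{"POS-Terminals": POSVLAN, "Corporate-Workstations": CorpVLAN, "Vendor-Devices": VendorVLAN}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func name(cn, ou string) pkix.Name {
	return pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}}
}

// mint generates a key pair and issues a certificate for subject: a self-signed root when ca is nil (the AD CS
// root in real life), otherwise a client-auth leaf signed by the CA. A negative validFor yields an expired leaf.
func mint(subject pkix.Name, ca *x509.Certificate, caKey *ecdsa.PrivateKey, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tpl := &x509.Certificate{Subject: subject, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor)}
	tpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random serials, as a CA's should be
	must(err)
	if ca == nil { // self-signed root
		tpl.IsCA, tpl.BasicConstraintsValid = true, true
		tpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		ca, caKey = tpl, key
	} else { // endpoint leaf; the endpoint keeps key, this demo does not need it
		tpl.KeyUsage = x509.KeyUsageDigitalSignature
		tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Authorize is the access decision in the two halves the article describes: the PKI half (chain to a trusted
// root, validity period, client-auth EKU, revocation) proves identity; the policy half picks the segment.
func Authorize(roots *x509.CertPool, revoked map[string]bool, leaf *x509.Certificate) (Segment, string) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return Deny, "identity not proven: " + err.Error()
	}
	if revoked[leaf.SerialNumber.String()] { // a CRL or OCSP lookup in a real deployment
		return Deny, "certificate revoked"
	}
	for _, ou := range leaf.Subject.OrganizationalUnit {
		if seg, ok := ouToSegment[ou]; ok {
			return seg, "authorized by OU " + ou
		}
	}
	return Deny, "valid certificate, but no authorization rule matches"
}

// Scenario builds a trusted CA, a rogue CA and constructed endpoints, and returns the decision for each.
func Scenario() map[string]Segment {
	year := 365 * 24 * time.Hour
	ca, caKey := mint(pkix.Name{CommonName: "Contoso Issuing CA"}, nil, nil, 10*year)
	rogue, rogueKey := mint(pkix.Name{CommonName: "Rogue CA"}, nil, nil, 10*year) // never added to the trust store
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pos, _ := mint(name("pos-0042", "POS-Terminals"), ca, caKey, year)
	hvac, _ := mint(name("hvac-laptop-7", "Vendor-Devices"), ca, caKey, year)
	stale, _ := mint(name("wks-old", "Corporate-Workstations"), ca, caKey, -30*time.Minute)
	forged, _ := mint(name("pos-0042", "POS-Terminals"), rogue, rogueKey, year) // right name, wrong CA
	revoked, out := map[string]bool{}, map[string]Segment{}
	out["pos"], _ = Authorize(roots, revoked, pos)
	out["hvac"], _ = Authorize(roots, revoked, hvac)
	revoked[hvac.SerialNumber.String()] = true // contractor's laptop reported lost
	out["hvac-after-revoke"], _ = Authorize(roots, revoked, hvac)
	out["expired"], _ = Authorize(roots, revoked, stale)
	out["forged"], _ = Authorize(roots, revoked, forged)
	return out
}

func main() {
	for endpoint, seg := range Scenario() {
		fmt.Printf("%-18s -> %s\n", endpoint, seg)
	}
}
```

The forged case is the DigiNotar lesson in miniature: a certificate carrying exactly the right name still fails because it chains to a CA the network never trusted. The revoked case is the lost-laptop scenario from the PKI section, and it only works because Authorize consults the revocation data on every decision; a policy engine that validates the chain but never checks the CRL would keep admitting that device. The vendor device lands on a segment with no route to the POS network, which is the segmentation control the Target example calls for.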

Next Steps

Contact your Softchoice Account Manager to learn how to use both Microsoft PKI and Cisco ISE to build an integrated authentication system that helps you pass audits and avoid data leakage.
