Microsoft PKI & Cisco Identity Services: Why You Need Both to Keep Your Data Secure

Microsoft | Posted on May 8, 2014 by Tadd Axon

Target … DigiNotar … LinkedIn …

What do all of these high-profile data breaches have in common?

Authentication gone wrong.

Target and LinkedIn are still dealing with the aftermath of their data breaches. The Dutch public CA DigiNotar ceased operations immediately after an intruder gained control of its servers and used them to issue fraudulent certificates, and it filed for bankruptcy a few months later.

What happened to these businesses may sound like every IT professional's worst nightmare, but in today's era of bring-your-own-device and unsecured wireless networks, it is easy for your data to fall into the wrong hands.

In 2013, 77.3 million consumer records were exposed in data breaches, up from 4.6 million in 2012. Meanwhile, HIPAA data breaches have increased 138% since 2009.

According to Wade Baker, creator and principal analyst of the Verizon 2014 Data Breach Investigations Report, attackers typically compromise a targeted network within days, while victims often take weeks or months to discover the breach. Baker states, "the bad guys are winning at a faster rate than the good guys are winning and we've got to solve that; we've got to do something different."

The first thing you should do differently is change how you manage your authentication. This means using two authentication technologies in tandem – Microsoft public key infrastructure (PKI) and Cisco Identity Services Engine (ISE) – to better protect your network and keep your data secure.

Microsoft PKI: Provide Strong Proof of Identity

Microsoft PKI (Active Directory Certificate Services) lets you issue strong proof of identity, in the form of digital certificates, to trusted devices and users. When your network access layer requires a certificate chaining to your CA before it admits a device (for example, 802.1X with EAP-TLS), only enrolled and managed devices can join the network; a certificate on its own gates nothing until something checks it. With PKI you can also revoke a certificate when an employee leaves the company or loses a device, without necessarily forcing password changes. Revocation only takes effect where the authenticating system actually consults the CA's CRL or OCSP responder, so publish those and confirm they are reachable from the enforcement point.

PKI does have its limitations. According to Daniel Petri, “A PKI usually does not (and probably should not) handle authorization. Authorization services should be provided by a PMI (Privilege Management Infrastructure).” He also states that “A PKI does not automatically make a system secure.” Factors such as human error and malicious code may put you in danger even if you use a PKI.

Since the CA servers run on a general-purpose operating system (Windows Server, in the Microsoft case), they must be patched and maintained like any other server, and the CA's private key deserves stronger protection than the rest of the host, ideally a hardware security module, because a compromised CA is exactly what ended DigiNotar. You also need to monitor certificate issuance and revocation so that you can show at any time who holds a valid certificate, both for your industry regulations and for your own organizational practices.

Cisco Identity Services Engine: Strengthen Your Network Authentication

Cisco Identity Services Engine (ISE) provides strong network authentication by giving you a single policy control point for access to all of your networks. When ISE performs the authentication, every device that connects to a sensitive network must present a certificate proving its identity before it is admitted. This matters in a regulated environment where you must limit your liability and prove who or what connected to your network.

However, ISE doesn’t create the strong proof of identity – which is why you need to run it in conjunction with PKI.

Microsoft PKI and Cisco ISE: Why Two is Better Than One in the Fight Against Hackers

When you use PKI and ISE in tandem, every device and user that accesses your network must be known, trusted, and able to prove its identity before it gets in.

ISE provides an administrative portal that makes it easier to manage the certificates used for network authentication; for example, it warns you when certificates are about to expire. Meanwhile, the PKI-issued certificates secure communication between your endpoints and the management server, and between the Cisco ISE nodes themselves.

The Data Breach Investigations Report found that a number of high-profile breaches occurred because organizations failed to segment their networks. Target's breach is the textbook case: the attackers acquired remote access credentials belonging to an HVAC contractor and used them to move laterally into the network containing Target's point-of-sale terminals, which they then infected with malicious code. That is a basic segmentation flaw; the contractor should never have been able to reach the networks containing POS systems and, therefore, sensitive data. Had Target used ISE in conjunction with PKI, a vendor session would have been tied to a certificate issued to a known device with a vendor role, and the policy point could have confined that identity to the segments the contractor actually needed; a stolen username and password alone would not have opened a path to the POS network.
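To make the pairing concrete, here is an added example written for this article, not code from Microsoft, Cisco, or the original post. It models in Go's standard library the decision a certificate-based policy point makes when a device connects: the certificate must chain to the enterprise CA, be inside its validity period, be absent from the CA's signed CRL, and carry a role that maps to a network segment. It covers the PKI section above (issuance and revocation, and why revocation depends on the CRL actually being fetched and verified) and the segmentation point in the Target discussion. The CA name, device names, the "POS-Terminals" and "HVAC-Vendor" roles carried in the certificate OU, and the segment names are all assumptions; real ISE receives the certificate over EAP-TLS and fetches the CRL from the distribution point URL in the certificate (or queries OCSP), whereas here Revoke hands the freshly signed CRL straight to the policy point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Segment string // the network a device is placed in once the policy point has decided

const SegmentDeny, SegmentVendor, SegmentPOS Segment = "deny", "vendor-vlan", "pos-vlan"

// roleSegment maps the (hypothetical) role in a device certificate's OU to a segment; no role places a vendor in POS.
var roleSegment = map[string]Segment{"POS-Terminals": SegmentPOS, "HVAC-Vendor": SegmentVendor}

// Enterprise is a hypothetical model of the two roles the article pairs: an internal CA (the Microsoft
// PKI role) and a policy point that authenticates by certificate and segments (the Cisco ISE role).
type Enterprise struct {
	caKey   *ecdsa.PrivateKey
	caCert  *x509.Certificate
	entries []pkix.RevokedCertificate // everything the CA has ever put on its CRL
	revoked map[string]bool           // serials the policy point loaded from the signed CRL
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewEnterprise creates a self-signed issuing CA; it becomes the only root the policy point trusts.
func NewEnterprise(name string) *Enterprise {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour)}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	return &Enterprise{caKey: key, caCert: caCert, revoked: map[string]bool{}}
}

// Enroll issues a client-authentication certificate to a managed device; the OU records its role.
func (e *Enterprise) Enroll(cn, role string, lifetime time.Duration) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))), // random serial
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{role}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, e.caCert, &key.PublicKey, e.caKey))))
}

// Revoke puts the certificate on the CA's CRL, signs the CRL, and has the policy point verify that
// signature before reloading its revoked set. A CRL that nobody fetches revokes nothing.
func (e *Enterprise) Revoke(cert *x509.Certificate) error {
	e.entries = append(e.entries, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
	tmpl := &x509.RevocationList{Number: big.NewInt(int64(len(e.entries))), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: e.entries}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, e.caCert, e.caKey))))
	if err := crl.CheckSignatureFrom(e.caCert); err != nil {
		return err // never load a CRL that our CA did not sign
	}
	e.revoked = map[string]bool{}
	for _, r := range crl.RevokedCertificates {
		e.revoked[r.SerialNumber.String()] = true
	}
	return nil
}

// Authorize is the decision at the network edge when a device presents a certificate: it must chain
// to our CA, be inside its validity period at now, be unrevoked, and carry a role we map to a segment.
func (e *Enterprise) Authorize(cert *x509.Certificate, now time.Time) (Segment, error) {
	roots := x509.NewCertPool()
	roots.AddCert(e.caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return SegmentDeny, fmt.Errorf("certificate rejected: %w", err) // other CA, expired, or wrong EKU
	}
	if e.revoked[cert.SerialNumber.String()] {
		return SegmentDeny, fmt.Errorf("certificate revoked")
	}
	if ou := cert.Subject.OrganizationalUnit; len(ou) == 1 && roleSegment[ou[0]] != "" {
		return roleSegment[ou[0]], nil
	}
	return SegmentDeny, fmt.Errorf("certificate carries no known role")
}

func main() {
	corp := NewEnterprise("Example Corp Issuing CA")
	hvac := corp.Enroll("hvac-gateway-3", "HVAC-Vendor", 30*24*time.Hour)
	fmt.Println(corp.Authorize(hvac, time.Now())) // vendor-vlan <nil>
	fmt.Println("revoke:", corp.Revoke(hvac))    // revoke: <nil> (the contractor relationship has ended)
	fmt.Println(corp.Authorize(hvac, time.Now())) // deny certificate revoked
}
```

Run it with `go run` (Go 1.19 or later, for x509.ParseRevocationList). The point to take from it: the contractor's device in this model never holds anything a password thief could reuse, because admission needs the private key behind a certificate that chains to the enterprise CA, and even a valid vendor certificate is confined to the vendor segment by the role it carries. A certificate from any other CA, however convincing its subject, fails the chain check; an expired one fails the validity check; and a revoked one is refused only from the moment the policy point has loaded the signed CRL.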

Next Steps

Contact your Softchoice Account Manager to learn how to use both Microsoft PKI and Cisco ISE to build an integrated authentication system that helps you pass audits and avoid data leakage.
