Access and Policy License Double Click

Transcription

1 Access and Policy License Double Click Matt Schmitz April 2015

2 Agenda License Refresher Positioning Old vs New Renewals Wrap-up Cisco Con!dential 2

3 Cisco Identity Services Engine (ISE) Delivering Visibility, Context, and Control to Secure Network Access NETWORK / USER CONTEXT PARTNER CONTENT DATA Who What THE CENTERPIECE FOR CONSISTENT SECURITY ACROSS WIRED, WIRELESS & VPN Cisco Con!dential 3

4 Why ISE Is Important Policy + Infrastructure + Security di#erentiation (!ght point product sales) Professional services attach (retire quota) Widen conversation with your customer s organization (BYOD -> new enterprise apps -> lines of business) Eco-system integration allows partners to sell portfolio Bolster cross selling opportunities (AC -> ASA, AMP, CWS, etc)

5 Quick Refresher Why New License Structure Line up licenses tiers with di#erent enterprise use cases (e.g. pro!ling + BYOD vs forcing customer to buy all Advanced) Right size customer expenditure based on what they need Ensure consistent selling motion with AC (same as all the other headends) Break out 3 rd Party MDM/EMM integration (Meraki alignment)

6 1.3 License Changes Use Case Focused What s Changing with ISE 1.2 Licensing? * ISE Base/Plus/Apex under ATP * AnyConnect Apex not under ATP O L D Base (Perpetual Lic.)! AAA! 802.1X! Guest Plus (Term Lic.)! BYOD! Pro!ling & Feed Service! TrustSec SGT! Endpoint Protection Svcs! BYOD! Pro!ling! Feed Service! TrustSec SGT Advanced (Term Lic.)! Endpoint Protection Svcs.! MDM 3 rd Party! Endpoint Compliance & Remediation N E W Base (Perpetual Lic.)! AAA! 802.1X! Enhanced Guest! TrustSec! Multiple APIs Plus (Term Lic.)! BYOD! Internal CA! Pro!ling & Feed Service! EPS! pxgrid Apex (Term Lic.) NEW!! MDM 3 rd Party Integration! Endpoint Compliance & Remediation NEW! AC Apex (Term Lic.)! Uni!ed Posture Agent! All APEX VPN Services! Base License Remains The Same In ISE 1.3! Plus License Remains The Same In ISE 1.3! Advanced decomposed into Plus and Apex and then Apex into Headend (ISE Apex) and Endpoint (AC Apex) Cisco Con!dential 6

7 Selling Motion Old Subset ADVANCED New Subset APEX AC APEX Compliance Veri!cation of user-based compute platforms Everywhere PLUS Context Visibility and sharing throughout network Everywhere BASE Everywhere BASE Access Core AAA services throughout the network Cisco Con!dential 7

8 What does a la carte mean - Enables Flexible Combinations Grey Box = Deployment AC APEX APEX APEX APEX BASE BASE PLUS APEX Licenses > BASE licenses Not Allowed BASE APEX AC APEX PLUS BASE PLUS PLUS PLUS Licenses > BASE licenses Not Allowed BASE BASE BASE Licenses Any Other Licenses Cisco Con!dential 8

9 Examples - I Want Basic Access + Guest BASE Cisco Con!dential 9

10 Examples I Want BYOD + Pro!ling PLUS BASE Cisco Con!dential 10

11 Examples I Want 3 rd Party MDM Integration APEX BASE Cisco Con!dential 11

12 Examples I Want Endpoint Compliance (Posture) APEX AC APEX BASE Cisco Con!dential 12

13 Examples I Want It All (Guest, Pro!ling, 3 rd Party MDM/ EMM, Posture, Advanced VPN) APEX AC APEX PLUS BASE Cisco Con!dential 13

14 Wireless -> Mobility ISE 1.2 WIRELESS (Term) All ISE Services >Wireless Devices ONLY WIRELESS UPGRADE (Term) Add Wired Services Mobility Adds VPN Access - AC Apex Ordered Separately ISE 1.3 MOBILITY-BASE MOBILITY* (Term) (Term) Basic All ISE RADIUS services (same AAA as existing Guest Wireless Services Lic) Only for Wireless & Remote Access (No Device Registered via Guest Portal Wired Services) >Wireless & Remote Access Devices Option to add AC Apex NEW! MOBILITY UPGRADE** (Term) Add Wired Services NEW! * Mobility Cisco Not and/or Under its a"liates. All ATP rights reserved. AC APEX ** Mobility Upgrade Cisco Under Con!dential ATP 14

15 Agenda License Refresher Positioning Old vs New Renewals Wrap-up Cisco Con!dential 15

16 Base (Perpetual) Positioning Core Features AAA/ RADIUS Guest Services TrustSec/ SGT Use Case X - MAC Authentication Bypass - Centralized Web Auth - Sponsor controlled guest access - Self-serve guest access Value - Secure, credential/certi!cate enterprise access to separate friend from foe - Simple device ID-based access as alternative to 802.1X - Portals driven interaction allows IT to di#erentiate users - Employee empowered to host guests - Secure visitor access without burdening IT - Software De!ned Segmentation - Simpli!es!rewall rule, ACL, VLAN management without costly re-architecture Aruba - Has Guest/AAA/RADIUS o#er but much more expensive than BASE Forescout - Does not have Guest only o#er - No TrustSec/Segmentation - No TrustSec/Segmentation, Non-scalable control architecture -> troubleshooting issues

17 Plus (5/3/1 YR Term) Positioning Core Features Pro!ling BYOD Use Case - Active and Passive Probes - Feed Service - Easy User Onboarding with Self- Service Device Portal - Built in CA for System Operations, Portals and Device Registration Value - Combination of endpoint scanning services delivers robust identi!cation - New, vetted devices means faster onboarding and lower number of unknowns - Simplifying BYOD removes burden from IT - Avoids added CA expense and operational complexity within IT domains pxgrid - Context-focused eco-system - Make disparate IT solutions smarter Aruba - No standards-based eco-system, API scale issues - Limited probes, no automatic feed service, OnBoard + Guest cost more than Base + Plus Forescout - No standards-based eco-system, API scale issues, pay for integrations - No feed service, limited BYOD capabilities (e.g. no CA)

18 Apex (5/3/1 YR Term) Positioning Core Features Posture MDM Integration Use Case - Endpoint compliance checks across wired, wireless and VPN - Endpoint remediation - Leverage Meraki / 3 rd Party MDM context to enable mobile access Value - Prevent/limit network access for noncompliant devices across entire enterprise lowers security risks ( before action) - Allow users to bring endpoints into compliance without increasing IT workload - Ensure mobile devices get proper level of access for services they need and maximize user productivity Aruba Forescout - No integrated VPN agent - No integrated VPN agent - Clientless story only applies to Windows and requires common admin credentials - No optional security services (CWS, AMP) - No optional security services (CWS, AMP)

19 Agenda License Refresher Positioning Old vs New Renewals Wrap-up Cisco Con!dential 19

20 Per-endpoint pricing by license SKU (slight premium for AnyConnet as posture agent) $160,00 $140,00 $120,00 $100,00 $80,00 Base Lic Base+Plus Lic Base+Plus+ISE APEX+AC APEX Base+Adv Lic $60,00 Base+Adv+AC Premium $40,00 $20,00 $0, Cisco Con!dential 20

21 Advanced vs A La Carte Posture Only Example " Old License Model - 100K Base + 50K Adv (3 yr) - $87,500 + $1,242,000 = $1,329,500 vs " New License Model - 100K Base + 50K Apex (3 yr) + 50K AC Apex (3 yr) - $87,500 + $745,300+ $195,600 = $1,028,400 Moving to a la carte allows customers to right size consumption This saves customer money even with cost of ISE Apex and AC Apex Cisco Con!dential 21

22 Advanced vs A La Carte Posture + Pro!ling Example " Old License Model - 100K Base + 50K Adv (3 yr) - $87,500 + $1,242,000 = $1,329,500 vs " New License Model - 100K Base + 50K Plus (3 yr) + 50K Apex (3 yr) + 50K AC Apex (3 yr) - $87,500 + $497,000 + $745,300+ $195,600 = $1,525,400 Premium of ~ $200K but now services on spread across 100K vs just 50K So 14.7% cost increase for 100% increase in service expansion Cisco Con!dential 22

23 Agenda License Refresher Positioning Old vs New Renewals Wrap-up Cisco Con!dential 23

24 Renew Options for 1.1 and 1.2 Count A / Term X Term Expires #1 - Same Count A / Term X Renew Option # 2 More Count B / Term X ADVANCED or WIRELESS ADVANCED or WIRELESS # 3 Less Count C / Term X ADVANCED or ADVANCED or WIRELESS #4 - Length Count A / Term Y ADVANCED or WIRELESS WIRELESS #5 No Renew (Adv Only) Cisco Con!dential 24

25 Renew Options for Count A / Term X ADVANCED and/or PLUS Term Expires # 6 Mix Count D / Term X ADVANCED and Count E / Term X PLUS Renew Option #1-5 Same as Before # 7 Downgrade Count A / Term X PLUS # 8 Add (to Base) Count F / Term X PLUS WIRELESS #1-5 Same as Before Cisco Con!dential 25

26 Renew Options for 1.3 Count A / Term X APEX and/or AC APEX and/or PLUS Term Expires # 9 Alter Count D / Term X APEX and Count A / Term X PLUS Renew Option #1-8 Same as Before # 10 Phase Count A / Term X PLUS and Count A / Term X-2 APEX MOBILITY #1-5 Same as Before Cisco Con!dential 26

27 Upgrade to 1.3 What Happens -> Auto Convert ISE 1.2 Count A / Perpetual Count B / Term C Count B / Term C BASE PLUS ADVANCED APEX ISE 1.3 Count A / Perpetual BASE Count B / Term C PLUS Count B / Term C PLUS + Count B / Term C* APEX *Hang On AC Apex/ Cisco Con!dential 27 Posture in Next Slide

28 Existing ISE Adv Customer - Motion Grandfathered under old model - Get as many AC Apex as needed for remainder of Adv term - At renewal, decide how much Plus, Apex and AC Apex is needed - Wireless -> Mobility Exact same motion ($0 PO for AC Apex) - DSA Field Deals Desk / BU!nance will rubberstamp transaction ISE 1.2 (or lower) Upgrade to 1.3 Renewal APEX *AC Apex Licenses at $0 are only available to ISE Advanced customers who bought prior to Q3 FY 2015 AC APEX* ADVANCED NAC Agent BASE + AC APEX* $0 PO for as many users as required Base/Plus/Apex Licensed on ISE while AnyConnect Apex is just Right-To-Use PLUS BASE Cisco Con!dential 28

29 Agenda License Refresher Positioning Old vs New Renewals Wrap-up Cisco Con!dential 29

30 Cisco ISE is Core to Cisco Security Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall VPN NGIPS Advanced Malware Protection NGFW UTM Web + Security Network Behavior Analysis NAC + Identity Services pxgrid + ISE Ecosystem ISE Provides Visibility, Context, and Control Across the Entire Continuum

31 Where to sell Question Yes No 1 Has your customer recently suffered a security breach? What about their industry peers? 2 3 Does your customer s workforce using a range of mobile devices? Are exploring how mobile will impact their business? Does your customer have different types of users (employees, contractors, partners, etc) accessing the network? 4 Do they have frequent guests that need Internet access or other services? 5 6 Are they expanding, merging, moving into a new building, or consolidating sites and want to evolve how IT delivers services? Are they in an industry where regulations or legislation has a direct impact on information security or operational risk and segmenting information is becoming a pressing concern? 7 Is enforcing business policies an operational nightmare due to complex IP based firewall rules 8 Are they an organization that has many different devices accessing the network? 9 Are they struggling with disparate security systems that lack contextual intelligence? 10 Do they have users that access the network via wired, wireless and VPN?

32 Questions?

33

34 Simplifying Guest Access for the Enterprise Corporate Branding and Themes Desktop & Mobile Ready! Create Accounts Streamlined Guest Creation Print SMS Mobile Guest Sponsorship Your credentials username: trex42 password: littlearms Guest Access Noti!cation via SMS Design Easily in Minutes, Deploy Securely in Just Hours Cisco Con!dential 34

35 Cisco TrustSec Software-De!ned Segmentation Control Access to Resources Based on Business Policies access-list 102 permit icmp lt 2361 X.Y.Z eq 116 access-list 102 deny udp eq 1112 X.Y.Z eq 959 access-list 102 deny tcp eq 2587 X.Y.Z lt 4993 access-list 102 deny tcp eq 970 X.Y.Z lt 848 access-list 102 deny ip eq 1493 X.Y.Z gt 4878 access-list 102 permit icmp lt 4962 X.Y.Z eq 1216 access-list 102 deny icmp gt 26 X.Y.Z gt 1111 access-list 102 deny ip eq 3914 X.Y.Z eq 4175 access-list 102 permit tcp lt 3146 X.Y.Z gt 1462 access-list 102 permit tcp gt 1843 X.Y.Z lt 4384 access-list 102 permit icmp eq 946 X.Y.Z eq 878 access-list 102 permit ip gt 3972 X.Y.Z eq 467 Traditional Security Policy Simpli!es Firewall Rule, ACL, VLAN Management Prevents Lateral Movement of Potential Threats Eliminates Costly Network Re-architecture Switch Router VPN & Firewall DC Switch Wireless Controller TrustSec Security Policy Segmentation Policy Enforced Across the Extended Network Cisco Con!dential 35

36 Dynamic Control with Rich Contextual Pro!ling Simple Identity Simply Isn t Helpful Enough Anymore POOR context awareness # Simple Identity - Who are you? # IP Address RESULT: Any user, Any device, Anywhere gets on the network EXTENSIVE context awareness # RICHER Identity Who? # Bob What? # ios Tablet Where? # Building 200, 1 st Floor When? # 11:00 AM EST on April 10 th RESULT: The Right user, on right device, from the right place is granted the RIGHT ACCESS

37 Streamlining BYOD and Enterprise Mobility Reducing the Complexity of Managing BYOD and Device Onboarding Improved Device Recognition Integrated Native Certi!cate Authority for Devices Desktop & Mobile Ready! Customizable Branded Experiences Easy User Onboarding with Self-Service Device Portals Comprehensive Device Security with Posture and EMM Cisco Con!dential 37

38 Streamline Security Operations with ISE Ecosystem Connect Disparate Solutions and Reduce Threat Response Time Faster Remediation of Threats with SIEM / TD Extension of Access Policy & Compliance with MDM Context-driven OT Policy and Segmentation for IoT Endpoint Vulnerability Remediation Simpli!ed Network Troubleshooting and Forensics SSO Secure Access to Sensitive Data on Mobile Devices Cisco Con!dential 38

39 Uni!ed Agent Common agent across wired, wireless & VPN Supports device posture & authorization across multiple access methods Simpli!es management with only one agent Prevents non-compliant devices from accessing the network Cisco Con!dential 39

40 Enterprise Mobility Management Integrations Enforce True Device Compliance for All Mobile Devices Sees unregistered devices on the network? Forces EMM Policy Compliance? Keeps noncompliant devices o# network? Sees ALL devices on the network Requires devices to comply with EMM policy Provides guest access to non-emm devices EMM Secures Actual Device SOLUTION ISE + EMM Together Cisco ISE Secures Network Access Cisco Con!dential 40