Cisco Identity Services Engine 1.3 White Paper
White Paper:
Cisco Systems and the Migration from NAC to EVAS
6
© 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.
documents from her PC connected to the corporate LAN but deny access when she tries to access the same
content using her iPad on a public network.
Integration. Large organizations want integrated intelligence, policy management, and context and control
to improve risk management, incident detection/responses, and security automation. EVAS is architected
for these imperatives because it is designed for continuous monitoring, endpoint profiling, data capture,
and interoperability with SIEM, firewall/VPN, identity management, vulnerability scanning, trouble
ticketing, IT-GRC, MDM, web security gateways, etc.
Table 2. NAC Versus EVAS

Endpoint profiling
  NAC: Basic inspection of configuration and presence of endpoint security software. PC-only support. No data collection.
  EVAS: Advanced inspection of endpoint software and hardware configuration. Support for PCs, mobile devices, IoT, etc. Extensive data collection and processing.

Policy enforcement
  NAC: Grant or deny network access based upon PC configuration and security status. Access policies for information security only.
  EVAS: Granular access controls for network access based upon device, user, network location, time of day, data sensitivity, etc. Access policies for business, security, compliance, etc.

Integration
  NAC: Some integration between NAC and networking devices like Ethernet switches and wireless access points (APs).
  EVAS: Extensive integration with SIEM, vulnerability scanning, MDM, advanced malware detection/prevention technologies, IoT/operations technology, etc.

Source: Enterprise Strategy Group, 2014.
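The policy-enforcement row above is the crux of the NAC/EVAS distinction: NAC decides on PC posture alone, while EVAS evaluates device type, user, network location, time of day and data sensitivity together. The following is an added illustration written for this page, not code from Cisco ISE or from ESG; it models both decision styles over the same constructed request contexts, including the earlier scenario of one user reading the same documents from a PC on the corporate LAN and from an iPad on a public network. The rule names, attribute names and the sample contexts are assumptions made for the example.

```python
"""Context-aware access decisions: a NAC-style posture check beside an
EVAS-style attribute policy (illustrative example, not a vendor API)."""
from dataclasses import dataclass, field
from datetime import time


@dataclass
class AccessContext:
    """Attributes an EVAS-style engine gathers from profiling, identity and posture sources."""
    user: str
    device_type: str             # assumed values: "pc", "ipad", "iot-sensor"
    network: str                 # assumed values: "corporate-lan", "corporate-wifi", "public"
    security_agent_present: bool
    local_time: time
    data_sensitivity: str        # assumed values: "public", "internal", "confidential"


def nac_decision(ctx: AccessContext) -> str:
    """NAC as Table 2 describes it: PC-only, grant or deny on security posture alone."""
    if ctx.device_type != "pc":
        return "deny"            # non-PC endpoints are simply unsupported
    return "allow" if ctx.security_agent_present else "deny"


@dataclass
class Rule:
    name: str
    effect: str                  # "allow", "deny" or "limited" (e.g. a restricted segment)
    conditions: dict = field(default_factory=dict)

    def matches(self, ctx: AccessContext) -> bool:
        # Every condition must hold. A condition is either a set of accepted
        # values or a predicate applied to the attribute's value.
        for attr, expected in self.conditions.items():
            value = getattr(ctx, attr)
            ok = expected(value) if callable(expected) else value in expected
            if not ok:
                return False
        return True


def in_business_hours(t: time) -> bool:
    return time(7, 0) <= t <= time(19, 0)


# Ordered EVAS-style rule set (assumed for the example): first match wins,
# anything unmatched is denied. Note that the posture check NAC performs is
# just the first rule; the rest add device, location, time and data context.
EVAS_POLICY = [
    Rule("pc-without-agent", "deny",
         {"device_type": {"pc"}, "security_agent_present": {False}}),
    Rule("confidential-off-corporate-network", "deny",
         {"data_sensitivity": {"confidential"}, "network": {"public"}}),
    Rule("confidential-after-hours", "deny",
         {"data_sensitivity": {"confidential"},
          "local_time": lambda t: not in_business_hours(t)}),
    Rule("iot-segmented", "limited", {"device_type": {"iot-sensor"}}),
    Rule("trusted-network", "allow",
         {"network": {"corporate-lan", "corporate-wifi"}}),
    Rule("public-data-anywhere", "allow", {"data_sensitivity": {"public"}}),
]


def evas_decision(ctx: AccessContext, policy=EVAS_POLICY):
    """Return (effect, rule name) for the first matching rule, else a default deny."""
    for rule in policy:
        if rule.matches(ctx):
            return rule.effect, rule.name
    return "deny", "default-deny"


# Constructed sample contexts for one user, "alice" (not real data).
PC_ON_LAN = AccessContext("alice", "pc", "corporate-lan", True, time(10, 0), "confidential")
IPAD_ON_PUBLIC = AccessContext("alice", "ipad", "public", False, time(10, 0), "confidential")
IPAD_ON_CORP_WIFI = AccessContext("alice", "ipad", "corporate-wifi", False, time(10, 0), "internal")
PC_ON_LAN_AT_NIGHT = AccessContext("alice", "pc", "corporate-lan", True, time(23, 0), "confidential")
SENSOR_ON_LAN = AccessContext("hvac-1", "iot-sensor", "corporate-lan", False, time(10, 0), "internal")


if __name__ == "__main__":
    for ctx in (PC_ON_LAN, IPAD_ON_PUBLIC, IPAD_ON_CORP_WIFI, PC_ON_LAN_AT_NIGHT, SENSOR_ON_LAN):
        print(f"{ctx.user:7} {ctx.device_type:10} {ctx.network:15} "
              f"NAC={nac_decision(ctx):5} EVAS={evas_decision(ctx)}")
```

The two decisions agree on the paper's own scenario (PC on the LAN allowed, iPad on a public network denied), but diverge where NAC has no context: an iPad on corporate Wi-Fi is unsupported by NAC yet allowed by the EVAS rules, a fully patched PC reading confidential data at 23:00 passes NAC but trips the after-hours rule, and an IoT sensor lands in a restricted segment rather than a plain deny.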
By offering this functionality, EVAS acts as a logical evolution, represents what NAC was meant to be, and plays a
vital role in a number of business, information security, and IT functions. For example, continuous monitoring can
be used for risk management and mitigation by the security and IT operations team. Endpoint profiling can help
security, operations, and help desk personnel identify risky devices, restrict access to unauthorized resources, and
prioritize remediation activities. Finally, business, IT, and security managers can work collectively to create security
policies that enable new mobile computing-based business processes without adding undue IT risk (see Figure 2).