At a glance
Cisco public

Cisco TrustSec Software-Defined Segmentation
Policy-based approach to simplifying security and reducing risk

Network segmentation is essential for protecting critical business assets. But traditional segmentation approaches are operationally complex. You need to scale the network and still restrict access to critical applications in the data center while improving situational awareness on the network. As the number of roles and endpoints increases within an organization, the cost of managing virtual LANs (VLANs) can be significant. Balancing the demands for agility and security requires a new approach.

Cisco TrustSec® software-defined segmentation dynamically organizes endpoints into logical groups, called security groups. Security groups are assigned based on business decisions, using a richer context than an IP address. They are easier for people to understand and manage, and the number of group-based rules is dramatically smaller than an equivalent set of rules based on IP addresses.

Cisco TrustSec technology is embedded in more than 40 Cisco product families and third-party products. It isolates attacks, quickly restricts the lateral movement of threats with micro-segmentation, enables a scalable bring-your-own-device (BYOD) environment, and reduces the scope of compliance for industry and government regulations. A commissioned study, conducted by Forrester Consulting on behalf of Cisco and now available, indicates that customers have found that the time to implement policy changes can be reduced by 98% and operational costs reduced by as much as 80% with TrustSec software-defined segmentation.

Benefits
• Limit the impact of data breaches and compromised devices, and prevent the lateral movement of threats with micro-segmentation
• Rapid threat containment to isolate attacks and vulnerable devices
• Control access to critical enterprise resources in an easy-to-use matrix
• Lower operational expenses through simplified policy management
• Easily comply with PCI audits and other compliance requirements
© 2017 Cisco and/or its affiliates. All rights reserved.
Forrester interviewed customers that had deployed Cisco TrustSec and found:
• 140% return on investment. Composite NPV was $2.33 million. Composite cost to implement was only $1.66 million.
• 80% reduction in IT operational costs. Avoid the costs associated with operating VLANs and firewalls. Reduce the manpower needed to deploy and maintain policy.
• 98% reduction in time to implement changes. Faster time-to-market for projects. Make changes in minutes instead of weeks.

Easily control access to your resources
Cisco TrustSec security groups give users access that is consistently maintained as resources move in mobile or virtualized networks. Management at a group-based policy level simplifies switch, router, and firewall rules while still giving you granular control of your network. Want to deny guest tablets on your network? Done. Want to allow tablets for employees in finance? Done.

Decoupling access entitlements from IP addresses and VLANs simplifies security policy and maintenance tasks, lowers operational costs, and allows policies to be consistently applied to wired, wireless, and VPN access.

Policy, through the use of security group ACLs (SGACLs), can be dynamically or statically provisioned on switches, routers, and wireless LAN infrastructure. TrustSec segmentation enables security policy to be responsive: it is not only applied when a user enters the network but also responds to how they behave while in the network.
Integration with the Cisco Identity Services Engine
The Cisco® Identity Services Engine (ISE) acts as the controller for software-defined segmentation
groups and policies, providing a layer of policy abstraction and centralized administration.
Cisco ISE allows segmentation policies to be applied to networks of any size using a simple
and clear policy matrix.
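As an added illustration (not Cisco's code and not the ISE policy format), the following Python models the group-based policy matrix described above: each endpoint is resolved to a security group, a flow is decided by the (source group, destination group) cell rather than by IP pair, and moving an endpoint into a quarantine group changes the decision without editing any rule. The group names and addresses are constructed sample data.

```python
import copy

# Constructed sample data: security group -> member endpoint addresses.
# In a real deployment this mapping is what the controller (ISE) assigns
# dynamically; here it is static so the example runs offline.
SECURITY_GROUPS = {
    "Employees":   ["10.1.0.11", "10.1.0.12", "10.1.0.13"],
    "Finance":     ["10.1.1.21", "10.1.1.22"],
    "Guests":      ["10.9.0.31", "10.9.0.32", "10.9.0.33"],
    "Quarantine":  [],
    "PCI_Servers": ["10.50.0.5", "10.50.0.6"],
    "Web_Servers": ["10.50.1.80", "10.50.1.81"],
}

# The policy matrix: (source group, destination group) -> action.
# Cells not listed fall through to the default action.
POLICY_MATRIX = {
    ("Employees", "Web_Servers"): "permit",
    ("Finance",   "Web_Servers"): "permit",
    ("Finance",   "PCI_Servers"): "permit",
    ("Guests",    "Web_Servers"): "permit",
}
DEFAULT_ACTION = "deny"


def group_of(ip, groups):
    """Resolve an endpoint address to its security group ('Unknown' if unassigned)."""
    for name, members in groups.items():
        if ip in members:
            return name
    return "Unknown"


def decide(src_ip, dst_ip, groups=SECURITY_GROUPS, matrix=POLICY_MATRIX):
    """Decide a flow by looking up the group pair, never the IP pair."""
    cell = (group_of(src_ip, groups), group_of(dst_ip, groups))
    return matrix.get(cell, DEFAULT_ACTION)


def equivalent_ip_rules(groups, matrix):
    """Count the source/destination IP-pair rules needed to express the same permits."""
    return sum(len(groups[s]) * len(groups[d])
               for (s, d), action in matrix.items() if action == "permit")


def quarantine(ip, groups):
    """Return a copy of the group map with the endpoint moved into Quarantine.

    No matrix cell changes; the endpoint simply stops matching any permit row."""
    new = copy.deepcopy(groups)
    for members in new.values():
        if ip in members:
            members.remove(ip)
    new["Quarantine"].append(ip)
    return new
```

With this data the four matrix cells stand in for twenty IP-pair permits, and quarantining one Finance host denies its PCI access through the default cell alone.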
Simplifying cross-domain security policy
Cisco ISE is able to share TrustSec group information with other group-based policy schemes used in
Cisco’s Application-Centric Infrastructure (ACI) and Open Daylight environments to simplify security
policy management across domains.
Start protecting your assets today
For more information, please visit: [Link]

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: [Link]/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
C45-577269-04 06/17