Solved: Re: ISE global deployment in relation to data privacy of guests

neal.aberdeen · ‎02-01-2017

I'm looking to roll out ISE globally, current thinking is with admin etc. nodes in the US, and policy nodes in the US, EMEA and APAC.

The issue is around data privacy of guests, and I'm looking for community advice on the best approach.

The way it is designed at the moment, guests at European offices would need to be notified at point of registration that their data will be held in the US (fine), and registration means they accept this. However, some guests would be self-excluded from being guests, and there is the possibility of some guests accepting and using the network when they shouldn't (there are reasons why the Privacy Shield would not apply in some instances. Also, privacy rules are often different even around Europe; is it possible to identify users depending on location/nationality and e.g. present them with different terms etc. etc.

Would it be better to have separate admin nodes in each region to prevent e.g. data transfer outside of Europe? What would the licencing implications be in terms of machine images?

Is there someone out in the community who has experience of deploying ISE globally; how did you address the whole data privacy thing?

Thanks

Craig Hyps · ‎02-01-2017

If require data isolation between regions today, then recommend that you deploy separate ISE domains. I would work with your local Cisco sales team to address the licensing concerns of deploying one larger domain versus many smaller domains. Consideration should be provided for this scenario and they con consult with business unit if have specific questions on how to best handle.

Regards,
Craig

View solution in original post

Jason Kunst · ‎10-30-2018

Would recommend looking at scalling and performance information in the following locations
http://cs.co/ise-training
Great overview of scaling design

Designing ISE for Scale & High Availability - BRKSEC-3699

Craig Hyps, Prinicipal Technical Marketing Engineer , Cisco Systems

Also this link for latest numbers
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

View solution in original post

Craig Hyps · ‎02-01-2017

If require data isolation between regions today, then recommend that you deploy separate ISE domains. I would work with your local Cisco sales team to address the licensing concerns of deploying one larger domain versus many smaller domains. Consideration should be provided for this scenario and they con consult with business unit if have specific questions on how to best handle.

Regards,
Craig

kpapadop@cisco.com · ‎10-30-2018

Hi there - my customer has acquired another company and wants to consolidate AD/ISE backend as both the parent company and the acquired company use ISE/AD. The parent company is primarily based in US and the acquired one in UK. Do we have best practices (latency, multiple AD domain joins) to consolidate such scenario in a single global ISE deployment?

Jason Kunst · ‎10-30-2018

Would recommend looking at scalling and performance information in the following locations
http://cs.co/ise-training
Great overview of scaling design

Designing ISE for Scale & High Availability - BRKSEC-3699

Craig Hyps, Prinicipal Technical Marketing Engineer , Cisco Systems

Also this link for latest numbers
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148