CREDANT Data Security Partner Guide
February 2012 Series
Preface
Who Should Read This Guide
This Cisco® Smart Business Architecture (SBA) guide is for people who fill a variety of roles:
• Systems engineers who need standard procedures for implementing solutions
• Project managers who create statements of work for Cisco SBA implementations
• Sales partners who sell new technology or who create implementation documentation
• Trainers who need material for classroom instruction or on-the-job training
In general, you can also use Cisco SBA guides to improve consistency among engineers and deployments, as well as to improve scoping and costing of deployment jobs.
Release Series
Cisco strives to update and enhance SBA guides on a regular basis. As we develop a new series of SBA guides, we test them together, as a complete system. To ensure the mutual compatibility of designs in Cisco SBA guides, you should use guides that belong to the same series.
All Cisco SBA guides include the series name on the cover and at the bottom left of each page. We name the series for the month and year that we release them, as follows:
month year Series
For example, the series of guides that we released in August 2011 are the “August 2011 Series”.
You can find the most recent series of SBA guides at the following sites:
Customer access: http://www.cisco.com/go/sba
Partner access: http://www.cisco.com/go/sbachannel
How to Read Commands
Many Cisco SBA guides provide specific details about how to configure Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating systems that you configure at a command-line interface (CLI). This section describes the conventions used to specify commands that you must enter.
Commands to enter at a CLI appear as follows:
configure terminal
Commands that specify a value for a variable appear as follows:
ntp server 10.10.48.17
Commands with variables that you must define appear as follows:
class-map [highest class name]
Commands shown in an interactive example, such as a script or when the command prompt is included, appear as follows:
Router# enable
Long commands that line wrap are underlined. Enter them as one command:
wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100
Noteworthy parts of system output or device configuration files appear highlighted, as follows:
interface Vlan64
ip address 10.5.204.5 255.255.255.0
Comments and Questions
If you would like to comment on a guide or ask questions, please use the forum at the bottom of one of the following sites:
Customer access: http://www.cisco.com/go/sba
Partner access: http://www.cisco.com/go/sbachannel
An RSS feed is available if you would like to be notified when new comments are posted.
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2012 Cisco Systems, Inc. All rights reserved.
Table of Contents
What’s In This SBA Guide ... 1
Overview of Cisco Borderless Networks ... 2
Business Benefits ... 3
CREDANT Product Overview ... 4
CREDANT Deployment Workflow ... 5
How to Contact Us ... 7
What’s In This SBA Guide
About SBA
Cisco SBA helps you design and quickly deploy a full-service business network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable, and flexible.
Cisco SBA incorporates LAN, WAN, wireless, security, data center, application optimization, and unified communication technologies—tested together as a complete system. This component-level approach simplifies system integration of multiple technologies, allowing you to select solutions that solve your organization’s problems—without worrying about the technical complexity.
For more information, see the How to Get Started with Cisco SBA document: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/SBA_Getting_Started.pdf
About This Guide
This additional deployment guide includes the following sections:
• Business Overview—The challenge that your organization faces. Business decision makers can use this section to understand the relevance of the solution to their organizations’ operations.
• Technology Overview—How Cisco solves the challenge. Technical decision makers can use this section to understand how the solution works.
• Deployment Details—Step-by-step instructions for implementing the solution. Systems engineers can use this section to get the solution up and running quickly and reliably.
This guide presumes that you have read the prerequisite guides, as shown on the Route to Success below.
Route to Success: Design Overview, Internet Edge Deployment Guide, Cisco Data Security Deployment Guide (prerequisite guides); CREDANT Data Security Partner Guide (you are here)
Route to Success
To ensure your success when implementing the designs in this guide, you should read any guides that this guide depends upon—shown to the left of this guide on the route above. Any guides that depend upon this guide are shown to the right of this guide.
For customer access to all guides: http://www.cisco.com/go/sba
For partner access: http://www.cisco.com/go/sbachannel
Overview of Cisco Borderless Networks
The Cisco Smart Business Architecture—Borderless Networks for Enterprise Organizations offers partners and customers valuable network design and deployment best practices; helps organizations to deliver superior end-user experiences using switching, routing, security and wireless technologies; and includes comprehensive management capabilities for the entire system. Customers can use the guidance provided in the architecture and deployment guides to maximize the value of their Cisco network in a simple, fast, affordable, scalable and flexible manner.
Figure 1 - CREDANT Data Security Integrated into the Smart Business Architecture—Borderless Networks for Enterprise Organizations
Modular design means that technologies can be added when the organization is ready to deploy them. Figure 1 shows how the CREDANT data security solution integrates into the Borderless Networks architecture.
This guide is part of a comprehensive data security system designed to solve customers’ business problems, such as protecting intellectual property and sensitive customer information assets, and meeting compliance requirements. The guide focuses on Cisco’s partnership with CREDANT Technologies to deliver affordable endpoint encryption as a part of Cisco’s broader data security system.
Business Benefits
The globalization of information has forever changed the security landscape. Information is exchanged in less than a millisecond. Financial services companies process transactions involving billions of customer financial records. Healthcare providers store and access information on life-threatening illnesses and confidential patient records. For better or worse, our new, more digitized world exposes sensitive corporate, personal, and employee data to loss or theft at the corporate endpoint. As a result of this profound shift in computing, the regulatory and compliance landscape has evolved as fast as the technological landscape.
In the United States, Canada, and Europe, national regulatory standards increasingly supplement local reforms as the government pressures industries and businesses of all sizes to protect consumers’ personal information. In many cases, the penalties for non-compliance can be crippling. No company or industry is exempt from data tampering. And without proper measures, none can escape the risk of fines, loss of reputation, or possible bankruptcy.
Data encryption isn’t just a best practice. It is an imperative for survival in the global, digitized marketplace. Companies failing to meet their compliance requirements and adequately protect against a data breach face fines and other costs extending into the tens of millions of dollars. Yet every organization is unique. The right combination of data encryption solutions must be defined by the existing infrastructure, regulatory requirements and business practices. By partnering with Cisco and CREDANT, organizations can begin to adopt a holistic approach to data security—encrypting data on the network, at the gateway, via VPN, or at rest at the endpoint.
Protecting sensitive information is critical, and with CREDANT, organizations gain flexibility in how they choose to protect sensitive information. Encryption technology is built on well-established standard algorithms, but the solutions built on that technology include a variety of software- and hardware-based encryption options to meet different business needs.
As there is a wide range of options to secure critical corporate data, there is also a wide range of criteria to consider when deciding how to best protect your business. Power users or developers tend to be very sensitive to even the smallest impact on system performance. Less technically savvy end users will likely inundate the help desk with calls for assistance if they encounter a solution that forces them to change the way they work. Executives may carry more sensitive information than end users and thus require different security policies. Traveling employees naturally incur more risk of data loss for a number of reasons than do employees working on a desktop system in a secure office. These are just a few of the criteria that organizations must navigate when choosing the right solution or solutions for their business.
CREDANT Product Overview
CREDANT offers both hardware and software encryption with centrally managed or unmanaged options, depending on your needs. All managed solutions include extensive reporting to satisfy compliance needs and to ease deployment and day-to-day use. Products can be mixed and matched to find an overall solution that best fits your needs:
• CREDANT Mobile Guardian provides software encryption and security for Windows or Mac OS X laptops and desktops, removable media, and PDAs and Smartphones. Windows systems are protected with CREDANT’s Intelligent Encryption, and full disk encryption (FDE) is used to protect Mac computers. External media encryption is provided for both Windows and handhelds. Windows protection is available in both managed and unmanaged varieties.
Figure 2 - CREDANT Mobile Guardian
• CREDANT FDE for Windows provides full disk software encryption for Windows laptops and desktops. All data on the local drive is encrypted at the sector level, including any blank space on the drive. This fully managed solution includes mandatory, pre-boot authentication and AES-256 encryption. CREDANT’s network-aware pre-boot authentication allows the end user to access the system via an existing domain login. Administrators avoid the high overhead setup and maintenance of proprietary pre-boot user and administrator accounts.
• CREDANT FDE DriveManager technology fortifies the Seagate Momentus self-encrypting 2.5” hard drives with remote management, strong authentication, and extensive auditing and reporting features, thus allowing companies to more easily implement Seagate hardware encryption. FDE DriveManager can be configured during installation to run as a managed or unmanaged client.
Figure 3 - CREDANT Drive Manager
• CREDANT Protector offers fine-grained port control capabilities to organizations wishing to control data at the device or file level.
As business environments differ, so do the options CREDANT offers to secure critical data in those environments. All CREDANT solutions are designed to provide the most comprehensive security available for data stored on laptops, desktops, removable media and mobile devices. Each solution ensures mandatory authentication and provides industry-standard encryption so organizations can select a product or a combination of products that best fit their needs without having to go to multiple vendors. CREDANT’s broad range of solutions helps to keep corporate data secure while allowing users to focus on doing their jobs.
CREDANT Deployment Workflow
This section presents an overview of the tasks involved in deploying CREDANT data security products.
Phase 1: Environment Planning and Review
This phase of the deployment workflow involves a review of the organization’s current environment, including software deployment, client types, encryption requirements, and authentication methods. This environmental review is necessary to determine how the software will be deployed, which client types should be considered (software FDE, hardware FDE, file-based encryption, and/or removable media), the number of servers that are required, and what authentication methods will be used.
Phase 2: Server Software Installation
This phase involves the installation of the server software that will provide the management of the various endpoint encryption solutions. This process includes the creation of the database, which will be used to escrow the encryption keys, configuration of the authentication and directory systems, and the installation of the policy server. Most deployments include a single policy server, one active database and connectivity to Active Directory. Management is accomplished using either a web browser or Microsoft Management Console plugin.
Phase 3: Policy Definition
This phase involves the creation of the security policy. As customers tend to have a wide variety of encryption requirements, this part of the process helps ensure that those requirements are met. CREDANT works closely with the customer to build a policy that meets the growing number of government regulations and industry standards that require encryption. These might include HIPAA, PCI, SOX, and various Federal and State Breach Laws. The policies are designed to meet these requirements while having very little impact to the end user. Figure 4 shows the policy management interface:
Figure 4 - CREDANT Policy Definition
Phase 4: Client Installation
This phase of the deployment workflow involves the deployment of the client to the endpoint. There are several different client types to choose from, and in most cases the client can be deployed using the customer’s normal software delivery systems. After the client is deployed to the endpoint and activated, the encryption keys are created by the server, stored in the database, and passed to the client. The policies created in phase three are then consumed by the client and the encryption process takes place.
Figure 5 - Client Configuration Options
Figure 6 - Client Policy Configuration
Phase 5: Auditing and Reporting
This phase of the deployment workflow involves the installation and configuration of the Audit and Reporting tools. This involves the installation of software on the policy server, and the configuration of a connection to the database. The software has many pre-defined reports, as shown in Figures 7 and 8, but most customers will want to customize these reports to meet their individual needs. Reports are customized and then scheduled during this phase. Configuration of the audit and reporting system also includes role definition for auditors, and setting up reports to be emailed to various users.
Figure 7 - Per-Device Statistics in the Reporting Interface
Figure 8 - Predefined Reports
Phase 6: Data Lifecycle Protection with Cisco AnyConnect and RSA Endpoint DLP
CREDANT Mobile Guardian, Cisco AnyConnect VPN, and RSA Endpoint DLP together provide comprehensive protection of data at rest, in use, and in motion. Deployment and use of CREDANT Mobile Guardian is transparent, and works seamlessly when used with RSA DLP Endpoint and Cisco AnyConnect VPN.
Cisco AnyConnect provides a secure transmission pipe to protect information as it travels between enterprise environments and end users. Sensitive data stored on the user’s notebook hard drive is protected via CREDANT’s encryption solution. Data written to USB drives may be monitored and logged via RSA Endpoint DLP, and simultaneously encrypted with CREDANT’s USB encryption capabilities. To that end, administrators may set appropriate DLP Endpoint policies to log all transfer events, giving a clear understanding of what is being written to external media, and CREDANT encryption policies to ensure that all data is encrypted on USB drives.
Taken together, these three solutions enable mobility while offering the highest degree of data security.
Products Verified with Cisco Smart Business Architecture
CREDANT Mobile Guardian Enterprise Server 6.7.0.188 and CREDANT Mobile Guardian Shield 6.7.0.1402 are validated across Cisco Smart Business Architecture with Cisco AnyConnect 2.5.0.217.
How to Contact Us
End Users
• Please contact CREDANT via http://www.credant.com/cisco for any questions.
• Submit an inquiry about CREDANT and the Cisco Smart Business Architecture—Borderless Networks for Enterprise Organizations.
Resellers
• Please contact CREDANT via http://www.credant.com/partners.html.
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Smart Business Architecture
C07-608456-03 02/12