Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 Cloud Web Security Update

Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 1

Cloud Web Security Update

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

ScanSafe is nowCloud Web Security

(CWS)


Session ObjectivesAt the end of the session, the participants should be able to:

• Articulate the strategy of the product

• Speak to the upcoming feature sets

• Understand the deployment mechanism

• Defend against competitive talking points


5 beta customers with100% functional coverage

Included strategic partners BT, CDW and key customers like Nike

ASA-based Connector Update

Positive’s Learning's

• “ASA with ScanSafe is brilliant” - BT

• 3 customers tested the code in production

• Easy configuration and setup

• Management across two platforms

• Documentation clarity

• Configuration with the new identity mechanism via IDFW not fully stressed

Overview


http://sswiki.cisco.com/index.php/ASA

Sizing Information ASA Platform Number of Users

5505 25

5510 75

5512-X 100

5515-X 250

5520 300

5525-X 500

5540 1,000

5545-X 1,500

5550 2,000

5555-X 3,000

5585-X SSP10 – 5585-X SSP60 7,500





From

• IronPort / ScanSafe Pricebook with Multiple Buying Options

• Silo-ed Development of Features

• Perceived Product Complexity

• GPL Availability – May 2013

• Convergence of Features within Web Security Portfolio

• Fewer deployment options, auto provisioning and configuration

To

Our Strategy is Attach

Cloud Web Security

ISR G2 ASA AnyConnect WebSecurity

WSA ConnectorPLATFORMS

SERVICE


End Customer Experience Today• Time varies from 3 days to weeks

Order VerificationProvision & Capacity

DeploymentService Enabled

• Specialized sales or CSE engagement

• Need details on customer’s network (IP, breakout’s etc.)

• Order verified; if information is incomplete sent back to customer via partner

• Portal provisioned and capacity allocated manually (towers, proxy etc.)

• TAM engages with customer to deploy CWS

• Can be time-consuming if network is complicated or poor sales qualification

Manual activation process not conducive to Cisco and partner-led saleAutomated order-deployment process is key to higher attach


How Do We Simplify

Business OpsMinimize touch points, integrate with GPL

Order & Quoting

Eliminate non-essential or double-entry of data

Create a single source of truth for customer data

Portal 2.0Faster, smarter and flexible. Rebrand to Cisco

Ease-of-useReduce CS overhead, enhance customer experience

On-going Service

Rebrand to CiscoElement of self diagnosis in the portal

Category checker, notifications, exception managementOpen support tickets via portal, automated error report

Simplified portal for reporting and policy, flexibility in design and customization

Create a full Cisco kit for the datacenter; economies of scale

Next Gen TowerLeverage UCS for scalability and cost savings

Infrastructure

Customers not tied to a tower; dynamically move customers

Reduce manual steps in capacity allocation

Smart ConnectorSelf-deploying proxy

Automatically configured ASA/ISR; reduce dependencies on the proxy

Reduce the number of supported deployment mechanisms

Deployment


Network Attach

Enterprise FeaturesSimplification Security Services Convergence

Roadmap Pillars


Network Attach


• Next Gen Tower

• Smart Connector

• CS tools


Ne

two

rkS

tora

ge

Co

mp

ute

• 20 Gbps capable fully redundant network stack (2nd IP transit provider) and auto geo site DR

• Internet scale router for full upstream connectivity• Peering capability

• Virtualization layer (VMware) on scalable Cisco UCS hardware• Proxy services: Thousands of VMs securing customer traffic• Management services

+ Logging | Reporting | Monitoring | Debugging• Future services

+ Room for product evolution and completely new products on same hardware

• SAN Based• Fast | Flexible | Scalable storage• Highly available

Next Gen Tower


Smart Connector

Features Support

Monitoring

Information

User Details One format

Configuration

Auto Provisioning Identity Exception

Smart Connector

End customer experience should reflect that of AnyConnect WebSecurity


Message from Cisco Cloud Web Security: New Feature - A Cloud first, click here for more information

© 2011 Cisco and/or its affiliates. All rights reserved.© 2011 Cisco and/or its affiliates. All rights reserved.

Service Health

Your Cloud Proxies

Your Cloud Connector

Your Cloud Identity

Who’s Connected

LondonSan FranciscoParis

Remote Users

LondonParisNew York

Cisco Cloud Web Security

Policy Backup

Policy Tracer

Submit Recat

Website Checker

Open :Ticket 1Ticket 2Ticket 3

ClosedTicket 4Ticket 5Ticket 6

Service Improvements

1. Recommended Web Polices

2. Use Delegated Admin

3. Upgrade your Cloud Connector

Service ToolsService Incident Tickets

Revamped Portal (Artist Rendition)


Support ToolsRank Bucket Feature Priority

1 Web Filtering Tools Recat Checker / Submit Essential

Policy Import / Backup Essential

2 Customer Notification Ability to create notifications & allow customers to select how to receive the notification

Essential

3 Service Status Page Connector Status Essential

Tower Status Essential

Latency Monitoring tool Essential

4 Customer Troubleshooting Website checker High

ScanCenter Auditing High

5 Customer Self Help Policy Tracer Essential

PAC filer validator Essential

Whoami.scansafe.net improvements Essential

Templates (filtering + reporting) High

6 Ad-Hoc Features ScanCenter UI Easy wins Essential

ScanCenter configuration page changes Essential

7 Security Tools More information of block classification – Threat Defense Essential

BC: October 2012


Self Deployment Process

• Easy to follow deployment guides

• VODs of deployment options

• Projects to streamline service deployment process

• Beta process running successfully for months – Complete

• 8 customers and over 1400 seats self deployed

DeploymentDeployment for All Accounts with < 500 seats


Network Attach


• Integrate Web Reputation

• Additional OI ScanLets


Web Reputation Integration

• We dynamically block web requests based on SIO Generated WBRS Scores

Continuous monitoring by OI / SecApp

• The system will continue to work with the current WebRep db

• Mapping of Web Reputation threat types into Cloud Web Security types (e.g. Phishing, Spyware, Adware, Info)

• Provide whitelisting per company (for Operational use and NOT customer facing


Network Attach


• SAML 2.0 Authentication

• WSA-based Connector

• iOS Protection


How Does CWS Use SAML?

This solution is limited to any customer already using an IdP for Single Sign On (SSO) purposes

ScanSafe uses the SAML technology to identify and authenticate users

No need for Connector or other authentication method

The SP is located within the ScanSafe cloud infrastructure

All communication is performed via browser redirects and hidden forms containing SAML messages

BETA Customers include: HCA, GE, ABF


SAML 2.0 Data Flow


WSA-based Connector

Web Security customer requirement:

• Transparent deployment• Local logging / SIEM• Caching• DLP Integration• Native FTP support

All these features will be available on the WSA-based

Connector

Phase 1:• High performance connector• NTLM v2• Transparent identification• Local caching support• Offbox DLP integration • Appliance based

Phase 2 (Not Committed):• All of the above• Native FTP scanning• Local Logging• Virtual form factor – VMware

What? How?


3rd Party MDM Appliance

CSM / ASDM

MDM Manager

AC VPN (All Mobile)AC Cloud Web Security (All PC’s)

IronPort WSA

CWS

Apple + CWS


Cisco Cloud Web Security BYOD Solution

• FutureOutside the Enterprise

3rd Party MDM Appliance

MDM Manager

Hosted PAC + EasyID

POC only !!!!!!!

If successful CCB

Hosted PAC

EasyID

CWS

Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 24

Additional Resources


Competitive Strategy

Focus on attach model

Continued integration with Monish Pahwa’s team

WebSense and BC updates at competitive forum Nov 5-9th

Focus on Efficacy, Simplification of deployment, Enterprise integration

# ! %


Empower the Field

• http://wwwin.cisco.com/stg/products/web_security/cloud_web_security.shtml -

• http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html

• http://sswiki.cisco.com/index.php/Main_Page

• http://sswiki.cisco.com/index.php/Labs

• http://wikicentral.cisco.com/display/SSAFE/Home

www.cisco.com/go/demo

http://wwwin.cisco.com/stg/products/web_security/cloud_web_security.shtml

http://wwwin.cisco.com/stg/products/web_security/cloud_web_security.shtml

http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html

http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html

http://sswiki.cisco.com/index.php/Main_Page



http://sswiki.cisco.com/index.php/Labs



http://wikicentral.cisco.com/display/SSAFE/Home



Thank you.

Documents

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 Cloud Web Security Update