CREDANT Data Security Partner Guide
Revision: H2CY10
Using this Data Security Partner Guide
This document is for the reader who:
• Has read the Cisco Smart Business Architecture (SBA) for Government Large Agencies—Borderless Networks Design Overview and the Cisco Data Security Deployment Guide
• Wants to connect Borderless Networks to a CREDANT data security endpoint solution
• Wants to gain a general understanding of the CREDANT data security endpoint solution
• Has a level of understanding equivalent to a CCNA® certification
• Wants to prevent sensitive data, including intellectual property and customer data, from leaving the organization without protection
• Wants to solve data security compliance and regulatory problems
• Is mandated to implement data security policies
• Wants the assurance of a validated data security solution
Related Documents

Before reading this guide:
• Design Overview
• Internet Edge Deployment Guide
• Internet Edge Configuration Guide
• Data Security Deployment Guide

[Figure: the SBA for Large Agencies document system, grouped into Design Guides, Foundation Deployment Guides, Network Management Guides and Supplemental Guides, with the CREDANT Data Security Partner Guide marked "You are Here".]
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.
Table of Contents
Overview of Cisco Borderless Networks ..... 1
Agency Benefits ..... 2
CREDANT Product Overview ..... 3
CREDANT Deployment Workflow ..... 4
How to Contact Us ..... 6
Appendix A: SBA for Large Agencies Document System ..... 7
Overview of Cisco Borderless Networks
The Cisco SBA for Large Agencies—Borderless Networks offers partners and customers valuable network design and deployment best practices; helps agencies to deliver superior end-user experiences using switching, routing, security and wireless technologies; and includes comprehensive management capabilities for the entire system. Customers can use the guidance provided in the architecture and deployment guides to maximize the value of their Cisco network in a simple, fast, affordable, scalable and flexible manner.
Figure 1. CREDANT Data Security Integrated into the SBA for Large Agencies—Borderless Networks
Modular design means that technologies can be added when the organization is ready to deploy them. Figure 1 shows how the CREDANT data security solution integrates into the Borderless Networks architecture.
This guide is part of a comprehensive data security system designed to solve agencies' operational problems, such as protecting intellectual property and sensitive customer information assets, and meeting compliance requirements. The guide focuses on Cisco's partnership with CREDANT Technologies to deliver affordable endpoint encryption as a part of Cisco's broader data security system.
Agency Benefits
The globalization of information has forever changed the security landscape. Information is exchanged in less than a millisecond. Financial services companies process transactions involving billions of customer financial records. Healthcare providers store and access information on life-threatening illnesses and confidential patient records. For better or worse, our new, more digitized world exposes sensitive corporate, personal, and employee data to loss or theft at the corporate endpoint. As a result of this profound shift in computing, the regulatory and compliance landscape has evolved as fast as the technological landscape.
In the United States, Canada, and Europe, national regulatory standards increasingly supplement local reforms as the government pressures industries and businesses of all sizes to protect consumers' personal information. In many cases, the penalties for non-compliance can be crippling. No organization is exempt from data tampering. And without proper measures, none can escape the risk of fines, loss of reputation, or possible bankruptcy.
Data encryption isn't just a best practice. It is an imperative for survival in the global, digitized marketplace. Companies failing to meet their compliance requirements and adequately protect against a data breach face fines and other costs extending into the tens of millions of dollars. Yet every organization is unique. The right combination of data encryption solutions must be defined by the existing infrastructure, regulatory requirements and agency practices. By partnering with Cisco and CREDANT, agencies can begin to adopt a holistic approach to data security—encrypting data on the network, at the gateway, via VPN, or at rest at the endpoint.
Protecting sensitive information is critical, and with CREDANT, agencies gain flexibility in how they choose to protect sensitive information. Encryption technology is built on well-established standard algorithms, but the solutions built on that technology include a variety of software- and hardware-based encryption options to meet different operational needs.
As there is a wide range of options to secure critical data, there is also a wide range of criteria to consider when deciding how to best protect your agency. Power users or developers tend to be very sensitive to even the smallest impact on system performance. Less technically savvy end users will likely inundate the help desk with calls for assistance if they encounter a solution that forces them to change the way they work. Executives may carry more sensitive information than end users and thus require different security policies. Traveling employees naturally incur more risk of data loss, for a number of reasons, than do employees working on a desktop system in a secure office. These are just a few of the criteria that agencies must navigate when choosing the right solution or solutions for their operations.
CREDANT Product Overview
CREDANT offers both hardware and software encryption with centrally managed or unmanaged options, depending on your needs. All managed solutions include extensive reporting to satisfy compliance needs and to ease deployment and day-to-day use. Products can be mixed and matched to find an overall solution that best fits your needs:
• CREDANT Mobile Guardian provides software encryption and security for Windows or Mac OS X laptops and desktops, removable media, and PDAs and Smartphones. Windows systems are protected with CREDANT's Intelligent Encryption, and full disk encryption (FDE) is used to protect Mac computers. External media encryption is provided for both Windows and handhelds. Windows protection is available in both managed and unmanaged varieties.
Figure 2. CREDANT Mobile Guardian
• CREDANT FDE for Windows provides full disk software encryption for Windows laptops and desktops. All data on the local drive is encrypted at the sector level, including any blank space on the drive. This fully managed solution includes mandatory pre-boot authentication and AES-256 encryption. CREDANT's network-aware pre-boot authentication allows the end user to access the system via an existing domain login. Administrators avoid the high-overhead setup and maintenance of proprietary pre-boot user and administrator accounts.
• CREDANT FDE Drive Manager technology fortifies the Seagate Momentus self-encrypting 2.5” hard drives with remote management, strong authentication, and extensive auditing and reporting features, thus allowing companies to more easily implement Seagate hardware encryption. FDE Drive Manager can be configured during installation to run as a managed or unmanaged client.
Figure 3. CREDANT Drive Manager
• CREDANT Protector offers fine-grained port control capabilities to agencies wishing to control data at the device or file level.
As operational environments differ, so do the options CREDANT offers to secure critical data in those environments. All CREDANT solutions are designed to provide the most comprehensive security available for data stored on laptops, desktops, removable media and mobile devices. Each solution ensures mandatory authentication and provides industry-standard encryption, so agencies can select a product or a combination of products that best fit their needs without having to go to multiple vendors. CREDANT's broad range of solutions helps to keep corporate data secure while allowing users to focus on doing their jobs.
CREDANT Deployment Workflow
This section presents an overview of the tasks involved in deploying CREDANT data security products.
Phase 1: Environment Planning and Review
This phase of the deployment workflow involves a review of the organization's current environment, including software deployment, client types, encryption requirements, and authentication methods. This environmental review is necessary to determine how the software will be deployed, which client types should be considered (software FDE, hardware FDE, file-based encryption, and/or removable media), the number of servers that are required, and what authentication methods will be used.
Phase 2: Server Software Installation
This phase involves the installation of the server software that will provide the management of the various endpoint encryption solutions. This process includes the creation of the database, which will be used to escrow the encryption keys, configuration of the authentication and directory systems, and the installation of the policy server. Most deployments include a single policy server, one active database and connectivity to Active Directory. Management is accomplished using either a web browser or a Microsoft Management Console plugin.
Phase 3: Policy Definition
This phase involves the creation of the security policy. As customers tend to have a wide variety of encryption requirements, this part of the process helps ensure that those requirements are met. CREDANT works closely with the customer to build a policy that meets the growing number of government regulations and industry standards that require encryption. These might include HIPAA, PCI, SOX, and various Federal and State breach laws. The policies are designed to meet these requirements while having very little impact on the end user. Figure 4 shows the policy management interface:
Figure 4. CREDANT Policy Definition
Phase 4: Client Installation
This phase of the deployment workflow involves the deployment of the client to the endpoint. There are several different client types to choose from, and in most cases the client can be deployed using the customer's normal software delivery systems. After the client is deployed to the endpoint and activated, the encryption keys are created by the server, stored in the database, and passed to the client. The policies created in phase three are then consumed by the client and the encryption process takes place.
Figure 5. Client Configuration Options
Figure 6. Client Policy Configuration
Phase 5: Auditing and Reporting
This phase of the deployment workflow involves the installation and configuration of the Audit and Reporting tools. This involves the installation of software on the policy server, and the configuration of a connection to the database. The software has many pre-defined reports, as shown in Figures 7 and 8, but most customers will want to customize these reports to meet their individual needs. Reports are customized and then scheduled during this phase. Configuration of the audit and reporting system also includes role definition for auditors, and setting up reports to be emailed to various users.
Figure 7. Per-Device Statistics in the Reporting Interface
Figure 8. Predefined Reports
Phase 6: Data Lifecycle Protection with Cisco AnyConnect and RSA Endpoint DLP
CREDANT Mobile Guardian, Cisco AnyConnect VPN, and RSA Endpoint DLP together provide comprehensive protection of data at rest, in use, and in motion. Deployment and use of CREDANT Mobile Guardian is transparent, and works seamlessly when used with RSA DLP Endpoint and Cisco AnyConnect VPN.
Cisco AnyConnect provides a secure transmission pipe to protect information as it travels between agency environments and end users. Sensitive data stored on the user's notebook hard drive is protected via CREDANT's encryption solution. Data written to USB drives may be monitored and logged via RSA Endpoint DLP, and simultaneously encrypted with CREDANT's USB encryption capabilities. To that end, administrators may set appropriate DLP Endpoint policies to log all transfer events, giving a clear record of what is being written to external media, and CREDANT encryption policies to ensure that all data written to USB drives is encrypted.
Taken together, these three solutions enable mobility while offering the highest degree of data security.
Products Verified with Cisco SBA
CREDANT Mobile Guardian Enterprise Server 6.7.0.188 and CREDANT Mobile Guardian Shield 6.7.0.1402 are validated across Cisco SBA with Cisco AnyConnect 2.5.0.217.
How to Contact Us
End Users
• Please contact CREDANT via http://www.credant.com/cisco for any questions.
• Submit an inquiry about CREDANT and the Cisco SBA for Large Agencies—Borderless Networks.
Resellers
• Please contact CREDANT via http://www.credant.com/partners.html.
Appendix A: SBA for Large Agencies Document System
[Figure: the SBA for Large Agencies document system, grouped into Design Guides, Foundation Deployment Guides, Network Management Guides and Supplemental Guides, with the CREDANT Data Security Partner Guide marked "You are Here". Documents shown: Design Overview; IPv6 Addressing Guide; LAN Deployment Guide; LAN Configuration Guide; WAN Deployment Guide; WAN Configuration Guide; Internet Edge Deployment Guide; Internet Edge Configuration Guide; Wireless CleanAir Deployment Guide; Data Security Deployment Guide; Nexus 7000 Deployment Guide; SolarWinds Deployment Guide; SIEM Deployment Guide; ArcSight SIEM Partner Guide; LogLogic SIEM Partner Guide; nFx SIEM Partner Guide; RSA SIEM Partner Guide; Splunk SIEM Partner Guide; CREDANT Data Security Partner Guide; Lumension Data Security Partner Guide.]
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
C07-640799-00 02/11