Cisco - Global Home Page - SBA for Enterprise Organizations · February 2012 Series What’s In...


CREDANT Data Security Partner Guide

February 2012 Series


Preface

Who Should Read This Guide

This Cisco® Smart Business Architecture (SBA) guide is for people who fill a variety of roles:

• Systems engineers who need standard procedures for implementing solutions

• Project managers who create statements of work for Cisco SBA implementations

• Sales partners who sell new technology or who create implementation documentation

• Trainers who need material for classroom instruction or on-the-job training

In general, you can also use Cisco SBA guides to improve consistency among engineers and deployments, as well as to improve scoping and costing of deployment jobs.

Release Series

Cisco strives to update and enhance SBA guides on a regular basis. As we develop a new series of SBA guides, we test them together, as a complete system. To ensure the mutual compatibility of designs in Cisco SBA guides, you should use guides that belong to the same series.

All Cisco SBA guides include the series name on the cover and at the bottom left of each page. We name the series for the month and year that we release them, as follows:

month year Series

For example, the series of guides that we released in August 2011 are the “August 2011 Series”.

You can find the most recent series of SBA guides at the following sites:

Customer access: http://www.cisco.com/go/sba

Partner access: http://www.cisco.com/go/sbachannel

How to Read Commands

Many Cisco SBA guides provide specific details about how to configure Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating systems that you configure at a command-line interface (CLI). This section describes the conventions used to specify commands that you must enter.

Commands to enter at a CLI appear as follows:

configure terminal

Commands that specify a value for a variable appear as follows:

ntp server 10.10.48.17

Commands with variables that you must define appear as follows:

class-map [highest class name]

Commands shown in an interactive example, such as a script or when the command prompt is included, appear as follows:

Router# enable

Long commands that line wrap are underlined. Enter them as one command:

wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100

Noteworthy parts of system output or device configuration files appear highlighted, as follows:

interface Vlan64
 ip address 10.5.204.5 255.255.255.0

Comments and Questions

If you would like to comment on a guide or ask questions, please use the forum at the bottom of one of the following sites:

Customer access: http://www.cisco.com/go/sba

Partner access: http://www.cisco.com/go/sbachannel

An RSS feed is available if you would like to be notified when new comments are posted.


ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco Unified Communications SRND (Based on Cisco Unified Communications Manager 7.x)

© 2012 Cisco Systems, Inc. All rights reserved.


Table of Contents

What’s In This SBA Guide

Overview of Cisco Borderless Networks

Business Benefits

CREDANT Product Overview

CREDANT Deployment Workflow

How to Contact Us


What’s In This SBA Guide

About SBA

Cisco SBA helps you design and quickly deploy a full-service business network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable, and flexible.

Cisco SBA incorporates LAN, WAN, wireless, security, data center, application optimization, and unified communication technologies—tested together as a complete system. This component-level approach simplifies system integration of multiple technologies, allowing you to select solutions that solve your organization’s problems—without worrying about the technical complexity.

For more information, see the How to Get Started with Cisco SBA document: http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/SBA_Getting_Started.pdf

About This Guide

This additional deployment guide includes the following sections:

• Business Overview—The challenge that your organization faces. Business decision makers can use this section to understand the relevance of the solution to their organizations’ operations.

• Technology Overview—How Cisco solves the challenge. Technical decision makers can use this section to understand how the solution works.

• Deployment Details—Step-by-step instructions for implementing the solution. Systems engineers can use this section to get the solution up and running quickly and reliably.

This guide presumes that you have read the prerequisites guides, as shown on the Route to Success below.

[Figure: Route to Success (ENT BN). Prerequisite guides: Design Overview, Internet Edge Deployment Guide, Cisco Data Security Deployment Guide. You are here: CREDANT Data Security Partner Guide.]

Route to Success

To ensure your success when implementing the designs in this guide, you should read any guides that this guide depends upon—shown to the left of this guide on the route above. Any guides that depend upon this guide are shown to the right of this guide.

For customer access to all guides: http://www.cisco.com/go/sba

For partner access: http://www.cisco.com/go/sbachannel


Overview of Cisco Borderless Networks

The Cisco Smart Business Architecture—Borderless Networks for Enterprise Organizations offers partners and customers valuable network design and deployment best practices; helps organizations to deliver superior end-user experiences using switching, routing, security and wireless technologies; and includes comprehensive management capabilities for the entire system. Customers can use the guidance provided in the architecture and deployment guides to maximize the value of their Cisco network in a simple, fast, affordable, scalable and flexible manner.

Figure 1 - CREDANT Data Security Integrated into the Smart Business Architecture—Borderless Networks for Enterprise Organizations

Modular design means that technologies can be added when the organization is ready to deploy them. Figure 1 shows how the CREDANT data security solution integrates into the Borderless Networks architecture.

This guide is part of a comprehensive data security system designed to solve customers’ business problems, such as protecting intellectual property and sensitive customer information assets, and meeting compliance requirements. The guide focuses on Cisco’s partnership with CREDANT Technologies to deliver affordable endpoint encryption as a part of Cisco’s broader data security system.


Business Benefits

The globalization of information has forever changed the security landscape. Information is exchanged in less than a millisecond. Financial services companies process transactions involving billions of customer financial records. Healthcare providers store and access information on life-threatening illnesses and confidential patient records. For better or worse, our new, more digitized world exposes sensitive corporate, personal, and employee data to loss or theft at the corporate endpoint. As a result of this profound shift in computing, the regulatory and compliance landscape has evolved as fast as the technological landscape.

In the United States, Canada, and Europe, national regulatory standards increasingly supplement local reforms as the government pressures industries and businesses of all sizes to protect consumers’ personal information. In many cases, the penalties for non-compliance can be crippling. No company or industry is exempt from data tampering. And without proper measures, none can escape the risk of fines, loss of reputation, or possible bankruptcy.

Data encryption isn’t just a best practice. It is an imperative for survival in the global, digitized marketplace. Companies failing to meet their compliance requirements and adequately protect against a data breach face fines and other costs extending into the tens of millions of dollars. Yet every organization is unique. The right combination of data encryption solutions must be defined by the existing infrastructure, regulatory requirements and business practices. By partnering with Cisco and CREDANT, organizations can begin to adopt a holistic approach to data security—encrypting data on the network, at the gateway, via VPN, or at rest at the endpoint.

Protecting sensitive information is critical, and with CREDANT, organizations gain flexibility in how they choose to protect sensitive information. Encryption technology is built on well established standard algorithms, but the solutions built on that technology include a variety of software- and hardware-based encryption options to meet different business needs.

As there is a wide range of options to secure critical corporate data, there is also a wide range of criteria to consider when deciding how to best protect your business. Power users or developers tend to be very sensitive to even the smallest impact on system performance. Less technically savvy end users will likely inundate the help desk with calls for assistance if they encounter a solution that forces them to change the way they work. Executives may carry more sensitive information than end users and thus require different security policies. Traveling employees naturally incur more risk of data loss for a number of reasons than do employees working on a desktop system in a secure office. These are just a few of the criteria that organizations must navigate when choosing the right solution or solutions for their business.


CREDANT Product Overview

CREDANT offers both hardware and software encryption with centrally managed or unmanaged options, depending on your needs. All managed solutions include extensive reporting to satisfy compliance needs and to ease deployment and day-to-day use. Products can be mixed and matched to find an overall solution that best fits your needs:

• CREDANT Mobile Guardian provides software encryption and security for Windows or Mac OS X laptops and desktops, removable media, and PDAs and Smartphones. Windows systems are protected with CREDANT’s Intelligent Encryption and full disk encryption (FDE) is used to protect Mac computers. External media encryption is provided for both Windows and handhelds. Windows protection is available in both managed and unmanaged varieties.

Figure 2 - CREDANT Mobile Guardian

• CREDANT FDE for Windows provides full disk software encryption for Windows laptops and desktops. All data on the local drive is encrypted at the sector level, including any blank space on the drive. This fully managed solution includes mandatory, pre-boot authentication and AES-256 encryption. CREDANT’s network-aware pre-boot authentication allows the end user to access the system via an existing domain login. Administrators avoid the high overhead setup and maintenance of proprietary pre-boot user and administrator accounts.

• CREDANT FDE DriveManager technology fortifies the Seagate Momentus self-encrypting 2.5” hard drives with remote management, strong authentication, and extensive auditing and reporting features, thus allowing companies to more easily implement Seagate hardware encryption. FDE DriveManager can be configured during installation to run as a managed or unmanaged client.

Figure 3 - CREDANT Drive Manager

• CREDANT Protector offers fine-grained port control capabilities to organizations wishing to control data at the device or file level.

As business environments differ, so do the options CREDANT offers to secure critical data in those environments. All CREDANT solutions are designed to provide the most comprehensive security available for data stored on laptops, desktops, removable media and mobile devices. Each solution ensures mandatory authentication and provides industry-standard encryption so organizations can select a product or a combination of products that best fit their needs without having to go to multiple vendors. CREDANT’s broad range of solutions helps to keep corporate data secure while allowing users to focus on doing their jobs.


CREDANT Deployment Workflow

This section presents an overview of the tasks involved in deploying CREDANT data security products.

Phase 1: Environment Planning and Review

This phase of the deployment workflow involves a review of the organization’s current environment, including software deployment, client types, encryption requirements, and authentication methods. This environmental review is necessary to determine how the software will be deployed, which client types should be considered (software FDE, hardware FDE, file-based encryption, and/or removable media), the number of servers that are required, and what authentication methods will be used.

Phase 2: Server Software Installation

This phase involves the installation of the server software that will provide the management of the various endpoint encryption solutions. This process includes the creation of the database, which will be used to escrow the encryption keys, configuration of the authentication and directory systems, and the installation of the policy server. Most deployments include a single policy server, one active database and connectivity to Active Directory. Management is accomplished using either a web browser or Microsoft Management Console plugin.

Phase 3: Policy Definition

This phase involves the creation of the security policy. As customers tend to have a wide variety of encryption requirements, this part of the process helps ensure that those requirements are met. CREDANT works closely with the customer to build a policy that meets the growing number of government regulations and industry standards that require encryption. These might include HIPAA, PCI, SOX, and various Federal and State Breach Laws. The policies are designed to meet these requirements while having very little impact to the end user. Figure 4 shows the policy management interface:

Figure 4 - CREDANT Policy Definition

Phase 4: Client Installation

This phase of the deployment workflow involves the deployment of the client to the endpoint. There are several different client types to choose from, and in most cases the client can be deployed using the customer’s normal software delivery systems. After the client is deployed to the endpoint and activated, the encryption keys are created by the server, stored in the database, and passed to the client. The policies created in phase three are then consumed by the client and the encryption process takes place.

Figure 5 - Client Configuration Options


Figure 6 - Client Policy Configuration

Phase 5: Auditing and Reporting

This phase of the deployment workflow involves the installation and configuration of the Audit and Reporting tools. This involves the installation of software on the policy server, and the configuration of a connection to the database. The software has many pre-defined reports, as shown in Figures 7 and 8, but most customers will want to customize these reports to meet their individual needs. Reports are customized and then scheduled during this phase. Configuration of the audit and reporting system also includes role definition for auditors, and setting up reports to be emailed to various users.

Figure 7 - Per-Device Statistics in the Reporting Interface

Figure 8 - Predefined Reports

Phase 6: Data Lifecycle Protection with Cisco AnyConnect and RSA Endpoint DLP

CREDANT Mobile Guardian, Cisco AnyConnect VPN, and RSA Endpoint DLP together provide comprehensive protection of data at rest, in use, and in motion. Deployment and use of CREDANT Mobile Guardian is transparent, and works seamlessly when used with RSA DLP Endpoint and Cisco AnyConnect VPN.

Cisco AnyConnect provides a secure transmission pipe to protect information as it travels between enterprise environments and end users. Sensitive data stored on the user’s notebook hard drive is protected via CREDANT’s encryption solution. Data written to USB drives may be monitored and logged via RSA Endpoint DLP, and simultaneously encrypted with CREDANT’s USB encryption capabilities. To that end, administrators may set appropriate DLP Endpoint policies to log all transfer events to have a clear understanding of what is being written to external media, and CREDANT encryption policies to ensure that all data is encrypted on USB drives.

Taken together, these three solutions enable mobility while offering the highest degree of data security.

Products Verified with Cisco Smart Business Architecture

CREDANT Mobile Guardian Enterprise Server 6.7.0.188 and CREDANT Mobile Guardian Shield 6.7.0.1402 are validated across Cisco Smart Business Architecture with Cisco AnyConnect 2.5.0.217.


How to Contact Us

End Users

• Please contact CREDANT via http://www.credant.com/cisco for any questions.

• Submit an inquiry about CREDANT and the Cisco Smart Business Architecture—Borderless Networks for Enterprise Organizations.

Resellers

• Please contact CREDANT via http://www.credant.com/partners.html.


C07-608456-0302/12