This section explores the steps Cisco is taking to come to a more mature Any Device architecture, including how Any Device has challenged traditional security norms, and the solutions Cisco has deployed in our network.
In implementing various Any Device solutions, Cisco focused on three scenarios:
• Remote access
• Internal access
• Desktop virtualization access
Remote Access from Any Device
Step 1: Proxy-Based Access from Any Device
The massive adoption of mobile smartphones over the past 5 years increased pressure on Cisco IT to allow access to corporate resources from devices such as Palm, Windows Mobile, Nokia, iPhone, Android, and others. Although offering this access had productivity benefits for Cisco, there were also significant risks (refer to sidebar: “Potential Any Device Risks”). Cisco opted for a pragmatic approach by delivering a controlled set of services—email and calendar—to mobile devices through proxy-based access. Users can choose their device, while Cisco enforces security policies that maximize data security and confidentiality. For example, users must configure and enter a four-digit PIN to access their email or calendar. Ten failed attempts lock the service, and the connection times out after 10 minutes of inactivity. And if a smartphone is lost or stolen, the worker simply calls the Cisco Helpdesk representative, who can issue a wipe command to the device.
Although this approach may not be foolproof, choosing not to offer this solution would have introduced even greater risks to the organization. Before this service was rolled out, mobile devices were already continually accessing the corporate network through a wireless LAN (WLAN), and some users chose access channels beyond corporate control, such as Yahoo IM and Gmail, so Cisco had virtually no control over its security posture. By enabling mobile mail access, Cisco provided users with an attractive access package, incorporating simple, but effective, access control. Cisco currently protects about 35,000 handheld devices through this mobile mail access. As Cisco offers new access to other corporate resources through smartphones, the security requirements will increase accordingly.
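The proxy-side controls described in Step 1 (four-digit PIN, lockout after ten failed attempts, a 10-minute inactivity timeout, and a helpdesk-issued wipe) form a small access-control state machine. The following Python model is an added illustration, not Cisco's code: the policy values come from the text, while the record layout, function names and the use of a caller-supplied clock are assumptions made so the logic can be exercised deterministically.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Policy values as stated in the text; the names are assumptions.
PIN_LENGTH = 4
MAX_FAILED_ATTEMPTS = 10
IDLE_TIMEOUT_SECONDS = 10 * 60


@dataclass
class DeviceRecord:
    """Proxy-side state for one enrolled handheld (constructed model)."""
    user: str
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    wiped: bool = False
    last_activity: Optional[float] = None  # None means no active session


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a four-digit PIN is never stored or compared in the clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def enroll(user: str, pin: str) -> DeviceRecord:
    """User configures the PIN required by policy before mail/calendar access."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        raise ValueError("PIN must be exactly four digits")
    salt = os.urandom(16)
    return DeviceRecord(user=user, salt=salt, pin_hash=_hash_pin(pin, salt))


def unlock(rec: DeviceRecord, pin: str, now: float) -> str:
    """PIN entry. Returns 'ok', 'denied', 'locked' or 'wiped'."""
    if rec.wiped:
        return "wiped"
    if rec.locked:
        return "locked"
    if hmac.compare_digest(_hash_pin(pin, rec.salt), rec.pin_hash):
        rec.failed_attempts = 0          # success resets the counter
        rec.last_activity = now          # opens a session
        return "ok"
    rec.failed_attempts += 1
    if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
        rec.locked = True                # tenth failure locks the service
        return "locked"
    return "denied"


def request(rec: DeviceRecord, now: float) -> str:
    """Gate one mail/calendar request on an open session and the idle timeout."""
    if rec.wiped:
        return "wiped"
    if rec.locked:
        return "locked"
    if rec.last_activity is None or now - rec.last_activity > IDLE_TIMEOUT_SECONDS:
        rec.last_activity = None         # session expired; PIN required again
        return "expired"
    rec.last_activity = now
    return "ok"


def helpdesk_wipe(rec: DeviceRecord) -> None:
    """Lost or stolen device: the helpdesk marks it wiped and all access stops."""
    rec.wiped = True
    rec.last_activity = None
```

Keeping the counter and the timeout on the proxy rather than on the handset is what lets the policy hold for any device the user chooses, since the enforcement point is one Cisco controls.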
Step 2: Full Remote Access from Any Device
After Cisco IT implemented the mobile mail services for handheld devices, it addressed upgrading and expanding remote access for all portable devices. Traditionally, remote workers with IT-provisioned laptops accessed the Cisco corporate network using VPNs. However, demand was increasing from workers who wanted to use a variety of Mac, Windows, and Linux PCs, whether IT provisioned them or not. Further, the growing popularity of tablet PCs meant users of these devices also wanted remote access. These requests posed a significant challenge to the Cisco security paradigm of IT-controlled assets.
As a result, Cisco introduced the concept of a “trusted device.” A trusted device can be any type of device, but it must adhere to a certain security baseline to obtain full remote access to the corporate network. Cisco defines a trusted device using the following architectural principles:
• Device security posture assurance: Cisco must be able to identify unique devices when they enter the corporate network and link them to a specific user, as well as control the security posture of devices used to connect to corporate services. This capability is a critical one for Cisco incident-management teams.
• User authentication and authorization: Cisco requires corporate users to be authenticated. Authentication identifies users while preventing unauthorized access to user credentials. In addition, Cisco prevents the authentication of terminated workers and denies them access to corporate assets and data.
• Secure data storage: Activities used for corporate services (for example, reading email, accessing documents, or collaborating using the Cisco Quad™ enterprise collaboration platform) must secure any data stored locally on the device. Users should be able to access and store data on the device without the risk of leaving corporate data behind, a situation that could lead to unauthorized access.
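The three principles above combine into a single admission decision: is this device, presented by this user, trusted enough for full remote access? The Python below is an added example and not Cisco's implementation; the posture attributes it checks (disk encryption, screen lock, patch level), the directory layout and the function names are assumptions chosen to show how the principles translate into an evaluation that reports every failed condition rather than stopping at the first.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed baseline attributes; the text names the principles, not the values.
# disk_encrypted covers the "secure data storage" principle.
REQUIRED_POSTURE = {"disk_encrypted": True, "screen_lock": True, "patched": True}


@dataclass
class DeviceClaim:
    """What the connecting device reports about itself (constructed model)."""
    device_id: str
    posture: Dict[str, bool]


@dataclass
class Directory:
    """Constructed stand-in for the identity and device registry."""
    users: Dict[str, str]          # user -> "active" or "terminated"
    device_owner: Dict[str, str]   # registered device_id -> owning user


def evaluate_trusted_device(claim: DeviceClaim, presented_user: str,
                            directory: Directory) -> Tuple[bool, List[str]]:
    """Return (admitted, reasons); reasons is empty only when admitted."""
    reasons: List[str] = []

    # User authentication and authorization: unknown or terminated users
    # are denied regardless of the device they arrive on.
    status = directory.users.get(presented_user)
    if status is None:
        reasons.append("unknown user")
    elif status == "terminated":
        reasons.append("terminated user")

    # Device security posture assurance, part 1: the device must be uniquely
    # identified and linked to the user presenting it.
    registered_owner = directory.device_owner.get(claim.device_id)
    if registered_owner is None:
        reasons.append("unregistered device")
    elif registered_owner != presented_user:
        reasons.append("device linked to different user")

    # Device security posture assurance, part 2, and secure data storage:
    # every baseline attribute must be reported and satisfied.
    for attr, required in REQUIRED_POSTURE.items():
        if claim.posture.get(attr) != required:
            reasons.append(f"posture: {attr} not satisfied")

    return (not reasons, reasons)


def admission_log_line(claim: DeviceClaim, presented_user: str,
                       directory: Directory) -> str:
    """One record per decision, useful to incident-management teams."""
    admitted, reasons = evaluate_trusted_device(claim, presented_user, directory)
    verdict = "ADMIT" if admitted else "DENY"
    detail = ";".join(reasons) if reasons else "-"
    return f"{verdict} user={presented_user} device={claim.device_id} reasons={detail}"
```

Returning every reason rather than the first makes the decision auditable: an incident team can tell a device that merely fell behind on patches from one that is being presented by someone other than its registered owner.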
With so many users selecting their own mobile devices and attaching them to the corporate network, the network becomes vulnerable to security holes, putting IT and data assets at risk. Cisco AnyConnect™ Secure Mobility—which includes a VPN client, the Cisco Adaptive Security Appliances as a firewall and VPN head-end, and Cisco’s on-premise or cloud-based web security—answers this concern by providing an intelligent, transparent, and “always-on” connectivity experience with context-aware, comprehensive, and preemptive security policy enforcement, and secure mobility across today’s managed and unmanaged mobile devices (Figure 3).