CREDANT Data Security Partner Guide
Revision: H2CY10
Using this Data Security Partner Guide
This document is for the reader who:
• Has read the Cisco Smart Business Architecture (SBA) for Government Large Agencies—Borderless Networks Design Overview and the Cisco Data Security Deployment Guide
• Wants to connect Borderless Networks to a CREDANT data security endpoint solution
• Wants to gain a general understanding of the CREDANT data security endpoint solution
• Has a level of understanding equivalent to a CCNA® certification
• Wants to prevent sensitive data, including intellectual property and customer data, from leaving the organization without protection
• Wants to solve data security compliance and regulatory problems
• Is mandated to implement data security policies
• Wants the assurance of a validated data security solution
Related Documents
Before reading this guide:
• Design Overview
• Internet Edge Deployment Guide
• Internet Edge Configuration Guide
• Data Security Deployment Guide
[Figure: SBA for Large Agencies document system. Design Guides: Design Overview. Deployment Guides: Foundation Deployment Guides, Data Security Deployment Guide, Internet Edge Deployment Guide, Internet Edge Configuration Guide, Network Management Guides. Supplemental Guides: CREDANT Data Security Partner Guide (You are Here).]
Table of Contents
Overview of Cisco Borderless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Agency Benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
CREDANT Product Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
CREDANT Deployment Workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
How to Contact Us. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Appendix A: SBA for Large Agencies Document System. . . . . . . . . . . . . . . . . . 7
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS
DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL
OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY
DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes
only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.
Overview of Cisco Borderless Networks
The Cisco SBA for Large Agencies—Borderless Networks offers partners and customers valuable network design and deployment best practices; helps agencies to deliver superior end-user experiences using switching, routing, security and wireless technologies; and includes comprehensive management capabilities for the entire system. Customers can use the guidance provided in the architecture and deployment guides to maximize the value of their Cisco network in a simple, fast, affordable, scalable and flexible manner.
Figure 1. CREDANT Data Security Integrated into the SBA for Large Agencies—Borderless Networks
Modular design means that technologies can be added when the organization is ready to deploy them. Figure 1 shows how the CREDANT data security solution integrates into the Borderless Networks architecture.
This guide is part of a comprehensive data security system designed to solve agencies’ operational problems, such as protecting intellectual property and sensitive customer information assets, and meeting compliance requirements. The guide focuses on Cisco’s partnership with CREDANT Technologies to deliver affordable endpoint encryption as a part of Cisco’s broader data security system.
Overview of Cisco Borderless Networks
1
Agency Benefits
The globalization of information has forever changed the security landscape. Information is exchanged in less than a millisecond. Financial services companies process transactions involving billions of customer financial records. Healthcare providers store and access information on life-threatening illnesses and confidential patient records. For better or worse, our new, more digitized world exposes sensitive corporate, personal, and employee data to loss or theft at the corporate endpoint. As a result of this profound shift in computing, the regulatory and compliance landscape has evolved as fast as the technological landscape.
In the United States, Canada, and Europe, national regulatory standards increasingly supplement local reforms as the government pressures industries and businesses of all sizes to protect consumers’ personal information. In many cases, the penalties for non-compliance can be crippling. No organization is exempt from data tampering. And without proper measures, none can escape the risk of fines, loss of reputation, or possible bankruptcy.
Data encryption isn’t just a best practice. It is an imperative for survival in the global, digitized marketplace. Companies failing to meet their compliance requirements and adequately protect against a data breach face fines and other costs extending into the tens of millions of dollars. Yet every organization is unique. The right combination of data encryption solutions must be defined by the existing infrastructure, regulatory requirements and agency practices. By partnering with Cisco and CREDANT, agencies can begin to adopt a holistic approach to data security—encrypting data on the network, at the gateway, via VPN, or at rest at the endpoint.
Protecting sensitive information is critical, and with CREDANT, agencies gain flexibility in how they choose to protect sensitive information. Encryption technology is built on well-established standard algorithms, but the solutions built on that technology include a variety of software- and hardware-based encryption options to meet different operational needs.
As there is a wide range of options to secure critical data, there is also a wide range of criteria to consider when deciding how to best protect your agency. Power users or developers tend to be very sensitive to even the smallest impact on system performance. Less technically savvy end users will likely inundate the help desk with calls for assistance if they encounter a solution that forces them to change the way they work. Executives may carry more sensitive information than end users and thus require different security policies. Traveling employees naturally incur more risk of data loss, for a number of reasons, than do employees working on a desktop system in a secure office. These are just a few of the criteria that agencies must navigate when choosing the right solution or solutions for their operations.
CREDANT Product Overview
CREDANT offers both hardware and software encryption with centrally managed or unmanaged options, depending on your needs. All managed solutions include extensive reporting to satisfy compliance needs and to ease deployment and day-to-day use. Products can be mixed and matched to find an overall solution that best fits your needs:
• CREDANT Mobile Guardian provides software encryption and security for Windows or Mac OS X laptops and desktops, removable media, and PDAs and smartphones. Windows systems are protected with CREDANT’s Intelligent Encryption, and full disk encryption (FDE) is used to protect Mac computers. External media encryption is provided for both Windows and handhelds. Windows protection is available in both managed and unmanaged varieties.
• CREDANT FDE DriveManager technology fortifies the Seagate Momentus self-encrypting 2.5” hard drives with remote management, strong authentication, and extensive auditing and reporting features, thus allowing companies to more easily implement Seagate hardware encryption. FDE DriveManager can be configured during installation to run as a managed or unmanaged client.
Figure 2. CREDANT Mobile Guardian
Figure 3. CREDANT Drive Manager
• CREDANT Protector offers fine-grained port control capabilities to agencies wishing to control data at the device or file level.
• CREDANT FDE for Windows provides full disk software encryption for Windows laptops and desktops. All data on the local drive is encrypted at the sector level, including any blank space on the drive. This fully managed solution includes mandatory pre-boot authentication and AES-256 encryption. CREDANT’s network-aware pre-boot authentication allows the end user to access the system via an existing domain login. Administrators avoid the high overhead of setting up and maintaining proprietary pre-boot user and administrator accounts.
As operational environments differ, so do the options CREDANT offers to secure critical data in those environments. All CREDANT solutions are designed to provide the most comprehensive security available for data stored on laptops, desktops, removable media and mobile devices. Each solution ensures mandatory authentication and provides industry-standard encryption so agencies can select a product or a combination of products that best fit their needs without having to go to multiple vendors. CREDANT’s broad range of solutions helps to keep corporate data secure while allowing users to focus on doing their jobs.
CREDANT Deployment Workflow
This section presents an overview of the tasks involved in deploying CREDANT data security products.
Phase 1: Environment Planning and Review
This phase of the deployment workflow involves a review of the organization’s current environment, including software deployment, client types, encryption requirements, and authentication methods. This environmental review is necessary to determine how the software will be deployed, which client types should be considered (software FDE, hardware FDE, file-based encryption, and/or removable media), the number of servers that are required, and what authentication methods will be used.
Phase 2: Server Software Installation
This phase involves the installation of the server software that will provide the management of the various endpoint encryption solutions. This process includes the creation of the database, which will be used to escrow the encryption keys, configuration of the authentication and directory systems, and the installation of the policy server. Most deployments include a single policy server, one active database and connectivity to Active Directory. Management is accomplished using either a web browser or a Microsoft Management Console plug-in.
Phase 3: Policy Definition
This phase involves the creation of the security policy. As customers tend to have a wide variety of encryption requirements, this part of the process helps ensure that those requirements are met. CREDANT works closely with the customer to build a policy that meets the growing number of government regulations and industry standards that require encryption. These might include HIPAA, PCI, SOX, and various Federal and State Breach Laws. The policies are designed to meet these requirements while having very little impact to the end user. Figure 4 shows the policy management interface:
Figure 4. CREDANT Policy Definition
Phase 4: Client Installation
This phase of the deployment workflow involves the deployment of the client to the endpoint. There are several different client types to choose from, and in most cases the client can be deployed using the customer’s normal software delivery systems. After the client is deployed to the endpoint and activated, the encryption keys are created by the server, stored in the database, and passed to the client. The policies created in phase three are then consumed by the client and the encryption process takes place.
Figure 5. Client Configuration Options
Figure 6. Client Policy Configuration
Phase 5: Auditing and Reporting
This phase of the deployment workflow involves the installation and configuration of the Audit and Reporting tools. This involves the installation of software on the policy server, and the configuration of a connection to the database. The software has many pre-defined reports, as shown in Figures 7 and 8, but most customers will want to customize these reports to meet their individual needs. Reports are customized and then scheduled during this phase. Configuration of the audit and reporting system also includes role definition for auditors, and setting up reports to be emailed to various users.
Figure 7. Per-Device Statistics in the Reporting Interface
Figure 8. Predefined Reports
Phase 6: Data Lifecycle Protection with Cisco AnyConnect and RSA Endpoint DLP
CREDANT Mobile Guardian, Cisco AnyConnect VPN, and RSA Endpoint DLP together provide comprehensive protection of data at rest, in use, and in motion. Deployment and use of CREDANT Mobile Guardian is transparent, and works seamlessly when used with RSA DLP Endpoint and Cisco AnyConnect VPN.
Cisco AnyConnect provides a secure transmission pipe to protect information as it travels between agency environments and end users. Sensitive data stored on the user’s notebook hard drive is protected via CREDANT’s encryption solution. Data written to USB drives may be monitored and logged via RSA Endpoint DLP, and simultaneously encrypted with CREDANT’s USB encryption capabilities. To that end, administrators may set appropriate DLP Endpoint policies to log all transfer events, to have a clear understanding of what is being written to external media, and CREDANT encryption policies to ensure that all data is encrypted on USB drives.
Taken together, these three solutions enable mobility while offering the highest degree of data security.
Products Verified with Cisco SBA
CREDANT Mobile Guardian Enterprise Server 6.7.0.188 and CREDANT Mobile Guardian Shield 6.7.0.1402 are validated across Cisco SBA with Cisco AnyConnect 2.5.0.217.
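The auditing described in Phase 5 (per-device statistics) and the combination in Phase 6 of DLP transfer logging with a removable-media encryption policy come together in one practical check: which USB transfer events landed on a volume that the encryption agent does not report as encrypted. The following is an added example, not code from this guide, CREDANT or RSA; the event-line format, the host names, the volume serials and the status feed are all constructed for the illustration and do not represent either product's real export format. Unknown volumes are deliberately treated as unencrypted so that a gap in the status feed fails closed.

```python
"""Correlate removable-media transfer events with encryption status.

Added example. The event line format and the status feed are constructed
for this illustration; they are not RSA DLP Endpoint or CREDANT export formats.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed DLP transfer-event lines: timestamp, host, user, volume serial,
# file name and byte count. One malformed line is included on purpose.
DLP_EVENTS = """\
2010-11-02T09:14:03Z host=LT-1042 user=jdoe vol=7A3F-11C0 file=q3-forecast.xlsx bytes=482311
2010-11-02T09:15:40Z host=LT-1042 user=jdoe vol=7A3F-11C0 file=board-deck.pptx bytes=9120004
2010-11-02T10:02:17Z host=LT-2210 user=asmith vol=0C91-E7B2 file=patients.csv bytes=2204811
2010-11-02T10:05:55Z host=LT-2210 user=asmith vol=0C91-E7B2 file=notes.txt bytes=1822
2010-11-02T11:30:09Z host=LT-3301 user=mlee vol=5D5D-AAAA file=photo.jpg bytes=3300120
this line is malformed and must be skipped
"""

# Constructed encryption-status feed: volume serial -> whether the endpoint
# encryption agent reports the removable volume as policy-encrypted.
ENCRYPTION_STATUS = {
    "7A3F-11C0": True,
    "0C91-E7B2": False,
    # 5D5D-AAAA is deliberately absent: an unknown volume is treated as unencrypted.
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) vol=(?P<vol>\S+) "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class TransferEvent:
    ts: str
    host: str
    user: str
    vol: str
    file: str
    size: int


def parse_events(text):
    """Parse transfer-event lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append(TransferEvent(m["ts"], m["host"], m["user"], m["vol"],
                                    m["file"], int(m["bytes"])))
    return events


def is_encrypted(vol, status):
    """Fail closed: only a volume explicitly reported as encrypted counts."""
    return status.get(vol, False)


def unencrypted_transfers(events, status):
    """Events whose destination volume is not known to be encrypted."""
    return [e for e in events if not is_encrypted(e.vol, status)]


def per_device_summary(events, status):
    """Per-host totals: event count, bytes written, and bytes written to unencrypted media."""
    summary = defaultdict(lambda: {"events": 0, "bytes": 0, "unencrypted_bytes": 0})
    for e in events:
        s = summary[e.host]
        s["events"] += 1
        s["bytes"] += e.size
        if not is_encrypted(e.vol, status):
            s["unencrypted_bytes"] += e.size
    return dict(summary)


if __name__ == "__main__":
    evs = parse_events(DLP_EVENTS)
    for e in unencrypted_transfers(evs, ENCRYPTION_STATUS):
        print(f"ALERT {e.ts} {e.host} {e.user} wrote {e.file} "
              f"({e.size} bytes) to unencrypted volume {e.vol}")
    for host, s in sorted(per_device_summary(evs, ENCRYPTION_STATUS).items()):
        print(host, s)
```

Run stand-alone, the script flags the two transfers from LT-2210 (volume reported as unencrypted) and the one from LT-3301 (volume absent from the status feed), and prints a per-host summary of the kind a scheduled report in Phase 5 would carry. The fail-closed lookup in `is_encrypted` is the design choice that matters: a volume the encryption agent has never reported on should be treated as exposed, not as compliant.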
How to Contact Us
End Users
• Please contact CREDANT via http://www.credant.com/cisco for any questions.
• Submit an inquiry about CREDANT and the Cisco SBA for Large Agencies—Borderless Networks.
Resellers
• Please contact CREDANT via http://www.credant.com/partners.html.
Appendix A: SBA for Large Agencies Document System
[Figure: SBA for Large Agencies document system, reconstructed as a list.]
Design Guides:
• Design Overview
• IPv6 Addressing Guide
Deployment Guides:
• Foundation Deployment Guides: LAN Deployment Guide, LAN Configuration Guide, WAN Deployment Guide, WAN Configuration Guide, Internet Edge Deployment Guide, Internet Edge Configuration Guide, Wireless CleanAir Deployment Guide, Nexus 7000 Deployment Guide
• Network Management Guides: SolarWinds Deployment Guide
• SIEM Deployment Guide
• Data Security Deployment Guide
Supplemental Guides:
• ArcSight SIEM Partner Guide
• LogLogic SIEM Partner Guide
• nFx SIEM Partner Guide
• RSA SIEM Partner Guide
• Splunk SIEM Partner Guide
• CREDANT Data Security Partner Guide (You are Here)
• Lumension Data Security Partner Guide
Americas Headquarters
Cisco Systems, Inc.
San Jose, CA
Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore
Europe Headquarters
Cisco Systems International BV
Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word
partner does not imply a partnership relationship between Cisco and any other company. (1005R)
C07-640799-00 02/11