Securing a Mobile Government
Bill McGee, Manager Security Solutions, Cisco
Government Solutions Conference, March 1, 2011
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

GSF 2011 Bill McGee 2-5 Securing Mobile Government

Jan 19, 2015


Transcript
1. Securing a Mobile Government
Bill McGee, Manager Security Solutions, Cisco
Government Solutions Conference, March 1, 2011
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

2. Cisco 3Q10 Threat Report (slide image)

3. Cisco Annual Security Report, December 2010 (slide image)

4. Agenda
- What's Happening: consumerization, mobility, virtualization, collaboration
- The Challenges We Face: the current environment and the evolving threats; regulatory requirements
- Strategies: a look at secure mobility solutions: AnyConnect Client, Cisco Virtual Office, TrustSec Access Control

5. (slide image, no text)

6. Survey figures
- 60%: Don't need to be in the office for work (10%)
- 66%: Would accept a lower-paying job for flexibility
- 45%: Would work an extra 2-3 hours a day if allowed to do so remotely
- 45% of IT staff: Unprepared to make workforces more mobile
- 57% of IT staff: Said security is the biggest challenge for a mobile workforce

7. Drivers
- Economic Uncertainty: governments of all sizes are looking to maximize investment while reducing costs
- Service Efficiency: 1.3 billion new networked mobile devices in the next three years, impacting communications and service delivery
- Citizen Experience: increasing citizen expectations: from Agent to Self Service; from 9 to 5 to 24/7; Anyone, Anything, Anywhere, Anytime

8. Changing IT Environment. New Security Challenges.
- Mobile Computing (explosive growth): 462 M new devices per year; 1.2 B mobile users
- Collaboration and Social Media (content rich, real time): 175 M Twitter users; 500 M+ Facebook users; 4X video traffic by 2014
- Virtualization and Cloud (agility, cost savings): most new servers virtual; 40% plan a move to cloud; cloud computing services to grow to $44 B by 2013

9. Remote Access Requirements Vary Greatly by User, Location, Desktop and Other Criteria
- Mobile Worker: access from various devices (e.g., kiosks, PDAs, netbooks, laptops); requires the greatest flexibility to accommodate diverse devices and locations; complex support issues
- Disaster Recovery: unmanaged desktop; access requirements vary widely; security/access is critical
- Supply Partner: requires limited access to corporate resources
- Teleworker: requires consistent LAN-like performance
- Contractor, Temp: access requirements vary greatly; unmanaged or managed computers; access needs to be limited

10. (slide image, no text)

11. Cisco Connected World Report, Fall 2010 (slide image)

12. Questions
- How do I manage multiple devices?
- How do I manage a workforce in motion?
- Where do I make policy decisions?
- Where and how do I enforce policy?
- How do I ensure consistency?
- How can I scale this across my distributed network?

13. Common Regulatory Requirements
- Control access to information, applications, records, etc.
- Control ingress/egress of data
- Ensure privacy for groups and individuals
- Segment certain classes of users
- Control access to devices, servers, and management platforms by both users and devices
- Manage and inventory IP-enabled devices, and control their behavior based on policy
- Enforce access policy beyond the ingress point
- Monitor, record, and audit users and devices

14. Service Efficiency; Citizen Experience; Safety and Security

15. Government Service Efficiency: Borderless Mobility Delivers
- Integrated communications increase the speed of decision making by improving collaboration and access to the right people at the right time
- Replacing legacy systems reduces ongoing costs
- Improves worker flexibility and productivity by eliminating the requirement to be in the office for many job functions

16. Citizen Experience: Borderless Mobility Delivers
- Citizen interaction tailored to communicate effectively and provide services more efficiently
- Reduced time for question/issue resolution
- Scale unique employee capabilities via virtual experts
Scenario: a citizen contacts the city for inspection approval; presence helps find an inspector to sign off on the permit so the business can open; the business can open to customers.

17. Safety and Security: Borderless Mobility Delivers
- Facilitated collaboration during incidents improves information and decision processes and accelerates response
- IP-based video sharing enables efficient and more comprehensive situation analysis and response
- A secure, integrated communications network enables all systems to interoperate and maintain situational awareness
Scenario: a citizen captures a video of a situation and sends it to emergency services; local control relays information and video to first responders; a coordinated response addresses the incident and minimizes disruption.

18. National cybersecurity awareness campaign
- Help educate everyone
- Tools and content to drive security awareness
- www.stopthinkconnect.org

19. (slide image, no text)

20. The World as We Knew It: managed devices. The World Today: managed devices and un-managed devices.

21. Secure network connection and communication from endpoint devices; move security enforcement closer to the user
AnyConnect Secure Mobility Client 3.0:
- Unified access interface for SSL-VPN, IPsec and 802.1X for LAN/WLAN
- MACsec / MKA data encryption in software
- ScanSafe mobile web security

22. Network and Security Follows User: It Just Works (corporate office, mobile user, home office)
- Broad Mobile Support: fixed and semi-fixed platforms; mobile platforms
- Persistent Connectivity (wired, Wi-Fi, cellular/Wi-Fi): always-on connectivity; optimal gateway selection; automatic hotspot negotiation; seamless connection hand-offs
- Next-Gen Unified Security: user/device identity; posture validation; integrated web security (hybrid); clientless and desktop virtualization
- Secure, consistent access for always-on security: voice, video, apps, data

23. Architecture Overview
- AnyConnect Platform Architecture: AnyConnect user interface; management; head-ends; services interfaces; service provider integration
- Head-end devices: TrustSec and Cisco Medianet; wired switches and wireless controllers; NAC; ASA remote access; web security appliances; cloud web security; ISRs

24. (slide image, no text)

25. Flexible Workspaces
- Retaining employees and talent
- Ensuring employee satisfaction
- Increasing workforce productivity and efficiency
- Maintaining business continuity and disaster recovery
- Controlling the rising cost of real estate and overhead
- Managing and deploying mobile devices and infrastructure
- Maintaining security
- Supporting a variety of mobile devices

26. Corporate Office and Home Office: single phone line; wireless network; same secure application resource access

27. Cisco Virtual Office vs. Cisco Virtual Office Express
- Cisco Virtual Office: optimized for site-to-site resilient Unified Communications; full-featured management platform; services include UC, policy definition, identity and automated configuration push. Head-end VPN: Cisco ASR or ISR G2 at the corporate campus; Configuration Engine; AAA (ACS optional).
- Cisco Virtual Office Express: optimized for express deployment; services include Unified Communication, policy definition, identity, and automated configuration push. Head-end VPN: ISR G2 at the corporate campus; Cisco Manage Express Virtual Office (MEVO); AAA (ACS optional).

28. Remote site: Cisco Unified Phone 7900 Series; Cisco 800 Series Secure Wireless Router. Head-end site: Cisco Secure Router with VPN; Zero Touch Management.

29. Benefits
- Lowers real estate and overhead costs
- Increases productivity
- Enables business continuity planning
- Decreases carbon emissions
- Enables the next-generation workforce
- Helps meet compliance such as PCI

30. (slide image, no text)

31. What is on my network? Who is on my network? Where do they all want to go? How do I control all of this?

32. Non-Authenticating Devices; Non-Authorized Access; Guest Access
- Non-Authenticating Devices: How do I discover non-authenticating devices? Can I determine what they are? Can I control their access? Are they being spoofed?
- Non-Authorized Access: How can I restrict access to my network? Can I manage the risk of using personal PCs? Common access rights when on-premises, at home, on the road? Are endpoints healthy?
- Guest Access: Can I allow guests Internet-only access? How do I easily create a guest account? Can this work in wireless and wired? How do I monitor guest activities?

33. Identity; Other Conditions; Authorization (Controlling Access)
- Identity: Vicky Sanchez, Employee, Marketing (Group: Full-Time Employee; wireline; 3 p.m.); Frank Lee, Guest (Group: Guest; wireless; 9 a.m.); Francois Didier, Consultant, HQ Strategy (Group: Contractor; remote access; 6 p.m.); Security Camera G/W, agentless asset (MAC: F5 AB 8B 65 00 D4)
- Other conditions: time and date; posture; location; device type; access type
- Authorization: Broad Access; Limited Access; Guest/Internet; Quarantine; Deny Access; Track Activity for Compliance

34. Differentiated Access
- Users and endpoints: remote/mobile workers (AnyConnect with 802.1X); guests; users and devices (NAC Agent); non-user devices
- Centralized policy (ISE): centralized policy creation; policy distribution and control; monitoring and troubleshooting; device profiling; guest services; posture assessment; client management; directory service
- Enforcement: identity-based firewall (ASA); wireless and 802.1X switch-based authentication on the Cisco campus network (Catalyst switch); enforced identity policy; MACsec encryption hop-by-hop; data inspection; Security Group Tagging; security-group-based enforcement (Nexus 7000 switch); virtual data center; protected resources; Internet

35. With a Cisco TrustSec solution in place, organizations are able to:
- Secure Access: provide a unified access policy for wired, wireless, and VPN connections; provide role-based access for any user or group; provide self-service guest access
- Secure Endpoints: enforce device health through posture assessment; secure communications between endpoints and the network
- Secure Network Resources: tag data and enforce policy using Secure Group Access; secure access to and between data center resources (static and virtual); ensure switch-to-switch data security using MACsec encryption

36.
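The slide-33 decision table (identity plus time, posture, location, device type and access type leading to an authorization result) and the slide-34/35 flow (a centralized policy decision turned into a Security Group Tag that switches and firewalls enforce beyond the ingress point) are easier to reason about as code. The block below is an added illustration written for this page; it is not code from the presentation, from Cisco ISE or from TrustSec, and it does not use their configuration syntax. The four principals and the camera MAC are taken from the slide; everything else (the Session and Decision types, the authorize and sgacl_permits functions, the first-match rule order, the business-hours window, the posture and location values, the SGT numbers and the RESOURCE_SGT/SGACL_PERMIT tables) is assumed for the example.

```python
"""Identity-plus-context authorization with security-group enforcement.

Added illustration of the slide-33 decision table and the slide-34/35
TrustSec flow. The four principals and the camera MAC come from the deck;
every rule, SGT number and resource tag below is an assumption made for
the example, not Cisco ISE/TrustSec configuration syntax.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Session:
    """What the access point (802.1X switch, wireless controller, VPN head-end) learns."""
    user: Optional[str]      # None for agentless / non-user devices
    group: str               # Full-Time Employee, Guest, Contractor, Agentless Asset
    access_type: str         # wireline, wireless, remote-access
    location: str            # HQ, home, road
    at: time                 # time of day the session starts
    posture: str             # compliant, non-compliant, unknown (no agent)
    mac: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    outcome: str             # Broad Access, Limited Access, Guest/Internet, Quarantine, Deny Access
    sgt: int = 0             # Security Group Tag carried with the traffic (0 = untagged / denied)
    track: bool = False      # "Track Activity for Compliance"
    reason: str = ""


BUSINESS_HOURS = (time(7, 0), time(19, 0))               # assumed window for contractors
KNOWN_ASSETS = {"F5:AB:8B:65:00:D4": "security-camera"}  # profiled agentless devices (assumed)


def in_business_hours(t: time) -> bool:
    return BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]


def authorize(s: Session) -> Decision:
    """First-match rule list, evaluated top down like an ISE authorization policy."""
    # Agentless assets cannot run a posture agent: identify them by profiling (MAC),
    # pin them to the access type they were profiled on so a spoofed MAC on
    # wireless does not inherit the camera's access, and keep them on a limited group.
    if s.group == "Agentless Asset":
        asset = KNOWN_ASSETS.get((s.mac or "").upper())
        if asset is None:
            return Decision("Deny Access", reason="unknown MAC, not a profiled asset")
        if s.access_type != "wireline":
            return Decision("Deny Access", reason=f"{asset} must be wired; possible MAC spoof")
        return Decision("Limited Access", sgt=40, reason=f"profiled {asset}")
    # A failed health check trumps who you are: remediation network only.
    if s.posture == "non-compliant":
        return Decision("Quarantine", sgt=99, reason="posture assessment failed")
    if s.group == "Full-Time Employee":
        if s.posture == "compliant" and s.access_type in ("wireline", "wireless"):
            return Decision("Broad Access", sgt=10, reason="healthy managed device on premises")
        return Decision("Limited Access", sgt=20, track=True, reason="employee remote or posture unknown")
    if s.group == "Contractor":
        if not in_business_hours(s.at):
            return Decision("Deny Access", reason="contractors only during business hours")
        return Decision("Limited Access", sgt=30, track=True, reason="contractor; activity tracked")
    if s.group == "Guest":
        return Decision("Guest/Internet", sgt=50, reason="self-service guest, Internet only")
    return Decision("Deny Access", reason="no matching rule")


# Enforcement beyond the ingress point: the switch or firewall sees only the SGT,
# not the user, and consults a security-group ACL matrix (values assumed).
RESOURCE_SGT = {"hr-database": 100, "internet": 200, "remediation": 300, "video-recorder": 400}
SGACL_PERMIT = {
    (10, 100), (10, 200),   # employees on premises: internal data and Internet
    (20, 200), (30, 200),   # remote employees and contractors: Internet only
    (50, 200),              # guests: Internet only
    (40, 400),              # cameras: only the video recorder
    (99, 300),              # quarantined: remediation only
}


def sgacl_permits(src_sgt: int, resource: str) -> bool:
    """True if traffic tagged src_sgt may reach the named resource; untagged (0) never matches."""
    return (src_sgt, RESOURCE_SGT[resource]) in SGACL_PERMIT


# Sample sessions constructed from slide 33 (posture and location values are assumed).
VICKY = Session("Vicky Sanchez", "Full-Time Employee", "wireline", "HQ", time(15, 0), "compliant")
FRANK = Session("Frank Lee", "Guest", "wireless", "HQ", time(9, 0), "unknown")
FRANCOIS = Session("Francois Didier", "Contractor", "remote-access", "road", time(18, 0), "compliant")
CAMERA = Session(None, "Agentless Asset", "wireline", "HQ", time(0, 0), "unknown", mac="F5:AB:8B:65:00:D4")
SPOOFED_CAMERA = Session(None, "Agentless Asset", "wireless", "HQ", time(2, 0), "unknown", mac="f5:ab:8b:65:00:d4")
QUARANTINED = Session("Vicky Sanchez", "Full-Time Employee", "wireline", "HQ", time(15, 0), "non-compliant")

if __name__ == "__main__":
    for s in (VICKY, FRANK, FRANCOIS, CAMERA, SPOOFED_CAMERA, QUARANTINED):
        d = authorize(s)
        print(f"{s.user or s.mac:<20} {d.outcome:<15} sgt={d.sgt:<3} track={d.track} ({d.reason})")
        print("    may reach hr-database:", sgacl_permits(d.sgt, "hr-database"))
```

Two design points worth noticing: the quarantine rule sits above every identity rule, so a non-compliant endpoint is remediated regardless of who is logged in, and the enforcement function never sees a username, only the tag, which is what lets a Nexus or ASA apply the same policy whether the user came in over wired, wireless or VPN.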
(slide image, no text)

37. Three questions
1. Do I have a consistent access policy architecture across my network for all users and devices? Does my wireless network provide pervasive, reliable and scalable coverage to support new mobile devices? Can I manage my wired and wireless networks together? Can my network provide guest access?
2. Can my network deliver real-time collaboration experiences? Can I deliver video and collaboration across any network?
3. Can mobile devices access my network securely, reliably and seamlessly? Can my wireless network proactively mitigate the impact of wireless interference? Can I ensure security for mobile devices like the Cius, iPad, iPhone, BlackBerry and Android?

38. Enable Borderless Experiences: the RIGHT user, the RIGHT device, from ANY location, at ANY time. Securely, reliably, seamlessly.

39. Summary
- Always-on connectivity with mobile devices that you may not procure
- Attacks targeting your users, exploiting trust and in policy actions
- Collaboration and social media as the new communication tools
- The ongoing need for education and awareness

40. Resources
- www.stopthinkconnect.org/
- www.cisco.com/go/fedsecurity
- www.cisco.com/security
- www.cisco.com/go/security
- www.cisco.com/go/designzone
Bill McGee, [email protected]

41. Thank you.