<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Lippis Report &#187; mobile devices</title>
	<atom:link href="http://lippisreport.com/tag/mobile-devices/feed/" rel="self" type="application/rss+xml" />
	<link>http://lippisreport.com</link>
	<description>Resources for Network / IT Business Decision Makers</description>
	<lastBuildDate>Sat, 19 May 2012 17:36:06 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Lippis Report 144: Cloud Web Security Shifts To Content And Context Threat Detection</title>
		<link>http://lippisreport.com/2010/03/lippis-report-144-cloud-web-security-shifts-to-content-and-context-threat-detection/</link>
		<comments>http://lippisreport.com/2010/03/lippis-report-144-cloud-web-security-shifts-to-content-and-context-threat-detection/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 23:01:57 +0000</pubDate>
		<dc:creator>Nick Lippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2654</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>With all the investment in IT security over the years, one would think that threats would have subsided; but they have only increased and largely increased with exploits and iframes (redirection on a reputable website to infect its visitors) up…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>With all the investment in IT security over the years, one would think that threats would have subsided; but they have only increased, and increased largely, with exploits and iframes (redirection on a reputable website to infect its visitors) up by nearly a factor of 2000 over the past two years. This has resulted in an increase in data theft Trojans over the same period by a factor of 6000, according to the 2009 ScanSafe Global Threat Report, enriching hackers and cybercriminals. What’s driving this exploit growth is that hackers and cybercriminals are automating successful techniques for mass website infection. In addition, hackers increasingly collaborate, sharing best practices to infect websites for personal gain. In short, IT and business leaders are not confronting individual hackers, but a community of cybercriminals working together to steal corporate data, a community that is increasingly organized as a traditional business with suppliers, resellers and end users. And this community’s opportunities to attack individuals and corporations have only increased with the huge growth in mobile access and deep corporate reliance on web-based applications to automate business processes.</p>
<p><span id="more-2654"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/mguntrip.jpg" /><strong>Cloud Web Security For Zero Day Threat Defense  </strong></p>
<p><a href="/?lippis_pid=2649">Listen to the Podcast</a></p>
</div>
<p>IT leaders, especially those in small- to medium-sized companies, are at a disadvantage with limited and even decreased IT staff and capital budgets, making it difficult for them to keep up with an ever-increasing volume of threats and complex exploit profiles. To mitigate these fears and concerns, IT leaders have been turning to Cloud Web Security offerings by Cisco, BlueCoat, Websense, McAfee and others. While limited at first to URL filtering, Cloud Web Security is becoming sophisticated enough to identify threats by analyzing content on a contextual basis. Further, Cloud Web Security is in essence a SaaS offering affording on-premises and mobile threat defense by extending a corporate perimeter around its mobile workforce.</p>
<p>The Web has become fundamental to business and the overall economy. The use of the internet has evolved from a static research tool to a dynamic communication platform, with corporate revenue directly linked to Web availability. Second, Web access is wide and varied in terms of end-points used, be it desktops, laptops, netbooks, smartphones, kiosks, etc., and networks providing access such as corporate networks, broadband, WLAN, hotspots. From a security point of view, exploits infect corporate IT assets primarily through malicious content on web sites, email and blended email/web combinations. The Web will be used increasingly as the threat vector of choice by hackers and cybercriminals to distribute malware and perpetrate identity theft, financial fraud, and corporate espionage. As networks have become borderless, security vulnerabilities have increased by opening up doors or entry points that hackers can exploit, be those doors end-point devices, web sites, bad sections of web sites, applications, email, etc.</p>
<p>To mitigate these vulnerabilities, IT leaders have deployed Web Security services in their enterprises in an effort to control which web sites employees access. But with the huge growth of laptops and smartphones, Cloud Web Security has been introduced beyond the corporate perimeter to protect all users and mobile devices too. Cloud Web Security threat prevention is getting much smarter by incorporating both content analysis and context, offering a powerful defense against zero-day exploits for all users regardless of location.</p>
<div class="pod_rel">
<p class="pod_p">Annual Global Threat Report 2009</p>
<p><a class="pdf_icon" href="/?lippis_pid=2650">Get the White Paper</a></p>
</div>
<p><strong>Cisco ScanSafe</strong></p>
<p>To make these points, I focus on Cisco’s Cloud Web Security offering through their acquisition of ScanSafe. Prior to Cisco’s acquisition of ScanSafe, IDC’s “Worldwide Web Security 2009-2013 Forecast and 2008 Vendor Shares” ranked it as the worldwide market leader with over 30% share, with Websense in second place at 7%. ScanSafe’s suite of services includes <a href="http://www.scansafe.com/security">Web Malware Scanning</a>, Web Filtering and Anywhere+ for roaming user protection. Unlike other solutions, which rely on URL databases and signatures to filter and identify malicious sites, ScanSafe, through its Outbreak Intelligence engine, scans all Web requests in real time, so IT leaders receive comprehensive protection from all threats, including threats that appear before an anti-virus signature is available – and that’s a huge advantage.</p>
<div class="pod_rel">
<p class="pod_p">ScanSafe Web Security</p>
<p><a class="pdf_icon" href="/?lippis_pid=2652">Get the White Paper</a></p>
</div>
<p>What’s unique about Cisco ScanSafe is the sheer volume of data &#8211; billions of web requests daily &#8211; it processes for threat identification. The visibility gained from ScanSafe is also fed into Cisco’s Security Intelligence Operations (SIO), which incorporates data from IntelliShield, SensorBase and the huge footprint of participating Cisco customers who have opted in to send their IPS appliance security data to SIO, creating the largest threat collection network on the planet. SIO’s broad threat collection and exploit mitigation dissemination will only increase the accuracy of the entire Cisco security portfolio, including ScanSafe.</p>
<div class="pod_rel">
<p class="pod_p">Web 2.0wned: A history of malware on the Web</p>
<p><a class="pdf_icon" href="/?lippis_pid=2754">Get the White Paper</a></p>
</div>
<p>Since ScanSafe is a Cloud Web Security service consisting of over 15 data centers deployed across the world, access is independent of geographic location.  In essence a user connecting to the Web will have their traffic pass through one of ScanSafe’s data centers.  In the ScanSafe data center the requested Web page is split into its basic components such as Java, PDF, Windows EXE, etc., and scanned within an analysis engine called Outbreak Intelligence for zero-day exploits via twenty-six specialized scanlets. The output of the scanlets is processed by a meta scanner that processes contextual information to decide if the content should be blocked or allowed to pass.  This process of content scanning takes less than 5ms assuring user performance is not impeded.  What’s impressive about ScanSafe is its scale.  It sees billions of web requests per day and all of this scanning and filtering of traffic is captured within Outbreak Intelligence that provides real time harvesting of data that allows it to identify and stop an exploit well before anti-virus vendors can produce a signature and propagate it to their customers.</p>
<p><strong>Signature Defense Is Not An Effective Zero Day Threat Mitigation Technique</strong><br />
For example, during the Zeus Botnet and Gumblar exploit, ScanSafe was blocking these exploits from propagating to clients well before anti-virus firms developed and distributed a signature. This lapse of time between exploit identification, signature development and mitigation is reduced to zero in ScanSafe’s Outbreak Intelligence, offering a much better approach to defense. Consider Gumblar, which first spiked near the 16th of April 2009 and took anti-virus vendors nearly a week to develop a signature, all the while ScanSafe was blocking it from clients. After anti-virus vendors released a Gumblar signature, Gumblar traffic did indeed decline, but the hacker modified his/her exploit and near the 23rd of April Gumblar spiked again, forcing the anti-virus vendors to identify it, analyze it, write a new signature and finally distribute it. During this time ScanSafe had been blocking the mutated Gumblar from its clients. This cycle continued for nearly six weeks starting from threat outbreak and included four hacker mutations and subsequent signatures until the anti-virus vendors delivered consistent protection.</p>
<p>The above is an example of ScanSafe’s ability to detect and block exploits at scale. The more content ScanSafe’s data centers scan, the smarter its Outbreak Intelligence gets. This is important for two reasons. First, in this market the suppliers with the largest market share are rewarded with the greatest visibility into exploits and thus offer the quickest and most potent defenses. Thus, with its dominant share, ScanSafe has a level of threat visibility that allows it to accurately and quickly mitigate exploits. Second, since ScanSafe is a cloud-based service, it can deliver a solution for on-premise and mobile users quickly and easily. This combination is not only powerful for large enterprises but for small- to medium-sized businesses as well, where IT skills and capital constraints had precluded them from offering the same protections as larger firms, until now. In fact, the small to medium enterprise (SME) market can offer its employees the same level of protection as large enterprises when using ScanSafe.</p>
<p>ScanSafe’s data centers not only offer scale of processing but fault tolerance and redundancy are built into their design so that in the case of a data center outage, the data center that’s nearest in proximity is equipped with enough capacity to support all users without negatively impacting performance.  ScanSafe has a track record of 100% availability over the past 7 years.  For traveling mobile users their protection follows them anywhere in the world.  For example a traveling mobile worker may deplane in Singapore connecting to the ScanSafe Singapore data center, but upon arrival in the U.K. the London data center will service this mobile user so that his/her policy is consistent worldwide while performance is maximized.   </p>
<p><strong>Reporting Is A Key ScanSafe Differentiator</strong></p>
<p>ScanSafe reporting is arguably the most detailed in the market at analyzing web security threats and offers depth unattainable by enterprise systems thanks to its position in the cloud. There are over 5000 customizable reports with 75 reporting attributes and 11 categories with comprehensive drill downs. This reporting flexibility allows administrators to define important data too. There are virtually no report design restraints, offering great insight and visibility into web activity. The reports are based on a data warehouse infrastructure providing cumulative, trending and forensic reports that are processed and maintained by ScanSafe’s storage, compute and network infrastructure. Its reporting is SaaS-based, meaning that IT leaders do not need to purchase or run reporting software on-premise. Reporting is key as IT leaders are provided with visibility for both on-premise and off-premises Web usage, offering them tools for charge back, forensics, application planning, etc.</p>
<p><strong>Consistent or Different Policy </strong></p>
<p>Policy is an enabler for IT leaders to gain control over Web use by in-office and mobile workers. ScanSafe delivers IT leaders control knobs over content such as URL filtering, dynamic classifications of websites, end-user education through threat labeling of search engine results before employees click on links, plus other traditional policy settings. In addition, ScanSafe’s Anywhere+ allows IT Security leaders to set flexible on- and off-premises policy. For example, in-office employees may have policy set for both acceptable use and malware prevention; however, off-premises employees may have policy set for malware prevention. As Anywhere+ becomes integrated with Cisco’s AnyConnect client, this capability will be pushed to the millions of users that use the AnyConnect client. Providing a consistent policy framework for on- and off-premises is a work in progress at Cisco, but they do have the product breadth to deliver on its implementation.</p>
<p>Cloud Web Security has primarily been focused on URL filtering as its primary control.  But URL filtering has become less effective as a control or security technique due to large quantities of dynamic content delivered over the internet.  URL filtering schemes are unable to identify different types of content within pages especially within Web 2.0 sites.  This is where content analysis has blossomed as an accurate approach to identify every component of web page content that is attempting to traverse a corporate firewall or reach a mobile end-point independent of website categorization.</p>
<p>Cloud Web Security offerings are delivering a network approach to zero-day exploit mitigation that is faster and more accurate than traditional client-based anti-virus signature approaches.  Cloud Web Security offerings that are based upon content analysis with a contextual basis are best positioned to mitigate exploits.  As these offerings are cloud-based their use is naturally extended to static and mobile locations offering protection to both desktop and mobile users with consistent reporting and customizable policy creation.   Another large benefit is that Cloud Web Security solutions are well within the reach of small- to medium-sized businesses, offering these firms an effective way to close the gap between effective defense and budget plus staff limitations.  Cloud Web Security should be considered as part of IT’s overall arsenal to defend workers and corporate assets from hacker and cybercriminal threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/lippis-report-144-cloud-web-security-shifts-to-content-and-context-threat-detection/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Lippis Report 143: Cisco AnyConnect Is A New Mobile Security Model</title>
		<link>http://lippisreport.com/2010/03/lippis-report-143-cisco-anyconnect-is-a-new-mobile-security-model/</link>
		<comments>http://lippisreport.com/2010/03/lippis-report-143-cisco-anyconnect-is-a-new-mobile-security-model/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 03:16:00 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[AnyConnect]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[IronPort.]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[scan safe]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2628</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today the structure of IT is fundamentally changing.  Applications are increasingly being accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. SaaS has taken off and is far more prevalent than…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today, the structure of IT is fundamentally changing. Applications are increasingly being accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. SaaS has taken off and is far more prevalent than most executives realize, as SaaS applications are acquired through line-of-business and divisional budgets, leaving many IT leaders blind-sided and out of control with their relevance coming into question. As a result, corporate application portfolios are shifting in their mix under IT leaders from one of total control to partial control to none. In short, IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter and with no control knobs. In essence, applications and networks are becoming borderless.</p>
<p><span id="more-2628"></span></p>
<p>While borderless networks offer productivity improvements allowing work to follow individuals, IT leaders are concerned about their security implications: are corporate assets secure when applications are being accessed and used within and outside of the corporate perimeter? Can IT leaders deliver the ease of use afforded by borderless networks securely? In this Lippis Report Research Note we review Cisco’s New AnyConnect approach to securing mobile devices, which promises invisible use along with safeguards, visibility, control and relevance for IT security leaders.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="http://lippisreport.com/wp-content/uploads/Untitled-1.jpg" /><strong>Cisco Launches AnyConnect Secure Mobility Solution </strong></p>
<p><a href="/?lippis_pid=2596">Listen to the Podcast</a></p>
</div>
<p>With mobility comes productivity. As users work anywhere through a wide range of devices or end-points, business productivity accelerates. This has been the case with every cycle of computing, from mainframes, minis, PCs, internet-connected PCs to now mobility; a correlated significant jump in productivity at a macro-economic level occurred and the mobile computing cycle will be no different. But to seize this productivity, IT leaders need to be comfortable with mobile computing security. And they do have a lot to be concerned about, as securing a plethora of different devices accessing both corporate and Web/SaaS applications from a vast array of locations and network access methods is a challenge.</p>
<p>Three major mobile computing themes stand out:  </p>
<p><strong>Theme one: Increase Productivity:</strong>  IT business leaders need employees to be productive, so they provide access to information, making that access as seamless as possible so employees obtain the tools they need and information they require to do their jobs.  A central component to this is providing consistency between out-of-office and in-office IT experience.  </p>
<p><strong>Theme two: Deliver Mobile Security:</strong>  Many IT leaders feel this way: “I built all of this infrastructure to protect my users when they’re sitting within the organization.  When they leave and are remote what is protecting them and corporate assets?  I protect them eight hours a day, then they go home with their laptop and get infected <a href="http://lippisreport.com/?p=2628">for 16 hours</a>.”  In short a disproportionate amount of security investment has been made within the corporate perimeter that needs to be extended to remote and mobile access.</p>
<p><strong>Theme three: End-point Agnostic:</strong> Consumerization of the enterprise is forcing IT business leaders to not only support traditional remote devices such as laptops, but also iPhones, Android, Blackberry, netbooks and other end-points that are on the horizon such as the iPad. Consumerization is forcing IT business leaders to deliver seamless network access with always-on security and protection across a broad array of devices to enable business productivity.</p>
<div class="pod_rel">
<p class="pod_p">Real Security for Virtual Networks and Data Centers</p>
<p><a class="pdf_icon" href="/?lippis_pid=2611">Get the White Paper</a></p>
</div>
<p><strong>Securing Mobile End-points With Existing Defense Techniques</strong><br />
From a security point of view, IT defense for mobile devices shares many of the same concerns as securing fixed end-points. Unique to mobility is the security issue of lost mobile devices/end-points. To address this concern, IT leaders typically need a complementary product that can enforce PIN locks/encryption and support remote data wipe. Common to mobile and desktop security are concerns with acceptable use and threat protection. Malware plus web-based threats have spiked over the past 18 months, increasing threat awareness as business press coverage of exploits has expanded. IT leaders have data security on the top of their minds too. Therefore, access control, threat protection, data security, etc., are common security concerns to fixed and mobile computing, with IT leaders and vendors seeking to expand/extend existing defenses to this new wave of computing.</p>
<p><strong>Legacy VPNs Too Cumbersome: A New Generation of Remote Access Emerges </strong><br />
Clearly, existing technologies such as Virtual Private Networks (VPNs) are a remote access approach that seeks to provide a solution to mobile computing, but they fall short. The challenge with legacy VPNs is their cumbersome use model, with multiple boxes to check, tokens and keys to exchange plus certificates to obtain. The process is not transparent and as a result is too painful to use, so legacy VPNs are used only when absolutely necessary. This use difficulty is both a lost productivity opportunity and a security vulnerability.</p>
<p>The vast majority of time a user is outside the corporate network its end-point is unconnected to that network and thus largely unprotected and invisible to IT.  Laptops in essence have no security except perhaps a desktop anti-virus (AV) client, which is becoming less and less effective over time due to signature-based defenses lagging exploit propagation.  Connectivity may even be so rare that end-points spend much of their time out-of-compliance on patch levels. SaaS makes the problem even worse. Many use SaaS applications such as Salesforce.com, et al., to conduct business-critical or business-relevant tasks by simply accessing these sites over the internet where IT doesn’t have visibility let alone control over these sessions.  Most don’t use VPNs to access SaaS applications, which would route traffic through the corporate network, due to the use hassle.  </p>
<p>With corporate applications having moved rapidly to HTTP/Web/SaaS, web security is an increasing threat breeding ground that requires a new defense model. There are web security solutions in the market such as Websense and BlueCoat, but their current models are limited to URL-filtering clients, which enforce approved URLs to each end-point. Further, their current operating system support for clients is limited to Windows XP, omitting Mac OS X and smartphone mobile platforms. And while URL-filtering does provide limited acceptable use and malware security, it does not address data loss, access control and thus full threat prevention, particularly given the nature and mechanism used by hackers to propagate threats today.</p>
<p><strong>Enter Cisco AnyConnect Secure Mobility</strong></p>
<p>To address mobile computing, Cisco has announced its Cisco AnyConnect Secure Mobility to combine access control and web security, which in essence creates a flexible perimeter around a corporation’s mobile end-points providing them the safeguards and security that desktop systems enjoy behind the corporate firewall.   AnyConnect Secure Mobility combines Cisco’s AnyConnect client, Cisco’s ASA (VPN, Firewall, IPS, content switch appliance), IronPort (Web security), ScanSafe (Cloud Web Security), and SIO (Security Intelligence Operation) to deliver the next generation of remote access and security for mobile end-points. </p>
<p>While AnyConnect utilizes and integrates much of Cisco’s security technology, the real innovation is how the mobile client captures ease of use and simplicity, allowing users to access both corporate and Web/SaaS applications without the hassle of traditional VPNs for any type of end-point, be it laptop, smartphone, netbook, etc., while protecting corporate assets. In many cases the user experience will be far superior to existing remote access solutions as they don’t need to be concerned with network access type, be it VPN, internet, 3G, WLAN, 4G, etc. The hope is that AnyConnect will provide IT leaders with the assurances they need to enable employees to embrace mobile computing allowing their corporations to exploit its productivity advantages.  </p>
<p><strong>Making Remote Access Secure and Invisible</strong></p>
<p>AnyConnect is a pervasive end-point controlling network access and security. The idea is that it fades away into the background, versus the very manual VPN configuration of today. AnyConnect decides where to connect and establishes the connection when the end-point needs to network. If a laptop or iPhone moves from WiFi to the 3G network, AnyConnect figures out what it needs to establish the connections. In addition, AnyConnect provides persistence, keeping all session state. The more intelligent AnyConnect gets over time, the more it will fade into the background, being invisible to the user. Cisco is committing to a broad range of device support. Support for Windows XP, Vista, Windows 7 and Mac OS X laptops has been made. Smartphones from Apple’s iPhone, Android and Windows Mobile are rapidly changing the enterprise mobility landscape, which has been dominated by BlackBerry thus far, and it seems logical that these end-points will be supported by Cisco at some point.</p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/kessler.jpg" /><strong>Securing Virtualized Data Centers</strong></p>
<p><a href="/?lippis_pid=2599">Listen to the Podcast</a></p>
</div>
<p><strong>Flexible Policy Creation</strong></p>
<p>For web security clients AnyConnect delivers an innovation around policy so that specific policies for remote workers can be distinguished and reported differently than desktop policies.  This is important from a compliance point of view as IT leaders often set policy for workers within the network perimeter around “acceptable use” and from a compliance and liability standpoint IT leaders need to be concerned with “where” users go on the web.   However, when an employee is home on their own time using their laptop to browse the internet, IT Security leaders don’t care “as much” about which web sites they visit, only that they are secure and protected from propagating threats.   Therefore, AnyConnect allows IT Security leaders to set flexible on- and off-premises policy.  For example, in-office employees may have policy set for both acceptable use and malware prevention; however, off-premises employees may have policy set for malware prevention.</p>
<p><strong>Device Collaboration Takes Complexity Away From Mobile End-point</strong></p>
<p>AnyConnect promises to deliver an end-to-end user experience, thanks to the engineering that Cisco has done to enable the above mentioned security products to collaborate with each other.  One example of this value is during AnyConnect user authentication via the ASA configured as a remote access VPN headend.  The ASA authentication information, along with the fact that the user is mobile, is passed to the web security appliance so that both can apply the right policy without delivering another prompt to the user, thus allowing mobile-specific policy to be applied to the remote access session.  For the mobile user this process streamlines access, as he/she is not greeted with two different screens (ASA and Web security) during authentication, just one.</p>
<p><strong>Hybrid Hosting: The Way We Work</strong></p>
<p>Backhauling internet destined traffic from remote sites over the corporate network is unfortunately more often done for security reasons.  As many security leaders are requiring remote or mobile users to pass through the corporate perimeter to access SaaS applications and other Web content, application performance may suffer.   AnyConnect performs performance optimization between VPN and Web access scenarios to significantly lower latency improving user experience even during backhaul scenarios.  But as internet video traffic has skyrocketed there’s increased pressure and demand to maintain high user experience by allowing these flows to bypass backhauling and go straight to internet, or “enforcement points” such as a ScanSafe cloud.  AnyConnect promises to seamlessly find the closest network attach point and optimal enforcement point, whether that’s the backhaul path, a ScanSafe cloud or even a Cisco ISR G2 running in a branch office equipped with web security capabilities.  It’s logical that Cisco will release these capabilities over time.</p>
<p>Securing mobile/remote users via cloud-based services and desktop users with on-premises security appliances has emerged as an important security design approach.  Security services delivered to mobile and desktop users via cloud and on-premises solutions respectively are what some call “hybrid hosting”. Policy consistency is important to a successful hybrid hosting implementation.  That is the ability to define user access policy on one policy server and propagate it to on-premises and cloud providers, providing common enforcement, single consolidated reporting and a better user experience.  </p>
<p>Key to hybrid hosting is the mobile client.  Cisco has built connection intelligence into the Cisco AnyConnect Secure Mobility Client.  AnyConnect manages connections by finding a trusted network, meaning assessing if the connection is a secure enforcement point.  If an end-point is currently connected to an unsecured public internet link, but the user application requires a secure connection, Secure Mobility Client will find it without operator intervention.  Optimal gateway detection is another feature that automatically finds the fastest gateway for VPN access and connects to it. </p>
<p><strong>Security For Thin Client End-points: Full Context Awareness</strong></p>
<p>As end-point devices become thinner and thinner, meaning devices with less processing power and memory, the harder it is to enforce security on the end-point.  Laptops can run sophisticated AV and scanning software to protect the end-point, but this software will not run on iPhones, BlackBerries, Android, etc., as they don’t possess adequate resources to run the code.  Therefore as end-points become thinner and their numbers balloon while threats continue to be more sophisticated and web-based the question is how to protect these devices and corporate IT assets from them if they become infected?  The answer is to leverage the processing power that resides within the network.  With the network providing security services on behalf of thin client mobile end-points, a consistency across devices is gained that is independent of end-point type.  Malware or exploits are identified along with web site destinations, policy can be enforced, reporting is captured and in the process IT Security leaders gain visibility.  </p>
<p>For web security AnyConnect has integrated Cisco’s Web Security Appliance, which provides malware security, acceptable use, access control, and data security for web traffic. By performing this in the network rather than the end-point it’s possible to obtain powerful security capabilities such as multiple layers of malware defense and web application controls which are very difficult to deliver, especially across a breadth of end-points via an end-point solution.</p>
<p>Malware defense includes Web reputation, which is delivered by Cisco’s Security Intelligence Operation (SIO), and is effectively a risk rating for how likely a specific Web object is to be hosting malware. Additionally, multiple AV signature sets are run in parallel on suspicious traffic providing better coverage than any single engine.  Currently Cisco offers Webroot and McAfee, and is planning to offer Sophos in the near future.</p>
<p>For acceptable use, Cisco offers standard URL filtering. But URL filtering has become less effective as the number of pages on the Web is exploding, making it impossible for URL lists to keep up.  To address this, Cisco dynamically categorizes web sites in real-time.  In addition, Web 2.0 sites and tunneling applications mean that a URL filter is not enough to protect users or create meaningful policy.  Enter application control. What Cisco has done to expose web traffic is build an engine that understands web traffic and applications that traverse within it.  That is to be able to identify if the traffic is IM, WebEX, Facebook, Facebook chat, an application running on Facebook such as Mafia Wars, Twitter, streaming media, etc.   With all traffic being distinguished Web Security Appliance’s application control can “block” or “allow” the traffic but more importantly provide greater policy granularity.  </p>
<p>Consider this.  An IT leader can develop a policy that allows chat on IM, but it’s a data security violation if a user attempts to send a file via IM.   Or a user can participate in a WebEx session but he/she can’t relinquish remote control of his/her desktop because it’s a security violation.   A user may be allowed to go to Facebook and read, but not post as this may be a potential DLP risk.   Cisco’s AnyConnect Web Security Appliance offers this deep application control thanks to its parsing of web traffic and subsequent policy granularity.<br />
It’s difficult if not impossible to obtain this level of security and policy enforcement even on a traditional mobile end-point like a laptop.  Imagine trying to make it possible for all of those smartphones that are flooding into the enterprise; virtually impossible.  This is the value of Cisco’s network-based approach.</p>
<p><strong>With SaaS Growth, IT Managers May Become Less Relevant</strong></p>
<p>With the large number of mobile devices that access SaaS applications that are out of an IT leader’s control and visibility, IT leaders have become concerned with their own relevance.  Most SaaS purchases are in fact not from IT departments but from business unit or line of business managers. Therefore, IT becomes less relevant as IT leaders don’t see this surge in SaaS application use, how to secure it and protect existing IT assets from potential threats.  As SaaS use grows so does this challenge to IT.   </p>
<p>To address this challenge, Cisco is building in SAML (Security Assertion Markup Language) assertion into the Cisco IronPort Web Security Appliance, in addition to authenticating web traffic as it egresses the enterprise.    IronPort already works with AD (Active Directory) and LDAP to authenticate users.   Therefore, Cisco is adding the capability to create a SAML token, which will offer a better user experience by delivering single sign-on into SalesForce, WebEx, Concur, Google Docs, and all SaaS applications that support SAML.  </p>
<p><strong>SaaS Access Control</strong></p>
<p>What this does for IT leaders is provide control back as IT can demand that their SaaS providers support SAML tokens, meaning that users can’t access the SaaS application directly but only through the corporate network.  So if a user is at home he/she can’t go directly to SalesForce.com and download a customer list onto his/her home PC or onto an unmanaged end-point.   Users have to come back through the corporate infrastructure via AnyConnect to obtain their token.   This provides IT leaders with both control and visibility independent of where applications are hosted, be it in their data center or the cloud.   With this link to all applications IT leaders can apply access control policy and data security policy, and in the event of data loss or theft IT leaders now have granular forensic evidence too.   With SAML tokens in IronPort, IT leaders have both control and great visibility that gives them the confidence to enable SaaS applications for workers and remain relevant.  This is a huge point as many companies don’t know how many SaaS applications are being used.  Cisco for example has over 350 SaaS applications in use throughout their corporation, which is more than likely the rule rather than the exception.</p>
<p>One critical challenge SaaS presents is when employees leave or are terminated from their employer.   How does IT remove access to these SaaS applications?  It’s easy if there are only a few SaaS applications in use, but when the number of SaaS applications grows to the tens and hundreds the process becomes daunting and DLP vulnerabilities increase.  With Cisco’s Web Application Controls IT can simply implement a zero day revocation; that is pull the terminated employee’s credential out of the AD and all access to every SaaS application is terminated.  </p>
<p>What AnyConnect is offering IT leaders is the assurances and safeguards to say yes to employees to use the IT tools they desire, be it a laptop, iPhone, SaaS applications, Android, BlackBerry, etc.  For users, they get a simplified way to connect to applications independent of where they are hosted along with the protections and safeguards once only available to them while in their offices behind the corporate perimeter.   From a security leader perspective they get increased control and more security as AnyConnect extends out to that entire mobile workforce.   Cisco’s AnyConnect promises to successfully thread the needle to avoid the typical tradeoffs that accompany security products such as security versus business process or security versus user experience.  With AnyConnect IT leaders will be able to enable business mobility, increased user experience, and protect corporate assets through strong security services.  In short the AnyConnect Secure Mobility Client offers a simple use model for mobile workers that leverages Cisco’s ASA, IronPort Web Security Appliance, SIO, and more than likely in the future ScanSafe, to wrap a corporate perimeter around its mobile workforce. </p>
<p>For existing Cisco customers that utilize ASA and WSA, implementation of AnyConnect is straightforward and they can absorb this innovation fast.  These IT organizations would install AnyConnect Secure Mobility Client on end-points with required configuration changes to ASA and WSA.  AnyConnect can be implemented piecemeal too, starting with AnyConnect Secure Mobility Client and ASA and adding other security defenses when appropriate.</p>
<p>But to make AnyConnect a success Cisco needs to expand its smartphone support and prove that its AnyConnect Secure Mobility Client is indeed as simple and invisible as it claims.  Also IT leaders will have to get comfortable with and trust the various enforcement points and their policy granularity.  AnyConnect will have to work in conjunction with other security technology such as anti-malware engines, PIN locks and data encryption, plus remote data wipe to protect against lost devices. Look for Cisco to partner with others to deliver these aspects of mobile security.  The key value proposition of AnyConnect is a simple yet powerful user experience.  The success of AnyConnect rests upon Cisco’s ability to deliver on the promise of an exceptional user experience with an always-connected remote access and security architecture.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/lippis-report-143-cisco-anyconnect-is-a-new-mobile-security-model/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Cisco Launches AnyConnect Secure Mobility Solution</title>
		<link>http://lippisreport.com/2010/03/cisco-launches-anyconnect-secure-mobility-solution/</link>
		<comments>http://lippisreport.com/2010/03/cisco-launches-anyconnect-secure-mobility-solution/#comments</comments>
		<pubDate>Wed, 10 Mar 2010 03:02:48 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Thought Leader Podcast Series]]></category>
		<category><![CDATA[Unified Communication]]></category>
		<category><![CDATA[AnyConnect]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[IronPort.]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[scan safe]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2596</guid>
		<description><![CDATA[<p><img height="150" width="125" class="alignright size-full wp-image-2587" title=" alan kessler" alt=" alan kessler" src="http://lippisreport.com/wp-content/uploads/Untitled-1.jpg"/>IT leaders are not comfortable with mobile computing security.  And they do have a lot to be concerned about as securing a plethora of different devices accessing both corporate and SaaS applications from a vast array of locations and network…</p>]]></description>
			<content:encoded><![CDATA[<p><img height="150" width="125" class="alignright size-full wp-image-2587" title=" alan kessler" alt=" alan kessler" src="http://lippisreport.com/wp-content/uploads/Untitled-1.jpg">IT leaders are not comfortable with mobile computing security.  And they do have a lot to be concerned about as securing a plethora of different devices accessing both corporate and SaaS applications from a vast array of locations and network access methods is a challenge.  Traditional VPN methods are too cumbersome for users and don’t factor the huge growth in SaaS application use.  A new model for securing remote and mobile access is needed and Cisco has delivered one.  Cisco just launched AnyConnect Secure Mobility Client that offers a simple use model for mobile workers that leverages Cisco’s ASA, IronPort Web Security Appliance, ScanSafe, and SIO to wrap a corporate perimeter around its mobile workforce.  Kevin Kennedy, Product Marketing Manager at Cisco Systems discusses a new approach to securing mobile computing.
</p>
<p><a href="http://lippisreport.com/2010/03/cisco-launches-anyconnect-secure-mobility-solution/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/03/cisco-launches-anyconnect-secure-mobility-solution/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Lippis Report 140: Securing Networks Without Borders</title>
		<link>http://lippisreport.com/2010/01/lippis-report-140-securing-networks-without-borders/</link>
		<comments>http://lippisreport.com/2010/01/lippis-report-140-securing-networks-without-borders/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 22:54:48 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Lippis Report]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2483</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today the structure of IT is fundamentally changing.  Applications are being increasingly accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. Applications are downloaded for free or a few dollars on…</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://lippisreport.com/2009/07/lippis-report-130-global-it-security-threat-trends-and-future-outlook/nicklippisjpg/" rel="attachment wp-att-171"><img src="http://lippisreport.com/wp-content/uploads/nicklippis.jpg" alt="nicklippis.jpg" title="nicklippis.jpg" width="97" height="122" class="alignright size-full wp-image-171" /></a>No matter where you look today the structure of IT is fundamentally changing.  Applications are being increasingly accessed from mobile devices along with traditional laptop, desktop and even kiosk machines. Applications are downloaded for free or a few dollars on mobile devices, while cloud computing and anything as a service offers a new approach to application delivery.  As a result corporate application portfolios are shifting in their mix under IT leaders from one of total control to partial to none.  In short, IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter and with no control knobs.  In essence applications and networks are becoming borderless.</p>
<p>While borderless networks offer productivity improvements allowing work to follow individuals, IT leaders are concerned about its security implications, that being how do I secure corporate assets when applications are being accessed and used within and outside of corporate perimeters?  Can IT leaders deliver the ease of use afforded by borderless networks securely?  In this Lippis Report Research Note we offer an approach to securing networks without borders.</p>
<p><span id="more-2483"></span></p>
<div class="pod_wide">
<p><img height="70" width="55" src="/wp-content/uploads/fred kost exec photo.jpg" /><strong>Securing Networks Without Borders</strong></p>
<p><a href="/?lippis_pid=2464">Listen to the Podcast</a></p>
</div>
<p>Traditionally security has taken the form of a perimeter environment where IT assets are housed in the data center under tight corporate control.  This environment offers the ability to protect and control these assets.  For example, remote access via VPN for employees, customers, suppliers and partners access can be managed as security is managed via firewall perimeter.  This approach is the traditional security model and it will stay in place for a long time to come.</p>
<p>But IT is fundamentally changing.  There is tremendous diversity in network access from a device, network type and geographic independence points of view.   The explosion in device diversity accessing networks, be it smart mobile phones such as the iPhone, BlackBerry, Nexus One, Android or laptops, notebooks, desktops, readers and kiosks, is challenging traditional IT security norms.  Not too long ago IT leaders would distribute a corporate-approved computer with a locked corporate standard software image to employees as their IT tools.  Not any longer; legitimate business applications have arrived for mobile devices and cloud computing scenarios offer new approaches to application development and delivery.  In addition a richness and increased velocity of applications tunneling through Port 80 further challenges perimeter security and IT control.  The new world of IT is device diversity, network access point diversity and application diversity, changing how IT leaders mitigate threats while enabling users freedom of access to applications without boundaries. </p>
<p>As device and application diversity flourish, data too is increasingly being distributed.  This is very different from the early 2000s IT model and before that as data was centralized in data centers.  What used to be stored in a data center and locked behind a firewall is shifting out into clouds.  Salesforce.com offers a good example of how proprietary information such as sales leads and prospects are now outside a corporate perimeter and into a public cloud.  Further, most corporations don’t know how much their employees are using clouds or SaaS offerings for mission critical business functions.  One client conducted an internal survey asking business and IT leaders “how many kinds of SaaS cloud-based applications do you use?”  The initial answer was “probably a dozen or so.”  After an audit, the real answer was well over 300 SaaS applications were being used from ADP, engineering to Salesforce.  The bottom line is that there are a tremendous number of applications already moving outside the data center and the question now being asked is how to protect corporate assets in this new IT environment.</p>
<div class="pod_rel">
<p class="pod_p">Cisco 2009 Annual Security Report</p>
<p><a class="pdf_icon" href="/?lippis_pid=2469">Get the White Paper</a></p>
</div>
<p><strong>The New World IT Order</strong></p>
<p>With device, network access and application diversity booming along with distributed data, more and more of IT is happening outside the traditional corporate boundary or perimeter.  The diversity trend while small in terms of overall corporate application use will only grow and may very well dominate typical corporate application portfolio mixes in the next five years.  But in the meantime the traditional perimeter does not go away but needs to be a pillar in a more expansive overall approach to securing borderless networks.    </p>
<p>Borders by nature define trust and create trust boundaries.  The European Union has eliminated many borders such as walls, physical access, currency differences, etc., but what remains are rules, regulations, passports, etc.  The EU reconfigured their boundaries to allow greater freedom of movement and trade.   Networking is undergoing a similar transition as corporate defense shifts from a single perimeter to a set of pervasive fungible perimeters or trust boundaries where protection is pushed out to follow users around based on what application they are using, how network access is gained and on what device.  Security services have to move in this direction as forcing the new world order of IT into an old world IT security model will not scale and defend corporate IT assets.</p>
<p>For example, IT leaders could choose to back haul all their internet connections to a central site but this will clog their enterprise network, drive up internet access bandwidth and routing requirements plus slow application performance.   In addition, more and more devices such as mobile end-points, notebooks, readers, etc., connect to the network differently than laptops, IP phones, desktops, etc., and thus don’t lend themselves to back hauling.  Therefore, IT and business leaders are thinking about a need to provide IT delivery in the cloud, or maybe perhaps a virtual environment.  A much more dynamic approach is needed for applying security in the new IT world order.</p>
<div class="pod_rel">
<p class="pod_p">Gartner Recognizes Cisco as a Leader for Secure Web Gateway in 2009</p>
<p><a class="link_icon" href="/?lippis_pid=2480">Visit the Link</a></p>
</div>
<p><strong>An Approach to Borderless Security</strong></p>
<p>One approach is to utilize a family of existing security appliances including firewalls, IPS, web filtering, web security, email security, VPN, etc., as a security enforcement array.  These appliances could be put to work to enforce existing and create new trust boundaries such as cloud security, the enterprise perimeter, mobile security, etc. The enforcement array can be segmented into four architecture components.  Cisco is the only large IT company to embrace this approach thus far. Cisco breaks down a secure borderless network into 1) Borderless End Zone; 2) Borderless Internet; 3) Borderless Data Center; and 4) Borderless Policy.</p>
<p>The <strong>Borderless End Zone</strong> provides security services to end-point devices such as securing the end-point and obtaining secure network access.  End-point security is increasingly important as a plethora of new mobile and innovative end-points have emerged and are consumed en masse.  One significant trend is that end-points are thin with little footprint or storage/memory for large security agent software.  In addition mobile end-points access networks and IT assets differently than traditional laptops and desktops, requiring a different approach to protecting today’s powerful mobile devices that preserves the ease of user experience.  A transparent VPN connection that is able to select an appropriate persistent network connection and apply the right kind of security independent of end-point device without user intervention will go a long way to securing new thin and mobile end-points.</p>
<div class="pod_rel">
<p class="pod_p">Gartner Recognizes Cisco as a Leader in the Magic Quadrant for SSL VPNs</p>
<p><a class="link_icon" href="/?lippis_pid=2473">Visit the Link</a></p>
</div>
<p>The second component is the <strong>Borderless Internet</strong> which plays a large enforcement array role by delivering real time threat protection, signatures, etc., to existing gateways, appliances and network infrastructure to make enforcement decisions.  For example, even though users may be accessing cloud-based applications as simple as email and not even traversing back to their corporate premise, a borderless internet applies some of the same security policies and protections afforded to them within their enterprise to enforce what users can do and then protect them from exploits and threats.  Expect to see large security portfolio moves into this enforcement array as the borderless internet develops.    </p>
<p>The third security component of a secure borderless network architecture is a <strong>Borderless Data Center</strong>.  Data center network security has become more critical, particularly as servers and soon I/O become virtualized.  Data center security services such as firewalls, et al., are becoming virtualized, affording a wide range of threat protection without additional hardware.   There is a new dynamic security model needed in the data center that allows security services to move without operational intervention when VM workloads are moved.  To address dynamic security more security services are required in the hypervisor such as moving firewall features closer to the virtualization layer. </p>
<p>The fourth and last security component of a secure borderless network architecture is <strong>Borderless Policy</strong> including access control, acceptable use, data security and exploit mitigation.  Policy has traditionally been focused on permissions and access control of resources within the corporate perimeter, but policy now needs to be pushed out across enterprise, internet and mobile networks to follow users and afford them policy enforcement.  In other words, as users traverse outside their corporation using different devices, network access and a mix of applications how do IT leaders provide the same policy enforcement across a global network and ensure that access and data usage is appropriate while protecting users and corporate assets from exploits, threats and malicious websites, avoiding back haul into the corporate perimeter?</p>
<p>The main point of borderless policy is to enable IT leaders to make greater policy decisions that are pushed out across a global network that factors who, what, when, where and how a user accesses networked resources.  Borderless policy will strive to provide ubiquitous control over how users are using IT assets across different devices.  To achieve this, policy needs to be translated into code that a machine understands, can enforce, and then monitor.  </p>
<p>Securing networks without borders needs to provide protections and enforce policy in a new set of use scenarios that are growing rapidly in their adoption and use within corporations.   This is not to say that existing IT security is not critically important.  None of today’s security appliances will be displaced or removed any time soon.  Private data centers will be with us for decades as will the need for effective corporate perimeters. IT leaders want to leverage existing security investments to protect corporate IT assets when users access applications on mobile end-points, across and behind the perimeter.   The Secure Borderless Network offers an approach of providing security, protection by setting new boundaries for a different IT use and delivery model that will only accelerate as the global economy continues its recovery.</p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/01/lippis-report-140-securing-networks-without-borders/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Networks Without Borders</title>
		<link>http://lippisreport.com/2010/01/securing-networks-without-borders/</link>
		<comments>http://lippisreport.com/2010/01/securing-networks-without-borders/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 22:31:22 +0000</pubDate>
		<dc:creator>nicholaslippis</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[Thought Leader Podcast Series]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[borderless networks]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://lippisreport.com/?p=2464</guid>
		<description><![CDATA[<p><a href="http://lippisreport.com/2008/05/network-security-20-layered-security-or-systems-approach/fred-kost-exec-photojpg/" rel="attachment wp-att-786"><img src="http://lippisreport.com/wp-content/uploads/fred kost exec photo.jpg" alt="fred kost exec photo.jpg" title="fred kost exec photo.jpg" width="66" height="88" class="alignright size-full wp-image-786" /></a>How we do IT is fundamentally changing.  Applications are increasingly being accessed from mobile devices while cloud computing offers a new approach to application delivery.  Case in point, the iPhone adoption rate is 8 times faster than AOL was!  As…</p>]]></description>
			<content:encoded><![CDATA[
<p><a href="http://lippisreport.com/2008/05/network-security-20-layered-security-or-systems-approach/fred-kost-exec-photojpg/" rel="attachment wp-att-786"><img src="http://lippisreport.com/wp-content/uploads/fred kost exec photo.jpg" alt="fred kost exec photo.jpg" title="fred kost exec photo.jpg" width="66" height="88" class="alignright size-full wp-image-786" /></a>How we do IT is fundamentally changing. Applications are increasingly being accessed from mobile devices while cloud computing offers a new approach to application delivery. Case in point, the iPhone adoption rate is 8 times faster than AOL was! As a result, corporate application portfolios are shifting in their mix from total IT manager control to partial control to none. IT leaders are finding that the largest application growth in their corporation is coming from outside of their traditional perimeter/firewall with no control knobs. In essence, applications and networks are becoming borderless, and as a result a new flexible security model is needed to reestablish boundaries. To address this industry concern, I talk with Fred Kost, Director Security Solutions for Cisco Systems, about a new approach to securing networks without borders.
</p>
<p><a href="http://lippisreport.com/2010/01/securing-networks-without-borders/">Listen to the Podcast</a></p>
]]></content:encoded>
			<wfw:commentRss>http://lippisreport.com/2010/01/securing-networks-without-borders/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

