Cisco AnyConnect Secure Mobility Client v3.x White Paper
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 4 of 16
Cisco Trusted-Device Policy
Architectural principles should be translated into technical specifications to guide organizations toward implementable solutions. Trusted devices should comply with the following policy enforcement and asset-management requirements.
Policy Enforcement
Devices that access corporate services should validate the implementation of the following security controls before they are connected. Unauthorized removal of these controls should disable access to enterprise resources:
● Local access controls that enforce strong passwords (complexity)
● 10-minute inactivity timeouts, and a lockout after 10 unsuccessful login attempts
● Encryption that includes the encryption of any device or data that is sensitive to Cisco
● Remote wipe and lock capabilities when an employee is terminated or a device is lost or stolen
● Inventory tracking capabilities to check the presence of specific security software, patch updates, and corporate applications and versions
Asset Management
Devices that access corporate services should adhere to a number of controls. The devices should be:
● Uniquely identifiable where identification is not trivially spoofed
● Explicitly and individually authorized for corporate access, and registered and traceable to a specific user
● Capable of blocking corporate access
● Capable of producing forensic log data (for example, security software logs, user authentication and authorization, and configuration changes) if required for investigation
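The two requirement lists above (Policy Enforcement and Asset Management) read naturally as a single access decision: a device reporting its posture is admitted only if every control is present and it is registered to the user claiming it. The following is an added example of such an evaluator, not Cisco's code and not part of AnyConnect or any Cisco posture product. The posture-record shape, the required-software names, the inventory contents and the sample devices are all constructed for illustration; only the 10-minute timeout and 10-attempt lockout thresholds come from the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Thresholds stated in the policy text above.
MAX_INACTIVITY_MINUTES = 10
MAX_FAILED_LOGINS = 10

# Required security software names are assumptions for this example.
REQUIRED_SOFTWARE: Set[str] = {"endpoint-av", "disk-encryption-agent"}

# Constructed asset inventory: device identifier -> registered user.
# In practice this would be fed from the enterprise MDM/asset system.
INVENTORY: Dict[str, str] = {
    "SN-A1B2C3D4": "alice",
    "SN-E5F6A7B8": "bob",
}


@dataclass
class DevicePosture:
    """Posture report as a device agent might submit it (assumed shape)."""
    device_id: str              # identifier expected to be hard to spoof (e.g. hardware-bound)
    claimed_user: str           # user the device claims to belong to
    authorized: bool            # explicitly authorized for corporate access
    password_complexity: bool   # local access control enforcing strong passwords
    inactivity_timeout_min: int
    lockout_threshold: int      # failed logins before lockout
    disk_encrypted: bool
    remote_wipe_enabled: bool
    forensic_logging: bool      # can produce security/auth/config-change logs
    installed_software: Set[str] = field(default_factory=set)


def evaluate(p: DevicePosture) -> Tuple[bool, List[str]]:
    """Return (allow, failures). Any missing control denies access, matching
    'unauthorized removal of these controls should disable access'."""
    failures: List[str] = []

    # --- Policy enforcement controls ---
    if not p.password_complexity:
        failures.append("password complexity not enforced")
    if not 0 < p.inactivity_timeout_min <= MAX_INACTIVITY_MINUTES:
        failures.append(
            f"inactivity timeout {p.inactivity_timeout_min} min outside 1-{MAX_INACTIVITY_MINUTES}")
    if not 0 < p.lockout_threshold <= MAX_FAILED_LOGINS:
        failures.append(
            f"lockout threshold {p.lockout_threshold} outside 1-{MAX_FAILED_LOGINS}")
    if not p.disk_encrypted:
        failures.append("device storage not encrypted")
    if not p.remote_wipe_enabled:
        failures.append("remote wipe/lock not available")
    missing = REQUIRED_SOFTWARE - p.installed_software
    if missing:
        failures.append("required software missing: " + ", ".join(sorted(missing)))

    # --- Asset management controls ---
    owner = INVENTORY.get(p.device_id)
    if owner is None:
        failures.append(f"device {p.device_id} not in inventory")
    elif owner != p.claimed_user:
        failures.append(f"device {p.device_id} registered to {owner}, not {p.claimed_user}")
    if not p.authorized:
        failures.append("device not explicitly authorized for corporate access")
    if not p.forensic_logging:
        failures.append("forensic log collection not enabled")

    return (not failures, failures)


# Constructed sample devices: one compliant, one with several lapsed controls.
COMPLIANT = DevicePosture(
    "SN-A1B2C3D4", "alice", True, True, 10, 10, True, True, True,
    {"endpoint-av", "disk-encryption-agent", "corp-vpn"})

NONCOMPLIANT = DevicePosture(
    "SN-E5F6A7B8", "carol", True, True, 30, 10, False, True, True,
    {"endpoint-av"})

if __name__ == "__main__":
    for dev in (COMPLIANT, NONCOMPLIANT):
        allowed, reasons = evaluate(dev)
        print(dev.device_id, "ALLOW" if allowed else "DENY", reasons)
```

The evaluator returns every failed control rather than stopping at the first, which is what an operations team wants when the same report feeds both the access decision and the inventory-tracking view described in the last bullet.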
Stage 1: Internal Access
As the last millennium came to a close, all IT devices resided within corporate locations, and employees had to be
physically in an office for internal access to IT resources, as shown in Stage 1 of Figure 2.
Stage 2: Anywhere
Over time, laptops and VPNs gave workers mobility, and an increasingly globalized workforce made more flexible work patterns necessary. Stage 2 depicts how work environments and regular office hours no longer restricted productivity, as a more mobile workforce accessed corporate IT resources from such locations as customer sites, homes, cafés, or hotels. With this dissolution of geographic borders, users can access resources from anywhere with IT-managed assets.
Stage 3: Any Device, Anywhere
In recent years the commoditization of smartphones, tablets, and laptops has brought about outstanding new features, upgrades to functions, more efficient form factors, and shortened device lifecycles. As a result, employees want to use their own devices to do everything from accessing the company email and intranet to using corporate business applications. These factors came into play in a relatively short timeframe that challenged corporate IT support and security teams. Furthermore, employees who joined Cisco through an acquisition wanted to continue to use their preferred devices for work even when those device profiles didn’t align with Cisco corporate standards.
The rapid adoption of new client technologies has led to the implementation of approaches, tools, and technologies from other enterprises. It has created communities of users and allowed a transformational change in how the Cisco IT staff provides support and how end users are able to use the knowledge of their peers to solve common problems. Cisco IT’s role within these communities is not to own a process but to contribute as a peer.
For example, the introduction of Apple products within Cisco was initially led by users who brought these devices
into the environment as their preferred tools and platforms on which to conduct business. An estimated 3,000 Mac
users were within Cisco before the IT team officially made these tools available to the greater population.
Independent of IT, Mac users initiated an effort to provide setup, use, and maintenance assistance through email
aliases, wikis, the intranet, and video content. When Cisco IT began offering the Mac as an option as part of its PC
Refresh procedure, IT adopted the self-support model without disrupting or changing the Mac community. IT has
embraced this model and used it to develop more self-supporting services.