How to Sell Cisco Trustsec: Network Identity Architecture Solutions. Presenter s Name Date

Transcription

1 How to Sell Cisco Trustsec: Network Identity Architecture Solutions Presenter s Name Date

2 Session Objectives At the end of the session, the participants should be able to: Understand Cisco TrustSec relevant to Cisco Borderless Network Understand Security market landscape and customers need Understand Cisco TrustSec key offerings and how to position the right solution for customer Understand migration and opportunities 2010 Cisco Systems, Inc. All rights reserved.

3 The Transformation: The World Is Our New Workspace Right Any Resource Right Any Device Right Any Place Right Any Person BORDERLESS NETWORKS A Next Generation Architecture to Deliver the New Workspace Experience 2009 Cisco Systems, Inc. All rights reserved. 3

4 Borderless Network Market Drivers Complex workforce employees, guests, contractors, partners Users Employees demand mobility and device choice External Apps Internal Apps Devices Consumerization of access devices Purpose-built devices becoming network enabled Applications IaaS, SaaS Increased use of virtualization Move to cloud-based access and services 2009 Cisco Systems, Inc. All rights reserved. 4

5 Identity Critical to Borderless Security Security Challenges Who? Identify users and provide differentiated access in a dynamic, borderless environment What? Where? Enforce compliance for proliferating consumer and network capable purposebuilt devices Traditional borders are blurred. Access is possible from anywhere How? Establish, monitor, and enforce consistent global access policies 2009 Cisco Systems, Inc. All rights reserved. 5

6 Announcing Cisco TrustSec Cisco TrustSec rebrands our policy-based access control, identity-aware networking, and data integrity and confidentiality services under a single name The term TrustSec has been expanded from SGT to include both switch infrastructure and appliance-based solutions for securing network access and control, including: Identity-Based Networking Services (IBNS) and 802.1x Network Admission Control Cisco Secure Access Control Server (ACS) 2009 Cisco Systems, Inc. All rights reserved. 6

7 Market Opportunity Gartner predicts the adoption rate of 802.1x for wired networks will be 70% by It bases this on the belief that 802.1x implementation will be made simpler and that demand for NAC to control access of guest PCs will continue grow. Source: Network World, August Cisco Systems, Inc. All rights reserved. 7

8 Customer Challenge in Building an Access Policy in a Borderless Network Common questions customers ask Authorized Access How can I restrict access to my network? Can I manage the risk of using personal PCs? Common access rights when on-premises, at home, on the road? Endpoints are healthy? Guest Access Can I allow guests Internet-only access? How do I easily create a guest account? Can this work in wireless and wired? How do I monitor guest activities? Non-Authenticating Devices How do I discover non-authenticating devices? Can I determine what they are? Can I control their access? Are they being spoofed? 2010 Cisco Systems, Inc. All rights reserved. 8

9 Why Do Customers Care? Enables Secure Collaboration Dynamically authenticate and assign access based on user and device role and location Strengthens Security Enforce consistent security policy, ensure endpoint health, deliver a secure network fabric Supports Compliance Provides real-time access visibility and audit trails for monitoring, auditing and reporting 2010 Cisco Systems, Inc. All rights reserved. 9

10 TrustSec Addresses Customer Concerns 1 Identifies Authorized Users Who are you? An 802.1x-enabled device or a Network Admission Control (NAC) appliance authenticates the user 2 Increases Network Visibility What are you doing? The user s identity, location, and access history are used for compliance & reporting 3 Personalizes The Network What service level do you receive? The user is assigned services based on role and policy ( job, location, device, etc.) 4 Enforces Access Policy Where can you go? Based on authentication data, the user is placed in the correct VLAN 2010 Cisco Systems, Inc. All rights reserved. 10

11 What TrustSec Does NAC Appliances 802.1x/Infrastructure Identity Information Other Conditions Authorization (Controlling Access) Vicky Sanchez Employee, Marketing Wireline 3 p.m. Group: Full-Time Employee Time and Date Broad Access Limited Access Frank Lee Guest Wireless 9 a.m. Group: Contractor + Guest/Internet Quarantine Security Camera G/W Agentless Asset MAC: F5 AB 8B D4 Francois Didier Consultant HQ Strategy Remote Access 6 p.m. Group: Guest Posture Device Type Location Access Type Deny Access Access Compliance Reporting 2009 Cisco Systems, Inc. All rights reserved. 11

12 Guest Access for NAC and 802.1X Deployments NAC Guest Server Now Supports 802.1X Provision: Guest accounts via sponsor portal Manage: Sponsor privileges, guest accounts and policies, guest portal Notify: Guests of account details by print, , or SMS Report: On all aspects of guest accounts 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 12

13 Non-Authenticating Device Policy for NAC and 802.1X Deployments NAC Profiler Device Identification Determine device type Centralized device discovery and inventory Uses network device tables and analyzes endpoint traffic Now Supports 802.1x Control and Audit Authorize based on device role Monitor and audit to prevent spoofing Many endpoint devices are undocumented and cannot authenticate to the network IP Cameras Fax Machines Cash Registers Video Conference Alarm Systems Turnstiles HVAC Systems Printers 50% PCs 50% Other 33% PCs 33% Other 33% IP Phones Enterprises without VoIP Wired Endpoints Distribution Enterprises with VoIP Wired Endpoints Distribution 2010 Cisco Systems, Inc. All rights reserved. 13

14 New TrustSec Capabilities Enhanced Switch Features: More authentication options: FlexAuth, WebAuth Additional deployment capabilities: Open Mode, IP Telephony Cisco ACS 5.1: Improve operations with monitoring and troubleshooting Cisco NAC Guest and Profiler: Lower the cost of managing identity and policy in both a 802.1X and NAC appliance environment MACsec: Addresses compliance by providing an encrypted link from the Catalyst 3750-X, 3560-X, and Nexus 7000 to the endpoint Security Group Tagging (SGT) and Security Group ACLs (SGACL) : Reduces OPEX and provides topology independence access and enforcement TrustSec for 802.1X is a long-term, multiphase opportunity: 1. Migrate the customer to an 802.1X infrastructure to secure their access layer 2. Create user and device posture with ACS, Guest, and Profiler appliances 3. Introduce SGTs and SGACLs to reduce OPEX and extend enforcement 2010 Cisco Systems, Inc. All rights reserved. 14

15 Two TrustSec Options for Any Customer NAC Appliances NAC overlay solution for quick deployment and/or heterogeneous environments 802.1X/Infrastructure Robust integrated enforcement solution for 802.1X-enabled infrastructures What s Right For Me? Immediate need for posture assessment? Largely non-cisco access infrastructure? NAC NAC NAC Manager Admin, Reporting, and Policy Store NAC Server Posture, Services, and Enforcement **Cisco 2900/3560/3700/4500/6500 and Nexus 7000 switches, Wireless and Infrastructure 802.1x or industry standard mandate over next 1-2 years? Infrastructure NAC Agent Web Agent No-Cost Persistent & Temporal Clients for Authentication, Posture, & Remediation SSC 802.1x Supplicant CSSC or OS- Embedded Supplicant ACS 5.1 Identity & 802.1x Access Policy System Have or plan to deploy a serviceenabled infrastructure? Infrastructure Note Guest Server and Profiler can be deployed with both NAC and ACS NAC Guest Full-Featured Guest Provisioning Server NAC Profiler Profiles Non-Authenticating Devices **First Switches targeted to support SGT Cisco 2900/3560/3700/4500/ Cisco Systems, Inc. All rights reserved. 15

16 Cisco NAC Appliance Advantages NAC Appliances Verify User and Device Identity Check Compliance Complete Posture Lifecycle Remediate Quarantine Non-Compliant Devices Complete Posture Lifecycle Offers endpoint compliance verification and remediation Agents for managed & unmanaged PCs Automated updates simplify compliance for 350+ security apps Comprehensive NAC Solution Flexible deployment options: in-band and out-of-band Covers all use cases: wired, wireless, and VPN Includes authentication, authorization, guest, profiling, posture Market Leadership customers Leading NAC vendor: Gartner, IDC, Infonetics, Frost & Sullivan 2010 Cisco Systems, Inc. All rights reserved. 16

17 NAC Appliance in Action A Conceptual View NAC Appliances THE GOAL 1 End user attempts to access network Initial access is blocked Single-sign-on or web login Authentication Server NAC Manager 2 NAC Server gathers and assesses user/device information NAC Server Intranet/ Network Username and password Device configuration and vulnerabilities 3a Quarantine Noncompliant device or incorrect login Access denied Placed to quarantine for remediation 3b Device is compliant Placed on certified devices list Network access granted 2010 Cisco Systems, Inc. All rights reserved. 17

18 Cisco 802.1X/Infrastructure Advantages 802.1X/Infrastructure Consistent Infrastructure Simplifies Rollout Web Auth 1X Impact Modes MAB Consistent functionality across Cisco switch platforms Broad use-case support for device authentication & enforcement Flexible deployment options: monitor-mode, low-impact, highsecurity Monitoring, Troubleshooting & Reporting Correlates access log data from multiple network enforcement sources Customized queries Centralized dashboard Integrated diagnostics Reporting Security Group Access Control Operationally simplified access control deployment Infrastructure-based, spans campus to data center Deployed independent of topology & network design Secure Network Fabric Provides consistent confidentiality and integrity across wireless, VPN, and now wired Ethernet Open standards based 802.1AE MACsec & 802.1X Network Edge Authentication Topology (NEAT): Only legitimate network devices join the fabric 2010 Cisco Systems, Inc. All rights reserved. 18

19 802.1X/Infrastructure in Action A Conceptual View 802.1X/Infrastructure Users, Endpoints Supplicant 802.1X Guest User 2 Policy Servers evaluate identity information NAC Profiler evaluates agentless device Guest Server manages temporary guest access ACS evaluates overall policy and returns authorization back to NAD Network-Attached Device IP Phones NAC Guest Server Directory Service NAC Profiler Server Cisco Catalyst Switch Campus Network 1 End user / Endpoint attempts to access network 802.1X Authentication for registered user MAC Authentication Bypass for agentless device Web Authentication for Guest Nexus 7000 Switch ACS 3 Access Control based on policies Catalyst switch to enforce access control based on policy (VLAN Assignment, dacl, SGT) Nexus 7000 to apply SGACL based on SGT mapped to role Protected Resources Control Plane: RADIUS 2010 Cisco Systems, Inc. All rights reserved. 19

20 Consistent Infrastructure Simplifies Rollout 802.1x/Infrastructure 1 Monitor Mode 2 Authenticated Access Mode/Low Impact 3 Differentiated Access Mode/High Impact What does it do? Open mode enables readiness assessment for 802.1X enforcement Discovers users and devices How does it do it? Monitor-only, no access restrictions Tracks user authentications Identifies non-802.1x capable devices and creates a device list What does it do? Low impact security mode provides two levels of access for all users and devices limited and normal How does it do it? Limited network access permitted by default for all users and devices Normal access granted based on user and device authorization via dacls What does it do? High impact security mode provides access control based on user and device group membership How does it do it? Traditional 802.1X Role-based access control: Dynamic VLANs, dacls, SGACL Consistent functionality across Cisco s switch platforms: Flexible Authentication Multiple Authentication Open Access Multi-Domain Access MAC Move/Replace 802.1X Cisco Systems, Inc. All rights reserved. 20

21 Differentiated Access Security Group Access Control (SGACL) 802.1x/Infrastructure Security Group Access Control Concept Define Roles for users in organization Authenticate user (802.1x) at access layer Assign Role to user Network enforces role-based access policy Benefits Significant OPEX savings! Reduces thousands of ACLs to pre-defined set Simplifies traffic management, add/change/move Immediate Opportunities Compliance Issue LAN Access to the Data Center Available NOW! (SXP* + Nexus ACS) *Technical Note: Upon 802.1X authentication, SXP (Security Exchange Protocol) binds the user s IP address to the user s role (defined by the ACS) on switches that do not yet support SG tagging. This SXP information is processed by the Nexus 7000 switch the same as an SGT. More robust SGT functions will be available as SGT rolls out across more switch devices Cisco Systems, Inc. All rights reserved. 21

22 Security Group Access Control 802.1X/Infrastructure Individuals Authz Rules Source Security Groups Destination Security Groups Resources Authz Rules Access Rules Employee Internet Confidential Guest/Unknown Special Projects Authz Rules Contractor Access Rules Print/Copy Authz Rules SGTs SGACLs Security group based access control allows customers: VLANs, ACLs, and Subnets are topology dependent and operationally intensive TrustSec To keep is existing topology logical independent design at and the streamlines access layer network segmentation To Security dynamically Group Tags change (SGTs) / apply are assigned policy to users, meet devices, today s or business VMs based on role requirements Security Group ACLs (SGACLs) enforce access policy based on SGTs To SGTs distribute and SGACLs policy can from replace a central multiple management ACLs, thereby server reducing OPEX 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 22

23 Cisco Secure ACS Policy Control Cisco Secure ACS is the world s most popular enterprise access and policy platform ACS delivers a centralized identity and access policy solution that seamlessly enables an enterprise grade network access policy and identity strategy for both large and small organizations 35,000+ ACS Installed Base Used by 95% of Cisco Top 100, 90% of Cisco Top 500, 85% of Cisco Top % 70% 86% S&P of Standard & Poors 100 Russell 1000 Fortune Cisco Systems, Inc. All rights reserved. Cisco Public 23

24 Cisco Secure ACS Monitoring, Troubleshooting, and Reporting 802.1X/Infrastructure Simplify operations with a centralized system dashboard Real-time network access visibility and monitoring Compliance reporting Diagnostics and failure analysis Custom query response and troubleshooting Alarms and alerts Tracks events from switches & ACS 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 24

25 Selling TrustSec 2010 Cisco Systems, Inc. All rights reserved. 25

26 Sales Tactics Low-hanging fruit Enterprise (500+ users) Security-conscious Regulatory compliance Internal mandates for 802.1X Key decision influencers Network decision-maker Security decision-maker Compliance officer IT director 2010 Cisco Systems, Inc. All rights reserved. 26

27 Sales Tactics: Drive ACS and Legacy Switch Migrations NOW: Accelerate switch migration to 802.1x Secure access layer with 802.1x infrastructure Identify existing legacy switch install base and migrate to 802.1x-enabled switch infrastructure NOW: Ensure account control with Access Control Seed ACS 5.1 in account by selling new features, including enhanced monitoring and troubleshooting, and flexible rules based policies Upgrade existing ACS devices to 5.1 to manage and control 802.1x access control policy NOW: Position Guest Access and Device Profiler appliances 2010 Cisco Systems, Inc. All rights reserved. 27

28 Sales Tactics (cont d): Drive ACS and Legacy Switch Migrations NEXT: Extend Cisco value by leveraging new TrustSec solutions for 802.1x Upgrade ACS/Guest Access/Device Posture devices to Positron Showcase competitive advantages of Cisco switches with hop-by-hop encryption and Security Group Tags and Security Group ACLs ONGOING: Add value-added professional services for migrations 2010 Cisco Systems, Inc. All rights reserved. 28

29 Sales Process Presentation and demo Assessment Proof of Concept Deployment Tools Available: Sales and technical presentations Infrastructure assessment guidelines Configuration guides for POCs Design and deployment guides 2010 Cisco Systems, Inc. All rights reserved. 29

30 Partner Program Opportunities and Incentives Partner Opportunities Migration: Use TrustSec features to drive switch upgrades Install Base Lifecycle Management (IBLM) Network Assessments Security Assessments Technology Migration Program (TMP) Trade in Accelerator Program (TAP) Insert either a bulleted list or graphic here. (Ref. SME note) Placeholder Specifications: Image size can range from 2-4 in. wide and in. high., dpi, RGB, png format (necessary for transparent backgrounds similar to slide 6) or jpg (if rectangular image) Other Incentives: Value Incentive Program (VIP) Opportunity Incentive Program (OIP) 2010 Cisco Systems, Inc. All rights reserved. 30

31 TrustSec Sales Opportunities 1. Create migration opportunities 2. Include security technology 3. Add high-margin professional services 2010 Cisco Systems, Inc. All rights reserved. 31

32 Migration Opportunity: Total Market 2K 3K 4K 6K 2010 Cisco Systems, Inc. All rights reserved. 32

33 Catalyst Migration Opportunity: Optimal Path Legacy Migration Plan Catalyst 2940, , 2960-S Catalyst , 2960-S, IE 3100 Catalyst , 3750, 3560E, 3750E, 3560X, 3750X Catalyst 400x & 4500 non-e Series (SUP1, SUPII, SUPII+TS, SUPII+, SUPII+10G, SUPIII, SUP-IV, SUPV ) 4500 E Series (with Sup6-E, Sup6L-E, 4500 with SupV-10GE) Catalyst 6K Sup 1, Sup 2 Sup 32 or Sup Cisco Systems, Inc. All rights reserved. 33

34 Switch Technical Differentiators Flexible Authentication Sequencing Rolling authentication with a flexible sequence (.1x, Mac Auth Bypass, and web authentication) Most flexible authentication in the market: automates the port configuration to accommodate all endpoint devices necessary to support the most enterprise use cases Monitor Mode Gathers information about device/user access without adverse impact Critical to deploying network-based identity without locking out users or devices Unified Guest Access Unified guest access with local web authentication on the switch Same infrastructure for wired and wireless guest access same premiere user experience 2010 Cisco Systems, Inc. All rights reserved. 34

35 Migration Opportunities ACS NAC Strategy Secure account control with customers who want posture with 8021.x, by preparing their base networking infrastructure. Migrate existing ACS 4.x customers to ACS 5.1 (SKUs and migration tools are available utility in ACS 5.1 to migrate data) Sell professional services required to facilitate the policy migration Strategy maximize customer satisfaction / minimize ongoing support by migrating existing NAC customers to Migrate existing SW-only customers to For customers on non-cisco HW, migration to latest appliance (33x5) is mandatory (program and SKUs are available) Migrate existing Profiler customers to 3.x UI and stability enhancements Upsell NAC Guest Server 2010 Cisco Systems, Inc. All rights reserved. 35

36 Product Evolution ACS Migration - Value and Migration Detail SW migration from ACS 5.1 to ACS 5.2 SW / HW migration from ACS 4.x to ACS 5.1 SW migration from ACS 5.0 to ACS 5.1 ACS 5.1 ACS 5.2 Customer Value - Enhanced support for GOV installations requiring FIPS compliance ACS 4.x Customer Value - Integrated View functionality, c/w extensive reporting templates - Simplified policy creation with enhanced policy monitoring - Improved visibility into network access and device admin specifics - Support for Cisco identity-enabled networks, with.1x and SGT support Time 2010 Cisco Systems, Inc. All rights reserved. 36

37 ACS 5.1 Upgrade and Migration From Any Previous Release To the latest 5.1 Release Upgrade part numbers available with special pricing (refer to ACS migration matrix) Upgrade from appliance or software to 1121 appliance or VMware versions Example 1 - Go from ACS 3.3 on Windows to 1121 Appliance Example 2 - Go from 1111 Appliance to 5.2 VMware Migration utility in 5.1 to migrate existing data Comes with all previous versions needed to perform a complete data migration 2010 Cisco Systems, Inc. All rights reserved. 37

38 ACS Migration Tools Category Education Migration Process Components ACS-specific collateral updates (BDM, TDM) ACS 5.1 Overview and Value Proposition presentation 5 Things You Need To Know about ACS 5 (short presentation) Archived Webinar series ACS What s In It For Me? (ACS value proposition, ACS Migration Strategy) Migration Workload Estimating Tool Migration Guide Migration Deep Dive webinar Migration Utility (in ACS 5.1) Offers 40% Upgrade discount for existing customers 2010 Cisco Systems, Inc. All rights reserved. 38

39 ACS 5.1 Summary Sell ACS 5.1 for the following customer benefits: - Compliance & Audit through integrated reporting across the entire deployment - Troubleshooting capabilities lower operational expenditure - Enable infrastructure services identity, TrustSec Sell ACS 5.1 to - Seed the account to prevent competition from switch vendors such as HP and Juniper - Position infrastructure upgrades by enabling advanced services like identity and TrustSec - Bundle additional products like NAC Guest and NAC Profiler 2010 Cisco Systems, Inc. All rights reserved. 39

40 Product Evolution NAC Migration - Value and Migration Detail SW migration from NAC 4.7.x to NAC 4.8 NAC Pre-4.5 to via SW / HW migration program SW migration from NAC 4.5x to NAC 4.6x NAC 4.5.x SW migration from NAC 4.6.x to NAC 4.7.x Separate FIPS HW module (note FIPS module supported on 33x5 platform only) NAC 4.6.x Customer Value - Enhanced agent side reporting - Improved user experience - Reduced client footprint - Easy NAC Agent Management - Simplified Troubleshooting NAC 4.7.x Customer Value - Dedicated FIPS certified HW Security Module, which handles cryptographic operations - Higher-scalability (5000 user) HW option - Support for Windows 7 and Mac Snow Leopard NAC 4.8 (Planned) Customer Value - Improved reporting capability - Faster response to AV / AS - Post-admission NAC for ongoing device posture Time 2010 Cisco Systems, Inc. All rights reserved. 40

41 NAC Migration Opportunities Details Migrate existing software-only customers to For customers on non-cisco hardware, migration to latest appliance (IBM Platform) is mandatory These customers can take advantage of 80% discount on new appliances Note that customers on Cisco hardware will only require a software upgrade. Upsell NAC Guest Server Add value added professional services 2010 Cisco Systems, Inc. All rights reserved. 41

42 NAC Migration Tools and Offers NAC Appliance Migrations Step by Step Migration Guide for Software-Only Customers Migration Deep Dive Webinar (archived version available) Migration Offer Pre-discounted NAC appliances (IBM Platform) Up to 80% off 2010 Cisco Systems, Inc. All rights reserved. 42

43 ACS and NAC - Migration Overview Today ACS 5.1 (1121 HW) ACS pre-5.x to 5.x migration - dedicated VMWare / appliance SKUs ACS 5.0 to 5.1 migration - SW migration NAC Pre-4.5 to NAC SW / HW migration program NAC 4.5 / 4.6 to SW migration NAC (33x5 HW) Mid-Year 2010 ACS 5.2 (1121 HW) ACS 5.1 to ACS FIPS Compliance migration (SW) NAC 4.5 / 4.6 to SW migration NAC 4.8 (33x5 HW) Q4CY 10 ACS 5.1 / 52 to Consolidated Platform - SW cross-grade, HW migration for pre-1121 HW Consolidated Platform (1121 / 33x5 HW) NAC 4.8 to Consolidated Platform - SW cross-grade, HW migration for pre-33x5 HW 2010 Cisco Systems, Inc. All rights reserved. 43

44 Sales Opportunity: Attach Security Discuss enhanced capabilities of ACS 5.1 to drive migration (35,000 + customers) NEW! Demonstrate the best-in-class guest access management of NAC Guest Server Position the ease of deployment with NAC Profiler All technologies provided by the proven leader in Network Security and Network Admission Control Cisco Systems 2010 Cisco Systems, Inc. All rights reserved. 44

45 Sales Opportunity: Data Center and SGACL Opportunity: Data center growth is exploding! Compliance mandates require appropriate access control for data center resources Huge opportunity to migrate not only access switches but data center switches TrustSec Relevance: Begin data center access control discussions with Security Group ACL Position Nexus 7000 and SXP Demonstrate how authentication for LAN users can be enforced easily in the data center 2010 Cisco Systems, Inc. All rights reserved. 45

46 Example TrustSec Deal Size Large enterprise network Switch Migration: 50 Catalyst 6500 Series 50 Catalyst 3750 Series 2000 Catalyst 2960 Series Mid-sized network Switch Migration: 15 Catalyst 6500 Series 50 Catalyst 3750 Series 125 Catalyst 4500E Series Attached Security: 14 Access Control Systems 3 Profilers (up to 40,000 MAC addresses each) 3 Guest Servers $24M (List) Attached Security: 5 Access Control Systems 1 Profiler (up to 40,000 MAC addresses) 1 Guest Server $7M (List) 2010 Cisco Systems, Inc. All rights reserved. 46

47 Sales Opportunity: Offer High-Margin Professional Services Business processes Network discovery Migration services Implementation services Leveraging partner services 2010 Cisco Systems, Inc. All rights reserved. 47

48 Professional Services Service Components Security Policy Review Design Strategy Development Controlled Deployment Full Deployment Training and Knowledge Transfer Activities and Deliverables Security policy review Match compliance to infrastructure Custom design for authentication and access objectives Customized solution for existing network Experienced rollout services Expertise decreases deployment time Training for operation, maintenance, management, and tuning Professional Services from Cisco, or one of our Services Partners, is an Important Component of Any Successful Rollout Cisco Systems, Inc. All rights reserved. 48

49 Next Steps: Determine the Appropriate Solution Engage your SE Clarify Customer s Pain Discuss Pro s and Con s (.1x, NAC, Profiler, GS) Present the BEST solution First, THEN discuss Cost Set Appropriate Expectations: Timeline, Pilot, Needed Customer Resources, etc. Ask for the Order NAC Appliances NAC (OVERLAY) Sell NAC Server Sell NAC Manager Upsell NAC Profiler Upsell NAC Guest 802.1X/Infrastructure ACS & SWITCHES (INFRASTRUCTURE) Upgrade Legacy Switches Sell/Upgrade ACS Sell CSSC Upsell NAC Profiler Upsell NAC Guest 2010 Cisco Systems, Inc. All rights reserved. 49

50 Guiding The Conversation Access control is a critical issue for many organizations, such as regulatory requirements. Access control can also be a key driver in getting customers to migrate to an 802.1xenabled infrastructure Control the Conversation: keep the customer on topic. Table topics such as Data Center, UC, etc. for later. Keep them thinking security. Use the questions on slide 8 to guide the conversation If they wander off topic ask another question to bring them back to Access/Identity Security 2010 Cisco Systems, Inc. All rights reserved. 50

51 Objection Handling Costs a) Be sure to be comparing Apples to Apples b) Emphasize total cost of ownership. Remember this is a solution sale that is part of an integrated, long-term strategy, NOT simply a box. c) Find Pain, Discuss, Provide Solution again Deployment Ease a) Set expectations and spotlight features b) Be sure to appropriately cover SOW Competitive Advantages a) No one else can offer this solution (see next slide) 2010 Cisco Systems, Inc. All rights reserved. 51

52 Sales Differentiators: Defend Against Competitors! Market-leading solution Ease of deployment: Monitoring (open) mode, authenticated (low impact), and differentiated (high-impact) deployment options Flexible: Three ways to authenticate using a single configuration Efficient, consistent, and scalable: Leverage your infrastructure and use a common policy Ease of ongoing management: Security Group Tagging (SGT) and Security Group ACLs (SGACL) enable scalable network access control through simplified network design Complete, single vendor solution 2010 Cisco Systems, Inc. All rights reserved. 52

53 Identity Compliance Requirements Cisco TrustSec addresses mandated access control security requirements Payment Card Industry (PCI) US Department of Defense Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures (Version 1.2.1, July 2009) Information Assurance Officers/Network Security Officers will ensure either MAC security (with profiling) or 802.1X port authentication is used on all network access ports Defense Information Systems Agency Access Control in Support of Information Systems, Security Technical Implementation Guide (26 December 2008) 2010 Cisco Systems, Inc. All rights reserved. 53

54 Case Study University of Montreal Background One of the top 100 universities in the world, with 55,000 students and an annual research budget of CAD$450 million Business Challenges Support collaboration between research groups Differentiated access for students, researchers, and faculties Cisco Solution Benefits Tailored network services with identitybased access Scalable network environment Improves OPEX with network moves, adds, and changes 08/case_study_c html Our new network is more secure, and we can do a better job by giving more specialized service to people. Michel L'Heureux Director of Telecommunications Université de Montréal 2010 Cisco Systems, Inc. All rights reserved. 54

55 Cisco Leadership Advantage The Network Provides Comprehensive Visibility and Control #1 NAC Vendor 41% market share 1 Leading analysts agree customers Info Security s Reader s Choice Gold Award 3 LAN Infrastructure Market Leader Widest range of market-leading switching platforms Widest range of market-leading routing platforms Cisco Innovation Pioneered NAC technology Developed NAC standards First to launch ,000+ ACS Installed Base 95% of Cisco Top % of Cisco Top % of Cisco Top Infonetics, June Gartner Magic Quadrant March 2009, Frost & Sullivan April 2008, Forrester September 2008, IDC Dec 2007, Infonetics June Cisco Systems, Inc. All rights reserved. Cisco Public 55

56 Next Steps Important Resources Resources TrustSec Business Presentations NEW! TrustSec Technical Presentation NEW! TrustSec At-A-Glance NEW! TrustSec Quick Reference Card NEW! TrustSec Alias NEW! Web Sites Partner Central Secure Borderless Networks Launch page Partner Central Borderless Networks Launch page Partner Central Security page Cisco TrustSec external page Cisco Systems, Inc. All rights reserved. 56

57 Next Steps 1. Establish executive sponsor leverage Cisco team to get access to CXO 2. Engage all key decision makers: Network, Data Center, Security teams 3. Create a multi-phase rollout to secure the access layer overlay or infrastructure a) Migrate switch infrastructure to enable 802.1X b) Migrate or upsell centralized access policy control with ACS 5.1 c) Upsell guest and profiler appliances d) Secure Data Center access with Nexus 7000 (SGT and SXP) 2009 Cisco Systems, Inc. All rights reserved. 57

58 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 58