Cisco outlined its security product-development strategy on Monday, aimed at providing a new type of "always on" security protection for mobile devices as well as a way to establish controls over cloud-computing applications used by the enterprise. Cisco is calling the initiative its Secure Borderless Network architecture.
The initiative basically entails bringing enhancements to three Cisco products — the Cisco AnyConnect client, Cisco Adaptive Security Appliance (ASA) and Cisco's IronPort Web Security appliance — to have them work in unison to provide an "always on" VPN function and client protection that extends to data-loss prevention, access to cloud-based applications and web filtering. One of its main advantages will be in extending those capabilities to mobile devices used by employees, according to Tom Gillis, vice president and general manager at the security technology business unit at Cisco.
The announcement was made at this week's RSA Conference in San Francisco.
"The traditional VPN works great when it's on," said Gillis, who noted that Cisco itself has many millions of its VPN client products in use today. But the AnyConnect 2.5 client expected to ship in the second quarter for Windows and Mac computers, as well as other types of computers, plus many types of mobile devices that Cisco will later announce, would allow a business to establish an always-on VPN connection that would "automatically log you in" and "maintain session state." This new VPN client on the mobile smartphone and other types of computers would be the means to also establish policy controls to set restrictions on Web browsing, prevent unauthorised transmissions of sensitive data through data-loss prevention filtering, and provide automated access to cloud-based applications, as well as a way to de-provision use of applications, if needed.
But to obtain the full spectrum of benefits, enterprises would need to use Cisco AnyConnect 2.5, ASA 8.3 and an updated version of Cisco IronPort S-Series, all expected out in the second quarter. The mobile-security piece is expected to be marketed as Cisco Secure Mobility Solution.
The idea is for this Cisco's client software to be able to distinguish applications used by devices in order to determine they are being used under security policies approved by the business. The goal is to be able to differentiate between business and personal-use applications, too. At Cisco, "we're saying HTTP is the new TCP," Gillis said, since this is what most major applications use today. The goal is to have iPhone be able to automatically get to a Salesforce application, for example. And the business would be able to easily de-provision that use, if need be, through centralized management.
The updates to the current Cisco products needed to accomplish the Secure Borderless Network architecture vision will be incremental changes, Gillis said. But he acknowledged that some of the pieces to the puzzle require cooperative effort with partners, such as handset manufacturers such as iPhone or cloud providers. But Cisco expects to make further announcements about what specific mobile devices will be supported and other partnerships.
Analysts attending the Cisco event here were intrigued but also questioning.
"It's not revolutionary, it's incremental," said Trent Henry, analyst at Burton Group (recently acquired by Gartner). For the mobility and cloud pieces to work as planned, "the ecosystem of partners to buy into it is yet to come."
Gartner analyst Victor Wheatman said Cisco's plans paint an appealing picture, especially for mobility, but there are bound to be questions about the security pieces as described in a demo that Cisco provided today. "No passwords, no login, no ID — is that secure?" Wheatman commented about the functionality of an "always on" VPN as described..
Cisco says the beta versions of the products are undergoing testing at some organizations now, but declined to provide names, though noted Cisco itself is a beta for it.