FEATURE

IBM, Cisco Building Better Security

Two IT leaders join forces for more effective, easier network defense

October 14, 2004

By Charles Waltner, News@Cisco

Two of the most trusted names in information technology are working together to make it easier for companies and organizations to protect their computing assets.

In a collaboration announced in February, Cisco and IBM are actively integrating their security products and technologies to create a new model for enterprise security. The overarching goal of the effort is to help customers implement effective end-to-end security in their organizations by creating integrated, comprehensive endpoint defenses while linking them with integrated control and management of user identities, networks and applications. This collaboration aims to improve the security of computing resources while lowering the cost and easing the management of end-to-end network defenses. The Cisco-IBM effort focuses on integrating technologies in three areas: managing identities, creating secure remote connections, and automating compliance of users and devices.

Key to the endeavor is IBM's support for the Cisco Network Admission Control Program (NAC). In a pioneering initiative designed to dramatically increase the capabilities of data networks to protect themselves against viruses, worms, and other security threats, NAC will use Cisco network devices to enforce admission privileges to "end-point" devices--personal computers, servers, or PDAs--based on the security status of those end-points and their compliance with a network's security policies. By working with IBM, Cisco can tie these capabilities into the extensive system management tools IBM offers through its Tivoli line of products.

"NAC is the first example of the steps we are taking to create a much more dynamic network security architecture that can respond automatically to attacks and threats," says Bob Gleichauf, the chief technology officer of Cisco's Security Technology group. "Clearly, businesses are being significantly hurt by viruses and worms, so we need to find better ways to protect their networks, computers and applications. This is the inspiration behind Cisco's Self-Defending Network strategy."

In this recent announcement, IBM and Cisco are making several key improvements in the security of network and computer resources. First, with the IBM Tivoli Compliance Manager, corporations can enforce their established security policies and automatically probe devices attempting to connect to the network, helping identify any non-compliant devices. The Tivoli Compliance Manager works in conjunction with Cisco's NAC by extending it to check for dozens of endpoint parameters used in admission decisions. Also, with IBM Tivoli Identity Manager and the Cisco Identity Based Networking Services, enterprises can more effectively manage their user population's access rights by enabling port-level authentication throughout their networks.

The IBM and Cisco security collaboration has also created new ways organizations can isolate devices that are not compliant with security policies. Once non-compliant devices are identified and isolated, the IBM Tivoli Provisioning Manager works in conjunction with Cisco's NAC to automatically remediate devices prior to granting admission to the network.

The Cisco-IBM collaboration is an ongoing effort, with Cisco and IBM targeting development and delivery of new products and technologies every six to eight months. The first phase began last February with the announcement of the program. During the first six months of the collaboration, Cisco and IBM focused on integrated user provisioning by creating better communications between IBM's Tivoli Identity Manager and the Cisco Secure Access Control Server. When administering credentials, provisioning is a key management process for effective and efficient security. By integrating the IBM Tivoli Identity Manager with the Cisco Secure Access Control Server, organizations can now manage user identities from a centralized application.

Thanks to this effort, for the first time IBM and Cisco customers can use one tool to provision user identities and authorize access to systems, middleware, applications, and network resources. This integration eliminates redundant and painstaking manual efforts for entering user account profiles and system policies, making network security less expensive and more effective.

These new capabilities can reduce common security risks, such as invalid user accounts, a problem that plagues an estimated 60 percent of large organizations and can lead to identity theft or intellectual capital theft. This new integration by Cisco and IBM can also decrease the time it takes to provide employees access to appropriate applications and network resources.

In the future, Cisco and IBM plan to work on increasing security collaboration in areas such as shared credentials between the network and application layers, infection containment, and endpoint security.

As Richard Palmer, vice president of Cisco's VPN and Security business unit, notes, the two companies are a perfect match for improving information technology security.

"The skills and security products of our two companies are extremely complementary," Palmer says. "Cisco is a leader in network security and IBM is an expert in identity management, systems, and application management. Together Cisco and IBM provide comprehensive solutions across our customers' IT infrastructure."

Charles Waltner is a freelance journalist in Oakland, Calif.