Cisco and Microsoft recently revealed how they are working toward interoperability between Cisco's Network Access Control and Microsoft's Network Access Protection technologies. The companies used The Security Standard conference last week in Boston to detail how -- when Microsoft's Vista sees widespread adoption and Longhorn server ships at the end of 2007 -- customers will be able to use a jointly developed API to integrate Microsoft systems with, for instance, Cisco's Access Control Server.
At the conference, Denise Dubie caught up with Bob Gleichauf, CTO of Cisco's Security Technology Group, and Mark Ashida, general manager of Windows Networking at Microsoft, to learn more about why the companies joined forces on security and what's in store for future collaborations.
Explain a bit how Cisco and Microsoft technologies working together will ultimately help customers.
Gleichauf: These technologies have been designed to be much more transparent, because they are trying to just get a basic assessment to figure out what category you fit in: fully compliant, partially compliant, risk or dangerous, as an example; those are arbitrary definitions to which policy could be written. Then you can start assigning network access based on that and the remediation process based on that, if that is appropriate. Automating that process frees up administrative time for other tasks.
Did you find customers uncomfortable with the level of automation that the interoperability between the products poses? If yes, how did you address it in the technology?
Gleichauf: You will always have a certain part of the user community that fears being overmanaged, being overmonitored, but in the enterprise, which is the initial target for this type of technology, it's a different value proposition between the corporation and the employee.
Ashida: One of the things Bob and I both discussed in the very early days was this: we often came across the issue of, should we do it this way or that way? We often said, this should be an IT admin decision, so let's make it configurable. Because every company has a different architecture, a different infrastructure, we made that configurability a key element in the technology.
Gleichauf: That is one of the hardest things we did.
How would you classify C-NAC/NAP as an approach to enterprise security? Is it reactive or proactive?
Gleichauf: It is more like preventive medicine. You are making sure you are healthy by going to the doctor periodically, and hopefully you'll have lower medical bills in the long term.
Ashida: This may be an obscure reference. I am not sure if you ever heard of the health-of-the-herd idea, which is like when a lot of people say I am not going to get a flu shot and I won't get sick, but that is partially because everyone around them had flu shots so they did not get sick because everyone around them was healthy. But if everyone stopped getting flu shots, there might be a lot more flu. One of the key things about NAP/C-NAC is that it raises the overall health of the average computer in the company.
Gleichauf: And of the infrastructure.
Ashida: And that is really important, because as the overall health of the individual pieces goes up, so does the company's overall health.
How does the technology deal with a reluctant end user, one that maybe procrastinates updating agents or keeping systems up-to-date with software upgrades?
Gleichauf: What will happen in a corporation, at least one like Cisco where we have a very rich tradition of engineering entitlement and independence, they will get on the network. They just may not have as good a user experience as if they were fully compliant. These systems are being designed so security IT staff can reward people for compliance, and only the people that are out of compliance pay some kind of tax.
I know policy-based management can be a challenge for enterprise IT staff. How does the jointly developed technology work toward enforcing policies across systems down to the network elements?
Ashida: We view Active Directory as the place where you can store your policies. We view [Network Policy Server] as a place where you can transactionally evaluate those policies. And we view ACS as a way to have a common interface into the network for any kind of enforcement as we go forward. That is how we see the technology from a policy cascading down through the infrastructure.
Gleichauf: We have customers running ACS to Active Directory now, where the policy is in Active Directory. When Vista/Longhorn comes in, inserting NPS in the middle to act as that policy arbitrator is transparent. It will fit in because of the way it's being done with the architecture.
I'd like to focus a bit on Cisco. How does this partnership affect others that Cisco has with software providers? For instance, Cisco and Microsoft initially announced their partnership in 2004, around the same time Cisco and IBM said they would team on network access through Cisco products and Tivoli software. Can we expect to see Cisco engage in more joint development efforts with software vendors?
Gleichauf: We could discuss this more offline, but the relationship with IBM is a good relationship for both companies and we are maintaining it. And until IBM has consummated the [ISS] acquisition, the relationship will be maintained. Until they close the acquisition and they are allowed to talk to us in greater detail about how they are incorporating ISS, we can't really know how it impacts the relationship and it's pointless to speculate.
Cisco's recent push toward network management is spreading to security policy enforcement. Why is Cisco suddenly very much interested in managing its own gear, whether it is to achieve greater efficiencies or security?
Gleichauf: Any vendor who is successful has a lot of control over its fundamental control plane. Our control plane is the network fabric. Google's is search engines. Microsoft's is the server, desktop and the operating system environment. When you have a significant presence in one of those areas, it is only logical over time that you will then decide in an opportunistic fashion what businesses you want to get into to enhance that fundamental control plane. It's logical for Cisco. It may not be the core competency or the first thing customers will think when they see the Cisco brand, but it is something that will be an important enabler. Network management and policy is something that we will actively develop where it makes sense.
And it seems Cisco today is more open to sharing at least its management development efforts with specific partners?
Gleichauf: Microsoft and Cisco have been very open with one another that we will both be providing policy management components. That is why, to the point of cross-licensing our development efforts, we were smart enough to cross-license without knowing where our respective business units may decide to go with the technology in the future.
Now on to Microsoft. The company has its Dynamic Systems Initiative, and recently announced it would work with other management vendors on developing and fostering support for the Service Modeling Language. Why are management vendors today more apt to work together on standards to ease management and security for customers than they were five years ago?
Ashida: A key part is that enterprises, which have been stovepiped in functional groups, now want or need to manage end-to-end. End-to-end will more quickly tell them why e-mail is not working, because it is no longer satisfactory to have to call eight people to figure out what the problem is. They want to see in one place how systems and infrastructure are working. This is going to be an opportunity for vendors such as Microsoft and Cisco to work together, because those are two elements that enterprises need to correlate.
Gleichauf: Convergence is king in driving down costs and improving the reliability and the quality of decisions you make.