
Threat Defence: Secure Mobility


Cisco AnyConnect Secure Mobility
US Partner Playbook

Overview | Sales Opportunity | Solution Description | Targeting | Licensing Options | Trigger Questions | Objection Handling | Calls to Action | Product Offers | Cisco Service and Cisco Capital Offers | Competitive Positioning | Additional Resources | Why Cisco

This document is Cisco Confidential. For Partner Use Only.

Cisco AnyConnect Secure Mobility Overview

Cisco provides a set of solution offerings that deliver seamless, secure connectivity to today’s increasingly mobile, increasingly decentralized workforce. Whether employees are onsite, in home or remote offices, or on the road, mobility and connectivity are key components of staying productive. Users require access to a company’s resources from anywhere and at any time, whether they are using a company-issued laptop, personal home computer, or mobile device/smartphone. IT departments face the challenge of providing secure access to the exponentially growing number of employees’ mobile devices, while at the same time having the responsibility for ensuring that the company’s data is safe and protected.

This playbook focuses on the new Cisco® AnyConnect Secure Mobility solution and client. For mobile workers who are working outside of the office using smartphones or laptops, the new AnyConnect Secure Mobility solution provides Cisco’s industry-leading web security and next-generation remote access technology to deliver a highly robust and secure enterprise mobility solution. This solution is part of the Cisco Smart Business Architecture (SBA), which is now available for networks with up to 10,000 endpoint devices and provides a blueprint for accelerating technology adoption. SBA has been tested with version 2.5 of the AnyConnect client.
Version 3.0 of the client is scheduled to be tested in the Cisco Smart Business Architecture in 2011.

For Cisco, secure mobility means providing a new level of protection for the varied mobile endpoints accessing corporate data today, offering access, security, and choice:
• Easy access to applications and information that users need to do their jobs
• Accurate security to protect endpoints from threats and to enforce corporate policy on devices
• The ability to support a wide variety of devices in order to provide users with a choice of tools to use

These fundamental characteristics establish the foundation that enterprises need to embrace mobility.

The Cisco AnyConnect Secure Mobility solution provides a comprehensive, highly secure enterprise mobility solution. It combines industry-leading Cisco web security with next-generation remote access technology to help organizations easily manage the security risks of borderless networks. With this mobile security solution, users can access the network with their device of choice, including laptops and handhelds. They can then easily and securely use the applications and information they need to do their jobs.

Based on the Cisco AnyConnect endpoint client for the Cisco ASA 5500 Series Adaptive Security Appliance, Cisco AnyConnect Secure Mobility extends VPN beyond intermittent connectivity to a more persistent, user-friendly experience and enhanced security for web-based threats. The AnyConnect solution uses the Cisco IronPort® Web Security Appliance or web security in the cloud (via ScanSafe) in conjunction with the AnyConnect client. Through this added protection, mobile workers can enjoy “always on” security protection, while at the same time enterprises can enforce appropriate IT policy.

Play Goals

The goals of the Cisco AnyConnect Secure Mobility play are as follows:
• To position Cisco as the leader in secure mobility solutions for today’s borderless networks
• To target customers who have limited or no security for their mobile and remote workers
• To encourage installed base customers (Cisco and non-Cisco) to migrate, including:
  –– Traditional remote access VPN to AnyConnect Secure Mobility
  –– Standalone Cisco IronPort® Web Security Appliance (WSA) and ScanSafe Web Security deployments to AnyConnect Secure Mobility
  –– Standalone ASA deployments to Cisco Web Security and AnyConnect Secure Mobility

Products in the Solution

This playbook discusses the Cisco AnyConnect Secure Mobility solution, which includes the ASA with the AnyConnect client and Cisco Web Security with the IronPort Web Security Appliance (WSA) or ScanSafe. It includes the new AnyConnect client version 3.0, which began shipping in January 2011. Version 3.0 supports the broader AnyConnect Secure Mobility solution with IP Security (IPsec) VPN support, 802.1X and MACsec for Cisco TrustSec® technology, and ScanSafe web security, in addition to the Secure Sockets Layer (SSL) VPN support offered with AnyConnect 2.5. AnyConnect 2.5 has been tested in the Cisco Smart Business Architecture and is available from Cisco today. AnyConnect client version 3.0 is scheduled to be tested in the Cisco Smart Business Architecture in 2011.

AnyConnect Secure Mobility Sales Opportunity

Market Drivers

Mobility is everywhere, and there are many opportunities to ensure that mobile workers stay secure.
Worldwide, mobility is a huge market, with more than 1.3 billion networked mobile devices with the potential to enter the workplace. The overall worldwide mobility market opportunity is $3 billion USD with a compound annual growth rate (CAGR) of 15 percent over the next 3 years. At the same time, users want to have the freedom to easily and immediately get the information they need to do their job on their mobile device of choice, anywhere. No matter where people are working or accessing information, the company and network must continue to stay secure. The worldwide market for securing mobile endpoints is projected to reach $1.6 billion USD by 2013, with a 5-year CAGR of 70 percent.[1] Juniper Research estimates that the value of data on corporate mobile handsets, and the need to protect it, will boost the number of corporate devices using security software to 77.7 million by 2014.[2] With end user demand and continued compliance and regulatory pressures, companies may be seeing a need to upgrade their networks to support secure mobility.

[1] Infonetics, Security Appliances and Software for Mobile Networks and Devices, July 2009
[2] Endpoint Security for Business: Desktops, Laptops & Mobile Devices 2009-2014, http://juniperresearch.com/shop/viewpressrelease.php?pr=172

Customer Benefits of AnyConnect Secure Mobility

Enforcement of network policy is straightforward in a traditional business environment. Corporate-issued devices chosen by IT are loaded with standard company-approved software applications from trusted vendors. Once these hosts are loaded with a standard image, they reside on a company’s network and are protected using both host-based and network-based security solutions.
Users are also prevented from visiting or downloading inappropriate or hostile web content.

As business demands change and employees work from anywhere at any time, companies find themselves having to manage ubiquitous networks. These expansive networks bring new challenges. Companies must find ways to enforce acceptable use policy, abide by regulatory requirements, and protect company resources while not limiting the productivity of their mobile users.

AnyConnect Secure Mobility solutions offer customers the following benefits:
• Always-on threat defense: With the IronPort Web Security Appliance, Cisco’s rich IP reputation capabilities can be used with AnyConnect’s always-on VPN mode to close the hole of unprotected Internet surfing (which leads to an infected endpoint and later an infected corporate network). Additionally, with version 3.0 of the AnyConnect client, companies will be able to have Internet requests scanned directly by Cisco’s cloud web security service (ScanSafe) so that whether always-on VPN mode is configured or not, endpoints are always protected.
• Location-aware acceptable use policies: Using the IronPort WSA, corporate acceptable use policies can be applied to mobile workers depending on their location. This capability enables more liberal policies to be applied when employees are mobile versus on the corporate LAN, thus allowing an IT group to make more allowances for personal freedom on the employee’s device of choice.
• Broader coverage of new mobile platforms: The AnyConnect client increasingly supports major enterprise mobility platforms. Current support includes all major PC operating systems (Windows, Mac, and Linux) and an ever-growing number of popular smartphone and mobile tablet operating systems. As of December 2010, current mobile OS support includes Apple iOS, Palm WebOS, and Windows Mobile.
It should be noted that the AnyConnect Secure Mobility features are optimized for PC OS options (Windows, Mac and Linux), with continual improvement of features for mobile OS options.
• Expandability to AnyConnect’s broader unified architecture: The AnyConnect client represents a unification of key Cisco assets in a modular way, providing companies with an upgrade path to newer services in that portfolio over time. Rather than having to manage new endpoint software clients for each capability, organizations using AnyConnect can turn on new services easily and use the same management infrastructure and end-user interface. In version 3.0, AnyConnect extends its capabilities from SSL and Datagram Transport Layer Security (DTLS) VPN only to IPsec VPN, an 802.1X connection manager, and the mobile web security client for Cisco’s ScanSafe Web Security services. Note that both SSL VPN and IPsec VPN will support the “always on, always protected” capability of the AnyConnect Secure Mobility solution.

AnyConnect Secure Mobility Solution Description—Cisco’s Unique Capabilities

Networks are evolving to support seamless access and enforced security for workers, no matter where they are located. The Cisco AnyConnect Secure Mobility solution combines Cisco’s industry-leading cloud- and premises-based web security and next-generation remote access technology to deliver a robust and secure enterprise mobility solution. Cisco is the only vendor that offers a secure mobility solution that integrates web policy enforcement.
In addition, Cisco AnyConnect Secure Mobility supports the broadest set of mobile devices and applications. The Cisco AnyConnect Secure Mobility solution delivers enhanced productivity for mobile users on their device of choice, anywhere, anytime.

On the web security side, Cisco has been recognized by Gartner as a Leader in the Magic Quadrant for Secure Web Gateway (2009), and Cisco’s innovation in software-as-a-service (SaaS) access control, combined with threat defense knowledge from the Security Intelligence Operations center, provides leading web security and policy enforcement.

On the remote access side, Gartner has also recognized Cisco as a Leader in the Magic Quadrant for SSL VPNs (2010). That status, combined with the innovative always-on, persistent secure access and transparent experience, delivers the next-generation technology leadership for remote access.

In addition to industry-leading VPN capabilities, the AnyConnect client enables IEEE 802.1X capabilities for a single authentication framework to manage the user and device identity, and network access protocols required to move smoothly from wired to wireless networks with Cisco TrustSec technology. Consistent with its VPN capabilities, the Cisco AnyConnect client supports IEEE 802.1AE (MACsec) for data confidentiality, data integrity, and data origin authentication on wired networks, safeguarding communication between trusted components of the network. See the “Competitive Positioning” section for more information.

AnyConnect Secure Mobility Targeting

Different buyers should be approached with different messages to match their key concerns and buying triggers.
However, from a CXO perspective, the overlay message is consistent. Cisco provides secure mobility for mobile users to enable enhanced productivity on the devices they choose from anywhere they may be connecting. An executive will want a secure mobility strategy that ensures that the devices they work with are always protected with consistent security and that corporate liability can be minimized unobtrusively.

The ideal buyer is an enterprise or midmarket customer who already has ASA and/or AnyConnect and is considering securing a mobile workforce that wants protection against web-based malware and requires visibility and control for remote web usage. For AnyConnect Secure Mobility, the focus should be on the VPN buyer or the secure web gateway buyer. The sales approach for AnyConnect Secure Mobility will depend on which aspect of the solution the customer already has in place (which will determine what aspects of the solution they still require).

What to Sell

The solution consists of:
• Cisco ASA version 8.3 or later
• Cisco AnyConnect client version 2.5 or later
• A web security solution:
  –– Cisco Web Security Appliance version 7.0 with the new Secure Mobility license
  –– ScanSafe hosted web security with the Secure Mobility license for ScanSafe (with AnyConnect client version 3.0)
• A router (exact sizing based on the traffic required)

For the most part, the decision as to whether an organization uses an on-premises or cloud web security solution with AnyConnect Secure Mobility will depend on the organization’s preferences for managing the solution themselves and their attitude toward SaaS and storing corporate data in the cloud. For more information on discussing cloud-based security with your interested parties, see www.cisco.com/go/security. Beyond these high-level decision points, the following criteria can be used to help determine which option to position.

The IronPort WSA solution should be positioned when organizations are interested in:
• Always-on VPN: The cloud web security services can run with AnyConnect not in always-on mode, which means not all traffic is backhauled to the corporate network. Nonetheless, this does not imply that Cisco’s cloud web security services are less secure, since they are also providing constant protection to the endpoint.
• On-premises control: Some companies are resistant to moving corporate data to the cloud.
• Location-based policy: The WSA implementation defines different policies per user or group when the connection is coming from off the corporate network than when a user is on-site.
• Granular application control: The WSA’s fingerprinting technology allows it to look inside web traffic at a deeper level and make policy decisions on web applications based on the user’s identity. For example, with the WSA a marketing user may have the right to use a web-based application such as Gmail, but a policy could be instituted to block a file upload.
• Data security through integrated data loss prevention (DLP): In addition to the data security enabled by granular application control, the IronPort WSA has an on-box integration with the RSA enterprise-class DLP solution, enabling deeper DLP content inspection than the Cisco cloud-based web security services currently offer.

AnyConnect Secure Mobility with cloud-based web security (ScanSafe) should be positioned when organizations are interested in:
• Geographic flexibility
• Having flexibility regarding whether to backhaul technology from a remote office

For example, suppose that a multinational company has all of its offices in the United States, but has five employees in Bangalore, India. Rather than backhauling all of the traffic for the remote workers so their traffic can be scanned through the corporate WSA, the customer can simply set up web security policy enforcement with ScanSafe for remote workers.

Figure 1 gives a matrix that details the customer engagement strategy.

Figure 1. Customer Engagement Strategy for Cisco AnyConnect Secure Mobility

ASA with AnyConnect License | Cisco Web Security (ScanSafe or WSA) | Who | What to Sell
Yes | Yes | Web buyer | WSA or ScanSafe Secure Mobility license
Yes | No | Web buyer | WSA or ScanSafe with a Secure Mobility license
No | Yes | VPN buyer | AnyConnect plus WSA or ScanSafe Secure Mobility license
No | No | Either | Get a toehold: AnyConnect, WSA, or ScanSafe

The easiest sell will be to customers who already have Cisco ASA with the AnyConnect client and a Cisco Web Security option. To take advantage of the AnyConnect Secure Mobility capabilities, they simply need the appropriate Secure Mobility license.

For those customers who have ASA and VPN, there are numerous upgrade options. The first step is to upgrade the existing VPN client (examples include older versions of AnyConnect, the Cisco IPsec VPN client, and competitive products) to AnyConnect. Upgrading AnyConnect Essentials licenses to AnyConnect Premium also delivers the always-on capability and seamless productivity between devices. (See the following section for a comparison of the AnyConnect Essentials and Premium licenses.)

Once the Cisco AnyConnect VPN client is upgraded, the following up-sell opportunities are available:
• Up-sell the AnyConnect VPN client to include a complete AnyConnect Secure Mobility solution with on-premises web security with the WSA and Secure Mobility licenses.
• Up-sell the VPN client to include a complete AnyConnect Secure Mobility solution with hosted web security with ScanSafe and the Secure Mobility license for ScanSafe.
• Up-sell the VPN client to include a hybrid AnyConnect Secure Mobility solution with both on-premises and hosted web security.

There are four major Cisco installed base opportunities that Cisco channel partners can capitalize on to upgrade networks to support secure mobility:
1. There are AnyConnect Essentials customers who can take advantage of the robust capabilities of AnyConnect Premium licenses when they upgrade.
2. More than 10 million AnyConnect or SSL VPN clients have been purchased worldwide. These customers should be upgraded to the latest version of the AnyConnect Premium license. They are primary targets to up-sell a WSA and the new Secure Mobility license.
3. There are 150 million legacy IPsec VPN clients ripe for upgrade. AnyConnect 3.0 will allow customers to upgrade more easily from their legacy IPsec VPN client to the AnyConnect client, which will also support the IPsec VPN protocol. In addition, this presents an opportunity to up-sell web security with WSAs or ScanSafe and Secure Mobility licenses for a broader solution upgrade.
4. Some customers have purchased a Cisco ASA firewall without any VPN license. These ASA customers are possible targets for upgrades to Cisco AnyConnect VPN client version 2.5 or later and for up-selling with WSA and the new Secure Mobility license.

Here are the items to consider for each buyer:

Engage VPN buyers on:
• Persistent connectivity for in-office experience
• Choice of platform for end users
• Ability to extend to web security

Engage secure web gateway buyers on:
• Always-on, comprehensive web security
• Highly secure, integrated mobility with no new client

Targeting Prospects and Identifying Leads

Use the following categories to explore your installed base opportunities:

Name: Cisco PIX® and VPN 3000 to ASA migration
Description: Identify customers who purchased the end-of-sale PIX and VPN 3000 and upgrade them to ASA with the AnyConnect client
Key Selling Point:
• New capabilities to address today’s secure mobility challenges

Name: AnyConnect upgrade to Cisco AnyConnect Secure Mobility solution
Description: Identify customers who purchased AnyConnect and do not have any web security appliances, and drive migration to IronPort WSAs with AnyConnect Secure Mobility
Key Selling Point:
• Persistent connectivity for in-office experience
• Choice of platform for end users
• Ability to extend to web security

Name: ASA upgrade to AnyConnect and Cisco Secure Mobility solution
Description: Identify customers who purchased ASA without VPN/AnyConnect and sell AnyConnect and Cisco IronPort WSAs with Cisco Secure Mobility License
Key Selling Point:
• Persistent connectivity for in-office experience
• Choice of platform for end users
• Ability to extend to web security
• No new client: Integrated secure mobility

Name: AnyConnect Essentials to AnyConnect Premium up-sell
Description: Identify AnyConnect Essentials customers and up-sell
Key Selling Point: Define customers who have AnyConnect Essentials protection and up-sell to premium features, such as clientless AnyConnect SSL VPN, Cisco Secure Desktop, and a shared license model to eliminate wasted licenses. (For more information about the benefits, see the solution description below.)

The tiered licensing for the Cisco AnyConnect VPN Client provides an opportunity to upgrade customers from a basic Essentials license to a richer Premium license.
AnyConnect Essentials client customers who are looking for a rich SSL VPN remote access solution should look more closely at the AnyConnect Premium client. The following are some of the advantages of AnyConnect Premium licenses for clients:
• The AnyConnect Premium license enables customers to provide highly secure, granular, and flexible client and IPsec VPN or clientless SSL access to their remote users and business partners. Deployments benefit from an incremental level of security with the Cisco Secure Desktop suite of features: Secure Vault, Host Scan, Keystroke Logger Detection, and Cache Cleaner.
• The Cisco AnyConnect client is a new-generation, highly secure access client that provides full tunnel connectivity on fixed and mobile devices. It is a versatile, lightweight, and user-friendly client enabling an in-office experience to virtually any application or resource. Unlike earlier remote access clients, AnyConnect is always up to date and remains so without requiring the end user to have administrative rights.
• The AnyConnect client provides an optimized VPN connection for latency-sensitive traffic, such as voice over IP (VoIP) traffic or TCP-based application access.
• The AnyConnect client can be pushed initially by the ASA appliance, as long as the end user has administrative rights. The installation package can also be manually installed as a Windows MSI or similar package for other operating systems.
• AnyConnect Premium licensing is based on number of simultaneous users and is available as a single device or shared license.

Licensing Options

This diagram illustrates the benefits of the AnyConnect Secure Mobility license options.

Determining the License

[Diagram: license tiers ESSENTIALS, PREMIUM, and SECURE MOBILITY (WSA or ScanSafe), with price markers $, $$, and $$$. Feature labels shown: Client-Based VPN, Extend Web Security to Remote Workers (Always-on security), Dynamic Access Policies, Trusted Network Detection, Allow Phone Sync, Always-On VPN, Connect Failure Policy, Captive Portal Detection, Local LAN Access, Clientless VPN, Endpoint Assessment, Optimal Gateway Selection, Session Persistence, All Essentials Features.]

License Option | Description

Secure Mobility Licenses

Cisco Secure Mobility
• Enforce security policy in every transaction, independent of where the user is located
• For use with Cisco IronPort Web Security Appliance license and optional AnyConnect Premium license, or standalone with AnyConnect Premium license

Cisco Secure Mobility for ScanSafe
• For use with ScanSafe SaaS web security services
• Extends real-time protection and policy enforcement to roaming employees

Platform Licenses

AnyConnect Essentials
• Network Access Manager
• Telemetry
• Highly secure remote access connectivity
• Single license per device model
• Full tunneling access to enterprise applications

AnyConnect Premium
• Includes IPsec, clientless SSL VPN, Cisco Secure Desktop capabilities (including Host Scan), and support for Cisco AnyConnect Secure Mobility. Provides Essentials capabilities, including full tunneling access to enterprise applications
• License is based on number of simultaneous users, and is available as a single device or shared license

Optional Feature Licenses

AnyConnect Mobile
• Enables mobile OS platform compatibility
• Required per device, in addition to Essentials or Premium licenses

Advanced endpoint assessment
• Enables advanced endpoint assessment capabilities (such as auto-remediation)
• Required per device, in addition to Premium licenses (not available with AnyConnect Essentials)

FIPS 140-2 Level 1 compliance
• ASA license allows use of a FIPS-compliant version of AnyConnect

Cisco AnyConnect Secure Mobility with either the AnyConnect Essentials or AnyConnect Premium license also requires either Cisco IronPort Web Security Appliance or ScanSafe Web Security license

Advanced AnyConnect Secure Mobility solution features, network and license requirements, and supported VPN endpoints using AnyConnect 2.5 and higher.

Client Feature: Clientless access lets you use a browser to establish a VPN session and lets specific applications use the browser to access that session.
Requirements: AnyConnect Premium SSL VPN Edition license
OS Supported: Windows 7, Vista, and XP; Mac OS 10.5 and 10.6; Red Hat Enterprise Linux 5 Desktop; Ubuntu 9.x

Client Feature: Simultaneous AnyConnect client and clientless connections. Each connection has its own tunnel.
Requirements: Both of the following:
• ASA 8.0(x) or later
• AnyConnect Premium SSL VPN Edition license
OS Supported: Windows 7, Vista, and XP; Mac OS 10.5 and 10.6; Red Hat Enterprise Linux 5 Desktop; Ubuntu 9.x

Client Feature: SSL VPN support for touch-screen devices running Windows Mobile.
Requirements: Both of the following:
• AnyConnect Mobile license
• AnyConnect Essentials or AnyConnect Premium SSL VPN Edition license
OS Supported: Windows Mobile OS touch-screen devices. For the supported device list, see the Release Notes for Cisco AnyConnect Secure Mobility Client, Release 2.5.

Client Feature: Endpoint assessment for laptops and desktops ensures that your choice of antivirus software versions, antispyware versions, associated update definitions, firewall software versions, and corporate property verification checks comply with policies to qualify a session to be granted access to the VPN.
Requirements: All of the following:
• ASA 8.0(x) or later
• Cisco Secure Desktop Host Scan
• AnyConnect Premium SSL VPN Edition license
OS Supported: Windows 7, Vista, and XP; Mac OS 10.5 and 10.6; Red Hat Enterprise Linux 5 Desktop; Ubuntu 9.x

Client Feature: Endpoint assessment for Windows Mobile supports the configuration of dynamic access policies that check for the following:
• OS version
• Device lock
• Device policy for secondary storage encryption and password strength
• SIM lock
• GPS
• Application policy
• Bluetooth
• ARM microprocessor
Requirements: All of the following:
• ASA 8.0(x) or later
• Cisco Secure Desktop 3.5 Host Scan
• AnyConnect Premium SSL VPN Edition license
• Advanced Endpoint Assessment license
• Cisco Secure Mobility license
OS Supported: Windows Mobile

Client Feature: Endpoint remediation attempts to resolve endpoint failures to satisfy corporate requirements for antivirus, antispyware, firewall software, and definitions file requirements
Requirements: All of the following:
• ASA 8.0(x) or later
• Cisco Secure Desktop Host Scan
• AnyConnect Premium SSL VPN Edition license
• Advanced Endpoint Assessment license
OS Supported: Windows 7, Vista, and XP; Mac OS 10.5 and 10.6; Red Hat Enterprise Linux 5 Desktop; Ubuntu 9.x

Client Feature: Post-log-in always-on VPN establishes a VPN session automatically after the user logs in to a computer. It includes the following features:
• Connect failure policy
• Captive portal hotspot remediation to relax a connect failure closed policy to let the user satisfy hotspot requirements for network access
• Exemption of certain VPN users from an always-on VPN deployment. Note: Requires ASA 8.3(1) to exempt users.
Requirements: Either of the following:
• AnyConnect Premium SSL VPN Edition license
• AnyConnect Essentials or AnyConnect Premium SSL VPN Edition license, and Cisco IronPort Web Security license coupled with a Cisco Secure Mobility license
OS Supported: Windows 7, Vista, and XP; Mac OS 10.5 and 10.6

Client Feature: Malware defense, acceptable use policy enforcement, and data leakage prevention for the web
Requirements: All of the following:
• ASA 8.3(1) or later
• WSA 7.0 or later
• AnyConnect Essentials or AnyConnect Premium SSL VPN Edition license
• Cisco IronPort Web Security license
• Cisco Secure Mobility license
OS Supported: Windows 7, Vista, and XP; Mac OS 10.5 and 10.6; Red Hat Enterprise Linux 5 Desktop; Ubuntu 9.x; Windows Mobile

Client Feature: Business continuity increases the number of licensed remote access VPN sessions to prepare for temporary spikes in usage during cataclysmic events such as pandemics.
Requirements: Both of the following:
• AnyConnect Premium SSL VPN Edition license
• Flex license. Each flex license is ASA-specific and provides support for 60 days. The count can consist of both contiguous and noncontiguous days.
OS Supported: Windows 7, Vista, and XP; Mac OS 10.5 and 10.6; Red Hat Enterprise Linux 5 Desktop; Ubuntu 9.x; Windows Mobile

AnyConnect Secure Mobility Trigger Questions

General Secure Mobility

Question: What percentage of your workers work remotely occasionally? Permanently?
Background: Most information workers do some sort of remote work, whether it is on a mobile device or working at a dedicated location. The Cisco AnyConnect Secure Mobility solution provides a consistent, highly secure connection without getting in the way of flexibility. Please use the Teleworking and Mobility Advisor Tool for further guidance.

Question: What percentage of your mobile workers use their own devices to access the corporate network?
Background: The consumerization of IT has caused individual users to purchase mobile devices of their choice and request corporate access on their personal mobile device. This can cause challenges for the IT department as it seeks to provide consistent security without compromising user choice. Cisco AnyConnect Secure Mobility is a lightweight solution that enforces security without getting in the way of productivity or choice.

AnyConnect Secure Mobility

Question: Are you aware that you can extend your web security policies and enforcement to workers on the go (on laptops and smartphones)?
Background: Many companies simply consider providing VPN access to their remote workers. They cannot enforce web usage policies for remote workers.
The Cisco AnyConnect Secure Mobility solution, with either a web security appliance or ScanSafe, can help enforce web security for mobile workers, consistent with the protection given to office-based workers.

Question: Would you like to make VPN easier for your remote workers by providing them an “always on” connection?
Background: You can protect your workers when they are connected to the network. However, what about when they are not connected? Will they become infected and, in turn, infect the rest of the network? The Cisco AnyConnect Secure Mobility Client provides an always-on connection to help ensure that remote workers have a seamless, secure connection.

Question: How important is data loss to your organization? What are you doing to safeguard your remote users when they are downloading information to and from sources outside the corporate network?
Background: No company wants to lose data. Therefore, they must ensure that security is consistent for both remote users and in-office users.

Question: Do you use software as a service (SaaS) applications? If yes, are you able to control your employees’ access to corporate data stored in these applications?
Background: With the prevalence of hosted applications, such as Salesforce.com and others, you must ensure that users can easily navigate from the intranet to the hosted application securely. Cisco AnyConnect Secure Mobility has a feature known as SaaS Access Control. The Cisco SaaS Access Control solution, built into Cisco IronPort Web Security Appliances S Series, addresses the challenges presented by the adoption of SaaS solutions and provides IT managers with the controls necessary for managing access to SaaS applications and enforcing security policies. The SaaS Access Control solution uses Security Assertion Markup Language (SAML) to authorize access to SaaS applications.

Question: What are your URL filtering and web security capabilities?
How does your current solution protect against an employee who doesn’t log in to the corporate network when using corporate devices? What percentage of employees do you think does this? (Have the customer provide their own estimate.)
Background: You can protect your workers when they are connected to the network. However, what about when they are not connected? Will they become infected and, in turn, infect the rest of the network? The Cisco AnyConnect Secure Mobility solution provides an always-on connection through the client and web security enforcement with a web security appliance or ScanSafe to help ensure that remote workers have a seamless, highly secure connection and consistent enforcement of security policies.

Question: Are your remote worker solutions tied to a strategic plan that ensures that incremental investments will remain relevant as you evolve your network and add more solutions? Are the solutions you’re deploying tested and validated to work as a system?
Background: SBA prescriptive blueprints can help you reduce your operating costs and protect your investments by:
• Lowering the total cost of ownership: Pretested/third-party-validated architectures help ensure an architectural build that will work across architectures and scale as you add more solutions. This cuts troubleshooting time, reduces costly changes, and reduces the risk from aging equipment.
• Protecting IT investments: A modular approach is linked to a long-term strategic network design that scales with the business and supports future deployments.
• Enabling faster implementation of AnyConnect and other solutions with a standardized, repeatable process.
Web Security (IronPort/ScanSafe Web Security question)

What are your URL filtering and web security capabilities? Are you concerned about web threats, such as users visiting infected sites?
Cisco IronPort Web Security, ScanSafe Web Security

How do you enforce acceptable use policies, such as which websites your users are permitted to visit?
Cisco IronPort Web Security or ScanSafe

Do you support location-based policy?
The WSA and ScanSafe implementation defines different policies per user or group when the connection is coming from off the corporate network than on it.

Do you need granular application control?
The WSA fingerprinting technology allows it to look inside web traffic at a deeper level and make policy decisions on web applications based on the user’s identity. For example, with the WSA a marketing user may have the right to use a web-based application such as Gmail, but a policy could be instituted to block a file upload. Note that ScanSafe will be able to support this feature in mid-2011.

Do you need data security through integrated Data Loss Prevention (DLP)?
In addition to the data security enabled by granular application control as described above, the IronPort WSA and ScanSafe has an on-box integration with the RSA enterprise class DLP solution, enabling deeper DLP content inspection than the Cisco cloud-based web security services today.

Are you looking to avoid the cost of backhauling Internet bound traffic through your VPN?
ScanSafe

Are you looking to provide a faster web solution for your mobile workers by using a cloud service with global datacenter footprint?
ScanSafe

Are you looking to utilize SaaS or cloud services?
ScanSafe

Are you looking to minimize the volume of hardware deployed around your network related to web security?
ScanSafe

Are you looking to protect roaming users from malware even when they are not connected with VPN?
ScanSafe

Objection Handling

Common Objections

Objection: I don’t backhaul my web traffic to a central location. How can AnyConnect Secure Mobility help me with that configuration? What else do you provide besides always-on connection for clients?
Response: The Cisco AnyConnect VPN Client provides flexible mobile device support to facilitate consistent security enforcement for your mobile workforce. At the same time, with AnyConnect 3.0, the Secure Mobility solution plugs into ScanSafe hosted web security to be able to provide web security in the cloud if you do not backhaul web traffic to a central location. Cisco Smart Business Architecture offers step-by-step instructions for quick and simplified deployment in your central location.

Objection: What if my PDA is already secured by the service provider?
Response: On-device security is great. However, your service provider’s security enforcement requirements may be different than your company’s policies. Having the AnyConnect Secure Mobility solution ensures that the security policies are enforced no matter where you are or what device you are using.

Objection: My IPsec client already works great. Is what you are offering me any easier?
Response: Cisco AnyConnect version 3.0 will also support the IPsec you are familiar with, with consistent policy enforcement using web security from the web security appliance or ScanSafe. At the same time, Cisco AnyConnect has the widest support for mobile devices, including Apple mobile devices running iOS 4.1 or later, Windows Mobile devices, and other mobile devices planned for the future.
Cisco is also making it easier for you by providing a series of prescriptive, step-by-step guides that will make deploying your mobile workforce solutions easier and will help you implement solutions using a modular approach.

Objection: How many customers are using Cisco AnyConnect Secure Mobility now?
Response: We are currently working with a number of customers to roll out the full AnyConnect Secure Mobility solution.

Objection: I already have protection from my hosted intrusion prevention system (IPS). What does Cisco AnyConnect Secure Mobility provide that it does not?
Response: Cisco AnyConnect Secure Mobility and hosted IPS are very different security devices. AnyConnect Secure Mobility provides security enforcement based on the network, not the end device. Therefore, the security enforcement can be consistent whether you are in the office or mobile.

Objection: I already have a Cisco ASA and AnyConnect client, but I use web security from another vendor. Will Cisco AnyConnect Secure Mobility work with the other web security provider?
Response: The Cisco AnyConnect Secure Mobility solution is built to work with the Cisco Web Security Appliance or ScanSafe (with AnyConnect 3.0).

Calls to Action

1. Download the following SBA guides, which provide step-by-step instructions for implementing AnyConnect.
–– Foundation Deployment Overview for Midsize Organizations
–– Configuration Files Guide for Midsize Organizations
–– Internet Edge Deployment Guide for Enterprise
–– Internet Edge Configuration Guide for Enterprise

2. Upgrade the existing VPN client (examples include older versions of AnyConnect, Cisco IPsec VPN client, and competitive products) to AnyConnect version 2.5 or later for a highly secure remote access/VPN solution. This includes upgrading AnyConnect Essentials licenses to AnyConnect Premium. Once the AnyConnect client is upgraded, the following up-sell opportunities are available:
–– For AnyConnect Essentials customers, help them evaluate their remote access needs by informing them of the advantages of Premium (Secure Desktop, clientless VPN).
–– For IPsec VPN customers, help them evaluate the advantages of version 3.0 of the AnyConnect client.

3. Next, up-sell the new AnyConnect VPN client customers to Secure Mobility with web security enforcement:
–– Help them evaluate the total cost of ownership of a Cisco AnyConnect Secure Mobility solution with the new Teleworking and Secure Mobility Advisor Tool.
–– Up-sell the AnyConnect client to include a complete AnyConnect Secure Mobility solution with on-premises web security with the web security appliance and Secure Mobility licenses or hosted web security with ScanSafe.

4. Up-sell the VPN client to include a complete AnyConnect Secure Mobility solution with hosted web.

5. Introduce the ASA Shine Offer as appropriate. Your customer may receive a 30 percent discount on the most recent offering of Cisco AnyConnect Premium licenses and added security with Security Plus licenses. Encourage customers to act now; the ASA Shine promotion will expire on July 31, 2011. In addition, the competitive replacement discount has been increased to up to 25 percent, giving your customers even more incentive to trade in security appliances from other vendors.
AnyConnect Premium: Conversation Starter

Use this conversation starter to take advantage of the discount on AnyConnect Premium licenses:

Hello, (PROSPECT NAME), this is _______, calling on behalf of (PARTNER NAME). There is no better time for you to learn the benefits of Cisco SecureX and an upgrade to the Cisco AnyConnect Premium license, which will strengthen your remote access security capabilities and flexibility. AnyConnect Premium is ideal for those customers who are looking for a richer SSL VPN experience for users connecting remotely, whether the devices are owned by the employee or the business. With an AnyConnect Premium license, you can provide highly secure, granular, and flexible client and clientless SSL VPN access to your remote users and business partners while helping ensure that your data stays secure. You can also benefit from an incremental level of security with the Cisco Secure Desktop suite of features: Secure Vault, Host Scan for posture checking, Keystroke Logger Detection, and Cache Cleaner.

Product Offers

ASA Shine Offer

Your customer may receive a 30 percent discount on the most recent offering of Cisco AnyConnect Premium licenses and added security with Security Plus licenses. Encourage customers to act now; the ASA Shine promotion will expire on July 31, 2011. (View the customer-facing web page at www.cisco.com/web/offers/borderlessnetwork/security/shine_promotion.html.)

In addition, the competitive replacement discount has been increased to up to 25 percent, giving your customers even more incentive to trade in security appliances from other vendors. For additional information and the eligible SKUs, see the Network Security Shine Field and Partner Overview. Also, see the Cisco Services and Cisco Capital Offers.
Cisco Services and Cisco Capital Offers

Cisco Services

Cisco and its partners offer professional services to help customers plan, build, and run end-to-end solutions and incorporate network services onto that platform. Sharing knowledge and leading practices, Cisco and its partners support customers’ success every step of the way as they deploy, absorb, manage, and scale comprehensive security across their wired and wireless networks.

You have the opportunity to offer services to help customers realize the full value of their secure Borderless Networks investment.

Cisco Services help customers to:

Enable the Secure Borderless Network Architecture
• Cisco Security Architecture Assessment Service

Enable business solutions
• Cisco ASA Migration Services

Enable a smart network
• Cisco SMARTnet Total Care
• Cisco Smart Care Service
• Cisco Technical Services
• Cisco Network Optimization Service

Call to Action

Smart Care Three-Year Promotion—The Cisco Smart Care Three-Year Promotion offers a fixed discount to eligible Smart Care-certified partners who purchase a new service contract for three years of Smart Care support services.

Collaborative Professional Services Portfolio—a portfolio of services that includes Cisco’s expertise and helps partners to build or add to your managed and professional services practices.

Cisco Smart Care Service—An innovative new service offered by Cisco certified partners that combines network-wide technical support with proactive network monitoring, assessments and remote repairs for small and medium-sized businesses.

Through Cisco Capital, low-rate financing is available for Cisco Services. Customers can lock in pricing and save on overall costs with below-market financing rates on Cisco Services. Offers vary by theater; for complete details, please visit: www.cisco.com/go/ciscocapital

Cisco Capital Offers

Cisco Capital combines expertise in flexible, competitive financing with a comprehensive knowledge of Cisco technology. It brings unique value and insight to Cisco customers by building a strategic acquisition plan for their technology and equipment lifecycle management. Cisco Capital has the following unique customer advantages:
• Alternative source of funds: Obtain available and affordable funding for Cisco solutions.
• Ability to preserve cash: Spread costs over time, preserve credit, and avoid a large cash investment.
• One solution, predictable payments: Combine Cisco hardware, software, services, and complementary third-party equipment into one strategic acquisition.
• Lower costs: Benefit from competitive rates and residual values to reduce TCO and accelerate ROI.
• Equipment lifecycle management: Manage costs, meet business demands, and avoid obsolescence with flexible migration options and simplified equipment disposal.
• Maximum flexibility: Receive further investment protection with the right payment schedule, term duration, and end-of-lease options, including an outright purchase, capped and market-value residuals, and like-for-like equipment returns.

Take advantage of one team dedicated to your success. Visit the following website to identify your financial solutions manager: www.cisco.com/go/ciscocapital
Competitive Positioning

There are competitors to the Cisco AnyConnect Secure Mobility solution, but they cluster around either VPN technology or web security technology. There is no single nonproprietary competitor. The Cisco Smart Business Architecture (SBA) offers an additional competitive edge. SBA is based on fully tested and validated solutions to help you purchase and deploy with confidence while realizing a lower total cost of ownership. Some competitors include:
• VPN competitors, such as Juniper, Citrix, Check Point, and others. These provide secure connectivity using SSL VPN technology, but they do not include any web security policy enforcement. There is no integration with a web security technology. Microsoft Direct Access is homogeneous, providing support only for Microsoft endpoints and focusing more on access than on security.
• Web security appliance competitors such as Blue Coat, Websense, McAfee, and others. These provide web security but are missing the secure VPN connectivity to enforce security for mobile workers.
• Mobility vendors such as RIM have a closed, proprietary system that cannot support all mobile devices or applications.

[Figure: How Does Cisco Stack Up Against Secure Mobility Competitors. Labels: Mobility, Security, Transport; AnyConnect Secure Mobility (Best-of-Class Building Blocks; Complete Solution); VPNs: Microsoft, Juniper, Citrix; Secure Web Gateways: Websense, Blue Coat]

Cisco Differentiation Against Secure Web Gateways

Feature | AnyConnect Secure Mobility | Websense | Blue Coat
Classic web security for in-office users | ✓ | ✓ | ✓
URL filtering for remote users | ✓ | ✓ | ✓
Malware scanning, SSL decryption, and web DLP for remote users | ✓ | ✗ | ✗
Authentication; remote-user policies and reports | ✓ | No authentication of remote users | Authentication, but no location-based policy
Integrated client | ✓ | ✗ | ✗
Secure SaaS | ✓ | ✗ | ✗
Platform support | XP, Vista, Windows 7, Mac, Linux, Smartphones | XP, Vista | XP, Vista, Windows 2000

Cisco Differentiation Against VPNs

Feature | AnyConnect Secure Mobility | Microsoft Direct Access | Juniper Network Connect/Pulse
Classic remote-access capabilities | ✓ | ✓ | ✓
Always-on connectivity | ✓ | ✓ | ✗
Optimal gateway selection | ✓ | ✗ | ✗
Integrated client with NAC + Layer 2 supplicant | ✓ | ✓ | ✓
Converted SSL and IPSec | ✓ | ✗ | ✗
Platform support | XP, Vista, Windows 7, Mac, Linux, Smartphones | Windows 7 | Similar to AnyConnect

Additional Resources

• www.cisco.com/go/security
• Cisco AnyConnect Secure Mobility Solution
• www.cisco.com/go/asm
• www.cisco.com/go/anyconnect
• Lippis Report: Cisco AnyConnect Is a New Mobile Security Model
• Cisco SaaS Access Controls
• AnyConnect Flash demo
• AnyConnect iPhone video
• www.cisco.com/go/sba
• Cisco AnyConnect in the Apple App Store

Why Cisco?

Cisco offers best-in-class technologies that are designed to work on their own and as part of a system. This end-to-end approach and the step-by-step guidance provided by SBA let you build a network architecture for mobility and security in a modular fashion, allowing you to take short-term tactical steps that are tied to a longer-term strategic plan.

Cisco is the leader in IT security, having been recognized by Gartner, Infonetics, and many other third-party companies. The following figures show Cisco’s recognized leadership in security, as well as Cisco’s leadership in wireless.

[Figure: Demonstrated Network Security Leadership. 4Q’09 Market Share, 3x the Next Competitor. Bar values: 36%, 12%, 5%, 12%, 7%. Source: Infonetics Network Security Marketshare, 4QCY09]

Magic Quadrant Leadership

[Figure: Magic Quadrant panels: SSL VPN (December 2010), Secure Web Gateway (January 2010), Secure Email Gateway (April 2010), Network Access Control (July 2010)]

Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report.

The Gartner Magic Quadrant is copyrighted 2009 and 2010 by Gartner, Inc., and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner.
Source: Gartner
• Magic Quadrant for SSL VPNs, 15 December 2009, John Girard, Gartner RAS Core Research Note G00172407
• Magic Quadrant for Secure Web Gateway, 8 January 2010, Peter Firstbrook, Lawrence Orans, Gartner RAS Core Research Note G00172783
• Magic Quadrant for Secure E-Mail Gateways, 27 April 2010, Peter Firstbrook, Eric Ouellet, Gartner RAS Core Research Note G00175396
• *Magic Quadrant for Network Access Control, 2 July 2010, Lawrence Orans, John Pescatore, Gartner RAS Core Research Note G00201432

SC Magazine 2011 Awards
• Best Enterprise Firewall Winner: Cisco Systems for Cisco ASA 5585-X
• Best IPsec/SSL VPN Winner: Cisco Systems for Cisco ASA Secure Remote Access solution
• Best Policy Management Winner: Cisco Systems for Cisco Network Admission Control Appliance

Copyright © 2011 Cisco Systems, Inc. All rights reserved. Cisco, Cisco Systems, and the Cisco Systems logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. C96-654645-00 03/11