Cisco® Enterprise Policy Manager helps application-development teams implement fine-grained security at a fraction of the time and cost of custom development. On an enterprise-wide basis, Cisco helps security teams deliver consistent policy while helping risk and audit teams review and change policy to meet compliance requirements. It comprises three distinct but transparently integrated components:
• Cisco Policy Administration Point provides centralized administration, management, and monitoring of entitlement policies, and delegation and integration with enterprise information repositories.
• Cisco Policy Decision Point (PDP) provides run-time resolution of role-based and rule-based authorization policies.
• Policy enforcement points enforce policy decisions made by the PDPs.
• Streamline Application Security: Untangle authorization controls from applications and cut your project schedules and budget by up to 30% while enhancing security.
• Assure Persistent Compliance: Gain centralized control and visibility over fine-grained access policies and instantly remediate audit exceptions.
• Empower New Business Scenarios: Enable a more agile, extended and service-oriented enterprise, with business users empowered via self-service and delegation.
Features and Benefits
• Streamline application security:
– Consistently define and enforce fine-grained access control per application, across the infrastructure, and across the enterprise.
– Rich, rule-based contextual entitlements take advantage of multiple distributed roles, rules, and attribute repositories.
– The solution offers snap-on integration with existing identity and authentication management infrastructure.
– Powerful delegation and modeling capabilities (subject and resource hierarchies, inheritance, exceptions, and scoping) offer ease of administration.
– Deployment does not need to wait behind identity management, single sign-on, or corporate role-reconciliation initiatives.
• Assure consistent compliance:
– The solution offers centralized and automated audit review across applications regardless of enforcement mechanism.
– The solution offers audit capabilities within applications and across the enterprise.
– The solution provides real-time reports and alerts on who can access what, who accessed what, and who made what administration change.
– You can easily create "Chinese Walls" and enforce and audit segregation of duties.
– Forecast "What If?" scenarios to help security administrators understand the ramifications of policy changes.
• Empower new business scenarios:
– Rich entitlement policies are configured, deployed, and updated without application modification, allowing organizations to begin reaping the benefits of a service-oriented architecture (SOA).
– Maximum flexibility is achieved through central and application-specific role-based, attribute-based, and rule-based entitlements.
– Increased organizational agility is achieved through delegation to business users, removing IT as the bottleneck for urgent business-process changes.
– The solution offers time- and cost-effective deployment, including 45-minute installation and rapid realization of return on investment (ROI).
1. Centralized policy administration point
a. Browser-based, point-and-click UI for creation of granular entitlement policies (based on subject, resource, message content, action, and other environmental attributes)
b. Ability to set per-application as well as enterprise-wide policies
c. Ability to view and audit security policies for all applications, regardless of enforcement mechanism
d. Ability to administer entitlements including ability to group users and resources, clone and inherit entitlements, and delegate the administration of the entitlement policies
e. Ability to administer the distributed entitlement management solution from a single, virtually central location
2. High-performance, highly available, distributed policy decision points (PDPs)
a. High-performance resolution of role-based and rule-based policies and management of distributed decision caches
b. Snap-on integration with user information repositories (LDAP, Active Directory) and existing Identity Management solutions
c. Flexibility in deploying the decision points to be local or remote to the resources for which they resolve the entitlement policies
d. Standards-based solution with native support for XACML, SOAP, and SAML
3. Fine-grained, optimized policy enforcement points (PEPs)
a. XACML-compliant enforcers plug into J2EE and .NET servers while also supporting portals, content management, email, IM, web, and FTP servers
b. Optimized performance and availability through optional pre-fetching and local caching of entitlement policy decisions
c. Extensive logging capabilities for audit
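To make the PDP/PEP split above concrete, here is an added Python example (not Cisco's code) of a rule-based decision point and an enforcement point that caches decisions locally with a TTL, as described in item 3b. The policy set, the attribute names and the desk/trade scenario are constructed for illustration; the cache key deliberately includes the environment attributes so a cached decision is never replayed in a different context.

```python
import time

# Constructed example, not Cisco's code: a rule-based PDP and a decision-caching PEP split as
# the datasheet describes; requests carry subject, resource, action and environment attributes.

class PolicyDecisionPoint:
    def __init__(self, rules):
        self.rules = rules  # (effect, condition) pairs; effect is "Permit" or "Deny"

    def decide(self, req):
        permitted = False  # deny-overrides combining: any matching Deny wins
        for effect, cond in self.rules:
            if cond(req):
                if effect == "Deny":
                    return "Deny"
                permitted = True
        return "Permit" if permitted else "NotApplicable"

class PolicyEnforcementPoint:
    def __init__(self, pdp, ttl=30.0, clock=time.monotonic):
        self.pdp, self.ttl, self.clock = pdp, ttl, clock
        self.cache, self.pdp_calls = {}, 0  # local decision cache (datasheet item 3b)

    def allowed(self, req):
        # Cache key covers every attribute the policy reads, including environment,
        # so a cached decision is never replayed in a different context.
        key = (req["subject"]["id"], req["resource"]["id"], req["action"],
               tuple(sorted(req["environment"].items())))
        decision, expires = self.cache.get(key, (None, 0.0))
        if decision is None or expires <= self.clock():
            decision, self.pdp_calls = self.pdp.decide(req), self.pdp_calls + 1
            self.cache[key] = (decision, self.clock() + self.ttl)
        return decision == "Permit"  # Deny and NotApplicable both block (fail closed)

# Constructed policy set: desk-scoped access plus a segregation-of-duties rule.
RULES = [
    ("Permit", lambda r: r["subject"]["role"] == "trader" and r["action"] == "read"
                         and r["resource"]["desk"] == r["subject"]["desk"]),
    ("Permit", lambda r: r["subject"]["role"] == "supervisor" and r["action"] == "approve"
                         and r["resource"]["desk"] == r["subject"]["desk"]),
    ("Deny", lambda r: r["action"] == "approve"
                       and r["resource"]["submitted_by"] == r["subject"]["id"]),
    ("Deny", lambda r: r["action"] != "read" and not r["environment"]["trading_hours"]),
]

def make_request(subject, resource, action, trading_hours=True):
    return {"subject": subject, "resource": resource, "action": action,
            "environment": {"trading_hours": trading_hours}}
```

A request that matches no rule resolves to NotApplicable, which the PEP treats the same as Deny; keep the TTL short enough that revoked entitlements are not honoured from cache for longer than your audit policy allows.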
Figure 1. Product Architecture
Service and Support
For More Information
For more information about Cisco Enterprise Policy Manager, please go to http://www.cisco.com/go/policy.