Cisco Systems SF300-24P, SG30052PK9NA, SRW2024PK9NA, SRW224G4K9AR, SRW224G4PK9NA, SRW248G4PK9NA SSD Rules

Security: Secure Sensitive Data Management

SSD Rules

361 Cisco Small Business 300 Series Managed Switch Administration Guide

SSD grants read permission to sensitive data only to authenticated and authorized users, and

according to SSD rules. A device authenticates and authorizes management access to users

through the user authentication process.

Whether or not SSD is used, it is recommended that an administrator should

secure the authentication process by using the local authentication database, and/

or secure the communication to external authentication server (RADIUS and

TACACS) used in the user authentication process.

In summary, SSD protects sensitive data on a device with SSD rules, SSD properties, and user

authentication. And SSD rules, SSD properties, and user authentication configurations of the

device are themselves sensitive data protected by SSD.

SSD management includes a collection of configuration parameters that define

the handling and security of sensitive data. The SSD configuration parameters

themselves are sensitive data and are protected under SSD.

All configuration of SSD is performed through the SSD pages that are only

available to users with the correct permissions (see SSD Rules).

SSD Rules

SSD rules define the read permissions and default read mode given to a user

session on a management channel.

An SSD rule is uniquely identified by its user and SSD management channel.

Different SSD rules might exist for the same user but for different channels, and

conversely, different rules might exist for the same channel but for different users.

Read permissions determine how sensitive data can be viewed: in only encrypted

form, in only plaintext form, in both encrypted or plaintext, or no permission to view

sensitive data. The SSD rules themselves are protected as sensitive data.

A device can support a total of 32 SSD rules.

A device grants a user the SSD read permission of the SSD rule that best matches

the user identity/credential and the type of management channel from which the

user is/will access the sensitive data.

A device comes with a set of default SSD rules. An administrator can add, delete,

and change SSD rules as desired.

Cisco Systems manual SSD Rules