CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
Adaptive Trust Security
Policies for Today’s Enterprise Mobility
Trent Fierro – Product & Solutions Mgr., @Trentf_CA
Don Meyer - Product & Solutions Mgr., @Tofly4wifi
The New Normal - GenMobile
BRANCH
HOME
ENTERPRISE
PUBLIC VENUES
Emerging Mobility Concerns
1. BYOD: Who and what can connect to enterprise resources
2. Device Loss / Theft: Loss of data, excessive phone charges, lost productivity
3. Unsecured Networks: Employees on open Wi-Fi networks
The Changing Security Perimeter
Traditional security focused on a fixed perimeter
GenMobile dilutes the notion of a fixed perimeter
Perimeter Defense: IDS/IPS, Firewalls, Physical, Web gateways, A/V
Adaptive Trust Security: Firewalls, IDS/IPS/AV, Web gateways, EMM/MDM
Time for a New Mobile Defense Model
Policy needed for central point of control
Access Policy Management
Sharing of Contextual Awareness
ClearPass
Firewalls, IDS/IPS, Web gateways, EMM/MDM
The Building Blocks of Adaptive Trust
Granular control with user and device data
Identity, IP address
Network controls using device attributes
Highly credible user and device data
Visibility into user and device OS
Central repository
Example - Context for Accurate Firewall Policies
User and Device
• Frederik
• Mac OS 10.9.3
• Marketing
• 10.0.1.12
FW policy adapts to need
User and device context accuracy
Works with AD, LDAP, ClearPass DB, SQL DB
No agents/clients required
ClearPass
Context Shared
Employee Access
Growing User Demands on IT
Policies for connecting
personal devices
Onboarding
Works regardless of role, device, location
Always-On Access
Access does not require going through IT
Guest Credentials
The ClearPass Solution for Secure Mobility
Guest
ClearPass
Onboard OnGuard
Baseline Hardware or VM Appliances (500, 5,000 or 25,000)
Remote Location
Expandable Applications
Why Policy vs. AAA
Policy with built-in AAA: RADIUS and TACACS
Per user access to network and resources
Use of context: Users, device profiles, location
Note: Optimized for multivendor Wi-Fi, wired and VPN
ClearPass Policy Manager
Adaptive Policy Driven by Device Ownership
Enterprise Tablet BYOD Tablet
Authentication EAP-TLS
SSID CORP-SECURE
Authentication EAP-TLS
SSID CORP-SECURE
Internet Only
1. Uses same identity store and EAP type
2. Leverages profiling, onboarding data
3. No need for separate SSIDs
4. Works at the office and over VPN
Differentiation of Access and Device Limits
Authentication using Unique Device Certificates
User’s device detected & redirected to portal
1
Settings and cert configured after credentials entered
2
Automatically places user on proper network segment
3
Doctor
• Easy
• No Passwords
• Secure
1. Uses same identity store for nurses & doctors
2. IT creates policy for who can onboard
3. Role determines the number of devices per user
4. All context collected can be used in policy
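The two slides above (ownership-driven segment selection on one SSID, and role-based device limits after certificate onboarding) describe a single policy decision. The following added example, not Aruba or ClearPass code, models that decision: it assumes the role comes from the identity store, ownership and device id from profiling/onboarding data, and the EAP type and device certificate from the authentication result; the role limits and sample requests are constructed.

```python
from dataclasses import dataclass, field

# Constructed per-role limits: how many onboarded devices a user in each role may hold.
DEVICE_LIMIT_BY_ROLE = {"doctor": 3, "nurse": 2, "marketing": 2}


@dataclass
class Request:
    user: str
    role: str          # from the identity store (AD/LDAP), assumed
    eap: str           # EAP method reported for this authentication
    device_cert: bool  # unique device certificate presented (onboarded device)
    ownership: str     # "enterprise" or "byod", from onboarding/profiling data
    device_id: str     # device identifier, e.g. MAC address


@dataclass
class PolicyState:
    # Onboarded device ids per user; an in-memory stand-in for the policy database.
    devices: dict = field(default_factory=dict)


def evaluate(req: Request, state: PolicyState) -> tuple:
    """Return (enforcement, reason). Same SSID and EAP type for every device;
    context (ownership, role, device count) decides what the device gets."""
    # Only certificate-authenticated, onboarded devices get past this point.
    if req.eap != "EAP-TLS" or not req.device_cert:
        return "reject", "no unique device certificate"
    limit = DEVICE_LIMIT_BY_ROLE.get(req.role)
    if limit is None:
        return "reject", "role not permitted to onboard"
    owned = state.devices.setdefault(req.user, set())
    # A re-authenticating known device does not count against the limit again.
    if req.device_id not in owned and len(owned) >= limit:
        return "reject", f"device limit {limit} reached for role {req.role}"
    owned.add(req.device_id)
    # Ownership context selects the network segment on the single CORP-SECURE SSID.
    if req.ownership == "enterprise":
        return "corp", "enterprise-owned device: full corporate access"
    return "internet-only", "BYOD device: internet-only segment"
```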
Secure Guest Access
Portals deter users from just hopping on
Complete customization: Sponsors, portals, usable data & enforcement
Ensures guests receive their own credentials
Note: PEAP-Public for secure guest access
ClearPass Guest
Secure Guest Access
Deter users from just hopping on
Complete customization: Usable policy data & enforcement
Ensures guests receive their own credentials
Note: Sponsor access for convenience and control
ClearPass Guest
1. Uses internal identity store – no AD needed
2. Policy determines guest type, access, time, BW
3. Self-serve and sponsor capabilities
4. Onboard context keeps employees off guest network
Guest Access Services
• Fully customizable
– Sponsor privileges with access verification
– Self-service
– Per session controls
– Automated SMS/email credential delivery
– Little IT involvement
– MAC caching
No more wide-open SSIDs and shared keys!
Leader in Network Access Control
Strong growth and ability to win large opportunities
• Streamlined onboarding of personal devices
• Highly customizable guest access
• Unique support of Bonjour capable devices
• Detailed diagnostic and visibility features
Gartner NAC Magic Quadrant 2013 & 2014
New Guidance, Overviews and More
Definitive Guide to Secure Mobility
2-page Executive Briefs (x3)
Partner Solution Briefs (PAN, MobileIron, etc.)
AAA Migration to Policy (PPT)
Secure Mobility Landing Page
Adaptive Trust Whitepaper (coming)
ClearPass Exchange Recipes Web Site
Key Points (summary diagram)
ClearPass policy components: Profiler, EMM/MDM, NAC, TACACS, RADIUS, Guest, Device Registration
• Automated security workflows
• Context-based policy enforcement
• Integration with third party solutions: MDM/EMM, Exchange, Auto Sign On, Single Sign On, Onboarding, AirGroup, SIEM support
• Wireless and wired security on any multivendor network