BYOD – Bring Your Own Device
Employees, Hackers and Protesters – Everybody has a smartphone, a tablet AND a laptop…
Enterprise IT – State Government…
• Enterprise Data Center(s)
• 1100 Servers, 90% virtualization
• 12 firewalls
• 2 load balancers
• Enterprise VPN
• Mainframe
• Wide Area Network
• 800 routers
Enterprise IT – State Government… (continued)
• Local Area Network
• 1200 switches
• 6 firewalls
• Wireless
• 80 Wireless access points
• 30 Wireless bridges
• Network Staff
• Manager, Team Lead, 16 staff
• 26 State Agencies
• LAN Support for DOC, DNR, DHS, DOA, DSPS, Gov’s Office and DATCP (continued growth)
BYOD – What we’ll cover
• What types of devices are we talking about
• Protest Stories
• Concerns
• Mobile Device Management
• What’s Next
• Questions
Types of Devices
• Smart Phones – iOS, Android, Blackberry
• iPods (Touch)
• Tablets – Android, iOS, Microsoft
• eReaders – Kindle etc.
• Handheld Gaming Systems
• Laptops, MacBooks, Chromebooks etc.
• Google Glass
• Toddler Grade devices…
Protest Stories
• IP Management
• URL Filtering
• Troubleshooting
• My iPhone can’t connect to the wireless network
Concerns
• Productivity – These are amazing tools
• Security
• Where is corporate data
• Dangerous productivity tools
• Google Drive, Drop Box, SkyDrive, One Note, LogMeIn Ignition
• Network Access Control
• Anti-Virus, Patched, Malicious Code
• Auditability – who did what when
• Authorization
• Stolen devices – email, contacts, data, access…
How do we manage the Concern…
• Network Access Control (Cisco ISE, etc.)
• Policy of Intolerance
• Mobile Device Management
• Develop a Use Policy
• Implement Security
• Select Product
• Deploy
• Future –
• Content Management and File Access
Mobile Device Management (MDM)
• What did we do, Wisconsin Enterprise
• How did we decide
• When will we implement
• Issues
MDM – selecting a product
• Assemble multi-agency team for review
• Built requirements
• Met with vendors for demos
• Eliminated those that didn’t meet the requirements
• Refined the list through Q and A, selected a vendor
• Air Watch
MDM – implementation
• Implement before 1 Jul 2013
• Issues – MDM cloud implementation
Air Watch – Cloud Service (architecture diagram; the slide's labels are listed here in flow order)

Components: Mobile users; Agency Admins; Internet; F5 proxy carrying the EIS VIP, LDAP VIP, SEG VIP (devmobile.wi.gov) and CAS VIP; AirWatch Datacenter behind the AirWatch firewall (Wisconsin MDM Prod); PROD EIS Servers (Enterprise Integration Servers); PROD SEG Servers (Secure Email Gateway, required for Exchange 2007); PROD CAS 2007; PROD Exchange 2007; PROD AD; PROD ADCS.

Admin flow:
• A1.) Agency Admins add locations, users and policies in AirWatch

AirWatch directory lookup (AW to AD via EIS):
• 1.) AW sends LDAP query to EIS VIP /443
• 2.) EIS sends to LDAP VIP; VIP routes request to AD DC (/636 between EIS and AD)
• 3.) AD DC responds through VIP; AD responds to EIS
• 4.) EIS sends response through VIP; VIP routes response to AW
• 5.) (step number shown on the slide without a caption)

Client enrollment and mail flow:
• c1.) Client first-time connect to AW /443
• c2.) AW compliance check /443
• C3.) Client sends activation info to AW; AW sends client and policies
• C4.) Client sends ID/PW to SEG (VIP routes ID/PW to SEG)
• C5.) SEG sends ID/PW to CAS (CAS VIP routes to CAS)
• C6.) CAS sends LDAP auth request to AD for verification /636; AD sends response back; mail request to Exchange
• C7.) mail to mobile user
The SEG is required if you have Exchange 2007. We have two of them, primarily for redundancy; ActiveSync traffic is funneled through the SEG.
EIS is required if you want to use your company AD accounts to manage it. If you want everyone to have a separate userID and password to use for enrollment, you don’t need it. We obviously want to use our email AD accounts and not make everyone have another ID and password. It is really just a small web service.
What’s next?
• More devices connecting for productivity and convenience (professional and personal)
• Expectation of availability everywhere, no understanding of the SECURITY, NETWORK, SERVER and APPLICATION that makes it all work – and makes them vulnerable

Questions

Rob Keis, Enterprise Network Team Lead, Department of Administration, Division of Enterprise Technology