Learn how to embrace bring your own device (BYOD) in the enterprise with mobile device management (MDM) and network access controls (NAC). Special guests from Forescout featured.
Embracing BYOD with MDM and NAC
Chris Isbrecht, Fiberlink
Gil Friedrich, ForeScout
Today’s Agenda
• The BYOD Landscape
• Network Access Control (NAC) 101
• Embracing BYOD with MDM and NAC
• Use Cases
The BYOD Landscape
Poll charts: “What are your biggest concerns with BYOD support?” and “How are you managing employee-owned devices today?” (answer options: Mobile device management (MDM) solution, Native email controls, No controls in place; the bars read 26%, 43% and 31%, but the extraction does not preserve which bar belongs to which option).
The BYOD Landscape
Diagram: BYOD brings unmanaged and non-compliant tablets and smartphones (iOS, Android, BlackBerry, Windows) and their apps into the enterprise, raising questions of data security, compliance and regulations, end user privacy, and customer experience.
© 2012 ForeScout, Page 5
Embracing BYOD with MDM and NAC
Gil Friedrich, VP of Technology, ForeScout
June 8, 2012
What is Network Access Control (NAC)?
Technology that identifies users and network-attached devices and automatically enforces security policy.
Possible outcomes for a connecting device: GRANTED, LIMITED, BLOCKED, FIXED
NAC Architecture
Visibility and control of everything on your network
What is this machine? Who’s the person behind the keyboard? How is it connected?
Appliance components: Policy Engine, Packet Engine, DB
Plugins: Switch, VPN, Wi-Fi, User Directory, SIEM, Windows, Mac/Linux, Mobile (NAC & MDM), ePO
What Is Network Access Control (NAC): See, Grant, Fix, Protect
See: real-time network asset intelligence
• Device type, owner, login, location
• Applications, security profile
ForeScout CounterACT appliance / virtual appliance
What Is Network Access Control (NAC): See, Grant, Fix, Protect
See: real-time network asset intelligence
• Device type, owner, login, location
• Applications, security profile
Grant: network access controls
• Grant access, register guests
• Limit or deny access
Diagram: Guest, Employee and Sales users receive differing access to Email, CRM and Web resources through the ForeScout CounterACT appliance / virtual appliance.
What Is Network Access Control (NAC): See, Grant, Fix, Protect
Fix and Protect: manual to automated response
• Remediate OS
• Fix security agents
• Fix configuration
• Start/stop applications
• Disable peripherals
• Block worms, attacks
Mobile Security and NAC
NAC can serve as the BYOD enabler
Most companies will use various technical control mechanisms…
• Block all of the BYOD devices
• VDI - Virtual Desktop Infrastructure
• MAW – Mobile Application Wrapper
• WAP – Wireless Access Point
• MDM - Mobile Device Management
• NAC – Network Access Control
Network Access Control: Foundational for BYOD
• No matter what [BYOD] strategy is selected, the ability to detect when unmanaged devices are in use for business purposes will be required — and that requires NAC.
• NAC policies can be used in combination with other approaches to implement the four strategies outlined in the framework — Contain, Embrace, Block and Disregard.
• NAC helps to protect the network, but it is only one component of a broader BYOD security strategy. Other solutions, such as MDM and HVDs [VDIs], are needed to secure mobile endpoints.
Source: Gartner, “NAC Strategies for Supporting BYOD Environments”, December 2011, Lawrence Orans and John Pescatore
Layered Security Options
Poll Question
• Describe your organization’s plans for implementing a NAC solution
a) Already implemented a NAC solution
b) Plans to evaluate and purchase a NAC solution in the next 6 months
c) Will implement a NAC solution in the next 12 months
d) No NAC solution; no plans for implementation
NAC+MDM Synergies: 1+1=3
Unify visibility, compliance and access control
NAC focus is on the network; MDM focus is on the mobile device

                 MDM Alone                       NAC Alone                         NAC+MDM
Visibility       Full info on managed only       Basic OS info on all devices      Complete
Access Control   For managed and email only      Partial (missing endpoint info)   Complete
Compliance       Managed only                    Very limited                      Complete
Deploy           Agent pre-registration          Network based                     Both
Why Consider a NAC and MDM Combination?
BYOD requires network, device, data and application controls
• MDM products can only secure devices that they manage
• NAC products can identify mobile devices – but lack deep inspection
• MDM lacks network access control, exposing your network and data to attack by unknown devices
• MDM device inspection is strong, but depends on polling frequency
• NAC can identify new/unmanaged mobile devices, protect the network and automate MDM enrollment
• MDM technology is needed to gain deep inspection and compliance details
• NAC can restrict network resources according to policy
• NAC/MDM integration can initiate a new inspection at the time of network access
Why Consider a NAC and MDM Combination?
BYOD requires network, device, data and application controls
• MDM provides rich mobile lifecycle management: provisioning, apps, data containerization…
• MDM policy assessment may not be flexible enough to let users use their device outside of policy
• MDM daily operation is usually run by communications, applications or desktop teams
• Mobile device lifecycle management is outside the scope of core NAC capabilities
• NAC can temporarily quarantine a non-compliant mobile device on a corporate network
• NAC/MDM integration allows security operators to gain visibility and control across all devices
Automate Registration: How It Works
Device connects to the network
  a. Classify its type: mobile device and its OS (Android, iPhone iOS, BlackBerry OS) or PC (Windows, Mac, Linux)
  b. Check if it has the mobile agent
If the agent is missing
  a. Quarantine the mobile device
  b. Register and install the relevant MaaS360 agent on the mobile device (via HTTP redirection)
Once installed with an agent
  c. Allow access based on policy
  d. Continue monitoring the agent’s operation
Real-time Compliance Testing: How It Works
Device connects to the network – has a mobile agent but is jailbroken
Force a compliance test
  a. CounterACT informs MaaS360 to assess configuration attributes
  b. If in violation, inform ForeScout CounterACT
  c. CounterACT quarantines the mobile device and sends an informative message
Enable a compliance recheck
  d. CounterACT informs MaaS360 to test
  e. Upon re-assessment, allows onto the network if the violation no longer exists
  f. Continue monitoring the agent’s operation
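The two workflows on the preceding slides (automated registration of a device without the mobile agent, and on-access compliance testing of a jailbroken device followed by a recheck) as a small policy-engine simulation. This is an added example written for this page, not ForeScout’s or Fiberlink’s code, and it does not use the CounterACT or MaaS360 APIs: the MdmStub class, the Device attributes, the MAC addresses and the enrollment URL are all constructed for illustration.

```python
"""Simulation of the NAC + MDM workflow: classify a connecting device, quarantine
and redirect it to enrollment when the agent is missing, ask the MDM to assess
compliance, quarantine on violation, and re-admit after a successful recheck.
MdmStub is a stand-in constructed for this example, not the MaaS360 API."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Hypothetical enrollment portal the NAC redirects HTTP traffic to while a
# device sits in quarantine (assumption; not a real MaaS360 URL).
ENROLL_URL = "https://mdm.example.invalid/enroll"

MOBILE_OS = {"Android", "iOS", "BlackBerry"}
PC_OS = {"Windows", "Mac", "Linux"}


class Access(Enum):
    GRANTED = "granted"
    QUARANTINE = "quarantine"


@dataclass
class Device:
    mac: str
    os: str
    has_agent: bool            # does the NAC see the MDM agent on the device?
    jailbroken: bool = False   # attribute the MDM reports during assessment


@dataclass
class Decision:
    access: Access
    reason: str
    redirect: Optional[str] = None   # set when the device is sent to enrollment


class MdmStub:
    """Stand-in for the MDM assessment API (constructed for this example)."""

    def __init__(self) -> None:
        self.enrolled: set = set()

    def enroll(self, device: Device) -> None:
        # The user followed the redirect and installed the agent.
        self.enrolled.add(device.mac)
        device.has_agent = True

    def assess(self, device: Device) -> List[str]:
        """Return the configuration violations the MDM finds on the device."""
        violations = []
        if device.mac not in self.enrolled:
            violations.append("not-enrolled")
        if device.jailbroken:
            violations.append("jailbroken")
        return violations


class NacPolicyEngine:
    """Network-side decisions; asks the MDM for device-side details."""

    def __init__(self, mdm: MdmStub) -> None:
        self.mdm = mdm
        self.log: List[str] = []

    @staticmethod
    def classify(device: Device) -> str:
        if device.os in MOBILE_OS:
            return "mobile"
        if device.os in PC_OS:
            return "pc"
        return "unknown"

    def on_connect(self, device: Device) -> Decision:
        kind = self.classify(device)
        self.log.append(f"{device.mac}: classified as {kind} ({device.os})")
        if kind != "mobile":
            # PCs take the existing PC policy path, which the slides do not cover.
            return Decision(Access.GRANTED, "non-mobile endpoint; PC policy applies")
        if not device.has_agent:
            # Automate Registration: quarantine and redirect to enrollment.
            self.log.append(f"{device.mac}: quarantined, agent missing")
            return Decision(Access.QUARANTINE, "mobile agent missing", redirect=ENROLL_URL)
        # Agent present: run the on-access compliance test before granting access.
        return self.compliance_check(device)

    def compliance_check(self, device: Device) -> Decision:
        # Compliance Testing steps a-c: NAC asks the MDM, quarantines on violation.
        violations = self.mdm.assess(device)
        if violations:
            reason = "out of compliance: " + ", ".join(violations)
            self.log.append(f"{device.mac}: quarantined, {reason}")
            return Decision(Access.QUARANTINE, reason)
        self.log.append(f"{device.mac}: granted")
        return Decision(Access.GRANTED, "compliant")

    def recheck(self, device: Device) -> Decision:
        # Steps d-f: re-assess and re-admit once the violation is gone.
        return self.compliance_check(device)


def run_scenarios() -> Tuple[Dict[str, Decision], List[str]]:
    """Walk three constructed devices through the workflow."""
    mdm = MdmStub()
    nac = NacPolicyEngine(mdm)
    new_phone = Device("02:00:00:00:00:01", "Android", has_agent=False)
    managed_phone = Device("02:00:00:00:00:02", "iOS", has_agent=True, jailbroken=True)
    laptop = Device("02:00:00:00:00:03", "Windows", has_agent=False)
    mdm.enrolled.add(managed_phone.mac)   # already managed, but jailbroken

    results: Dict[str, Decision] = {}
    results["new_phone_first"] = nac.on_connect(new_phone)      # quarantine + redirect
    mdm.enroll(new_phone)                                        # user completes enrollment
    results["new_phone_enrolled"] = nac.on_connect(new_phone)   # granted
    results["jailbroken"] = nac.on_connect(managed_phone)       # quarantine
    managed_phone.jailbroken = False                             # user remediates
    results["jailbroken_recheck"] = nac.recheck(managed_phone)  # granted
    results["laptop"] = nac.on_connect(laptop)                   # PC policy path
    return results, nac.log


if __name__ == "__main__":
    for name, d in run_scenarios()[0].items():
        print(f"{name:20s} {d.access.value:10s} {d.reason}")
```

The point the simulation makes is the division of labour on the synergy slide: the NAC sees every device at the moment of connection and decides whether it gets on the network, while the MDM supplies the device-side facts (enrollment state, jailbreak status) that the NAC cannot observe from the wire; the recheck path is what lets a remediated device return without waiting for the MDM’s next polling interval.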
MDM, NAC Integration Example
Complementary hybrid cloud and on-premise implementation
MDM side (MaaS360): management, policy and monitoring; application and data catalog; Apple iOS via the MDM API, Android via an agent, plus BlackBerry, Symbian, Windows and webOS
NAC side (ForeScout CounterACT):
• Unified visibility
• Unified access policy
• Unified reporting
• Automated MDM enrollment
• On-access assessment
• Block malicious activity
About ForeScout
ForeScout is the leading global provider of automated security control solutions for Global 2000 enterprises and government organizations.
• Founded 2000, Cupertino, CA
  – 115 employees worldwide, 200 partners worldwide
• Largest independent vendor of Network Access Control (NAC)
  – Leader ranking by Gartner, Forrester and Frost & Sullivan
  – Fastest growing, #2 market share, second to Cisco
• Innovative, proven worldwide
  – Global deployments across multiple vertical industries
  – Very large implementations (> 250,000 endpoints)
NAC Market Leadership
“Magic Quadrant for Network Access Control”, December 8, 2011; Lawrence Orans and John Pescatore; Gartner, Inc.
* This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
“Forrester Wave Network Access Control”, Q2-2011; Forrester Research, Inc.
* The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Wrap Up
• Upcoming Webinars (Registration Link in Chat Window)
  – Crushing 6 BYOD Risks: Policy Guidance from a Legal Expert: Thursday, June 21st @ 2:00 PM Eastern
  – Getting Started with MaaS360: Tuesday, June 26th @ 2:00 PM Eastern
• Past Webinars (http://links.maas360.com/webinars)
  – The Cloud-Enabled Social Mobile Enterprise
  – Android in the Enterprise: Piecing Together Fragmentation
  – BYOD: Striking a Balance—Employee Privacy and IT Governance
• Plus lots of How-To content on our website
  – The Ten Commandments of Bring Your Own Device: http://links.maas360.com/wp_tenCommandments
  – Mobile Device Management: Your Guide to the Essentials and Beyond: http://links.maas360.com/ebook_mdmEssentials
Questions or [email protected]