RUCUG: 11. Rick Dehlinger BYOC: Beware the Perimeter
Thinking about BYOC? Beware the perimeter!
The abbreviation BYOC keeps turning up in marketing presentations from Citrix and other vendors. What is it? Bring Your Own Computer, or in Russian "ПРИходи СО Своим Компьютером" (ПРИСОСКО :)). Rick Dehlinger will talk about the problems of using employees' personal PCs (or iPads) to access corporate applications, and about how to solve them in a technically sound way.

Published in: Technology

  1. Entertaining BYOC? Beware the Perimeter
     Rick Dehlinger, Independent Technologist/Consultant
     Citrix Technology Professional/Public Speaker
     @rickd4real | LinkedIn
  2. RickD – 1992 to 2010
     Desktop and Application Delivery
  3. What are you talking about Rick???
     New!!!
     Proven
  4. Agenda
     Introduce "PharmaCo"
     Solution Overview – Universal Workspace
     Challenges…!
     Summary/Review
     Closure
  5. Case Study – 'PharmaCo'
  6. Who are they? What do they do?
     Global specialty pharmaceuticals manufacturer
     Design, test, manufacture, and sell specialty pharmaceuticals
     ~10,000 users worldwide
     R&D, Manufacturing, Sales, Administrative Services, Contractors, etc.
     HQ on West Coast USA, offices/users in over 40 countries
     Highly competitive market
     Highly regulated industry
  7. Snapshot: IT Environment (today)
     Primary datacenter in Oregon, variety of other resources scattered everywhere
     Small IT team, operational support provided by a global MSP
     XP on the desktop, data everywhere, SMS for basic management
     Complex Active Directory structure
  8. Snapshot: User Environment
     ~10,000 users worldwide
     Large percentage of remote users (40%+)
     Large percentage of 'contingent' workers
  9. Problems…!
     Complex IT environment
     Slow time to market with new services
     User satisfaction level – too low!
     M&A, sale of business units costly and complex
     HIGH risks/impact of industrial espionage, compliance breaches, legal actions
  10. The 'Universal Workplace'
  11. What is the 'Universal Workplace'?
     User perspective: "What you want, when you want it, where you want it."
     IT perspective:
       Major IT transformation project
       Touches almost every component of their infrastructure
       THE opportunity to do things RIGHT!
  12. 'Single Pane of Glass' - Universal Access
     Users:
       "…all you need is a browser and an Internet connection!!!"
       "…dynamically adjust to provide you with everything you need!"
       "…use any device you want!"
     IT/Management:
       "…service non-managed machines without managing them"
       "…we'll be dancing in fields, as carefree as birds!!"
  13. What's in scope?
     Datacenter, data, system consolidation
     AD, application rationalization
     Desktop refresh (Win7/x64)
     SMS to SCCM, Exchange upgrades
     SAN upgrades
     Network Perimeter Hardening/Transparency
  14. What's not in scope?
     (not much!)
     IPv6…
  15. Solution Overview
     Desktop/Delivery Services Focus
  16. Solution Stack (subset)
  17. Dynamic Composition / Statelessness / Layering
  18. Componentized Resources
  19. Policy Evaluation/Enforcement
  20. Perimeter Services
  21. Execution and Presentation
  22. Composition at Runtime
  23. BYOC – Perimeter…
     Challenges and Solutions
  24. Challenge One: Access Control, Managed Networks
     Problem: no layer 1-3 access control
       No device differentiation, health checking, etc.
       Find a plug, have fun! (full network access)
     Today:
       Simple certificate check for wireless network access, some wired network access (conference rooms)
       Cisco Clean Access implemented, torn out on main campus
       Primary 'filter' today: facility security, escort policies
  25. Solution: 802.1X PNAP
     802.1X now a critical dependency
     Switch/router upgrades
     Enterprise PKI deployment
     Note: Gartner/Burton feedback…
  26. "…implementing a NAC architecture is not simple… the promise… is still mostly in the future."
     Burton Group, 2008 Analyst Report
  27. Challenge 2: Managing Off-Network Devices
     Problem: 40%+ field employees rarely connect to the corporate managed network
     Goal: seamless user (AND IT management) experience on and off the managed network
  28. Options to Consider…
     Don't manage them!
       (shot down)
     Establish SSL VPN connection at logon
       (an option… but not desired – more complex user experience)
     DirectAccess
       (current leading option…!)
     Open Source
       Openswan
  29. More on DirectAccess…
     Upsides of DirectAccess
       Seamless user experience
       Seamless management experience
     Challenges
       IPv4 resources!!! No-go without NAT64/DNS64 services – must have UAG
       Robust PKI required
       Complexity
       Unknown quantity
       No internal/3rd party expertise identified
  30. Status…
     Moving slowly…
     MSFT engaged for POC
     Major uncertainty (and RISK!)
  31. Challenge 3: No Passwords Outside the Perimeter
     The fear…
       Keyloggers on unmanaged devices capturing username/password, compromising other externally published applications (OWA, SharePoint, etc.)
     Potential solutions:
       Computer Associates UCG
       visionapp's vSL
     Risks:
       'Honey Pot' (reverse encrypt-able credentials database)
       Agents on each AD Domain Controller
  32. Solution?
     Accept the risk!
     …and move critical services behind new perimeter w/OTP
  33. Session Review
  34. Rick Dehlinger - Independent Technologist/Consultant
     Citrix Technology Professional/Public Speaker
     @rickd4real | LinkedIn

     About Claros: Claros Systems is an independent professional services organization intensely focused on building world class, change friendly Delivery Systems. It's owned by Rick Dehlinger and 2 other managing partners.
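Slide 31 names the fear (a keylogger on an unmanaged device capturing a username and password that then unlocks OWA, SharePoint and other published services) and slide 32 the chosen mitigation (critical services behind a new perimeter with OTP). The example below is added here to show why that mitigation holds; it is not code from the presentation or from any product it names. It is a minimal server-side TOTP verifier (RFC 6238 on top of RFC 4226 HOTP: HMAC-SHA1, 6 digits, 30-second step) that also records the highest counter it has already accepted, so a code lifted by a keylogger cannot be replayed even inside the clock-skew window. The seed, the timestamps and the `OtpVerifier`/`keylogger_replay_demo` names are constructed for the example; the seed is the public RFC 4226 test-vector string, used only so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the ASCII seed from the RFC 4226 / RFC 6238 test vectors.
# A real deployment provisions a random per-user secret, never a fixed one.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


class OtpVerifier:
    """Server-side verifier for one user's TOTP secret (constructed example).

    Accepts codes from +/- `window` time steps to tolerate clock skew, but
    remembers the highest counter already consumed so that a captured code is
    rejected on replay, even while it would otherwise still be inside the window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self._last_counter = -1  # highest counter value accepted so far

    def verify(self, code: str, at_time: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        now_counter = int(at_time) // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self._last_counter:
                continue  # already consumed (or older than a consumed one): replay protection
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self._last_counter = counter
                return True
        return False


def keylogger_replay_demo() -> dict:
    """Simulate the scenario from the slides: a keylogger on an unmanaged device
    captures the user's OTP; the attacker replays it seconds later and again
    minutes later. Returns the outcome of each attempt."""
    verifier = OtpVerifier(DEMO_SECRET)
    login_time = 59  # constructed timestamp (RFC 6238 vector T=1, counter 1)
    captured_code = totp(DEMO_SECRET, login_time)
    return {
        "user_login": verifier.verify(captured_code, login_time),
        "replay_6s_later": verifier.verify(captured_code, login_time + 6),
        "replay_3min_later": verifier.verify(captured_code, login_time + 180),
    }


if __name__ == "__main__":
    for event, accepted in keylogger_replay_demo().items():
        print(f"{event}: {'accepted' if accepted else 'rejected'}")
```

The per-user `_last_counter` is the part that matters for the slide's threat: the static password is still exposed to the keylogger, but the captured OTP is single-use, so the attacker gains nothing from it; in a real deployment that counter lives in persistent storage shared by every node behind the perimeter, not in process memory.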