Embracing BYOD with MDM and NAC

Learn how to embrace bring your own device (BYOD) in the enterprise with mobile device management (MDM) and network access controls (NAC). Special guests from Forescout featured.

Published in: Technology, Business
  • Use cases: Automate Registration Real-time Compliance Testing
  • MDM is a natural addition – a new type of device means a new plugin. Flexible plugin model – integration is delivered by a plugin that adds properties and actions. The properties and actions are tied into the flexible policy engine: properties are joined into conditions that automatically classify everything on the network into groups, and each group can be tied to an action – automating security.
  • MDM products can only secure devices that they manage; they do not address unmanaged, personal mobile devices and are typically focused on smartphones and tablets. NAC can identify and associate users with their mobile devices that could qualify for MDM installation, and NAC can be used to automate the MDM enrollment process rather than relying on more manual enrollment. NAC products have fingerprinting technology that lets them identify mobile devices, MAC and IP addresses in order to apply access policy, but they require an agent or MDM technology to gain comparably strong identity and device configuration details. However, as a network-based control, NAC can restrict the network resources that MDM-managed devices may access, such as an iPad reaching SOX-relevant file servers. MDM products have polling frequencies at which they scan and assess whether a managed mobile device is secure and following policy. The greater the polling frequency, the shorter the device's remaining battery charge. As such, there is a security risk should a device deviate from policy between polls while accessing network resources. Integration offers the means for NAC to command the MDM to initiate a mobile device scan as the device attempts to access the network. Security and network operations teams typically manage NAC products. Security plays an active role in MDM selection and policy development, but depending on the size of the company, MDM daily operation usually sits with a different department such as the communications, applications or desktop teams. NAC integration would allow the security operator to gain mobile security visibility and control across mobile and non-mobile devices. MDM products provide more than just device-level security: they also provide provisioning, expense management, data containerization and application management, which are outside the scope of NAC solutions. MDM policy assessment does not provide the flexibility to allow users to use their device outside of policy; depending on the policy, certain data and applications on the mobile device would be deactivated or wiped. NAC would be able to quarantine a non-complying mobile device on the corporate network while allowing the user to modify the handheld's configuration and initiate an MDM re-check – a less disruptive response.
  • Joe to cover
  • Embracing BYOD with MDM and NAC
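The plugin model described in the notes (plugins contribute properties and actions, properties are joined into conditions that classify endpoints into groups, each group is tied to an action) can be sketched as a small policy engine. The following is an added example for this page, not ForeScout or Fiberlink code; the plugin names (`fingerprint`, `mdm`, `network`), the property keys and the endpoint facts are all constructed for illustration.

```python
"""Toy NAC policy engine: plugins contribute properties and actions, rules join
properties into conditions that classify endpoints into groups, and each group
maps to one action. Added example; plugin/property names are assumed, not a
real product's API."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Facts = dict                               # raw facts NAC gathered about one endpoint
Property = Callable[[Facts], object]       # plugin-supplied: derive a property value
Action = Callable[[Facts], str]            # plugin-supplied: act, return an audit string


@dataclass
class Plugin:
    name: str
    properties: Dict[str, Property] = field(default_factory=dict)
    actions: Dict[str, Action] = field(default_factory=dict)


@dataclass
class Rule:
    group: str
    condition: Callable[[dict], bool]      # evaluated over the joined property values
    action: str                            # "<plugin>.<action>"


class PolicyEngine:
    def __init__(self) -> None:
        self.properties: Dict[str, Property] = {}
        self.actions: Dict[str, Action] = {}
        self.rules: List[Rule] = []

    def register(self, plugin: Plugin) -> None:
        # A new device type (here: mobile, via the MDM plugin) is just another plugin.
        for key, fn in plugin.properties.items():
            self.properties[f"{plugin.name}.{key}"] = fn
        for key, fn in plugin.actions.items():
            self.actions[f"{plugin.name}.{key}"] = fn

    def add_rule(self, rule: Rule) -> None:
        if rule.action not in self.actions:
            raise ValueError(f"rule {rule.group!r} names unknown action {rule.action!r}")
        self.rules.append(rule)

    def classify(self, facts: Facts) -> dict:
        props = {name: fn(facts) for name, fn in self.properties.items()}
        for rule in self.rules:            # first match wins, so order rules by priority
            if rule.condition(props):
                return {"group": rule.group, "action": rule.action,
                        "audit": self.actions[rule.action](facts)}
        return {"group": "unclassified", "action": None, "audit": "no rule matched"}


# --- constructed plugins (illustrative, not a vendor API) ----------------------
MOBILE_OS = {"iOS", "Android", "BlackBerry"}

fingerprint = Plugin("fingerprint", properties={
    "os": lambda f: f.get("os", "unknown"),
    "is_mobile": lambda f: f.get("os") in MOBILE_OS,
})
mdm = Plugin("mdm",
    properties={
        "managed": lambda f: f.get("mdm_enrolled", False),
        "compliant": lambda f: f.get("mdm_enrolled", False) and not f.get("mdm_violations"),
    },
    actions={"enroll": lambda f: f"redirect {f['ip']} to MDM enrolment page"})
network = Plugin("network", actions={
    "allow": lambda f: f"allow {f['mac']} on production VLAN",
    "quarantine": lambda f: f"move {f['mac']} to quarantine VLAN",
})


def build_engine() -> PolicyEngine:
    engine = PolicyEngine()
    for plugin in (fingerprint, mdm, network):
        engine.register(plugin)
    engine.add_rule(Rule("Mobile, unmanaged",
                         lambda p: p["fingerprint.is_mobile"] and not p["mdm.managed"],
                         "mdm.enroll"))
    engine.add_rule(Rule("Mobile, non-compliant",
                         lambda p: p["fingerprint.is_mobile"] and not p["mdm.compliant"],
                         "network.quarantine"))
    engine.add_rule(Rule("Mobile, compliant",
                         lambda p: p["fingerprint.is_mobile"] and p["mdm.compliant"],
                         "network.allow"))
    engine.add_rule(Rule("PC", lambda p: not p["fingerprint.is_mobile"], "network.allow"))
    return engine


# constructed endpoint facts (MAC/IP values are made up)
SAMPLE_ENDPOINTS = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.11", "os": "iOS"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.0.12", "os": "Android",
     "mdm_enrolled": True, "mdm_violations": ["jailbroken"]},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.0.13", "os": "Android", "mdm_enrolled": True},
    {"mac": "00:11:22:33:44:04", "ip": "10.0.0.14", "os": "Windows"},
]

if __name__ == "__main__":
    engine = build_engine()
    for endpoint in SAMPLE_ENDPOINTS:
        print(endpoint["mac"], engine.classify(endpoint))
```

Rule order is the priority order: an unmanaged phone also fails the "compliant" test, so the enrollment rule must come before the quarantine rule, which is the same ordering the registration and compliance use cases later in the deck imply.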

    1. Embracing BYOD with MDM and NAC – Chris Isbrecht, Fiberlink; Gil Friedrich, ForeScout
    2. Today's Agenda • The BYOD Landscape • Network Access Control (NAC) 101 • Embracing BYOD with MDM and NAC • Use Cases
    3. The BYOD Landscape (two poll charts; only the questions, answer labels and values survive extraction). "How are you managing employee-owned devices today?" – Mobile device management (MDM) solution / Native email controls / No controls in place; the values shown are 26%, 31% and 43%, but which value belongs to which answer is not recoverable. "What are your biggest concerns with BYOD support?" (bar chart, 0–100%) – Having visibility into all devices used for work; Securing corporate data on the device; Potential employee privacy issues; Inability to blacklist applications; Additional help desk support; Requests to support new devices.
    4. The BYOD Landscape – Unmanaged and Non-Compliant Tablets & Smartphones: BYOD, iOS, Android, BlackBerry, Windows, Apps. Concerns: Customer Experience, Compliance & Regulations, Data Security, End User Privacy.
    5. Embracing BYOD with MDM and NAC – Gil Friedrich, VP of Technology, ForeScout, June 8, 2012. © 2012 ForeScout
    6. What is Network Access Control (NAC)? Technology that identifies users and network-attached devices and automatically enforces security policy. (Diagram labels: LIMITED, FIXED)
    7. NAC Architecture – Visibility and control of everything on your network. Appliance: Packet Engine, DB, Policy Engine. Plugins: Windows Plugin, Mac/Linux Plugin, Mobile NAC & MDM Plugin, Switch Plugin, VPN Plugin, Wi-Fi Plugin, User Directory Plugin, SIEM Plugin, ePO Plugin. Questions the architecture answers: What is this machine? Who's the person behind the keyboard? How is it connected?
    8. What Is Network Access Control (NAC) – See, Grant, Fix, Protect. See: real-time network asset intelligence • Device type, owner, login, location • Applications, security profile. (ForeScout CounterACT Appliance / Virtual Appliance)
    9. What Is Network Access Control (NAC) – See, Grant, Fix, Protect. Grant: network access controls • Grant access, register guests • Limit or deny access. (Diagram: Employee and Guest roles against Web, Email, CRM and Sales resources)
    10. What Is Network Access Control (NAC) – See, Grant, Fix, Protect. Fix: manual to automated response • Remediate OS • Fix security agents • Fix configuration • Start/stop applications • Disable peripherals • Block worms, attacks
    11. Mobile Security and NAC – NAC can serve as the BYOD enabler. Most companies will use various technical control mechanisms… • Block all of the BYOD devices • VDI – Virtual Desktop Infrastructure • MAW – Mobile Application Wrapper • WAP – Wireless Access Point • MDM – Mobile Device Management • NAC – Network Access Control
    12. Network Access Control Foundational for BYOD • "No matter what [BYOD] strategy is selected, the ability to detect when unmanaged devices are in use for business purposes will be required — and that requires NAC." • "NAC policies can be used in combination with other approaches to implement the four strategies outlined in the framework — Contain, Embrace, Block and Disregard." • "NAC helps to protect the network, but it is only one component of a broader BYOD security strategy. Other solutions, such as MDM and HVDs [VDIs], are needed to secure mobile endpoints." Gartner, "NAC Strategies for Supporting BYOD Environments", December 2011, Lawrence Orans and John Pescatore
    13. Layered Security Options
    14. Poll Question • Describe your organization's plans for implementing a NAC solution: a) Already implemented a NAC solution b) Plans to evaluate and purchase a NAC solution in the next 6 months c) Will implement a NAC solution in next 12 months d) No NAC solution; no plans for implementation
    15. NAC+MDM Synergies: 1+1=3 – Unify visibility, compliance and access control. NAC focus is on the network; MDM focus is on the mobile device.
                         MDM Alone                    NAC Alone                        NAC+MDM
        Visibility       Full info on managed only    Basic OS info on all devices     Complete
        Access Control   For managed and email only   Partial (missing endpoint info)  Complete
        Compliance       Managed only                 Very limited                     Complete
        Deploy Agent     Pre-registration             Network based                    Both
    16. Why Consider a NAC and MDM Combination? BYOD requires network, device, data and application controls.
        • MDM products can only secure devices that they manage – NAC can identify new/unmanaged mobile devices, protect the network and automate MDM enrollment
        • NAC products can identify mobile devices, but lack deep inspection – MDM technology is needed to gain deep inspection and compliance details
        • MDM lacks network access control and exposes your network and data to attack by unknown devices – NAC can restrict network resources according to policy
        • MDM device inspection is strong, but based on polling frequency – NAC/MDM integration can initiate a new inspection at the time of network access
    17. Why Consider a NAC and MDM Combination? BYOD requires network, device, data and application controls.
        • MDM provides rich mobile lifecycle management: provisioning, apps, data containerization… – Mobile device lifecycle management is outside the scope of core NAC capabilities
        • MDM policy assessment may not be flexible enough to allow users to use their device outside of policy – NAC could temporarily quarantine a non-complying mobile device on a corporate network
        • MDM daily operation is usually run by communications, applications or desktop teams – NAC/MDM integration allows security operators to gain visibility and control across all devices
    18. Automate Registration: How It Works (slides 18–20 are animation builds of the same content)
        Device connects to the network – a. Classify its type: mobile device and its OS (Android, iPhone iOS, BlackBerry OS) or PC (Windows, Mac, Linux); b. Check if it has the mobile agent
        If the agent is missing – a. Quarantine the mobile device; b. Register and install the relevant MaaS360 agent on the mobile device (via HTTP redirection)
        Once installed with an agent – a. Allow access based on policy; b. Continue monitoring the agent's operation
    21. Real-time Compliance Testing: How It Works (slides 21–25 are animation builds of the same content)
        Device connects to the network – it has a mobile agent but is jailbroken
        Force a compliance test – a. CounterACT informs MaaS360 to assess configuration attributes; b. If in violation, MaaS360 informs ForeScout CounterACT; c. CounterACT quarantines the mobile device and sends an informative message
        Enable a compliance recheck – a. CounterACT informs MaaS360 to test; b. Upon re-assessment, allows onto network if the violation no longer exists; c. Continue monitoring the agent's operation
    26. MDM, NAC Integration Example – Complementary Hybrid Cloud and On-Premise Implementation. MDM side: Apple iOS (MDM API), Android (agent), BlackBerry, Symbian, Windows, webOS; Management, Policy, Monitoring; Application and Data Catalog. Integration with ForeScout CounterACT: • Unified visibility • Unified access policy • Unified reporting • Automated MDM enrollment • On-access assessment • Block malicious activity
    27. About ForeScout – ForeScout is the leading global provider of automated security control solutions for Global 2000 enterprises and government organizations. • Founded 2000, Cupertino, CA – 115 employees worldwide, 200 partners worldwide • Largest independent vendor of Network Access Control (NAC) – Leader ranking by Gartner, Forrester and Frost & Sullivan – Fastest growing, #2 market share, second to Cisco • Innovative, proven worldwide – Global deployments across multiple vertical industries – Very large implementations (> 250,000 endpoints)
    28. NAC Market Leadership – "Magic Quadrant for Network Access Control", December 8, 2011; Lawrence Orans and John Pescatore; Gartner, Inc. *This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. – "Forrester Wave Network Access Control", Q2 2011, Forrester Research, Inc. *The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
    29. Thank you. Questions? gil@forescout.com
    30. Wrap Up – Questions or follow-up? cisbrecht@fiberlink.com, gil@forescout.com • Upcoming Webinars (Registration Link in Chat Window) – Crushing 6 BYOD Risks: Policy Guidance from a Legal Expert (Thursday, June 21st @ 2:00 PM Eastern) – Getting Started with MaaS360 (Tuesday, June 26th @ 2:00 PM Eastern) • Past Webinars (http://links.maas360.com/webinars) – The Cloud-Enabled Social Mobile Enterprise – Android in the Enterprise: Piecing Together Fragmentation – BYOD: Striking a Balance—Employee Privacy and IT Governance • Plus lots of How-To content on our website – The Ten Commandments of Bring Your Own Device (http://links.maas360.com/wp_tenCommandments) – Mobile Device Management: Your Guide to the Essentials and Beyond (http://links.maas360.com/ebook_mdmEssentials)
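The two use cases on the "How It Works" slides (automated registration, and a compliance test forced at the moment of network access rather than at the MDM's next scheduled poll) are simulated below as an exchange between a NAC side and an MDM side. This is an added example, not CounterACT or MaaS360 code: the `NacController` and `MdmService` classes, their methods and the device records are all stand-ins constructed for illustration. The `fresh` flag on `assess` is what makes the polling-gap point from the speaker notes visible: a device that drifts out of policy between polls is only caught if the inspection is run on access.

```python
"""Simulated NAC <-> MDM exchange for automated registration and on-access
compliance testing. Added example; classes are stand-ins, not a vendor API."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Device:
    device_id: str
    kind: str                 # "ios", "android", "blackberry" or "pc" (NAC fingerprint)
    jailbroken: bool = False  # the device's actual state right now
    passcode_set: bool = True


class MdmService:
    """MDM side: keeps the enrolment list and the result of its last scheduled poll."""

    def __init__(self) -> None:
        self.enrolled: Dict[str, Device] = {}
        self.last_poll_result: Dict[str, dict] = {}

    def is_enrolled(self, device_id: str) -> bool:
        return device_id in self.enrolled

    def enroll(self, device: Device) -> None:
        # In the deck this happens after NAC redirects the device to the enrolment page.
        self.enrolled[device.device_id] = device
        self.last_poll_result[device.device_id] = self._inspect(device)

    @staticmethod
    def _inspect(device: Device) -> dict:
        violations: List[str] = []
        if device.jailbroken:
            violations.append("jailbroken")
        if not device.passcode_set:
            violations.append("no passcode")
        return {"compliant": not violations, "violations": violations}

    def assess(self, device_id: str, fresh: bool) -> dict:
        """fresh=False returns what the last scheduled poll saw (cheaper on battery);
        fresh=True is the on-access inspection NAC requests through the integration."""
        if fresh:
            self.last_poll_result[device_id] = self._inspect(self.enrolled[device_id])
        return self.last_poll_result[device_id]


class NacController:
    """NAC side: decides network access from its own facts plus what MDM reports."""

    MOBILE_KINDS = {"ios", "android", "blackberry"}

    def __init__(self, mdm: MdmService, on_access_scan: bool = True) -> None:
        self.mdm = mdm
        self.on_access_scan = on_access_scan
        self.state: Dict[str, str] = {}   # device_id -> "allowed" | "quarantined"
        self.log: List[str] = []          # audit trail of decisions

    def _set(self, device: Device, state: str, why: str) -> str:
        self.state[device.device_id] = state
        self.log.append(f"{device.device_id}: {state} ({why})")
        return state

    def on_connect(self, device: Device) -> str:
        # Step 1: classify by fingerprint. PCs follow a separate policy, not modelled here.
        if device.kind not in self.MOBILE_KINDS:
            return self._set(device, "allowed", "non-mobile endpoint, PC policy applies")
        # Step 2: automated registration for devices the MDM does not know yet.
        if not self.mdm.is_enrolled(device.device_id):
            self._set(device, "quarantined", "no MDM agent; redirecting to enrolment")
            self.mdm.enroll(device)   # simulates the user completing enrolment from quarantine
        # Step 3: compliance test at access time, not at the MDM's next poll.
        return self.recheck(device)

    def recheck(self, device: Device) -> str:
        """Also used after the user fixes the device and asks for a re-assessment."""
        result = self.mdm.assess(device.device_id, fresh=self.on_access_scan)
        if result["compliant"]:
            return self._set(device, "allowed", "MDM reports compliant")
        return self._set(device, "quarantined", "violations: " + ", ".join(result["violations"]))


def demo() -> Dict[str, str]:
    """Walk both use cases with constructed devices; returns the final NAC states."""
    mdm = MdmService()
    nac = NacController(mdm)
    nac.on_connect(Device("android-01", "android"))   # unmanaged -> enrol -> allowed
    drifted = Device("ios-01", "ios")
    mdm.enroll(drifted)                                # compliant at its last poll
    drifted.jailbroken = True                          # drifts out of policy between polls
    nac.on_connect(drifted)                            # on-access scan catches the drift
    return dict(nac.state)


if __name__ == "__main__":
    print(demo())
```

Running the same drifted device through a controller built with `on_access_scan=False` returns "allowed", because the NAC then only sees the stale result of the last poll; that contrast is the reason the deck pairs NAC with an on-access MDM inspection instead of shortening the poll interval.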
