Adaptive Trust Security
Policies for Today’s Enterprise Mobility
Trent Fierro – Product & Solutions Mgr., @Trentf_CA
Don Meyer – Product & Solutions Mgr., @Tofly4wifi
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
The New Normal - GenMobile
ENTERPRISE, BRANCH, HOME, PUBLIC VENUES
Emerging Mobility Concerns
1. BYOD: who and what can connect to enterprise resources
2. Device Loss / Theft: loss of data, excessive phone charges, lost productivity
3. Unsecured Networks: employees on open Wi-Fi networks
The Changing Security Perimeter
Traditional security focused on a fixed perimeter.
GenMobile dilutes the notion of a fixed perimeter.
Time for a New Mobile Defense Model
Perimeter Defense: Firewalls, IDS/IPS, A/V
Adaptive Trust Security: Firewalls, EMM/MDM, Access Policy Management, IDS/IPS/AV, Web gateways, Physical
Policy needed for central point of control
The Building Blocks of Adaptive Trust
Sharing of Contextual Awareness
ClearPass at the center, exchanging context with FIREWALLS, IDS/IPS, WEB GATEWAYS and EMM/MDM:
• Granular control with user and device data
• Network controls using device attributes
• Identity, IP address
• Highly credible user and device data
• Visibility into user and device OS
• Central repository
Example - Context for Accurate Firewall Policies
User and Device context: Frederik, Mac OS 10.9.3, Marketing, 10.0.1.12
ClearPass: Employee Access; Context Shared
FW policy adapts to need
• User and device context accuracy
• Works with AD, LDAP, ClearPass dB, SQL dB
• No agents/clients required
Adaptive Trust – The Starting Point
Growing User Demands on IT
Onboarding: policies for connecting personal devices
Always-On Access: works regardless of role, device, location
Guest Credentials: access does not require going through IT
The ClearPass Solution for Secure Mobility
Baseline Hardware or VM Appliances (500, 5,000 or 25,000); Remote Location
Expandable Applications: Guest, Onboard, OnGuard
Why Policy vs. AAA
ClearPass Policy Manager
• Policy with built-in AAA: RADIUS and TACACS
• Use of context: users, device profiles, location
• Per user access to network and resources
Note: Optimized for multivendor Wi-Fi, wired and VPN
Adaptive Policy Driven by Device Ownership
Enterprise Tablet: Authentication EAP-TLS, SSID CORP-SECURE
BYOD Tablet: Authentication EAP-TLS, SSID CORP-SECURE, Internet Only
1. Uses same identity store and EAP type
2. Leverages profiling, onboarding data
3. No need for separate SSIDs
4. Works at the office and over VPN
Differentiation of Access and Device Limits
Authentication using Unique Device Certificates
1. User’s device detected & redirected to portal
2. Settings and cert configured after credentials entered
3. Automatically places user on proper network segment (Doctor)
• Easy • Secure • No Passwords
1. Uses same identity store for nurses & doctors
2. IT creates policy for who can onboard
3. Role determines # of devices per user
4. All context collected can be used in policy
Secure Guest Access
ClearPass Guest
• Portals deter users from just hopping on
• Ensures guests receive their own credentials
• Complete customization: sponsors, portals, usable policy data & enforcement
1. Uses internal identity store – no AD needed
2. Policy determines guest type, access, time, BW
3. Self-serve and sponsor capabilities
4. Onboard context keeps employees off guest network
Note: PEAP-Public for secure guest access
Note: Sponsor access for convenience and control
Guest Access Services
• Fully customizable
– Sponsor privileges with access verification
– Self-service
– Per session controls
– Automated SMS/email credential delivery
– Little IT involvement
– MAC caching
No more wide-open SSIDs and shared keys!
Leader in Network Access Control
Gartner NAC Magic Quadrant, 2013 & 2014
Strong growth and ability to win large opportunities
• Streamlined onboarding of personal devices
• Highly customizable guest access
• Unique support of Bonjour capable devices
• Detailed diagnostic and visibility features
Industry-wide Deployments
New Guidance, Overviews and More
• Definitive Guide to Secure Mobility
• Partner Solution Briefs (PAN, MobileIron, etc.)
• 2pg Executive Briefs (x3)
• AAA Migration to Policy (PPT)
• Secure Mobility Landing Page
• Adaptive Trust Whitepaper (coming)
• ClearPass Exchange Recipes Web Site
ClearPass Exchange
POLICY: Profiler, EMM/MDM, NAC, TACACS, RADIUS, Guest, Device Registration, Single Sign On, Auto Sign On, Onboarding, AirGroup, SIEM Support
Key Points:
• Context-based policy enforcement
• Integration with Third Party Solutions
• Automated security workflows
WIRELESS and WIRED SECURITY; ANY MULTIVENDOR NETWORK
THANK YOU


Editor's Notes

  • #2 The increasing number of people that work from anywhere and carry personal devices is changing how organizations need to protect their networks. It’s time to look at existing infrastructure to see how centrally managed policies, secure BYOD and guest access workflows can help you securely deliver enterprise-class mobility that minimizes risks.
  • #3 Even though wired connections still exist, faster and more reliable wireless and cellular networks have increased a user’s ability to work from anywhere, at any time. While this increases productivity and user satisfaction, IT must now plan for and tackle the new security concerns that come with mobile users and mobile devices. Stress that each location, device type and access method used can pose new challenges.
  • #4 A study regarding mobile phones revealed that only 50% of people who find phones try to return them and 96% made an attempt to view the data on the phones. Besides potential data loss, most phones are used for long distance calls when found. Devices without VPN clients used on open Wi-Fi networks are another target for unsuspecting users. Hackers use rogue APs and other methods. And the popularity of mobile devices and apps is leading to an upsurge in malware and other attacks.
  • #5 Customers and other vendors have acknowledged that security at the fixed perimeter is not enough when deploying mobility. Security needs to address individual users carrying multiple devices, regardless of location or time.
  • #6 While IT has busily deployed a number of physical and software security mechanisms like Palo Alto, MobileIron, and others for protecting the perimeter, #GenMobile has completely diluted the notion of a fixed perimeter – it doesn’t exist in a mobile world where users connect and work from anywhere. To head off any risks, many enterprise IT organizations are resorting to extreme measures by adopting a zero-trust approach to security. Unfortunately, zero-trust treats everyone like potential adversaries. What’s needed is a policy solution that leverages user and device data to make smarter decisions based on each user’s mobility needs.
  • #7 Aruba calls the use of contextual data exchanged between all security components an Adaptive Trust approach for secure mobility. Aruba ClearPass acts as a centralized gatekeeper and contextual store for all user authentication and device profiling data. This data can then be pulled from EMM and MDM solutions and shared with firewalls, IDS/IPS appliances and web gateways for more granular policy enforcement.
  • #8 As ClearPass sees and authenticates the user and device when they connect, a network policy enforces a trust-based rule set that grants the user access privileges. ClearPass also sends the Palo Alto firewall context regarding the user and device, so that the firewall policy can accurately enforce app-based rules. In the example, the user is carrying an IT-issued laptop and receives access to YouTube. A separate policy may deny access if the same user is trying to reach YouTube on a smart phone.
  • #10 Mobile devices also change the traditional model of IT managing everything that goes onto a laptop. The network team must work with the security team, desktop services team and their users to ensure that users are as productive as possible, while policies ensure a high level of security controls.
  • #11 The baseline ClearPass appliance delivers policy management, RADIUS, TACACS, profiling, reporting and a small number of licenses that support Guest, Onboard and OnGuard health checks. Licensing for larger Guest, Onboard and OnGuard deployments is optional and can be purchased in increments that work for any size deployment. Appliances can be deployed in hardware or VM in a central or distributed model. Scalability and redundancy are as simple as adding a new device to an active cluster.
  • #12 What’s needed is a policy solution as your foundation that includes RADIUS and TACACS, is built to handle a variety of operating systems, device types and identity stores, and provides the flexibility for how users work today – from anywhere, at any time. The same solution should also support guest access, profiling, and device configuration from a single pane of glass. IT can create, manage and monitor policies from a central entity with less complexity. The ability to leverage context and data from multiple identity stores or authentication methods is important as well. This lets IT treat IT-managed and personal devices differently and use more granular enforcement, something that legacy AAA solutions do not support.
  • #15 Self-provisioning is a secure way for employees to set up their devices for use on your protected network segments, Wi-Fi and wired. When a new device attempts to connect to the network, ClearPass Onboard guides your users through a simple process that asks them for credentials and sets up the device for certificate authentication. A built-in certificate authority installs a unique certificate on each device. This not only simplifies the user experience when they connect, but your IT team now has visibility into who and what is being used on your network. Separate policies based on user roles or other context can then be used to differentiate access. The database of certs for known onboarded devices – BYOD in many cases – can then be used to revoke access for specific devices in the event they’re lost, stolen or have been replaced.
  • #17 The solution is to leverage a policy management system that includes built-in features for securing guest access. Policies then help determine the steps guests must use to acquire credentials and how devices are handled. Using a captive portal ensures that each guest receives separate credentials and can help keep unwanted guests off the network. The use of sponsor acknowledgement adds extra protection and can even be used to keep employees off of the guest network. Sponsors can also be used to let employees onto a guest network. Something new is an EAP method that lets IT distribute common logins and passwords
  • #20 Aruba ClearPass is a recognized leader in the NAC mobility market. Strong multivendor, policy and guest features ensure that organizations of any size can protect their network resources as needed. ClearPass adapts to your organization instead of forcing you to change your business processes to adapt to the solution.
  • #21 Customers in over 20 industries – ranging from large enterprises and financial organizations to small and medium size retail environments – are making the move. Based on today’s daily changing mobile threats, these and over 3000 other customers have replaced their legacy AAA solutions with scalable, easy-to-deploy policy management.
  • #23 Aruba ClearPass addresses the needs of the ever-changing policy landscape, replacing the point solutions and management headache with one comprehensive, secure, robust Policy Management Platform. This not only lowers CAPEX/OPEX but allows the creation of finely tuned security policies with the emphasis on simplicity and an enhanced user experience.
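As an added illustration (not code from the deck, from Aruba or from ClearPass), the Python below models the flow described in slides 12 and 13 and in notes #8 and #15: one EAP-TLS SSID shared by corporate and BYOD devices, a role derived from device ownership, that context shared with a firewall that enforces app-based rules, and certificate revocation for a lost device. The session records, the second IP address, the cert serials and the firewall rules are constructed assumptions; only Frederik's laptop context comes from slide 7.

```python
from dataclasses import dataclass, field


@dataclass
class Context:
    """What the policy engine knows about one session after EAP-TLS and profiling."""
    user: str
    department: str
    os: str
    device_type: str   # "laptop", "tablet" or "smartphone"
    ownership: str     # "corporate" (IT-issued) or "byod" (self-onboarded)
    cert_serial: str   # serial of the unique device certificate
    ip: str


@dataclass
class PolicyEngine:
    """ClearPass-like gatekeeper (hypothetical model): authenticates, assigns a role, shares context."""
    revoked: set = field(default_factory=set)   # cert serials of lost/stolen/replaced devices
    shared: dict = field(default_factory=dict)  # ip -> Context, pushed to the firewall

    def authorize(self, ctx: Context, ssid: str) -> str:
        """Role enforced for a device joining `ssid`; both ownership types share the SSID."""
        if ssid != "CORP-SECURE":
            return "deny"                    # only the corporate SSID is modelled here
        if ctx.cert_serial in self.revoked:
            return "deny"                    # revoked onboard cert: no network at all
        role = "employee" if ctx.ownership == "corporate" else "internet-only"
        self.shared[ctx.ip] = ctx            # context the firewall will use for app rules
        return role

    def revoke(self, cert_serial: str) -> None:
        """Revoke a device cert and withdraw its context from the firewall."""
        self.revoked.add(cert_serial)
        for ip in [ip for ip, c in self.shared.items() if c.cert_serial == cert_serial]:
            del self.shared[ip]


def firewall_app_decision(shared: dict, src_ip: str, app: str) -> str:
    """App-based firewall rule driven by the shared context (constructed rules, cf. note #8)."""
    ctx = shared.get(src_ip)
    if ctx is None:
        return "deny"                        # no context for this source: untrusted
    if app == "youtube":                     # allowed on IT-issued laptops only
        return "allow" if ctx.ownership == "corporate" and ctx.device_type == "laptop" else "deny"
    if app == "intranet":                    # internal apps need corporate ownership
        return "allow" if ctx.ownership == "corporate" else "deny"
    return "allow"                           # general internet: both roles


# Constructed sample sessions; the laptop matches the deck's slide 7 example.
LAPTOP = Context("Frederik", "Marketing", "Mac OS 10.9.3", "laptop", "corporate", "SN-0001", "10.0.1.12")
PHONE = Context("Frederik", "Marketing", "iOS 7", "smartphone", "byod", "SN-0002", "10.0.1.57")


def demo() -> dict:
    """Run the two sessions through the engine and firewall, then revoke the phone."""
    engine = PolicyEngine()
    out = {
        "laptop_role": engine.authorize(LAPTOP, "CORP-SECURE"),
        "phone_role": engine.authorize(PHONE, "CORP-SECURE"),
        "laptop_youtube": firewall_app_decision(engine.shared, "10.0.1.12", "youtube"),
        "phone_youtube": firewall_app_decision(engine.shared, "10.0.1.57", "youtube"),
        "phone_web": firewall_app_decision(engine.shared, "10.0.1.57", "web"),
    }
    engine.revoke("SN-0002")                 # phone reported lost
    out["phone_after_revoke"] = engine.authorize(PHONE, "CORP-SECURE")
    out["phone_web_after_revoke"] = firewall_app_decision(engine.shared, "10.0.1.57", "web")
    return out


if __name__ == "__main__":
    print(demo())
```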