IT Security Forum London ballintrae 240913 final
•Download as PPTX, PDF•
0 likes•853 views
Presentation on the path to pervasive wireless - An enterprise journey.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to IT Security Forum London ballintrae 240913 final
Similar to IT Security Forum London ballintrae 240913 final (20)
Recently uploaded
Recently uploaded (20)
IT Security Forum London ballintrae 240913 final
- 1. © 2013 Beyond Mobile Ltd 25 September 2013 THE PATH TO A PERVASIVE WIRELESS SERVICE
- 2. © 2013 Beyond Mobile Ltd 25 September 2013 CUSTOMER POLL 2 Quick show of hands • Does your company offer any type of Wi-Fi solution in their premises ? Keep it up if you allow • employees on company laptops to use it ? • guest access to the internet via it ? • employee’s to use their personal devices on it?
- 3. © 2013 Beyond Mobile Ltd 25 September 2013 AGENDA 3 Wireless Networking – the changing landscape The path to a pervasive wireless service Q&A
- 4. © 2013 Beyond Mobile Ltd 25 September 2013 INTRODUCTION 4 An IT infrastructure specialist with over 20 years in the financial services sector. 11 years with Credit Suisse and 6 with Chase (JP Morgan) Earlier this year I left Director in IT role for Credit Suisse to start Beyond Mobile. Beyond Mobile offers Strategy, Product and Sales advice to technology companies in the early stage of their business plans and firms looking to buy enterprise mobility technology.
- 5. © 2013 Beyond Mobile Ltd 25 September 2013 Enterprise 1 (Financial) Enterprise 2 (Financial) Enterprise 3 (consulting) THE ANATOMY OF AN ENTERPRISE 5 140,000 65,000 20,000 150,000* 80,000 2,000 35,000* 15,000 20,000 200,000+ * 120,000 2,500 Yes Yes No “dirty network” “clean network for employees” “clean network”
- 6. © 2013 Beyond Mobile Ltd 25 September 2013 EVIL INTERNET & WIRELESS 6 Wi-Fi BANNED Custom laptops with Wi-Fi cards removed Ethernet ports and drivers locked down Remote access restricted to dial up Almost impossible to be productive unless in the office
- 7. © 2013 Beyond Mobile Ltd 25 September 2013 EVOLUTION NOT REVOLUTION 7
- 8. © 2013 Beyond Mobile Ltd 25 September 2013 NETWORK PERIMETER SECURITY 8
- 9. © 2013 Beyond Mobile Ltd 25 September 2013 NETWORK STRATEGY 9 DEPERIMITISATION
- 10. © 2013 Beyond Mobile Ltd 25 September 2013 2007 – 1ST GEN WI-FI 10 CISO concedes someWi-Fi allowed “Managed” endpoints only Guest internet access allowed No employee personal devices allowed User experience not considered Wi-Fi Design poor Global inconsistency
- 11. © 2013 Beyond Mobile Ltd 25 September 2013 2007 – 1ST GEN WI-FI 11 Un-provisioned Device Provisioned Device LAN DMZ BYOD MDPS FWFW EXT DMZ FWEXT DMZ FW Wage Firewall Cisco DMZ anchor Controller DMZ Bluecoat Proxy EoIP PW R EN ET 11A /N 11B/G/N 105 BYOD User traffic EoIP Radius Auth HTTPS Publisher Amigopod Appliance for remote cloud provisioning of BYOD and guest self registration APAC CPPM AAA servers EMEA CPPM AAA Servers Amigopod Appliance for remote cloud provisioning of BYOD and guest self registration Cisco Intranet Controller Guest traffic Cisco Access Point
- 12. © 2013 Beyond Mobile Ltd 25 September 2013 2009 CHALLENGERS 12 “Why can’t I use the corporate Wi-Fi to sync my work email” “Cellular coverage is so bad in my building and it’s crazy employee’s cant use the CorporateWi-Fi on their personal devices” Crumbling of ITWalled gardens
- 13. © 2013 Beyond Mobile Ltd 25 September 2013 2011 THE GAME CHANGED 13 Real estate smart strategies Wi-Fi shifted to a core “enabling” technology and business enabler. BYOD strategy was built demanding better services CIO – build it quick but I wouldn’t start from there, if I was you Poor coverage, low contention, IT vs. Business
- 14. © 2013 Beyond Mobile Ltd 25 September 2013 14 COMPARING ENTERPRISE APPROACHES Projects requirements vs. long term strategy How to define policies for different user groups Skills you need to support the service
- 15. © 2013 Beyond Mobile Ltd 25 September 2013 PROJECT REQUIREMENTS 15 Guest Employee 1 Employee 2 Standard Complex
- 16. © 2013 Beyond Mobile Ltd 25 September 2013 Guest Employee 1 - Standard Employee 2 – complex POLICIES FOR DIFFERENT GROUPS 16 Medium Medium High Low Med High / Regulated Personal Corporate or Personal Corporate Yes Yes Yes & Corporate None MAM MDM & MAM No Yes Yes
- 17. © 2013 Beyond Mobile Ltd 25 September 2013 Guest Policy Network Access Untrusted / DMZ Authentication Username/password Content Filtered No Posture checked No Accept Use policy Yes 17 POLICIES FOR DIFFERENT COMPANIES Emp. Personal Policy Network Access Untrusted / DMZ Authentication Tied into AD Content Filtered Yes Posture checked None Accept Use policy Yes & Web Redirect Enterprise 1 Enterprise 2 Guest Policy Network Access Untrusted / DMZ Authentication Username/password Content Filtered No Posture checked No Accept Use policy Yes Emp. Personal Policy Network Access Untrusted / DMZ Authentication SSL VPN Content Filtered Yes Posture checked Downloadable client Accept Use policy Re-registered 90 days
- 18. © 2013 Beyond Mobile Ltd 25 September 2013 18 POLICIES FOR DIFFERENT COMPANIES Corporate Device Policy Network Access Secure 802.1x / EAP TLS Authentication Mutual auth certificates Content Filtered Yes Posture checked Trusted build Accept Use policy Yes / Annual IT Policy Enterprise 1 Enterprise 2 Corporate Device Policy Network Access Untrusted / DMZ Authentication VPN with Smartcard Content Filtered Yes Posture checked Trusted build Accept Use policy Yes /
- 19. © 2013 Beyond Mobile Ltd 25 September 2013 Is your Wi-Fi initiative IT driven vs. business driven? Do you have you a regular dialogue with stakeholders to understand their risk posture? Does your organisation get additional funding for building Wi-Fi access? What are the skills required to support your BYOD & wireless strategy? What else is important? Q & A / ROUNDTABLE
- 20. © 2013 Beyond Mobile Ltd 25 September 2013 THE PATH TO A PERVASIVE WIRELESS SERVICE
Editor's Notes
- This presentation is a story of how one company started their journey 8 years ago with the CISO banning ALL Wi-Fi to today where it’s a major part of their strategy to maintain profitability
- The changing landscape wireless technology being pervasive, being an anchor technology for lots of enterprise initiativesInthe path to a pervasive wireless network we’ll comparison 2 enterprise approaches looking at Architecture Best Practice & security postureSkills you need to support the serviceHow do define Access Policies – Guest, Corp user (mgd), Corp (BYOD)
- My background is an an infrastructure guy with experience in large enterprise & financial services recently as a Director in IT at Credit Suisse.Fin Svc is a tough place to be at the moment and this led to my decision to leave the the financial services IT industry Earlier this year I formed my own consulting company offering strategy, product management & development and sales services to businesses in the STARTUP or early phase of their Life.
- Employees, DesktopsLaptops,LAN ports, Content filtering,Wi-Fi architectureBarclaycard10,300Investment Bank 25,500Retail, wealth and business banking 100,000 (40% of retail have laptops, 10%in wealth, wealth total is only 7k)TODAY view but trend is an increasing number of devices today being used as secondary device but ROI is in desktop replacement .EAP-TLS mutual authentication– Linked into AD
- So in our case study were things straight forward … wellThis is how bad it was. LESS THAN 8 years ago- Wireless was banned by CISO- laptop were custom ordered with the WLAN card removed from the standard product. - Corporate devices had drivers removed and the ethernet port locked down to "internal network" addresses- remote access limited to dial up
- IT’S A PRETTY LOW BASE THAT we start our journey WITH but it’s more about Evolution that REVBut I’m going to take you through the transformation from the worried guy (CISO) , Through the frustrated one (the END USER) Through to a nirvana like momentChanging the view of Wi-Fi became more akin to religion that an orderly set of tasks and projects AND I’m glad to say I was a believer in the FAITH.
- This lead to some pretty excessive perimiter security strategies being played outDILBERT§Well we stopped short of the DEFENSIVE WEDGIE SYSTEM But we did build a MAC based LAN access system , where each new workstation had to be registered into the DB before it could be assigned a DHCP address. I think our LAN MAC system was about as effective as DILBERTS.
- Our NETWORK STRATEGY SAW THE Move away from SECURITY ON THE NETWORK to a model with SECURITY AT THE PERMITER , the NEW perimeter being DATACENTRE client networks become untrusted over time The On campus Wireless was treated as a dirty networkThis desire to deperimitise the network was a KEY part of our network strategy A term coined by the Jericho group.That strategy was a key aspect in allowing the Wi-Fi journey to start
- THE WORRIED GUY … TYPICALLY AN INFO SECURITY TYPETerminating the wi-fi connections on the dirty side of the DMZ convinced the CISO that Wi-Fi could be provided with minimal risk to the companies data or network. BUT THE STATE WAS FAR FROM PERFECT Endpoint has to be corporate owned & managed or Guest.No employee personal devices allowed due to concerns over data leakage and liability.Guest provisioning processes were designed to be high touch (managed meeting locations) and therefore manual, costly and often took longer that the meeting to provision.CORE INFRALow coverage, contention and IT floors prioritzed above businessGlobal inconsistency – one specific country had a paid for Wi-Fi network from a local Telco which was completely open to employee’s
- THIS IS OUR WIRELESS ARCHITECUTRE The access points connect to a local controller which backhauls to a DMZ located anchor controller via Ether over IP. Traffic from wireless clients egresses the DMZ controller Guest traffic would be send to A DMZbased captive portal managed devices VPN back into the corporate data centre
- Consumerisation began to challenge thisThis company reduced the blackberry estate from 25,000 endpoints to less that 12,000 with GOOD mobile email on consumer devices followed by other containerised appsdriving the question “Why can’t I use the corporate Wi-Fi to sync my email”“Cellular coverage is so bad in my building and it’s crazy employee’s cant use the Corporate Wi-Fi on their personal devices”
- A COUPL E OF YEAR ONReal estate and IT strategy mandated a flexible / smart working environment aiming to bring the 1:1 ratio of desks:staff down to 1:1.3 (that was 15,000 potential desks saved) AS A RESULTWi-fi shifted to a core technology as AND a business enabler upon which a BYOD and APP management platform was to be built..... IN 2011 (when the wireless standardisation project started) what was the landscape likeAmerica’s 40% WiFi coverage, APAC 71% and EMEA 45%802.11a/b/g , low contention, RF planned for occasional use, spotty coverage (not all floors, no canteen coverage or coffee areas). IT floors prioritized over business floors
- How do you define Policies forGuest, Corp user (mgd), Corp (BYOD) Those policies effectArchitecture & security postureWhatSkills you need to support the service
- When we get intor requirements analysis it’s important to remember who is the user? And ask them what they need, but clearly you cannot ask 65000 individuals in a firmBASICALLYdont get too complex in user needs analysis, we looked through these 3 viewsclient, Internal user - standard, Internal user - high needs e.g external facing M&A department).
- As we look at these 3 user groups, let’s look at some of their key requirements and how they might differPERFORMANCE (guest and standard users – knowledge worker, voice/data mixed occasional use and for short period, employee 2 adds voice/video in high volume to the set)CONTROL (make sure the guest doesn’t damage the reputation of the firms ISP connectivity – but not much else, whereas the employees have the HR or regulators policies to consider)DEVICE TypeWhere they ALLOWED to use BYODFor BYOD what type of Security would we put in place….And FINALLY WOULD THERE browsing be content Filtered
- Trusteer End Point Protection used by cReditsuisse
- Clear business objectives are. Most firms have cost reduction programs Senior project stakeholders with regular briefings needed Mature requirements & early engagement necessary with IT suppliers Which flavour of device enterprise only/corporate owned, personally enabled , pure BYODThink about process &support design as well as the technologyTranslate the risk posture to required security controls (MDM, MAM, app vs. network security)Don’t compromise usability for security (impact of security discussions)
- Add a slide at the end for Q&ADo organisations get over the top funding for Wi-Fi access IT driven vs. business driven