
ClearPass Access Management System Solution Overview

THE CLEARPASS ACCESS MANAGEMENT SYSTEM™

Remember when IT planned corporate-wide end-user technology roll-outs? Distributing company-owned, IT-managed devices was a very controlled process. Employees had to get IT approval to use an unauthorized device, even if it was useful and increased productivity.

IT was the gatekeeper of everything enterprise and it ruled the network with a combination of strict policies, purpose-built technologies, and a fully-contained technology ecosystem. Those days are long gone.

Today, billions of Wi-Fi-enabled smartphones and tablets are pouring onto enterprise networks. Each user is armed with more than three mobile devices and each mobile device is loaded with over 40 apps. According to ABI Research, over 9 billion Wi-Fi-enabled devices have shipped since 2009, and Gartner predicts mobile app downloads will hit 310 billion by 2016.

Consequently, IT is struggling to stay in control. Users have far more latitude – freely connecting their own smartphones and tablets to the corporate network, downloading their own apps, and co-mingling work and personal information.

Redefining the IT mission

It’s clear that BYOD has redefined IT’s mission and extended the boundaries of IT operations beyond the infrastructure to mobile devices and apps. The new IT mission demands a reliable mobile work experience for users without sacrificing privacy, security and control.

However, some big challenges remain. How does IT maintain visibility and control of new devices that connect? What devices are being used, how many, and can IT support all the operating systems? What apps are users downloading over the enterprise network?

IT organizations must also contend with some formidable onboarding challenges. It’s not realistic to rely on already-strapped IT helpdesks to manually provision network access settings, certificates, and enterprise apps on every mobile device.

Another serious challenge involves safeguarding company data. IT has to deal with the risk and compliance implications of confidential data residing on personal devices. Not only are these devices easily misplaced or stolen, they also have different security capabilities.

Until now, IT has addressed this problem by taking control over the entire device. But end users have rejected this big-brother approach to device security. What IT really needs is multiple approaches that address the entire spectrum of BYOD and its use cases.

As a result, a litany of siloed point-products have made their way onto enterprise networks to narrowly address some specific aspects of BYOD – network access control, mobile device management, mobile application management, guest management, and content management.

Unfortunately, stringing together a multitude of loosely integrated point-products can lead to more complexity, higher costs and compromised security controls. This approach also fails to streamline and automate time-consuming onboarding tasks.

And now IT organizations are the ones demanding a better way to do BYOD.

One place to manage all things BYOD

The ClearPass Access Management System from Aruba Networks takes a fresh and innovative approach to solving the BYOD challenge – one that gives IT unprecedented control and a simpler way to roll out BYOD.

Instead of a siloed technique, ClearPass integrates every critical aspect of BYOD – network access control (NAC), mobile device management (MDM) and mobile application management (MAM) – into a single platform.

From this single ClearPass platform, policies based on contextual data are extended across the network to devices and applications. By contextual data, we mean user roles, device types, application use, location, motion, and time-of-day.

With ClearPass, IT can manage network policies, onboard and manage devices, admit guest users, assess device health – even secure, distribute and manage work apps – through a single pane of glass, on any network and without changing your current infrastructure.

Equally compelling, ClearPass automates many of the time-consuming tasks that the IT helpdesk had to do manually. ClearPass makes BYOD so simple that users can now securely onboard their own devices and provision network access for their own guests.

[Figure: ClearPass Policy Manager at the center, with Network Access Management, Application Management, Device Management, Visitor Management and Device Health applied across the network for employees, contractors, guests and BYOD.]

The ClearPass advantage

• Users provision their own devices with the right security settings and the right apps without helpdesk assistance.

• Users register their own devices, like projectors, printers and Apple TVs, by simply filling out an online form.

• Network access privileges automatically extend to devices and applications using contextual data – user roles, device types, application use, location, motion, and time-of-day.

• Application updates and security controls are automatic and applied from the integrated ClearPass policy management platform.

There’s significant upside for IT organizations that adopt ClearPass and its integrated approach to deploying BYOD. For starters, it eliminates the cost and complexity associated with integrating dissimilar, siloed point-products for NAC, MDM and MAM.

ClearPass also automates the most formidable tasks associated with BYOD and actually simplifies and offloads to users the process of onboarding their own devices and provisioning network access for their guests.

Finally, in the struggle to overcome the challenges of BYOD, ClearPass provides the all-important visibility and control by extending context-based policies from the network access infrastructure all the way to devices and mobile apps.

MANAGE NETWORK ACCESS

Take Control of the Network

BYOD starts with knowing how users and their devices connect – wired, wireless or VPN – and access corporate resources. User roles and device risk-profiles are just a few criteria that must be considered when determining differentiated access policies.

ClearPass makes network policy definition and enforcement simple, handling every aspect of user and device connectivity from a single policy management platform. It also performs comprehensive authentication and enforcement without changing the existing infrastructure.

ClearPass integrates important network access capabilities for BYOD:

• Role-based policy engine.

• Enterprise-grade AAA, including RADIUS/TACACS+, 802.1X and non-802.1X services.

• A full suite of customizable captive portal options for BYOD and guest access.

• Discover and categorize devices and maintain detailed device profiling information.

A wide range of network-based policies are enforced by ClearPass, including dynamic role-based access, VLAN and access control list (ACL) assignments, and application-aware quality of service (QoS).

ClearPass is also capable of leveraging multiple identity stores, including Microsoft Active Directory, LDAP-compliant directories, ODBC-compliant SQL databases, token servers and internal databases.

Using multiple identity stores enables IT to manage and enforce network access across multiple levels and domains. Identity stores additionally can be used for authentication and continuous authorization of users and devices.

The result is consistent, automated and secure network access that meets today’s evolving BYOD and IT-managed mobile device requirements – delivered from a single, extensible platform with capabilities that grow and adapt to changing business needs.

ClearPass makes it easy for IT to ensure that everyone has the right access privileges based on who they are and the devices they use.

MANAGE AND ONBOARD MOBILE DEVICES

In addition to controlling what devices can do on the network, ClearPass gives IT organizations a serious arsenal to manage and secure devices and even control how they can be used.

By integrating MDM capabilities into ClearPass, IT can securely onboard devices, configure and update device settings, monitor compliance with corporate policies, and remotely wipe or lock IT-managed devices.

For example, with ClearPass, IT can remotely locate an iOS device, monitor risk factors of that device, such as jailbreak status and application catalog, wipe or lock the device, and enforce passcodes.

With MDM integrated with ClearPass, IT can leverage rich contextual information about users and devices to automatically enforce policies on a device. So if a device moves to a location that IT has defined as confidential, a policy can be triggered to lock that device’s camera.

Device onboarding

ClearPass features a device onboarding portal that requires users to adhere to known BYOD requirements. With ClearPass, users that are accustomed to circumventing security compliance must now onboard their devices through this portal.

A self-guided menu makes it easy for users to configure and provision secure network access for their own devices with no helpdesk assistance. In return, IT collects valuable information for policy, troubleshooting and planning purposes.

ClearPass lets IT define who can onboard devices, the type of devices they can onboard, and how many devices each person can onboard. A built-in certificate authority also lets IT publish unique credentials that include certificate information as well as user and device data.

Furthermore, easy-to-use search and menu-driven capabilities ensure the rapid revocation and deletion of certificates for specific mobile devices if a user leaves an organization or the mobile device is lost or stolen.

Register devices for collaboration

Consumer devices that support collaboration across a network – like Apple AirPlay or AirPrint enabled printers, Apple TVs, and Wi-Fi projectors – can be registered and shared between users through the Aruba WorkSpace mobile app.

Non-Apple devices used for gaming, network printing, and entertainment streaming can also be registered by approved users. All registered devices provide IT with a comprehensive set of usable data that can be used for policies based on device type, location and time-of-day.

User-driven device registration is a resourceful and inexpensive way for users to share information contained in their iPhones and iPads. And the benefits of doing so extend across a variety of industries and vertical markets.

For example, students who live in dorms can register gaming consoles for network access and register Apple TVs and choose who can share them. Or doctors can project digital PACS images from their iPads to a larger screen.

Assess device health

As a standard networking practice, AAA ensures that users and devices are accurately identified and that they can access the right resources. AAA is also instrumental in logging sessions to assist the helpdesk in resolving incidents and performing audits.

During the authorization process, some devices can be accurately identified but may face additional scrutiny to ensure that they adhere to corporate anti-virus, anti-spyware and firewall policies.

ClearPass features built-in NAC and network access protection (NAP) capabilities and performs posture-based health checks that eliminate vulnerabilities across a wide range of computer operating systems and versions.

ClearPass provides advanced health checks that strengthen corporate security posture:

• Specify how to handle peer-to-peer applications, services and registry keys.

• Determine whether USB storage devices or virtual machine instances are allowed.

• Decide if bridged network interfaces are permitted.

Whether using persistent or dissolvable health checks, ClearPass can also centrally identify compliant endpoints on wireless, wired and VPN infrastructures.

Getting more out of MDM

As an alternative to its native device management functions, ClearPass can seamlessly integrate with many of the industry’s leading MDM solutions, including AirWatch, FiberLink, JAMF Software, MobileIron and SOTI.

This is ideal for customers who already have MDM or prefer a stand-alone MDM solution. ClearPass provides the added benefit of extending context-based network policies to devices and applications as well as automated device onboarding and security provisioning.

ClearPass polls MDM systems for a variety of device information:

• Device manufacturer and model.

• Universally unique identifier (UUID) and international mobile station equipment identity (IMEI).

• Encryption status.

• Blacklisted and whitelisted applications.

• Jailbroken status.

The ability to use ClearPass to leverage MDM-collected attributes allows IT to enforce device-specific access policies from the very same platform that is used to manage BYOD and other IT-issued devices.
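The overview describes three kinds of context feeding one policy decision: identity and connection context (user role, device type, wired/wireless/VPN, location, time-of-day), attributes polled from an MDM (jailbroken status, encryption status, blacklisted apps) and posture attributes from a health check (USB storage, bridged interfaces, anti-virus state). The following is an added example, written for this overview rather than taken from ClearPass or any Aruba API, of how such a context-based policy engine evaluates a single authentication into an enforcement result (role, VLAN, ACL, and any MDM action to trigger). All attribute names, role names, VLAN numbers and ACL names are assumptions; the rule order is the point: negative MDM and posture findings win over role, an unknown device gets limited access rather than full access, and anything unrecognised is denied rather than defaulted open.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional

# Constructed example of a context-based access policy, in the spirit of the
# NAC/MDM/posture attributes the overview lists. It is not ClearPass code and
# uses no ClearPass API; every attribute, role, VLAN and ACL name is assumed.


@dataclass
class AccessContext:
    user_role: str              # from the identity store, e.g. an AD group
    device_type: str            # from device profiling: "ios", "android", "windows", "printer"
    access_medium: str          # "wireless", "wired" or "vpn"
    location: str               # e.g. "hq-floor3", "lab-confidential", "remote"
    time_of_day: str            # "HH:MM", local time of the authentication
    # Attributes polled from an MDM (None = the MDM has no record of this device)
    jailbroken: Optional[bool] = None
    encrypted: Optional[bool] = None
    blacklisted_apps: List[str] = field(default_factory=list)
    # Posture (health-check) attributes from an endpoint agent (None = not assessed)
    usb_storage_present: Optional[bool] = None
    bridged_interface: Optional[bool] = None
    antivirus_current: Optional[bool] = None


@dataclass
class Decision:
    role: str
    vlan: int
    acl: str
    reason: str
    mdm_actions: List[str] = field(default_factory=list)


MOBILE_TYPES = {"ios", "android"}
WORKDAY_START, WORKDAY_END = time(7, 0), time(19, 0)   # assumed contractor hours


def quarantine(reason: str) -> Decision:
    # Remediation-only network: the device can reach the onboarding/MDM portal, nothing else.
    return Decision("quarantine", 999, "allow-remediation-portal-only", reason)


def evaluate(ctx: AccessContext) -> Decision:
    """Return the enforcement for one authentication, most restrictive rule first."""
    # 1. Negative MDM findings override everything, whatever the user's role.
    if ctx.jailbroken:
        return quarantine("jailbroken device")
    if ctx.blacklisted_apps:
        return quarantine("blacklisted apps: " + ", ".join(sorted(ctx.blacklisted_apps)))
    if ctx.encrypted is False:
        return quarantine("device storage not encrypted")

    # 2. Posture failures (persistent or dissolvable agent) likewise quarantine.
    if ctx.usb_storage_present or ctx.bridged_interface:
        return quarantine("posture: USB storage or bridged interface present")
    if ctx.device_type == "windows" and ctx.antivirus_current is False:
        return quarantine("posture: anti-virus out of date")

    # 3. Mobile device with no MDM record at all: limited access until it is onboarded.
    if ctx.device_type in MOBILE_TYPES and ctx.jailbroken is None and ctx.encrypted is None:
        return Decision("unmanaged-byod", 30, "internet-only", "no MDM record; onboard first")

    # 4. Registered headless devices get a device-specific role, not a user role.
    if ctx.device_type == "printer":
        return Decision("iot", 40, "printer-protocols-only", "registered printer")

    # 5. Role-based rules with time-of-day and location context.
    now = time.fromisoformat(ctx.time_of_day)
    if ctx.user_role == "contractor":
        if not WORKDAY_START <= now <= WORKDAY_END:
            return Decision("denied", 0, "deny-all", "contractor outside working hours")
        return Decision("contractor", 20, "contractor-restricted", "contractor in hours")
    if ctx.user_role == "guest":
        return Decision("guest", 30, "internet-only", "guest account")
    if ctx.user_role == "employee":
        actions: List[str] = []
        if ctx.location == "lab-confidential" and ctx.device_type in MOBILE_TYPES:
            actions.append("disable-camera")   # location-triggered MDM action
        acl = "employee-vpn" if ctx.access_medium == "vpn" else "employee-full"
        return Decision("employee", 10, acl, "compliant employee device", actions)

    # 6. Anything unrecognised is denied rather than defaulted open.
    return Decision("denied", 0, "deny-all", f"unknown role {ctx.user_role!r}")


if __name__ == "__main__":
    # Constructed sample authentications.
    print(evaluate(AccessContext("employee", "ios", "wireless", "lab-confidential", "10:00",
                                 jailbroken=False, encrypted=True)))
    print(evaluate(AccessContext("contractor", "windows", "wired", "hq-floor3", "22:00",
                                 antivirus_current=True)))
```

The `reason` field is deliberately part of every decision: when a decision is written to the AAA session log it is what the helpdesk and the auditor later need, and it makes the unmanaged and quarantine paths distinguishable in a log search even though both land on restricted VLANs.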

Visitor management

BYOD isn’t just about employee devices. It’s about any visitor whose device requires network access – wired or wireless. An integrated BYOD solution must automate and simplify the provisioning of network access for guests.

ClearPass visitor management capabilities make it easy and efficient for employees, receptionists, event coordinators and other non-IT staff to create temporary network access accounts for hundreds of thousands of guests.

Guests can also self-register for network access. Once registered, ClearPass delivers login credentials to users via print, SMS text or email. Visitor credentials are stored in ClearPass and accounts can be set to expire automatically after a specific number of hours or days.
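The guest account lifecycle above (sponsor or self-registration, credential delivery by print, SMS or email, and automatic expiry after a set number of hours or days) can be shown end to end in a few dozen lines. The following is an added example written for this overview, not ClearPass code; the sponsor validity limit, the username format and the delivery channel names are assumptions. It stores only a salted PBKDF2 hash of the delivered password, checks expiry before the password at login, and purges an expired account on its first use after expiry.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example of a self-expiring guest account store. It is not ClearPass
# code; the field names, limits and delivery channels are assumptions.

MAX_VALID_HOURS = 24 * 14        # assumed upper bound a sponsor may grant
PBKDF2_ROUNDS = 100_000


@dataclass
class GuestAccount:
    username: str
    salt: bytes
    password_hash: bytes         # PBKDF2-HMAC-SHA256 of the delivered password
    sponsor: str
    expires_at: float            # Unix epoch seconds
    delivery: str                # "print", "sms" or "email"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_guest_account(store: Dict[str, GuestAccount], sponsor: str, delivery: str,
                         valid_hours: int, now: Optional[float] = None) -> Tuple[GuestAccount, str]:
    """Create an account; return it plus the one-time clear-text password to deliver."""
    if delivery not in ("print", "sms", "email"):
        raise ValueError("unsupported delivery channel")
    if not 1 <= valid_hours <= MAX_VALID_HOURS:
        raise ValueError("validity outside sponsor limits")
    now = time.time() if now is None else now
    username = "guest-" + secrets.token_hex(3)
    while username in store:                  # avoid the rare collision
        username = "guest-" + secrets.token_hex(3)
    password = secrets.token_urlsafe(9)       # random, delivered once, never stored
    salt = secrets.token_bytes(16)
    acct = GuestAccount(username, salt, _hash(password, salt), sponsor,
                        now + valid_hours * 3600, delivery)
    store[username] = acct
    return acct, password


def authenticate_guest(store: Dict[str, GuestAccount], username: str, password: str,
                       now: Optional[float] = None) -> Tuple[bool, str]:
    """Captive-portal login check: expiry is tested before the password."""
    now = time.time() if now is None else now
    acct = store.get(username)
    if acct is None:
        return False, "unknown account"
    if now >= acct.expires_at:
        del store[username]                   # auto-expire: purge on first use after expiry
        return False, "account expired"
    if not secrets.compare_digest(_hash(password, acct.salt), acct.password_hash):
        return False, "bad password"
    return True, "ok"


if __name__ == "__main__":
    accounts: Dict[str, GuestAccount] = {}
    acct, pw = create_guest_account(accounts, sponsor="reception", delivery="sms", valid_hours=8)
    print(f"deliver {acct.username} / {pw} via {acct.delivery}; expires at {acct.expires_at:.0f}")
    print(authenticate_guest(accounts, acct.username, pw))
```

Testing expiry before the password means an attacker who has obtained an old printed slip learns nothing about whether the password on it was ever right, and the purge on first post-expiry use keeps the store from accumulating stale accounts between scheduled clean-ups.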

ClearPass also enhances the guest experience by enabling organizations to create a branded look and feel on captive portals. You can post customized ads, news updates, discount offers, and other targeted content to create a unique experience for all guests.

With ClearPass, IT has complete visibility into each visitor’s network access activities, which makes it effortless to measure and audit network usage, identify Wi-Fi coverage requirements, and meet corporate and industry compliance mandates.

MANAGE MOBILE APPLICATIONS

Proper visibility and control of devices that connect to the network are a vital part of any BYOD rollout. But no BYOD deployment is complete without also considering how to effectively manage mobile apps on personal devices.

The MAM capability in ClearPass known as WorkSpace lets IT secure, distribute and manage enterprise apps on mobile devices. A companion WorkSpace mobile app is provisioned on a user’s device to enforce policies, encrypt data and provide a single sign-on for all work apps.

Secure your apps

ClearPass with WorkSpace makes it easy to create contextual policies that control how work apps are used and data is secured. VPN sessions can be initiated automatically whenever work apps are launched on public and untrusted networks.

There are many more security capabilities. ClearPass with WorkSpace enables IT to add Active Directory authentication to apps, geo-fence apps, lock down apps on jailbroken devices, and prevent cutting-and-pasting between work and personal data.

To facilitate this level of control, ClearPass with WorkSpace wraps work apps with these security controls, allowing IT to create application-specific policies per user or per group. These wrapped apps are then pushed to devices or made available through an internal app store.

Unlike other MAM solutions, ClearPass with WorkSpace implements per-application policies that consider real-time device and network information available from the rest of the ClearPass system – another benefit of having a truly integrated BYOD solution.

© 2013 Aruba Networks, Inc. Aruba Networks’ trademarks include AirWave®, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, and Green Island®. All rights reserved. All other trademarks are the property of their respective owners. The scale may vary depending upon the deployment scenario and features enabled. SO_ClearPass_041013

1344 Crossman Avenue. Sunnyvale, CA 94089

1-866-55-ARUBA | Tel. +1 408.227.4500 | Fax. +1 408.227.4550 | [email protected]

www.arubanetworks.com

Privacy and other app issues

ClearPass also solves enduring liability issues related to privacy by preventing IT access to a user’s personal information. IT can only wipe or lock enterprise apps and data – anything controlled by WorkSpace – while personal information stays private.

If it’s true that MAM solutions are only as good as the apps they support, then ClearPass with WorkSpace is a winner. It supports one of the largest ecosystems of enterprise mobile apps in the industry – over 40 leading third-party productivity apps as well as internally-developed apps.

BYOD SOLVED

BYOD is the single largest disruptive force in networking today and it has created a host of challenges for IT.

ClearPass solves these challenges by integrating NAC, MDM and MAM into one cohesive solution and by extending the enforcement of contextual policies across the network to devices and applications.

From one integrated platform, ClearPass lets IT manage network policies, onboard and manage devices, admit guest users, assess device health – even secure, distribute and manage mobile work apps.

ClearPass can be cost-effectively deployed on any network and requires no changes to your current infrastructure. Fully integrated, ClearPass also eliminates the cost and complexity associated with managing a multitude of dissimilar BYOD point-products.

It also automates many of the time-consuming tasks that the IT helpdesk used to do manually. In fact, ClearPass is so simple that users can securely onboard their own devices and provision network access for their own guests.

ClearPass is simply the best way to roll out and manage BYOD in enterprise networks.

[Figure: ClearPass with WorkSpace spanning apps, devices and network. Network access management (wireless, wired, VPN): control how users connect; you get the context of the connection to deliver the right level of access and keep the network safe. Device onboarding and management: device management for iOS, automated device onboarding for all major mobile devices; goodbye help desk tickets. Mobile app management: distribute and manage work apps; WorkSpace assigns usage policies to every app and pushes them out to the right user. Platforms: iOS/Mac OS X, Android, Windows. A better BYOD experience: with the WorkSpace mobile app, users have everything they need for work on their own device; now that your users can do more, you don’t have to. Callouts: on any network; faster device deployments; now it’s personal; massive app ecosystem.]