Conquering todays bring-your-own-device challenges

Aruba White Paper

Conquering todays bring-your-own-device challenges

Conquering todays bring-your-own-device challenges

Aruba White Paper

Table of Contents
A framework for deploying successful BYOD initiatives Shortcomings of current solutions The vision for BYOD access management Differentiated, secure access for all users and devices Identify and remediate compromised devices Organization-wide policy management The Aruba ClearPass BYOD solution ClearPass Policy Manager ClearPass QuickConnect Meeting the BYOD challenge with Aruba About Aruba Networks, Inc. 3 4 5 6 8 9 10 10 11 11 12

Aruba Networks, Inc.

Conquering todays bring-your-own-device challenges

Aruba White Paper

A framework for deploying successful BYOD initiatives

Todays growing demand for anytime, anywhere network access to enterprise resources has expanded to include the use personal mobile devices such as laptops, tablets, smartphones, e-readers and more. From the executive who purchased an iPhone to boost personal productivity to the college professor who re-designed his curriculum to take advantage of new tablet-based education applications, users in all types of organizations are bringing a myriad of consumer devices to work. And when they do, they expect access to business applications and content, not just the Internet. In response to this consumerization of IT, many organizations are allowing employees to choose their laptops and use their own smartphones and tablets at work in support of bring-your-own-device (BYOD) initiatives. While organizations may still require access to confidential resources via a company-owned device, they are creating more flexible policies that also allow access via personally-owned devices. As a result, the number of devices per employee is growing from a one-to-one relationship to a one-to-many relationship. A single user today will interchangeably connect to the network using a laptop, smartphone and tablet throughout the day. The benefits to organizations that embrace BYOD initiatives include the ability to quickly respond to user needs, boost user productivity, and in many cases, reduce expenses. Yet granting enterprise access to personal devices has direct implications on security, network control and even helpdesk resources. Security challenges range from understanding who and what is on the network to keeping the network malware-free, and include proper enforcement of access policies and maintaining compliance and audit requirements. Similarly, helpdesk resources can be quickly overwhelmed as IT struggles to find the time to configure user devices for secure network authentication and corporate use. Network access solutions that fail to adequately simplify the use of personally-owned devices make it very difficult for IT to fully embrace BYOD. What organizations need is a simplified framework for deploying secure BYOD that can accommodate all device types and work with existing infrastructure. A BYOD solution should automate the device onboarding process for employees and guests, as well as the administration and enforcement of policies, by gathering information about the context of the device, user and connection. BYOD also requires real-time visibility and reporting to quickly measure, enforce, and meet compliance mandates.
Galaxy Tab MacBook

Any Device

iPhone

iPad

Droid

Any Network

VPN

The Aruba BYOD Solution

Aruba Networks, Inc.

Conquering todays bring-your-own-device challenges

Aruba White Paper

To address these challenges, Aruba developed the ClearPass Access Management System. A key part of the Aruba Mobile Virtual Enterprise (MOVE) architecture, ClearPass provides a user- and device-independent framework that tackles any BYOD initiative, large or small, by providing: Consistent policy enforcement across multivendor wired, wireless and virtual private network (VPN). Device identification as a basis for grooming traffic and improving network security. Self-service provisioning for all major mobile devices. Controlled access and remediation for compromised devices. Secure guest network access with simplified workflows. Enhanced security, reporting and regulatory compliance.

Shortcomings of current solutions

Numerous network access products are available today, many of which are being positioned as BYOD solutions. However, most fall short of providing the necessary scope of coverage required to span wired, wireless, and VPN infrastructures and to support employees, contractors and guests and the myriad of devices they own. Solutions from infrastructure vendors, for example, ignore the multivendor nature of most enterprise networks, leaving gaps in coverage that may require additional point solutions. A number of BYOD security solutions are point products, providing one solution for laptops, one for mobile devices, and so on. This siloed approach to network access policy management and BYOD is complex and costly to implement, requiring IT to purchase and support multiple components that may not interoperate well with the existing network infrastructure. Such complexity can also be an impediment to users by requiring manual device provisioning, which often results in a flurry of helpdesk calls. Provisioning must be simple for users in order to discourage them from attempting to circumvent it. Users need the flexibility to securely self-provision a device or utilize a sponsor role within the guest access process, making it easy for any user to onboard with little or no IT intervention. IT needs the flexibility to define policies based on multiple variables, including: When and where a given type of device such as a smartphone can be used. What resources that specific user is allowed to access via that device. What services and applications they can run. How much bandwidth a given device or application is allowed to consume. Only with such a breadth of control can IT, for example, enable students at a university to access the same Wi-Fi network across campus, while differentiating their access privileges from a professor or administrator. Another use case within an enterprise environment involves dynamic control of a tablet or smartphone that roams from Wi-Fi to 4G. In this case, organizations need to maintain security and control over that device if it accesses corporate resources. Just as importantly, IT needs a solution that provides visibility into and reporting on corporate-owned and BYOD devices after they are admitted onto the network. Real-time visibility, including device profiling is a prerequisite for granular access control as well as for reporting, planning, auditing and compliance. Only with these tools in place can IT verify that the chief financial officers lost smartphone hasnt been used to gain access to sensitive data, for example. Simplicity and automation are also keys to IT productivity, enabling the organization to spend more time on business-critical projects and less time performing manual troubleshooting and diagnostics. While it may seem daunting to support BYOD, organizations can embrace this trend by taking a holistic approach that automates processes and takes into consideration IT and user requirements and work habits.

Aruba Networks, Inc.

Conquering todays bring-your-own-device challenges

Aruba White Paper

The vision for BYOD access management

No two organizations are exactly alike, so BYOD has different connotations depending on who you talk to. To some users like a doctor, it means they can bring their laptop or tablet to work and access confidential information, such as patient records. For other users, like an account executive, it means being able to access the Internet and customer-related sales information from anywhere on a smartphone, while to a professor, it may mean being able to host a conference, easily acquiring guest access for each user and providing secure access regardless of the type of device. An effective BYOD access management solution must have the flexibility to satisfy the majority of use cases that organizations want to support, and give them the ability to allow or disallow BYOD based on user role or device type. It must be vendor neutral, based on open standards, and leverage an enterprises existing security, identity, and network infrastructure.

ClearPass Policy Manager dashboard

While BYOD initiatives can encompass many aspects, organizations should look for BYOD solutions with the following characteristics: 1. An open architecture that can be deployed on any vendors wireless, wired and remote infrastructure and support a broad array of fixed and mobile devices. 2. Device provisioning capabilities that automate the configuration of security and productivity settings on the device and provide easy-to-use revocation services. 3. A policy system that ensures consistent enforcement of access privileges based on trust, user roles and device types, while providing continuous device risk assessment and remediation.

Aruba Networks, Inc.

Conquering todays bring-your-own-device challenges

Aruba White Paper

A solution with these characteristics will provide the flexibility to address a range of BYOD use cases. For instance, a university can centrally manage access privileges for students, faculty and guests across a geographically dispersed campus network, regardless of device type and operating system. In the aforementioned example, policies can be enforced across any network wireless, wired and VPN identity stores, user-roles, and authentication methods, and updated as the policy system receives real-time profiling and visibility information. Similarly, enterprise finance and human resources staffs can be given differentiated access based on their roles, the specific devices theyre using, and where, how, and when they connect to the network in the office via wireless or remotely through a VPN connection, during normal business hours working hours or on the weekend.

Differentiated, secure access for all users and devices

To date, most network access solutions have used device- or user-focused authentication to provide differentiated access. However, in a BYOD environment where users have multiple devices, it is no longer sufficient to have a blanket policy that applies to everyone. Whether devices are issued by IT or BYOD, different policies will likely be needed. And these policies will be based on a users role, where and how they connect, and what device theyre using. To enforce this level of differentiated access in a BYOD environment, the ideal solution will include these capabilities: Dynamic device provisioning and management. To unburden IT from manual provisioning, a BYOD solution must support dynamic device onboarding that automates user enrollment and credential assignments, while enabling IT to easily and automatically revoke device privileges and certificates. A comprehensive BYOD solution will include features that address device profiling, provisioning, enrollment and onboarding, and revocation. Provisioning tools should simplify the configuration of service-set identifiers (SSIDs), extensible authentication protocol (EAP) type, distributing certificates and enabling posture settings. Enrollment or device registration mechanisms should let users upload information, such as media access control (MAC) addresses and operating system versions, into a policy management system. In some cases, such as high-security government environments, IT will need to maintain control over device onboarding. But for most use cases, dynamic provisioning allows users to self-configure devices for secure access. Robust device profiling. A BYOD solution should be able to identify each device, to understand where it connects to the network, and to determine who is using it. At the same time, IT should be able to create unique access policies for an employees corporate-issued laptop computer and the same employees iPad. Given the variety of consumer devices available and the rate at which they change, dynamic device profiling provides the visibility to determine whether a new device or operating system version is causing problems.

Aruba Networks, Inc.

Conquering todays bring-your-own-device challenges

Aruba White Paper

Dynamically capturing device information also provides comprehensive device attributes that can be used to create more granular policies than what is possible using MAC addresses alone. Methods should include baseline dynamic host-configuration protocol (DHCP) fingerprinting and browser detection, as well as collecting detailed information from sources such as agents, RADIUS authentication servers, and Active Directory data.

~100% Accuracy
iPad iOS 5.0.1
Provisioning Plus

(Onboard, QuickConnect, OnGuard)

Identity-based Proling
(AD, ActiveSync)

Identi ed as iOS devices

Network Heuristics Proling

(RADIUS, Web Auth)

Identi ed as Apple devices

(SNMP Traps & Queries, IF-MAP)

Events Fingerprinting

(DHCP, MAC OUI, Browser Detection)

BaselineFingerprinting

ClearPass profile accuracy

By grooming traffic and implementing unique security parameters that are tailored to specific devices, an enterprise has far greater control of the network. Likewise, the ability to instantly profile devices can be a boon to the IT helpdesk. This includes the ability to tell if a device is an iPhone, Windows laptop or Kindle Fire and whether the operating system is iOS, Mac OS X, Windows 7 or Android. Guest Wi-Fi access. The definition of guest user is much more complex now and could mean anything from a temporary contract employee to a shopper in a retail environment. As a result, the network demands of guests have changed, and a BYOD access management solution must provide the same capabilities for guests as for employees, including dynamic provisioning, profiling and role differentiation, which are needed to ensure that compliance requirements are met. Many organizations restrict guests to an isolated network segment, such as using a separate SSID from the corporate SSID, and provide Internet access only. However, the BYOD access solution should give IT the flexibility to create different access rules for different types of visitors. In addition, a BYOD access solution must be easy to use, support multi-tiered administration and sponsor capabilities, and automate the ability to include contextual elements within policies that take into account time-ofday and day-of-week privileges. For example, when a guest enters information requesting access, the BYOD access solution must have the ability to create an account that sits in a disabled state until an approved sponsor has verified and approved the request. Automated methods must exist that deliver access credentials once the approval has been received by the system. Aruba Networks, Inc. 7

Conquering todays bring-your-own-device challenges

Aruba White Paper

Identify and remediate compromised devices

The provisioning of endpoint devices should include the ability to turn on posture and health checks during the configuration process to identify any devices that have been compromised and pose a security threat. Ideally, this should be a one-time automated process that uses an IT-generated provisioning package rather than requiring the manual configuration of each device. A BYOD access solutions should provide enterprise-class posture assessment and remediation thats a cut above ordinary network access control (NAC) offerings, going beyond traditional health checks to also examine a devices runtime configuration and applications, or whether USB storage devices are allowed.

Successful Authentication

Failed Policy

Automated posture and health remediation

The ability to push a full-featured supplicant or agent to the device is also important during provisioning of endpoints for BYOD because native supplicants only allow for basic antivirus, antispyware and firewall software checks. The ability to perform posture assessments in a BYOD environment using permanent and dissolvable agents is important as many of these devices will be administratively managed by the user. Dissolvable agents for BYOD reduce administrative overhead as they are downloaded during a captive portal login and removed once the web page is closed. In addition, enterprise-class posture assessment solutions typically compare the posture/health information against policies defined in a centralized policy decision point (PDP). For a BYOD access management solution to be effective, the PDP must have the ability to automatically quarantine non-compliant BYOD and IT-issued devices using role-based mechanisms or VLAN steering methods. As part of a total posture assessment, a BYOD access solution should: Perform automated checks via persistent and dissolvable agents. Check for up-to-date antivirus, antispyware, and firewall software. Check for USB storage and peer-to-peer applications and services, such as Skype and BitTorrent. Provide control options, including protected network access, manual and auto-remediation via directed URLs, and denial of service. Finally, tying posture information with identity-related and other contextual data allows organizations to enforce differentiated policies as business needs dictate.

Aruba Networks, Inc.

Conquering todays bring-your-own-device challenges

Aruba White Paper

Organization-wide policy management

Enterprise-class policy management capabilities are essential to a BYOD deployment. Unifying policies across wired, wireless and VPN infrastructures lets IT consolidate multiple silos of policy management solutions into a single platform. This ensures greater consistency in managing enterprise-wide policies and meeting compliance requirements. An effective BYOD access management solution must deliver large-scale policy deployment, enforcement, and management capabilities, including: Centralized policy management. IT needs to define and manage policies from a central location while keeping the user experience consistent, regardless of where they log into the network. For example, IT staff in Los Angeles should be able to define policies for remote workers in India or China. The time and cost savings are easily recognized resources and travel budgets are not required to support new users and use cases or to perform troubleshooting. In addition, a centralized policy management system must provide access to multiple identity stores and databases in order to perform authentication and authorization independently. For example, for security reasons, a company may store user information in Active Directory and device information in a SQL database. Multiple administration levels and role-based access. While policy management must be centralized to ensure consistency, organizations need the flexibility to administer policy management in a distributed fashion. A BYOD access solution must support a range of administration levels and role-based administration across the security, IT and helpdesk organizations. Web-based management. Providing IT staff with web-based access to the entire policy management system without requiring dedicated appliances or licenses ensures ease of use and a lower total cost of ownership. Tiered administrative privileges allow IT and helpdesk staff to see and manage certain aspects of the system within their area of responsibility without compromising system-wide security. Access analytics and reporting. Visibility into access activity is crucial for meeting compliance requirements and for enhancing the effectiveness of network access policies. A BYOD access solution must provide IT with advanced reporting capabilities that allow them to monitor current and archived access activity, generate a variety of reports and analyze data based on access parameters, including by role, class of device and access location. IT also needs the ability to aggregate data, as well as apply filters and drill down for in-depth views. Hardware and virtual machine (VM) options. A BYOD solution should give organizations flexibility in the form factor they choose and the ability to mix-and-match hardware-based appliances and VM implementations with no discrepancy in features or functionality. Using VMs, for example, can reduce cost and complexity by lowering power and cooling requirements and simplifying cabling. Similarly, hardware appliances may be the best choice in larger data centers, while the VM option can be added to a server in remote offices when cost is a concern. Redundancy and failover. High availability is mandatory for an enterprise-wide policy server. Rather than dedicating a fully redundant appliance to passive standby in an active/passive model, the ideal access management solution should support fault tolerance using a publisher-subscriber model. In this model, a primary server replicates or publishes all changes to one or more secondary servers. This approach is more flexible than other clustering models.

Aruba Networks, Inc.

Conquering todays bring-your-own-device challenges

Aruba White Paper

The Aruba ClearPass BYOD solution

Aruba Networks understands the challenges that organizations face when implementing an access solution that is robust yet flexible enough to handle the burgeoning BYOD trend. Aruba ClearPass is the only standards-based BYOD solution that provides access control as a non-disruptive overlay to an organizations existing network. As a result, an organization can leverage its existing network, identity, and security infrastructure and simply turn on ClearPass functionality as needed. Its a very cost effective and adaptable approach that enables organizations to implement a BYOD solution thats tailored to their particular needs. The ClearPass Access Management System includes the ClearPass Policy Manager and ClearPass QuickConnect. ClearPass Policy Manager is a centralized platform that defines and controls network access policies that are based on user identity and device types across wired, wireless and VPNs. ClearPass QuickConnect makes it easy for users to configure 802.1X authentication on their Windows, Mac OS X, iOS, Android and Linux devices for more secure network access.

ClearPass Policy Manager

The ClearPass Policy Manager combines all the capabilities of a robust BYOD solution on one platform. This central policy server provides differentiated, context-based access control, along with operational utilities designed to reduce IT overhead. With ClearPass Policy Manager, IT can easily automate and extend authentication and authorization policies across the entire organization for wireless, wired, VPN or guest access applications. In addition to its integrated RADIUS and TACACS+ servers for AAA support, the ClearPass Policy Manager can read from multiple identity stores and databases, including those based on Microsoft Active Directory, LDAP, SQL, and Kerberos, providing a unified policy model that ensures access controls are applied consistently across the organization. ClearPass Policy Manager offers differentiated access based on a variety of attributes, including user role, device, time, and location. To address compliance and regulatory requirements, it also collects transactional data for each user session and offers IT and business managers a variety of reporting options. The ClearPass Policy Manager platform supports many additional capabilities through feature-rich software modules that address BYOD: ClearPass Onboard. The enterprise provisioning software module for ClearPass Policy Manager fully automates device onboarding for IT via a built-in administration interface. ClearPass Onboard offers full self-service provisioning for Windows, Mac OS X, iOS, and Android devices that includes configuration of 802.1X settings as well as the distribution and revocation of unique device credentials.
ClearPass Onboard

Aruba Networks, Inc.

10

Conquering todays bring-your-own-device challenges

Aruba White Paper

Additional features include the ability to push required applications, and configuration settings for mobile email with Exchange ActiveSync and VPN clients for some device types. ClearPass Profile. The device profiling software module for ClearPass Policy Manager uses a five-tiered system that includes DHCP and other advanced methods as well as end-user and device fingerprinting and profile information. Device-level information includes details such as operating system version, manufacturer and device category. This contextual information is then stored and used to enhance policy decisions and to identify changes in a devices profile to dynamically change authorization privileges. For example, policies can be used to differentiate access for an employees company-issued device versus the same employees personally-owned device. ClearPass Guest. The ClearPass Guest software module for ClearPass Policy Manager enables IT and nontechnical personnel to manage guest Wi-Fi accounts and onboarding tasks related to network access requirements for visitors in large and small environments. In addition to allowing employees and guests to self-register their own devices, ClearPass Guest supports rolebased access controls, activity tracking for compliance and auditing, and unique features such as advertising and commercial-grade hotspot services. ClearPass OnGuard. The ClearPass OnGuard software module for ClearPass Policy Manager enables comprehensive posture assessments that minimize the risk of viruses and the misuse of applications and services before devices connect to the network. Supporting persistent and dissolvable agents, including vendor-specific agents such as Microsoft Windows native supplicants, ClearPass OnGuard performs posture assessments on devices running Windows, Mac OS X and Linux operating systems, checking for the presence of anti-virus, anti-spyware, and firewall software from more than 80 vendors. In addition, ClearPass OnGuard checks for allowable services, processes, peer-to-peer applications like Skype, USB storage devices, VM clients, and hot spots, and provides auto-remediation or quarantine as organization policies require.

ClearPass QuickConnect
ClearPass QuickConnect is a cloud-based service that provides simple self-service 802.1X configuration for Windows, Mac OS X, iOS and Android devices, reducing the burden on IT. IT configures endpoint variables to create network authentication packages, while users are presented with a configuration wizard via a captive web portal, Active Directory group policy object (GPO), USB device or CD. Users simply start the wizard, enter their credentials and connect to the network in just a few minutes.

Meeting the BYOD challenge with Aruba

As BYOD initiatives proliferate, organizations are under pressure to simplify the process of connecting new users and devices while maintaining strong security. Arubas ClearPass Access Management System is the industrys first BYOD security solution that takes a mobile user and device approach, providing a comprehensive standards-based, vendor-neutral solution that can enforce access policies across any network, any device, and any user.

Aruba Networks, Inc.

11

Enabling High-Performance for Apple iPads in the Enterprise

Aruba White Paper

From automating device onboarding and enforcing device posture checks to applying differentiated access policies and generating audit-ready reports, Arubas ClearPass provides a simple, cost-effective approach to connecting and securing BYOD and IT-managed users and devices. Features such as self-registration reduce the burden on IT, empower users and accelerate the consumerization of IT in support of BYOD. Organizations benefit from the ability to leverage their existing infrastructure, as well as the flexibility to implement BYOD strategies in a phased approach, based on their business needs and use case requirements.

About Aruba Networks, Inc.

Aruba Networks is a leading provider of next-generation network access solutions for the mobile enterprise. The companys Mobile Virtual Enterprise (MOVE) architecture unifies wired and wireless network infrastructures into one seamless access solution for corporate headquarters, mobile business professionals, remote workers and guests. This unified approach to access networks dramatically improves productivity and lowers capital and operational costs. Listed on the NASDAQ and Russell 2000 Index, Aruba is based in Sunnyvale, California, and has operations throughout the Americas, Europe, Middle East, and Asia Pacific regions. To learn more, visit Aruba at www.arubanetworks.com. For real-time news updates follow Aruba on Twitter and Facebook.

www.arubanetworks.com 1344 Crossman Avenue. Sunnyvale, CA 94089 1-866-55-ARUBA | Tel. +1 408.227.4500 | Fax. +1 408.227.4550 | info@arubanetworks.com

2012 Aruba Networks, Inc. Aruba Networks trademarks include AirWave, Aruba Networks, Aruba Wireless Networks, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System, Mobile Edge Architecture, People Move. Networks Must Follow, RFProtect, and Green Island. All rights reserved. All other trademarks are the property of their respective owners. WP_BYOD_120210