Airheads main conference slideshare v1.0
© 2013 Beyond Mobile Ltd June 5, 2013
INTRODUCTION
An IT infrastructure specialist with over 20 years in the financial services sector: 11 years with Credit Suisse and 6 with Chase (JP Morgan). A tough environment in financial services, and departing a role as Director in IT for Credit Suisse to start Beyond Mobile. Beyond Mobile offers strategy, product and sales advice to technology companies in the early stage of their business plans.
WHAT IS AN ENTERPRISE
ALL THE SAME, RIGHT?
COMPARISON: STAR TREK ENTERPRISE
Class | Declaration | NX | Sovereign
Ship | USS Enterprise (XCV 330) | NX-01 | NCC-1701-E
Launched | circa 2130s | April 16, 2151 | October 30, 2372
Mass | 52,000 metric tonnes | 998,000 metric tonnes | 3,250,000 metric tonnes
Length | 300 metres | 225 metres | 685.7 metres
Speed | < Warp 2 | Warp 5.2 | Warp 9.995
Armament | None | Photonic torpedoes, Phase cannons | Phasers, Arrays
COMPARISON OF AN ENTERPRISE
Enterprise 1 (Financial) | Case Study (Financial) | Enterprise 3 (Consulting)
120,000 | 65,000 | 20,000
143,000 | 80,000 | 2,000
28,000 | 15,000 | 20,000
170,000 | 120,000 | 2,500
Yes | Yes | No
"dirty network" | "clean network" | "clean network"
EVIL INTERNET & WIRELESS
• Wi-Fi BANNED
• Custom laptops with Wi-Fi cards removed
• Ethernet ports and drivers locked down
• Remote access restricted to dial-up
• Almost impossible to be productive unless in the office
EVOLUTION NOT REVOLUTION
NETWORK PERIMETER SECURITY (2007)
NETWORK STRATEGY
DEPERIMETERISATION
2007 – 1ST GEN WI-FI
• CISO concedes some Wi-Fi allowed
• "Managed" endpoints only
• Guest internet access allowed
• No employee personal devices allowed
• User experience not considered
• Wi-Fi design poor
• Global inconsistency
2007 – 1ST GEN WI-FI
Network diagram (components as labelled on the slide):
• Internet
• Un-provisioned device and provisioned device (BYOD)
• LAN, DMZ and EXT DMZ firewalls (FW); Wage Firewall
• MDPS
• Cisco Access Point (PWR / ENET / 11A/N / 11B/G/N indicators, 105)
• Cisco Intranet Controller
• Cisco DMZ anchor Controller, with EoIP tunnels carrying BYOD user traffic and guest traffic
• DMZ Bluecoat Proxy (HTTPS)
• Amigopod Appliance for remote cloud provisioning of BYOD and guest self-registration
• APAC CPPM AAA servers and EMEA CPPM AAA servers (Publisher / Subscriber), RADIUS auth
2009 CHALLENGERS
"Why can't I use the corporate Wi-Fi to sync my work email?"
"Cellular coverage is so bad in my building, and it's crazy employees can't use the corporate Wi-Fi on their personal devices."
Crumbling of IT walled gardens
2011 THE GAME CHANGED
• Real estate smart strategies
• Wi-Fi shifted to a core "enabling" technology and business enabler
• BYOD strategy was built, demanding better services
• CIO: "build it quick, but I wouldn't start from there if I was you"
• Poor coverage, low contention, IT vs. Business
THE BEGINNING OR THE END?
• Requirements
• Stakeholder management
• Buy as a service vs. build
• Technical design
• Build
• Lessons learnt
REQUIREMENTS
Guest | Standard Employee | Complex Employee
Medium | Medium | High
Low | Med | High / Regulated
Personal | Mixed | Corporate
Yes | Yes | Yes & Corporate
None | MAM | MDM & MAM
No | Yes | Yes
STAKEHOLDER MANAGEMENT
Info Sec, HR/Legal:
• Clean vs. dirty wireless = same
• On campus = enterprise policed
• Keep out of trouble with the regulator
• Employee traffic content filtered
STAKEHOLDER MANAGEMENT
• Apply IT policy
• Same quality as LAN
• Wi-Fi as a commodity
• Protect data vs. network
• BYOD: don't compromise usability for security
• Container(s) vs. MAM
BUY VS BUILD
• Corporate IT in financial services: identity crisis
• Case study = buy as a service > build
• Market not mature
• Result was a build & buy project
• One name stood out in access control and provisioning = Aruba
TECHNICAL DESIGN
• Data with some voice; a small amount of desktop video conferencing, growing
• Cloud-based guest provisioning solution
• Segregation IT policies mean no direct connection to Active Directory
• Guest registration: sponsor approved
• Employee device enrolment process to be lightweight (email address)
• Employee content filtered on BYOD devices*
• Improve scale of deployment
• Single, global wireless solution to employees
REQUIREMENTS
Wi-Fi 1st Gen | Wi-Fi 2nd Gen | Wi-Fi FUTURE
802.11a/b/g | 802.11n to ac | 802.11ac
Data | Data / Voice | Data / Voice / Video
Manual | Online registration & sponsor approval | Federated B2B
Build | Build & Buy | Buy
None | Non-critical service, severity 4 SLA | Critical service, LAN replacement
Cisco BBSM 4.x, partially supported | ClearPass CPPM 6.x | Aruba end to end
TECHNICAL DESIGN
(Network diagram: the same components as the 2007 first-generation Wi-Fi diagram above.)
LESSONS LEARNT
• Don't underestimate the amount of testing required
• BYOD footprint for testing can be never-ending
• Amount & complexity of devices leads to issues with tools for troubleshooting
• Process engineering important
• Support specialists too thin on the ground: mobility support is a specialist skillset
• Web content filtering != control
LESSONS LEARNT
Certain CONTENT FILTER RULES did not make sense for employee BYOD; we had to lobby for changes.

Chat/Instant Messaging: whole category originally blocked.
• Allow clients that connect to corporate IM platforms, as these would be monitored.
• Block all other IM platforms, but allow messaging for services tied to SMS (e.g. iMessage).

VoIP clients & Online Storage: whole category originally blocked.
• Allow all: these were personal devices and corporate data was "contained".
• Provides a better experience around apps that sync to Dropbox etc.

Remote Access Tools: whole category originally blocked.
• Allow: only personal devices can connect to Wi-Fi, so there is no company data at risk of loss.

Software Downloads:
• Allow: provides a better user experience, as this allows App Store downloads to personal devices to work on campus.
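The exceptions listed above are easiest to reason about as an ordered, first-match rule set scoped to the network a request arrives from: a relaxation whose justification is "only personal devices reach this SSID" must not also apply to managed desktops on the corporate LAN. The following is an added example, not the deck's or Credit Suisse's filter configuration; the category names, app identifiers and network labels are constructed for the illustration.

```python
"""Category-based web content-filter policy for an employee BYOD SSID.

Added illustration, not the deck's own filter configuration: the slide's
exceptions (corporate IM clients and SMS-tied messaging allowed, other IM
blocked; VoIP, online storage, remote access tools and software downloads
allowed on personal devices) are expressed as first-match rules that are
scoped to the network a request arrives from. Category names, app
identifiers and network labels are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ALLOW, BLOCK = "allow", "block"

# Constructed app identifiers: clients of the monitored corporate IM
# platform, and messaging services tied to SMS (the slide names iMessage).
CORPORATE_IM_CLIENTS = {"corp-im-client"}
SMS_TIED_MESSAGING = {"imessage"}

# Categories the original policy blocked outright, on every network.
BLOCKED_BY_DEFAULT = {"chat_im", "voip", "online_storage",
                      "remote_access", "software_download"}


@dataclass(frozen=True)
class Request:
    network: str    # "byod" (personal devices only) or "corporate"
    category: str   # category the filter assigned to the destination
    app: str        # client application identified on the flow


@dataclass(frozen=True)
class Rule:
    network: Optional[str]                      # None matches any network
    category: str
    app_test: Optional[Callable[[str], bool]]   # None matches any app
    verdict: str
    reason: str


# First match wins, so the narrow allows precede the category-wide block.
BYOD_RULES: List[Rule] = [
    Rule("byod", "chat_im", CORPORATE_IM_CLIENTS.__contains__, ALLOW,
         "corporate IM platform; traffic is monitored"),
    Rule("byod", "chat_im", SMS_TIED_MESSAGING.__contains__, ALLOW,
         "messaging tied to SMS"),
    Rule(None, "chat_im", None, BLOCK, "all other IM platforms"),
    Rule("byod", "voip", None, ALLOW,
         "personal device; corporate data is contained"),
    Rule("byod", "online_storage", None, ALLOW,
         "personal device; corporate data is contained"),
    Rule("byod", "remote_access", None, ALLOW,
         "only personal devices reach this SSID; no company data at risk"),
    Rule("byod", "software_download", None, ALLOW,
         "App Store downloads to personal devices on campus"),
]


def evaluate(req: Request, rules: List[Rule] = BYOD_RULES) -> Tuple[str, str]:
    """Return (verdict, reason) for a request under first-match semantics."""
    for rule in rules:
        if rule.network is not None and rule.network != req.network:
            continue
        if rule.category != req.category:
            continue
        if rule.app_test is not None and not rule.app_test(req.app):
            continue
        return rule.verdict, rule.reason
    # No exception matched: fall back to the original category policy.
    if req.category in BLOCKED_BY_DEFAULT:
        return BLOCK, "category blocked by the original policy"
    return ALLOW, "category not restricted"


def audit(requests: List[Request]) -> List[str]:
    """One log-style line per request, the form a policy reviewer reads."""
    return [f"{r.network:9s} {r.category:18s} {r.app:16s} -> {v} ({why})"
            for r in requests for v, why in [evaluate(r)]]


if __name__ == "__main__":
    # Constructed sample traffic covering each exception and the default.
    sample = [
        Request("byod", "chat_im", "corp-im-client"),
        Request("byod", "chat_im", "imessage"),
        Request("byod", "chat_im", "other-im"),
        Request("corporate", "chat_im", "corp-im-client"),
        Request("byod", "remote_access", "rdp-client"),
        Request("corporate", "remote_access", "rdp-client"),
        Request("byod", "software_download", "app-store"),
        Request("byod", "news", "browser"),
    ]
    print("\n".join(audit(sample)))
```

Running the block prints the audit table; the same remote-access request is allowed from the BYOD SSID and blocked from the corporate network, which is the scoping the slide's reasoning depends on. In a real filter, the "corporate data is contained" justification also needs a check that the container or MAM control is actually enforced on the device, which this example takes as given.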
LESSONS LEARNT
Flow diagram (steps numbered 1 to 10 on the slide) with components: Credit Suisse Employee, CS BYOD Device, CS Desktop, Aruba ClearPass Cloud Service, Access Point, Intranet Controller, DMZ Controller, BYOD SSID, Guest & Provisioning SSID, Bluecoat DMZ Proxy, Internet.

Processes are important. Help stakeholders understand them by walking them through various scenarios:
• Guest registration
• Employee registration
• Employee day-to-day use
• Support
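Walking stakeholders through the guest and employee registration scenarios is easier with the rules written down as a small state machine. The following is an added example, not the deck's ClearPass or Amigopod configuration; it applies the constraints stated earlier in the deck (guest registration is sponsor approved, employee enrolment is keyed on an email address, and the segregation policy means no direct connection to Active Directory). The domains, time windows and device identifiers are constructed.

```python
"""Guest self-registration with sponsor approval, and lightweight employee
BYOD enrolment, modelled as a small registrar.

Added illustration, not the deck's provisioning configuration. Guests get
credentials only after the named sponsor approves within a window; an
employee device is enrolled on the email domain alone, with no directory
lookup, because the segregation policy forbids a direct AD connection.
Domains, time windows and device identifiers are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

EMPLOYEE_DOMAINS = {"example-bank.test"}   # constructed corporate domain
SPONSOR_DOMAINS = EMPLOYEE_DOMAINS          # only employees may sponsor
GUEST_VALIDITY = timedelta(hours=24)        # constructed guest credential lifetime
APPROVAL_WINDOW = timedelta(hours=4)        # constructed: unapproved requests lapse


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


@dataclass
class GuestAccount:
    email: str
    sponsor: str
    requested_at: datetime
    state: str = "pending"            # pending -> approved | expired
    valid_until: Optional[datetime] = None


class Registrar:
    def __init__(self) -> None:
        self.guests: Dict[str, GuestAccount] = {}
        self.byod_devices: Dict[str, str] = {}   # device id -> employee email

    # --- Guest registration: self-service request, then sponsor approval --
    def request_guest(self, email: str, sponsor: str, now: datetime) -> GuestAccount:
        if _domain(sponsor) not in SPONSOR_DOMAINS:
            raise ValueError("sponsor must be an employee address")
        if _domain(email) in EMPLOYEE_DOMAINS:
            raise ValueError("employees enrol a BYOD device instead")
        account = GuestAccount(email.lower(), sponsor.lower(), now)
        self.guests[account.email] = account
        return account

    def approve_guest(self, email: str, approver: str, now: datetime) -> str:
        account = self.guests[email.lower()]
        if account.state != "pending":
            return account.state
        if now - account.requested_at > APPROVAL_WINDOW:
            account.state = "expired"         # stale request; guest must re-register
            return account.state
        if approver.lower() != account.sponsor:
            raise PermissionError("only the named sponsor may approve")
        account.state = "approved"
        account.valid_until = now + GUEST_VALIDITY
        return account.state

    def guest_can_authenticate(self, email: str, now: datetime) -> bool:
        account = self.guests.get(email.lower())
        return (account is not None and account.state == "approved"
                and account.valid_until is not None and now < account.valid_until)

    # --- Employee BYOD enrolment: email domain only, no directory lookup ---
    def enrol_byod(self, employee_email: str, device_id: str) -> bool:
        # A production flow would also confirm control of the mailbox
        # (e.g. an emailed enrolment link); that step is omitted here.
        if _domain(employee_email) not in EMPLOYEE_DOMAINS:
            return False
        self.byod_devices[device_id] = employee_email.lower()
        return True

    def byod_can_authenticate(self, device_id: str) -> bool:
        return device_id in self.byod_devices


def demo_scenario() -> Dict[str, bool]:
    """Run the constructed walkthrough and return the outcome of each step."""
    t0 = datetime(2013, 6, 5, 9, 0)
    r = Registrar()
    r.request_guest("visitor@partner.test", "host@example-bank.test", t0)
    before = r.guest_can_authenticate("visitor@partner.test", t0)
    approved = r.approve_guest("visitor@partner.test", "host@example-bank.test",
                               t0 + timedelta(hours=1)) == "approved"
    during = r.guest_can_authenticate("visitor@partner.test", t0 + timedelta(hours=2))
    after = r.guest_can_authenticate("visitor@partner.test", t0 + timedelta(hours=30))
    r.request_guest("late@partner.test", "host@example-bank.test", t0)
    lapsed = r.approve_guest("late@partner.test", "host@example-bank.test",
                             t0 + timedelta(hours=5)) == "expired"
    return {
        "guest_blocked_before_approval": not before,
        "guest_approved_by_sponsor": approved,
        "guest_allowed_while_valid": during,
        "guest_blocked_after_expiry": not after,
        "stale_request_lapses": lapsed,
        "employee_enrolled": r.enrol_byod("alice@example-bank.test", "dev-1"),
        "outsider_rejected": not r.enrol_byod("mallory@partner.test", "dev-2"),
        "enrolled_device_authenticates": r.byod_can_authenticate("dev-1"),
    }


if __name__ == "__main__":
    for step, ok in demo_scenario().items():
        print(f"{'ok ' if ok else 'FAIL'} {step}")
```

Each entry in the returned dictionary corresponds to one step a stakeholder can be walked through: the guest cannot connect before approval, the sponsor (and only the sponsor) approves, the credential lapses after its lifetime, and an employee enrolment succeeds or fails on the email domain alone.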
YOUR PATH TO BYOD IN FINANCIALS
Objectives
• Have clear business objectives
• Senior stakeholder briefings
• Mature requirements & early engagement necessary with IT suppliers
• What are your security policy objectives?

Design
• Think about process & support design as well as the technology
• Translate the risk posture to security controls
• Don't compromise usability for security (impact of security discussions)

Execution
• Select technology platforms and suppliers
• Build in compliance from the beginning
• Test, test and test some more

And finally … celebrate a success!