Embracing BYOD with MDM and NAC. Chris Isbrecht, Fiberlink Gil Friedrich, ForeScout




Today's Agenda
- The BYOD Landscape
- Network Access Control (NAC) 101
- Embracing BYOD with MDM and NAC
- Use Cases

The BYOD Landscape

How are you managing employee-owned devices today?
- Mobile device management (MDM) solution
- Native email controls
- No controls in place
[Chart values: 31%, 26%, 43%; the mapping of values to answers is not preserved]

What are your biggest concerns with BYOD support?
- Having visibility into all devices used for work
- Securing corporate data on the device
- Potential employee privacy issues
- Inability to blacklist applications
- Additional help desk support
- Requests to support new devices
[Bar chart, axis 0% to 100%; values not preserved]

The BYOD Landscape
[Diagram labels: BYOD; iOS, Android, BlackBerry, Windows; Unmanaged and Non-Compliant Tablets & Smartphones; Apps; Customer Experience; Compliance & Regulations; End User Privacy; Data Security]

Embracing BYOD with MDM and NAC Gil Friedrich, VP of Technology, ForeScout June 8, 2012 2012 ForeScout, Page 5

What is Network Access Control (NAC)?
Technology that identifies users and network-attached devices and automatically enforces security policy.
[Diagram labels: LIMITED, FIXED]

NAC Architecture
Visibility and control of everything on your network
- Components: Appliance, DB, Policy Engine, Packet Engine
- Plugins: Windows, Mac/Linux, MobileNAC & MDM, Switch, VPN, Wi-Fi, User Dir, SIEM, ePO
- What is this machine?
- Who's the person behind the keyboard?
- How is it connected?

What Is Network Access Control (NAC)
See / Grant / Fix / Protect

Real-time network asset intelligence
- Device type, owner, login, location
- Applications, security profile

Network access controls
- Grant access, register guests
- Limit or deny access
[Diagram labels: ForeScout CounterACT Appliance / Virtual Appliance; Sales, Employee, Guest; Web, Email, CRM]

Manual to automated response
- Remediate OS
- Fix security agents
- Fix configuration
- Start/stop applications
- Disable peripherals
- Block worms, attacks

Mobile Security and NAC
NAC can serve as the BYOD enabler
Most companies will use various technical control mechanisms:
- Block all of the BYOD devices
- VDI - Virtual Desktop Infrastructure
- MAW - Mobile Application Wrapper
- WAP - Wireless Access Point
- MDM - Mobile Device Management
- NAC - Network Access Control

Network Access Control: Foundational for BYOD
- "No matter what [BYOD] strategy is selected, the ability to detect when unmanaged devices are in use for business purposes will be required and that requires NAC."
- "NAC policies can be used in combination with other approaches to implement the four strategies outlined in the framework: Contain, Embrace, Block and Disregard."
- "NAC helps to protect the network, but it is only one component of a broader BYOD security strategy. Other solutions, such as MDM and HVDs [VDIs], are needed to secure mobile endpoints."
Source: Gartner, NAC Strategies for Supporting BYOD Environments, December 2011, Lawrence Orans and John Pescatore

Layered Security Options

Poll Question
Describe your organization's plans for implementing a NAC solution:
a) Already implemented a NAC solution
b) Plans to evaluate and purchase a NAC solution in the next 6 months
c) Will implement a NAC solution in next 12 months
d) No NAC solution; no plans for implementation

NAC+MDM Synergies: 1+1=3
Unify visibility, compliance and access control
- NAC focus is on the network
- MDM focus is on the mobile device

Comparison (MDM Alone / NAC Alone / NAC+MDM):
- Visibility: Full info on managed only / Basic OS info on all devices / Complete
- Access Control: For managed and email only / Partial (missing endpoint info) / Complete
- Compliance: Managed only / Very limited / Complete
- Deploy Agent: Pre-registration / Network based / Both

Why Consider a NAC and MDM Combination?
BYOD requires network, device, data and application controls
- MDM products can only secure devices that they manage
- NAC can identify new/unmanaged mobile devices, protect the network and automate MDM enrollment
- NAC products can identify mobile devices but lack deep inspection
- MDM technology is needed to gain deep inspection and compliance details
- MDM lacks network access control, which exposes your network and data to attack by unknown devices
- MDM device inspection is strong, but based on polling frequency
- NAC can restrict network resources according to policy
- NAC/MDM integration can initiate a new inspection at the time of network access

Why Consider a NAC and MDM Combination? (continued)
BYOD requires network, device, data and application controls
- MDM provides rich mobile lifecycle management: provisioning, apps, data containerization
- Mobile device lifecycle management is outside the scope of core NAC capabilities
- MDM policy assessment may not be flexible enough to allow users to use their device outside of policy
- NAC could temporarily quarantine a non-complying mobile device on a corporate network
- MDM daily operation is usually run by communications, applications or desktop teams
- NAC/MDM integration allows security operators to gain visibility and control across all devices

Automate Registration: How It Works

Device connects to the network
  a. Classify its type: mobile device and its type (Android, iPhone iOS, BlackBerry OS) or PC (Windows, Mac, Linux)
  b. Check if it has the mobile agent

If the agent is missing
  a. Quarantine the mobile device
  b. Register and install relevant MaaS360 agent on the mobile device (via HTTP redirection)

Once installed with an agent
  a. Allow access based on policy
  b. Continue monitoring the agent's operation


Real-time Compliance Testing: How It Works

Device connects to the network
  Has a mobile agent but is jailbroken

Force a compliance test
  a. CounterACT informs MaaS360 to assess configuration attributes
  b. If in violation, inform ForeScout CounterACT
  c. CounterACT quarantines the mobile device and sends informative message

Enable a compliance recheck
  a. CounterACT informs MaaS360 to test
  b. Upon re-assessment, allows onto network if violation no longer exists
  c. Continue monitoring the agent's operation
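
The two "How It Works" flows above (automated registration and on-access compliance testing) can be read as one admission decision. The sketch below is an added example, not ForeScout or MaaS360 code; `admit`, `fresh_assessment`, the MAC addresses and the enrollment URL are hypothetical, and the `on_access_check` switch contrasts trusting the last MDM poll with re-assessing at connect time.

```python
from dataclasses import dataclass
from typing import Callable, Optional

MOBILE_OS = {"android", "ios", "blackberry"}
ENROLL_URL = "https://mdm.example.invalid/enroll"  # placeholder, not a real endpoint

@dataclass
class Device:
    mac: str
    os: str                                  # NAC classification result
    has_mdm_agent: bool
    cached_compliant: Optional[bool] = None  # verdict from the last MDM poll

@dataclass
class Decision:
    action: str                              # "allow", "quarantine" or "defer"
    reason: str
    redirect: Optional[str] = None

def admit(dev: Device, assess: Callable[[Device], bool],
          on_access_check: bool = True) -> Decision:
    """Admission decision at connect time. `assess` is a hypothetical stand-in
    for asking the MDM to re-evaluate the device now."""
    if dev.os not in MOBILE_OS:
        return Decision("defer", "PC: handled by desktop policy, outside this flow")
    if not dev.has_mdm_agent:
        # Unmanaged mobile device: quarantine and redirect HTTP to enrollment.
        return Decision("quarantine", "no MDM agent", ENROLL_URL)
    # Polling-only mode trusts the cached verdict; on-access mode re-assesses.
    compliant = assess(dev) if on_access_check else bool(dev.cached_compliant)
    if not compliant:
        return Decision("quarantine", "policy violation; recheck after remediation")
    return Decision("allow", "agent present and compliant")

# Constructed MDM-side state: this handset was jailbroken after its last poll.
JAILBROKEN = {"02:00:00:00:00:02"}

def fresh_assessment(dev: Device) -> bool:
    return dev.mac not in JAILBROKEN

def demo() -> dict:
    new_phone = Device("02:00:00:00:00:01", "android", has_mdm_agent=False)
    stale = Device("02:00:00:00:00:02", "ios", True, cached_compliant=True)
    out = {
        "unenrolled": admit(new_phone, fresh_assessment),
        "polling_only": admit(stale, fresh_assessment, on_access_check=False),
        "on_access": admit(stale, fresh_assessment),
    }
    JAILBROKEN.discard(stale.mac)            # user remediates, then recheck
    out["recheck"] = admit(stale, fresh_assessment)
    return out

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13} {decision.action:11} {decision.reason}")
```

The `polling_only` row is the gap the slides attribute to MDM alone: a device that was compliant at the last poll is admitted even though it has since been jailbroken.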


MDM, NAC Integration Example
Complementary Hybrid Cloud and On-Premise Implementation
- MDM side: Apple iOS MDM API, Android Agent, BlackBerry, Symbian, Windows, webOS; Management, Policy, Monitoring; Application and Data Catalog
- ForeScout CounterACT:
  - Unified visibility
  - Unified access policy
  - Unified reporting
  - Automated MDM enrollment
  - On-access assessment
  - Block malicious activity

About ForeScout
ForeScout is the leading global provider of automated security control solutions for Global 2000 enterprises and government organizations.
- Founded 2000, Cupertino, CA
- 115 employees worldwide, 200 partners worldwide
- Largest independent vendor of Network Access Control (NAC)
- Leader ranking by Gartner, Forrester and Frost & Sullivan
- Fastest growing; #2 market share, second to Cisco
- Innovative, proven worldwide
- Global deployments across multiple vertical industries
- Very large implementation (> 250,000 endpoints)

NAC Market Leadership
- Magic Quadrant for Network Access Control, December 8, 2011; Lawrence Orans and John Pescatore; Gartner, Inc.
- Forrester Wave: Network Access Control, Q2-2011; Forrester Research, Inc.

* This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

* Forrester Wave NAC Q2-2011: The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

Thank you. Questions? gil@forescout.com

Wrap Up
Questions or follow-up? cisbrecht@fiberlink.com, gil@forescout.com

Upcoming Webinars (Registration Link in Chat Window)
- Crushing 6 BYOD Risks: Policy Guidance from a Legal Expert. Thursday, June 21st @ 2:00 PM Eastern
- Getting Started with MaaS360. Tuesday, June 26th @ 2:00 PM Eastern

Past Webinars (http://links.maas360.com/webinars)
- The Cloud-Enabled Social Mobile Enterprise
- Android in the Enterprise: Piecing Together Fragmentation
- BYOD: Striking a Balance Employee Privacy and IT Governance

Plus lots of How-To content on our website
- The Ten Commandments of Bring Your Own Device: http://links.maas360.com/wp_tencommandments
- Mobile Device Management: Your Guide to the Essentials and Beyond: http://links.maas360.com/ebook_mdmessentials