© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
CIN Webinar Series
Part I: Cisco BYOD System Overview
May 23, 2012
Neil Anderson, Director, Cisco Systems Development Unit (SDU), Enterprise Infrastructure Systems
Maurice Robertson, Product Manager, Cisco Advanced Services
• Customer Challenges
• Solving the Problem: BYOD Smart Solution
• Proving the Solution: Cisco Validated Design (CVD)
• Getting Started: Services for BYOD Smart Solution
• References
What is 'Bring Your Own Device'?
• Bring Your Own Device enables end users to securely use devices they choose to increase their productivity and mobility.
• These can be devices purchased by the employer or the employee; ownership is no longer a critical policy factor.
"BYOD means any device, with any ownership, used anywhere"
Source: Cisco IT
• 15 billion new networked mobile devices by 2015
• 3/4 of employees use multiple devices for work
• 56% of information workers spend time working outside the office
• 100% of IT staff struggle to keep up with mobile needs
Consumer Devices on the Corporate Network: Security & Compliance Concerns
• Today: corporate and personal devices
• Tomorrow: personal devices expected to be the majority
• IT consumption and support models become self-support, IT assisted
• Guest networks become critical production networks
• Transform how every business provides IT to its employees, interacts with its customers, and provides IT services
Usage scenarios (slide illustrations):
• Trusted WiFi: Authenticate User, Fingerprint Device, Apply Corporate Config, Enterprise Apps, Automatic Policies
• Trusted WiFi, Access: FULL: Electronic Medical Records, Mobile TelePresence, Instant Messenger
• Untrusted WiFi, Access: Limited
• Trusted WiFi, Access: Limited: Filtered EMR, Internet, Patient visit tracking
• WiFi Hotspot, Access: Limited (My Policy): Internet access
• WiFi Hotspot, Access: Limited: Internet, Account History, Specials
• LIMITED ACCESS: Environment Requires Tight Controls; Corp Only Device. Examples: Manufacturing Environment, Trading Floor, Classified Government Networks
• BASIC: Traditional Enterprise; Focus on Basic Services, Easy Access; Broader Device Types but Internet Only. Examples: Educational Environments, Public Institutions, Simple Guest
• ENHANCED: Early BYOD Enterprise Adopters; Enable Differentiated Services, On-Boarding with Security—Onsite/Offsite; Multiple Device Types + Access Methods
• ADVANCED: Innovative Enterprises; Corp Native Applications, New Services, Full Control; Any Device, Any Ownership. Examples: Retail on Demand, Mobile Sales Services (Video, Collaboration, etc.)
Secure, Personalized, and Contextual Service Experience: Seamless - Fast - Reliable
• Who? Employee, Contractor, Guest
• Device? Managed, Un-managed, Corp Owned, Personal, VM Client
• Where? At home, On the road, At work
• How? Mobile 3G/4G, Wi-Fi, Wired
• When?
• What? Tools, Content, Data: Cloud/SaaS, DC/VDI, Websites, Web Apps, Services, Social, Storage
• Intelligent Network: Manage & Deploy, Dynamic Policy, Context, SIO, Context Aware Enforcement, Integrated, Overlay, Cloud, Comprehensive View
Enforcing Different Policies for Corporate and Personal Devices
Identity profiling flow (Unified Access Management; single SSID, 802.1x EAP; ISE identity profiling draws on DHCP, RADIUS, SNMP, NETFLOW, HTTP and DNS data; Wireless LAN Controller with VLAN 10 / VLAN 20):
1. User Authentication (HQ, 2:38pm)
2. Profiling to identify device: Personal asset or Company asset
3. Posture of the device
4. Policy Decision
5. Enforce policy in the network
6. Full or partial access granted: Corporate Resources or Internet Only
• Validated 'bring your own device' solution
• Turn-key solution from planning through implementation
• Modular building block approach
• Unified policy for secure access to data, applications and systems across the entire organization
• Uncompromised experience with leading collaboration tools and mission-critical wireless
• Simplified operations so IT organizations can focus on innovation
• Integrated roadmap to drive solution value and protect customer investment
Building Blocks: Core Infrastructure, Policy Management, Collaboration Apps, Workspace Management, Secure Mobility
One Network, One Policy, One Management
Identity and Policy Management
Integrated Device Profiling and Posture Assessment
• Profiling of wired and wireless devices, integrated and built into ISE policy
• Consistent Policy for Device Categories
System-wide Visibility with Cisco Prime NCS and ISE
• Troubleshooting and Monitoring, Consolidated Data
Guest Lifecycle Management
• Provide Guest Access in a seamless, secure manner
Simplified Role-Based Access
• Keep Existing Logical Design, Manage Security
• Group Access Policy:
  Group       Public   Private
  Employee    Permit   Permit
  Contractor  Permit   Deny
Consolidated Contextual Information
• Real-Time Awareness, Track Active Users and Devices: USER ID, ACCESS RIGHTS, DEVICE (and IP/MAC), LOCATION
Consolidated Services Software Packages
• ISE consolidates ACS, NAC Profiler, NAC Guest, NAC Manager, NAC Server
No other solution brings all the context together: Device Type, Location, User, Posture, Time, Access Method, Custom
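The six-step flow from the earlier slide and the Group Access Policy table above, as an added example that is not Cisco code and not the ISE policy language: a small policy-decision routine that turns the context attributes listed here into a network-level decision and then applies the Employee/Contractor Public/Private matrix as a second, group-based filter. The attribute names, the rule that a personal asset gets Internet-only access, and the sample endpoints are assumptions constructed for illustration; the redirect and restricted outcomes follow the ISE 1.2 integration goals listed later in the deck.

```python
"""Context-based access decision modelled on the ISE flow in this deck.
Added example, not Cisco code or the ISE policy language; attribute names,
the personal-asset rule and the sample endpoints are constructed."""
from dataclasses import dataclass

# Group Access Policy exactly as tabulated on the slide (Security Group Access).
SGA_MATRIX = {
    "Employee":   {"Public": "Permit", "Private": "Permit"},
    "Contractor": {"Public": "Permit", "Private": "Deny"},
}

@dataclass(frozen=True)
class Context:
    user_group: str          # result of 802.1x EAP user authentication
    registered: bool         # enrolled via self-registration portal / MDM
    company_asset: bool      # profiling result: company vs personal asset
    posture_compliant: bool  # posture / MDM compliance state
    access_method: str       # "wired", "wireless" or "vpn" (recorded, not a rule)

def network_access(ctx: Context) -> "tuple[str, str]":
    """Authenticate -> profile -> posture -> decide. Returns (level, reason);
    the level is what the network enforces (VLAN, redirect or restricted ACL)."""
    if not ctx.registered:               # ISE 1.2 goal: unregistered -> MDM page
        return "Redirect: MDM registration", "device not registered"
    if not ctx.posture_compliant:        # non-compliant -> restricted access
        return "Restricted", "posture non-compliant"
    if ctx.user_group == "Guest":
        return "Internet Only", "guest user"
    if not ctx.company_asset:            # assumption: personal asset = partial access
        return "Internet Only", "personal asset"
    return "Corporate Resources", f"{ctx.user_group} on company asset"

def sga_permits(group: str, resource: str) -> bool:
    """Group-tag enforcement independent of IP address; unknown group = Deny."""
    return SGA_MATRIX.get(group, {}).get(resource, "Deny") == "Permit"

def authorize(ctx: Context, resource: str) -> bool:
    """End-to-end check; resource is 'Internet', 'Public' or 'Private'."""
    level, _ = network_access(ctx)
    if level == "Corporate Resources":
        return resource == "Internet" or sga_permits(ctx.user_group, resource)
    if level == "Internet Only":
        return resource == "Internet"
    return False                          # redirect / restricted: nothing reached

# Constructed sample endpoints, one per scenario the deck describes.
SAMPLES = {
    "employee_corp_laptop": Context("Employee", True, True, True, "wired"),
    "employee_ipad":        Context("Employee", True, False, True, "wireless"),
    "contractor_laptop":    Context("Contractor", True, True, True, "vpn"),
    "guest_phone":          Context("Guest", True, False, True, "wireless"),
    "unregistered_phone":   Context("Employee", False, False, True, "wireless"),
    "jailbroken_phone":     Context("Employee", True, False, False, "wireless"),
}
```

The reason string is what a troubleshooting view would surface next to the enforced level, so an operator can see why a contractor on a company asset reaches Public but not Private resources.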
Unified Policy
BEFORE: Separated Policy Management
AFTER: Context-Based Policy for Employees and Guests Across Network (Wired | VPN | Wireless; Simple | Unified | Automated; Who? What? When? Where? How?)
Evolving Roles of ISE and MDMs
MDM: Enterprise App Distribution & Mgmt; Inventory/Cost Management; Data Backup; Policy Compliance (Jailbreak, PIN Lock, etc.); Data Loss Prevention (Container, encryption, wipe); Enterprise App Policy
Shared (ISE and MDM): Classification/Profiling; Enrollment & Registration
ISE: Secure Network Access (Wireless, Wired, VPN); Context-Aware Access Control (Role, Location, etc.); Cert + Supplicant Provisioning; Network Policy Enforcement
ISE roadmap:
• ISE 1.0 & 1.1 - Native ISE functionality: Profiling, Authentication, Policy Enforcement, etc.
• ISE 1.1MnR (Jun '12) - Native ISE functionality: Enrollment/Registration, Self-Enroll Portal, Certificate Enrollment, Blacklisting
• ISE 1.2 (Fall '12) - ISE – MDM API: Additional device data, Policy compliance, Data wipe, Local/Internationalization
ISE Self Registration Portal (screenshot)
ISE 1.2 & MDM Integration: High Level Goals of Integration
• On-prem MDM Device Registration
  o Non-registered clients redirected to MDM registration page
• Restricted Access
  o Non-compliant clients will be given restricted access based on MDM posture state
• Augment Endpoint Data
  o Update data from endpoint which cannot be gathered by profiling
• Ability to Initiate Device Action from ISE
  o Device stolen -> need to wipe data on client
Cisco Mobility Technology for High Performance Wireless Network (Core Network)
• CleanAir - Improved Performance: proactive and automatic interference mitigation
• ClientLink 2.0 - Improved Performance: proactive and automatic beam forming for 802.11n and legacy clients
• VideoStream - Improved Performance: wired multicast over a wireless network
• AP 3600 - Access Point Innovation: the Tablet AP, enhanced throughput and coverage for advanced applications for tablets and smart devices
Exceptional Control Through the Network: Security Group Access (SGA)
• Source Group Access: unrestricted for group users independent of IP address and location
• Packets are "tagged" based on user role and context
• Scalable enforcement independent of network topology
• The Solution: scalable and simplified management with a single policy per group
Deployment Scenario with Security Group Access (SGA): Partners, Employees and Guest Internet on a Unified Infrastructure, with Employee, Partner and Guest groups
Unified Management: Find and Solve Problems Quickly (Wireless, Wired, Policy)
BEFORE: Many Windows, Fragmented View
• Siloed: inefficient operational model
• Repetitive: manual correlation of data
• Error Prone: consumes time and resources
AFTER: Comprehensive User and Access Visibility
• Simple: find and solve user problems fast
• Unified: view of all devices by user, across networks
• Lower Opex: more efficient use of IT resources
Secure Mobility: Security and Remote Access
BEFORE: Unsecured Data
• Difficult to use
• Inconsistent access
• Risk of malware and misuse
AFTER: Simple Access, Seamless Security
• Automatic VPN connection
• Identity-based access control
• Data loss protection and acceptable use policy
ASA, AnyConnect, WSA, ScanSafe for Remote Access and Web Security
• Experience: connectivity that is intelligent, simple, and always on
• Security: highly secure mobility across the rapidly increasing number of managed and unmanaged mobile devices
• Enforcement: security policy enforcement that is context-aware, comprehensive, and preemptive
Diagram components: Cisco Web Security Appliance with information sharing between ASA and WSA; Corporate AD; users outside the network connecting through the ASA; Cisco Cloud and Web Security (ScanSafe); destinations such as Social Networking, Enterprise SaaS and News
Collaboration: Best User Experience Across Broadest Range of Platforms (Win, Mac, iPad, Cius, Smartphone, Web)
• Unified Access: wireless and wired policy and management; identity-based access control
• Security/Policy: data loss and threat prevention; context aware access to data
• Management: single system for wired / wireless / VPN; provisioning and Mobile Device Management
• Experience: uncompromised video, voice in any deployment mode; consistent, portable across platforms
• Applications: native or virtual application delivery; collaborative and corporate applications
Centralized Systems Development within Engineering/CDO
• SP and Enterprise
• Across 5 Cisco Priorities
• Major Cisco Investment: Labs in RTP, SJC, BXB; 200+ staff; $100M+ lab investment
• Systems under development include: UA/BYOD, SCC, Cloud/VMDC, DCI, HCS, MPC, Cloud Orch, S+CC, Telepresence
• Industry Unique Asset
* Note: ScanSafe validated in a future phase
• Full customer representative network
• Wired, Wireless, Remote, Mobile access
• Campus, Branch*, Home Office*, Mobile
• 4,000 wired and 4,000 wireless clients
• Scale and Performance End-to-End
* Note: Limited Branch and Home Office testing
• Cisco ISE 1.1MnR for certificate enrollment and provisioning
• Cisco AnyConnect for workstations
• Wired, Wireless and Remote devices
• Android, iOS, Windows, Mac
• Devices are identified by Profiling, and by maintaining a whitelist
• All devices are authenticated by digital certificates
• Users and devices are authenticated
• Lost or Stolen Devices
• Guest Access
• Cisco NCS Prime for management
• Scalability, Load Balancing
Expected release – June 2012
• How do I take advantage of the BYOD trend and translate it into a business case my company can support?
• How do I assess the readiness of my organization to work from anywhere, on any device?
• What impacts of moving to a Unified Workspace model do I need to consider?
• How do I protect my company's assets and intellectual property in this environment?
• How do I manage my costs?
Delivered by Cisco and Partners
• Architecture Assessment: Evaluate application, security, mobility, desktop virtualization and network infrastructures to identify gaps and support architecture design
• Architecture Strategy Workshop – Start here! Identify objectives, business requirements, and share use cases to guide the IT strategy for an end-to-end solution
• Architecture Design: Develop a detailed design, pilot and implementation plan that addresses end-to-end solution requirements to mitigate risk and facilitate smooth deployment
• Optimization: Improve visibility and insight into the state of the architecture and provide device, application and infrastructure management to continue delivering a superior end-user experience and manage TCO
• Technical Support: Operate, maintain and support your architecture efficiently with smart services capabilities including network discovery, event correlation, and prioritization
Enable the "Work, Your Way" experience to support BYOD
Architecture Strategy Workshop
• Capture and review business requirements and IT strategy at a high level
• Explore improvement opportunities, use cases and business impact potential
• Create the conceptual network architecture to enable use cases
• Two day collaborative session with IT and business leaders
Workshop activities: Understand Business Challenges and Priorities; Brainstorm Improvement Opportunities; Create Business and Technical Use Cases; Prioritize Potential Use Cases; Share Strategy and Architecture Framework; Conceptual Reference Architecture
Outputs: "WYW" Architecture Strategy and Recommendations; Services, Products identification; High level next steps
Plan, Build, Manage (Cisco or Partner-Led): Architecture Strategy Workshop (start here); Architecture Assessment; Architecture Design; Design and Validated Solution (Partner- and Cisco-Led); Optimization and Technical Support
Realize the Full Business Value of Your Technology Investments
• Offer a Superior Experience: deliver a consistent, portable experience and support emerging work styles with BYOD Smart Solutions
• Accelerate Business Agility: speed the roll-out of your BYOD Smart Solution and ensure scalable support for the large number of mobile devices and applications
• Holistic Approach: design and build a scalable, comprehensive, and secure BYOD Smart Solution
BYOD Smart Solution www.cisco.com/go/byod
DesignZone www.cisco.com/go/designzone
www.cisco.com/go/byoddesign
Learn the design details, best practices, and validation test results provided in the BYOD Cisco Validated Design (CVD).
June 20, 2012
Register Now: http://www.cisco.com/go/semreg/tdw160/217743_1
Thank you.