airheads main conference slideshare v1.0

© 2013 Beyond Mobile Ltd June 5, 2013

Upload: jason-boud

Post on 27-Jan-2015

TRANSCRIPT

Page 1: Airheads main conference slideshare v1.0

© 2013 Beyond Mobile Ltd June 5, 2013

Page 2: INTRODUCTION

An IT infrastructure specialist with over 20 years in the financial services sector: 11 years with Credit Suisse and 6 with Chase (JP Morgan). Financial services is a tough environment, and the speaker departed a role as Director in IT for Credit Suisse to start Beyond Mobile. Beyond Mobile offers strategy, product and sales advice to technology companies in the early stage of their business plans.

Page 3: WHAT IS AN ENTERPRISE

Page 4: ALL THE SAME RIGHT!

Page 5: COMPARISON STAR TREK ENTERPRISE

                Declaration                 NX                                  Sovereign
Ship            USS Enterprise (XCV 330)    NX01                                NCC-1701-E
Date            circa 2130s                 April 16, 2151                      October 30, 2372
Mass            52,000 metric tonnes        998,000 metric tonnes               3,250,000 metric tonnes
Length          300 metres                  225 metres                          685.7 metres
Speed           < Warp 2                    Warp 5.2                            Warp 9.995
Weapons         None                        Phase cannons, Photonic torpedoes   Phasers, Arrays

Page 6: COMPARISON OF AN ENTERPRISE

Enterprise 1 (Financial)    Case Study (Financial)    Enterprise 3 (consulting)
120,000                     65,000                    20,000
143,000                     80,000                    2,000
28,000                      15,000                    20,000
170,000                     120,000                   2,500
Yes                         Yes                       No
“dirty network”             “clean network”           “clean network”

Page 7: EVIL INTERNET & WIRELESS

• Wi-Fi BANNED
• Custom laptops with Wi-Fi cards removed
• Ethernet ports and drivers locked down
• Remote access restricted to dial up
• Almost impossible to be productive unless in the office

Page 8: EVOLUTION NOT REVOLUTION

Page 9: NETWORK PERIMETER SECURITY

2007

Page 10: NETWORK PERIMETER SECURITY

Page 11: NETWORK STRATEGY

DEPERIMETERISATION

Page 12: 2007 – 1ST GEN WI-FI

• CISO concedes some Wi-Fi allowed
• “Managed” endpoints only
• Guest internet access allowed
• No employee personal devices allowed
• User experience not considered
• Wi-Fi design poor
• Global inconsistency

Page 13: 2007 – 1ST GEN WI-FI

[Architecture diagram. Components labelled: Internet; un-provisioned device and provisioned device (BYOD); Cisco Access Point; Cisco Intranet Controller; Cisco DMZ anchor Controller; DMZ Bluecoat Proxy; LAN DMZ firewall and EXT DMZ firewall; APAC and EMEA CPPM AAA servers (publisher/subscriber); Amigopod appliance for remote cloud provisioning of BYOD and guest self-registration. Links labelled: EoIP, Radius Auth, HTTPS, BYOD user traffic, guest traffic.]

Page 14: 2009 CHALLENGERS

• “Why can’t I use the corporate Wi-Fi to sync my work email?”
• “Cellular coverage is so bad in my building and it’s crazy employees can’t use the corporate Wi-Fi on their personal devices”
• Crumbling of IT walled gardens

Page 15: 2011 THE GAME CHANGED

• Real estate smart strategies
• Wi-Fi shifted to a core “enabling” technology and business enabler
• BYOD strategy was built, demanding better services
• CIO – “build it quick, but I wouldn’t start from there if I was you”
• Poor coverage, low contention, IT vs. Business

Page 16: THE BEGINNING OR THE END?

• Requirements
• Stakeholder Management
• Buy as a Service vs Build
• Technical Design
• Build
• Lessons learnt

Page 17: REQUIREMENTS

Three user profiles: Guest, Standard Employee, Complex Employee

Page 18: REQUIREMENTS

Guest       Standard Employee    Complex Employee
Medium      Medium               High
Low         Med                  High / Regulated
Personal    Mixed                Corporate
Yes         Yes                  Yes & Corporate
None        MAM                  MDM & MAM
No          Yes                  Yes

Page 19: STAKEHOLDER MANAGEMENT

Info Sec, HR/Legal
• Clean vs. dirty wireless = same
• On campus = enterprise policed
• Keep out of trouble with the regulator
• Employee traffic content filtered

Page 20: STAKEHOLDER MANAGEMENT

• Apply IT policy
• Same quality as LAN
• Wi-Fi as a commodity
• Protect data vs. network
• BYOD: don’t compromise usability for security
• Container(s) vs. MAM

Page 21: BUY VS BUILD

• Corporate IT in Financial Services has an identity crisis
• Case Study = Buy as a service > Build
• Market not mature
• Result was a Build & Buy project
• One name stood out in access control and provisioning = Aruba

Page 22: BUY VS BUILD

Page 23: TECHNICAL DESIGN

• Data with some voice; a small but growing amount of desktop video conferencing
• Cloud based guest provisioning solution
• Segregation IT policies mean no direct connection to Active Directory
• Guest registration – sponsor approved
• Employee device enrolment process to be lightweight (email address)
• Employee content filtered on BYOD devices*
• Improve scale of deployment
• Single, global wireless solution for employees

Page 24: REQUIREMENTS

                Wi-Fi 1st Gen     Wi-Fi 2nd Gen                                                    Wi-Fi FUTURE
Standard        802.11a/b/g       802.11n to ac                                                    802.11ac
Traffic         Data              Data / Voice                                                     Data / Voice / Video
Registration    Manual            Online registration & sponsor approval                           Federated B2B
Sourcing        Build             Build & Buy                                                      Buy
Service level   None              Non-critical service, severity 4 SLA                             Critical service, LAN replacement
Platform        Cisco BBSM 4.x    Clearpass CPPM 6.x (Aruba end to end partially supported)        Aruba end to end

Page 25: TECHNICAL DESIGN

[Architecture diagram. Components labelled: Internet; un-provisioned device and provisioned device (BYOD); Cisco Access Point; Cisco Intranet Controller; Cisco DMZ anchor Controller; DMZ Bluecoat Proxy; LAN DMZ firewall and EXT DMZ firewall; APAC and EMEA CPPM AAA servers (publisher/subscriber); Amigopod appliance for remote cloud provisioning of BYOD and guest self-registration. Links labelled: EoIP, Radius Auth, HTTPS, BYOD user traffic, guest traffic.]

Page 26: LESSONS LEARNT

• Don’t underestimate the amount of testing required
• BYOD footprint for testing can be never ending
• Amount & complexity of devices leads to issues with tools for troubleshooting
• Process engineering important
• Support specialists too thin on the ground – mobility support is a specialist skillset
• Web content filtering != control

Page 27: LESSONS LEARNT

Certain CONTENT FILTER RULES did not make sense for employee BYOD; we had to lobby for changes:

Chat/Instant Messaging – whole category originally blocked.
• Allow clients that connect to corporate IM platforms, as these would be monitored.
• Block all other IM platforms, but allow messaging for services tied to SMS (e.g. iMessage).

VOIP clients & Online Storage – whole category originally blocked.
• Allow all – these were personal devices and corporate data was “contained”.
• Provides a better experience around apps that sync to Dropbox etc.

Remote Access Tools – whole category originally blocked.
• Allow – only personal devices can connect to this Wi-Fi, so there is no company data at risk of loss.

Software Downloads
• Allow – provides a better user experience, as this allows App Store downloads to personal devices to work on campus.

Page 28: LESSONS LEARNT

[Process diagram, numbered steps 1–10. Components labelled: Credit Suisse Employee, CS BYOD Device, CS Desktop, Access Point, BYOD SSID, Guest & Provisioning SSID, Intranet Controller, DMZ Controller, Aruba Clearpass, Cloud Service, Bluecoat DMZ Proxy, Internet.]

Processes are important. Help stakeholders understand them by walking them through various scenarios:
- Guest registration
- Employee registration
- Employee day to day use
- Support
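The guest registration and employee registration scenarios listed above (sponsor-approved guest accounts, lightweight employee enrolment keyed on an email address with no Active Directory bind, and a content-filtered role for personal devices), modelled in Python as an added example; this is not Beyond Mobile's, Credit Suisse's or Aruba ClearPass code, and the example.com domain, the 24-hour guest lifetime and the role names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

CORP_SUFFIX = "@example.com"           # assumed corporate mail domain
GUEST_LIFETIME = timedelta(hours=24)   # assumed guest account validity

@dataclass
class Account:
    email: str
    kind: str                # "guest" or "employee-byod"
    approved: bool = False
    sponsor: str = None
    expires: datetime = None

class Portal:
    """Guest accounts gated on sponsor approval; employee BYOD enrolment keyed
    on the corporate email address only (no Active Directory bind)."""
    def __init__(self):
        self.accounts = {}
    def register_guest(self, email, sponsor):
        if not sponsor.lower().endswith(CORP_SUFFIX):   # employees sponsor
            raise ValueError("sponsor must be a corporate employee")
        self.accounts[email] = Account(email, "guest", sponsor=sponsor)
    def sponsor_approve(self, sponsor, email, now):
        acct = self.accounts[email]
        if acct.sponsor != sponsor:         # only the named sponsor approves
            raise PermissionError("not the registered sponsor")
        acct.approved, acct.expires = True, now + GUEST_LIFETIME
    def enrol_employee(self, email):
        if not email.lower().endswith(CORP_SUFFIX):     # domain check only
            raise ValueError("not a corporate address")
        self.accounts[email] = Account(email, "employee-byod", approved=True)
    def network_role(self, email, now):
        """Role the AAA server would assign, or None for no network access."""
        acct = self.accounts.get(email)
        if acct is None or not acct.approved:
            return None
        if acct.kind == "guest":
            return "guest-internet" if now < acct.expires else None
        return "byod-filtered"              # personal device: content filtered

def demo():
    # Walk the guest and employee scenarios with constructed addresses.
    now, p = datetime(2013, 6, 5, 9, 0), Portal()
    p.register_guest("visitor@partner.test", "host@example.com")
    before = p.network_role("visitor@partner.test", now)   # not yet approved
    p.sponsor_approve("host@example.com", "visitor@partner.test", now)
    during = p.network_role("visitor@partner.test", now + timedelta(hours=2))
    after = p.network_role("visitor@partner.test", now + timedelta(hours=25))
    p.enrol_employee("alice@example.com")
    return before, during, after, p.network_role("alice@example.com", now)
```

demo() returns (None, "guest-internet", None, "byod-filtered"): no access before approval, guest internet during the approved window, nothing after expiry, and a filtered BYOD role for the enrolled employee.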

Page 29: YOUR PATH TO BYOD IN FINANCIALS

Objectives
• Have clear business objectives.
• Senior stakeholder briefings.
• Mature requirements & early engagement necessary with IT suppliers.
• What are your security policy objectives?

Design
• Think about process & support design as well as the technology.
• Translate the risk posture to security controls.
• Don’t compromise usability for security (impact of security discussions).

Execution
• Select technology platforms and suppliers.
• Build in compliance from the beginning.
• Test, test and test some more.

And finally … celebrate a success!
