clearpass access management solution sales guide … · access from mobile devices (smartphones,...

CLEARPASS ACCESS MANAGEMENT SoLuTioN SALES GuidE

ClearPass Access Management Solution Sales Guide – Confidential – Aruba Networks and Partners only

A fully integrated and complete solution for access security policy management, enabling organizations to centrally enforce and refine policy to meet the requirements of the business.

Confidential – Internal and partner use only

Contents Page

OPPOrtunity Overview Why sell ClearPass Access Management? 1

SOlutiOn Overview Solution description 2

Using ClearPass to benefit the business 3

the MARKET target markets 4

Market needs 5

the SOlutiOn how ClearPass meets customer needs 6

The competitive landscape 8

How to beat the competition 9

Success stories 10

The financial business case 12

the SAleS PrOCeSS Qualification 13

Dealing with objections 14

Typical deals 15

Sales tactics 15

A typical sales cycle 16

Contacts and resources 17

CLEARPASS ACCESS MANAGEMENT SoLuTioN SALES GuidE

the OPPOrtunity in BrieFClearPass Access Management Solution:• Provides a centralized point of policy management• Allows mobile devices to be used easily and securely within an organization• Creates an attractive working environment for employees and contractors• Helpsorganizationsenhancetheuserexperienceandinteractmoreeffectivelywithguests• Enables customers to contain the costs of managing network access

1

Why it is worth your customers’ time Many customers want to open up their networks to access from mobile devices (smartphones, laptops, tablets etc.), owned by the organization or by the end user. They are responding to a growing expectation by employees and visitors that they should be able to use mobile devices for work and for interacting with the organization.

#GenMobile, people that have a preference for all things mobile, are an increasing proportion of the workforce. Organizations need to attract this talent pool to remain competitive.

ClearPass offers organizations the opportunity to centrally develop, automate, enforce and audit an access security policy that will enable them to meet business requirements and comply with regulations and legislation, while enhancing the user experience.

What are ClearPass’ key advantages?ClearPass is the only access management solution that:

• Works efficiently and cost-effectively across multi-vendor wired and wireless networks

• Is highly scalable, managing access security in very large deployments, across multiple sites, and handling high density authentication requests

• Delivers policy management, policy enforcement, guest functionality, device profiling and onboarding from a single platform

• Has workflow and interoperability to provide automation and self-service which improves user experience and reduces IT costs

• Enables contextual policy management to a location, device and user level

Why SELL CLEARPASS ACCESS MANAGEMENT?

value of a typical sale

Small deal: $15-35k (to gain entry into a new account)Medium deal: $50-75kLarge deal: $100k+Very large deal: $250k up to $1M+

time to close

For a small deal, can be as short as 8-10 weeksMore typical (e.g. where budget is needed): 3-12 months

Other benefits

• Consultancy business: Professional Services can be up to 20% of the deal• Support revenues: generate 12-15% in annual spend • Enables you to talk wider within your customer’s organization (e.g. to the CMO’s team)• Unlock a single vendor stronghold; create opportunity to talk about other (Aruba WLAN) solutions• ClearPass upsell: sell additional capacity and module licences as users and devices increase• As a partner, you can cross-sell other Aruba products, and other vendors’ products and applications (via

integration), such as MDM, Security Information and Event Management (SIEM), Palo Alto firewall

Why this opportunity is worth your time


oPPoRTuNiTy oVERViEW


Confidential – Internal and partner use only2

SoLuTioN oVERViEW

ClearPass Access Management SolutionClearPass enables customers to control access to wired, wireless and remote (VPN) networks. The solution provides capability for an organization to:

• Develop, automate, enforce and audit access security policy

• Manage and refine policy from a centralized location

With ClearPass the customer has a single point of policy implementation at a device and individual level which better protects the network against threats, and the organization’s information assets against improper use. For example, accessing accounts data from a laptop at HQ can be allowed, but not via a wired port in a branch office, unless it is by the CFO.

ClearPass Policy Manager The core of the solution is an enterprise RADIUS/TACACS+ hardware appliance or virtual machine (VM) server with advanced policy control. It includes:

• Profiler – identifies and classifies devices on the network

• Insight – reporting, analytics, alerts, compliance verification

• ClearPass Exchange – RESTful based APIs for integration with other systems, including but not limited to third-party MDM, firewalls and SIEM

• AirGroup Registration portal – makes plug-and-play network services for media management (e.g. Apple AirPrint/AirPlay, DLNA, UPnP) controllable and secure within an enterprise network

Advanced featuresAdditional features, enabled through purchase of perpetual or subscription licences, are delivered in three modules:

• ClearPass Guest – providing secure wired and wireless access for guests and contractors, with self-registration, social login and linkage to credit card billing, plus an optional advertising module

• ClearPass Onboard – automates device configuration and enables customizable self-provisioning of target devices with unique credentials for secure access

• ClearPass OnGuard – assesses the health of connecting devices, and provides automatic remediation workflows and device compliance reporting

Aruba and partner services• Customization – Aruba Professional Services deliver

support for customizing the look and feel of guest and employee portals

• Design and deployment – delivered by Aruba or specialist partners

• Support – delivered via the partner or direct to Aruba

• Security policy development

• End user training

SoLuTioN dESCRiPTioN

Confidential – Internal and partner use only 3

CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > SOLUTION OVERVIEW

• Build/Improve AccessSecurity Policy

• Easily enrol guests and onboard devices – relieve IT burden

• Apply policy• Control access• Check device health

• Re-profile• Check compliance• Analyse usage

• Simulate policy change

• Enhance user experience

6 MANAGE AND REFINE

2 DEVELOP

3 AUTOMATE

REFIN

E POLICY

4 ENFORCE

What network access policy do we

need for the business?

5 AUDIT

Do we need to modify the

policy?

• Profile users and device types

1

uSiNG CLEARPASS To bENEfiT ThE buSiNESS

MAin CUSTOMER bEnEfiTS• visibility: the ClearPass platform provides centralized visibility of and control over access to all iT

networks, ensuring that security policy is applied consistently across the whole organization• Security: enforcement, auditing and reporting features enable customers to comply with relevant

regulations and legislation, demonstrate compliance, and mitigate the risk of a breach of access security• Workflow: users are able to connect securely and easily from tablets, smartphones etc., delivering an

improved mobility experience across both corporate-owned and user-owned devices (e.g. byod)• Mobility:employeesgiventheflexibilitytoworkfromtheirpreferredlocationsanddevicesaremore

productive• Cost: the reduced number of appliances required, automated enrolment and device onboarding, and a reductioninIThelpticketsthroughworkflowenabledself-servicemaketheClearPasssolutionefficientandcost-effective

ClearPass enables the business requirements for resource access and security policy to be implemented directly using a complete end-to-end process


Which of my customers shall i target?A ‘YES’ answer to some of the following questions mean they are a good prospect.

yeS nO1 Has the prospect or another organization in the same industry sector recently suffered a security breach?

2 Is a large proportion of the prospect’s workforce using mobile devices?

3 Do they hire contractors, or work collaboratively with partners/agencies?

4 Do they have frequent and large numbers of guests?

5 Do they have distributed offices?

6 Are they moving into a new building, or consolidating sites?

7 Have they recently been or are they about to be involved in a merger or acquisition?

8 Are they a public sector organization that is being encouraged by government to share resources?

9Are they in an industry where new regulations or legislation have recently been or are about to be introduced, which relate to information security or operational risk?

10 Do they have a heterogeneous (multi-vendor) network?

TARGET MARkETS

Why customers need ClearPassAcross all verticals and sizes of organization, there is a growing requirement to allow access to corporate networks from mobile devices. These devices may be corporate-owned, or owned by the end user (e.g. BYOD, or for guest access).

Until recently, the Network Access Control (NAC) function has largely been targeted at enforcing access security policies for Windows PCs. Now control is being extended to mobile devices running a variety of operating systems, across wired and wireless networks, and for remote access via VPNs.

ClearPass meets this extended NAC requirement, but can also do a lot more for the customer’s business. So, although many opportunities might arise from a need for improved network access control, it is important to explain to your customer what else can be achieved with ClearPass, because it is this complete capability that sets ClearPass apart.

WHy THE MARKET iS ATTRACTivE nOw• There has been rapid and widespread

growth in types and models of mobile devices,whichpeoplefindconvenientandwant to use

• The availability of apps and services (including cloud) has made mobile devices indispensable, so owners expect to be able to use them for work and for interacting with organizations, from any location

• The ‘consumerization of iT’ is now a reality: giving employees a choice about how theyworkhasbecomeessentialforstaffrecruitment and retention

• Competitive pressures continue to drive organizations to look for ways to enhance customer experience while containing costs

• iT departments are being outpaced by user demand: they need tools that accelerate the onboarding of new devices and reduce workload through self-service, while enforcing security and providing visibility

ThE MARkET


General market needsvisibility and control: customers in all verticals want visibility of how their network is being accessed – from where, by whom and using what device. They need to be sure that only authorized users are allowed access, and that unsecure or compromised devices are either denied access or removed from the network.

Compliance: organizations must comply with mandatory security requirements, regulations and legislation, and protect networks against data loss and cyber-attacks.

Productivity: many organizations are looking to improve employee productivity by providing staff with secure access from any device, so that users have a wider range of options to get work done.

user engagement: this is of growing importance, especially in Finance (retail banking), Retail and Hospitality. Being able to deliver targeted information to users based on context (user profile, location etc.) is a major driver for fostering customer loyalty.

Cost containment: reduce the burden on already overstretched IT resources and avoid/lower the costs of owning and replacing devices.

Mobility: many organizations are frustrated by the difficulties of using mobile devices for business and enforcing an appropriate access security policy. They wish to improve the mobility experience for their customers, staff, contractors and partners.

business drivers in selected verticalshealthcare• Enable patient and hospital visitor guest access

• Allow doctors, nurses and admin staff to self-configure their own devices

• Enable clinicians to securely access patient data, regardless of location

• Securely transfer patient data based on user privileges and/or device profile

finance• Use mobile devices for enhanced customer

interaction (e.g. electronic signatures)

• Implement sponsored visitor guest access for regulators, auditors, consultants

• Phase out corporate-owned devices by allowing staff to purchase and use their own replacements

• Deploy improved access security to comply with the latest industry regulations (Basel III)

Retail and hospitality• Attract customers by offering guest Wi-Fi

• Engage with customers (including advertising and loyalty marketing) using contextual information

• Improve customers’ experience with Wi-Fi that remembers them on their next visit

• Enforce PCI requirements with secure access

Education• Enable students to use personal devices for

interactive learning

• Allow non-IT specialists to securely grant guest access to students, parents and authorized visitors

• In schools, save money by allowing pupils to purchase and use their own devices

MARkET NEEdS

CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE MARKET

Source: Aruba view, based on reports from Frost & Sullivan and Gartner

ClearPass worldwide addressable market size

1200

1000

800

600

400

200

02014 2015 2016 2017 2018

$M

MARKET TREnDSAnalysts like frost & Sullivan and Gartner are forecasting that organizations worldwide will spend a growing amount on network accessmanagementsolutionsoverthefiveyears to 2018. from a worldwide market worth $uS 350 million in 2014, the forecast is for demand to steadily increase at a rate of almost 31% per year to break $1 billion by 2018. This is a major opportunity for partners to work with Aruba to establish ClearPass as a primary source of revenue generation.


What are the business needs of key people in your customer’s organization? Here’s how ClearPass addresses each need.

CiO: ACCESS MAnAgEMEnT nEEDS

need How the business need is addressed

Provide a good service− executives wanting to use own

devices− employees using multiple

devices− employees bringing their own

devices (i.e. BYOD)− simple guest access

• ClearPass OnGuard protects against unsecure and compromised devices, enabling organizations to allow use of employee-owned devices without putting the business at undue risk

• ClearPass Onboard enables employees and contractors to easily and securely onboard their newly-supplied or own devices – by provisioning 802.1X settings and issuing certificates

• Onboard provides the ability to customize the portal and workflow for each user group and device

• ClearPass Guest provides customizable portals, plus support for guest sponsors and IT-controlled guest privileges, to make self-registration by guests straightforward

Reduce the risk of a security breach− guard against malicious attacks− maintain the trust of customers

and partners

• With ClearPass, network access security policy can be defined centrally, then implemented consistently across all wired and wireless network access points, minimizing the risk of leaving a vulnerability that can be exploited

• User authentication, context and role-based profiling guard against unauthorized users gaining access to sensitive areas of the network and data

CFO: FinAnCiAl needS


Contain the costs of network access security management− implementation− network equipment upgrades− hardware− licence fees− administration costs− multiple device support− dealing with visitors

• Automated device configuration and provisioning reduce the cost of access security, especially when introducing 802.1X into a wired network or moving to a new site

• A single ClearPass Policy Manager appliance can handle up to 25,000 unique endpoints across multiple networks, so even with a redundant architecture the amount of server hardware required is relatively small

• Optional advanced feature modules mean customers pay only for the functionality they actually need

• ClearPass Exchange ensures functionality of other investments is exploited to increase security, reduce support costs, and improve customer experience

• IT staff no longer need be involved in onboarding new devices, or registering and assisting contractors and guests, significantly reducing ongoing administration costs

• Users can use their own devices, reducing the cost of provision and replacement

Predictability of costs over lifetime of solution− scalability and linear growth− availability of perpetual licences− licensing flexibility

• ClearPass provides a single integrated system that can adapt as the organization grows and changes; it can scale to very large deployments and provide centralized control for new sites, without the need to rip and replace hardware or software

• Aruba operates a licence overrun scheme to lessen the cost impact when usage grows, and to allow organizations to meet short-term higher demand for access (e.g. during special events or unexpected peaks in user activity)

• Organizations have the option of a perpetual or subscription licensing format, whichever better suits their business model

• Enterprise licences can be shared across the Guest, Onboard and OnGuard modules

hoW CLEARPASS MEETS CuSToMER NEEdS

ThE SoLuTioN


CSO: SeCurity needS


Secure network access− user identification− role-based profiling− certificate of authority− accreditation

• ClearPass provides granular access security management which enables contextual access control to a location, device and user level

• ClearPass Policy Manager (CPPM) supports advanced user and device authentication based on 802.1X, non-802.1X and web portal access methods

• Guest access workflow can require confirmation by a trusted sponsor• Embedded Certificate Authority (CA) support allows ClearPass to interwork with

existing Public Key Infrastructure (PKI) or act as its own CA• CPPM is accredited as compliant to FIPS 140-2 for cryptographic modules

Protection against malware− device health checks− remediation− post-access removal

• ClearPass OnGuard performs advanced endpoint posture assessments before devices connect

• Automatic remediation workflows can be applied to non-compliant devices• Certificates and profiles can be issued to devices to allow for easy removal from

the network if required (e.g. if devices are compromised, lost or stolen)

Compliance to regulations and relevant legislation− appropriate level of security− reports and audit trails

• ClearPass provides the ability to develop, automate and enforce an access security policy that meets the organization’s business requirements, then refine that policy as new regulations come into force or business needs change

• Audit and reporting allow customers to check and demonstrate compliance

CMO: USER EngAgEMEnT nEEDS


Improve the mobility experience of users− attract and retain staff− allow network access from and

manage mobile devices− wide choice of devices− simple registration

• ClearPass allows customers to modernize their infrastructure to cater for and attract the #GenMobile employee

• ClearPass works with a wide range of mobile platforms, including iOS, Android, Windows Mobile, Windows Phone 8, Mac and Symbian OS

• ClearPass Exchange makes it easy to integrate with third-party solutions such as MDM, so organizations can manage mobile and other devices

• Self-registration speeds network access, while MAC caching makes sign-on straightforward for returning users

• Single sign-on to the network and applications makes mobile working quicker and easier

Enhance the experience of guest users− customized portals− social login− text messaging− relevant communication

• Portals can be customized with a wide range of options, including localized language support and location-specific information

• If desired, guests can use social networking identities to gain access, and receive login instructions and other information via SMS

• Using the optional advertising module, context-based messages can be sent to the user (e.g. special offers in stores)

iT/nETWORK DiRECTOR: infRASTRUCTURE nEEDS


Simple implementation− minimal new hardware− no change to existing infrastructure− automated assistance to reduce IT

effort involved

• ClearPass requires fewer physical appliances than other solutions, and can be run as a virtual machine on existing hardware

• There is no need to change out or upgrade existing network infrastructure• Automatic device profiling and self-registration relieve the IT burden of

onboarding• Detailed diagnostic information assists network administrators (e.g. in

troubleshooting failed 802.1X authentications)

System performance− reliability− scalability− effect on the network

• ClearPass solutions have proven reliability in ‘live’ customer networks• Solutions scale easily to manage up to a million endpoints from a single cluster,

and can handle a high density of authentication requests• Unlike other offerings, CPPM does not operate ‘in line’, and so has minimal

effect on network performance and no consequent scaling issues

CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SOLUTION

Jan Brown

Cross-Out


ThE CoMPETiTiVE LANdSCAPE


How does the competition rate and who are they?

Use this table to identify Aruba’s strengths and for guidance on how to beat the competition.

Scoring: 0 = No capability 1 = Very weak 5 = Exceptionally strong ? = No information

CLEARPASS COMPETiTORS

Capabilities Arub

a Cl

earP

ass

Cisc

o (IS

E/AC

S)

Fore

Scou

t

Brad

ford

Net

wor

ks

Juni

per N

etw

orks

HP

Smal

ler n

iche

Wi-F

i pl

ayer

s (e

.g. M

eru,

Ae

rohi

ve, E

xtre

me)

Solution for multi-vendor networks 5 2 4 3 2 ? 2

Interoperability 4 3 3 ? 2 1 2-4

Vendor’s Wi-Fi knowledge 5 5 0 0 3 2 4

Proven, stable solution 4 4 3 2 3 1-2 1-2

Scalability 5 3 2 3 3 3 2-4

Completeness of solution 5 4 3 3 3-4 3 2

Ease of deployment 3 2 4 2 3 ? 2-4

Capabilities: refer to the next page for a detailed explanation.

OUR MAjOR STREngTHS ARE ...• Solution for multi-vendor networks• interoperability• Proven, stable solution• Scalability• Completeness of solution

… EMPHASiZE THESE POinTS!

hOw tO win

we win if …• We tie down the scope of the requirements early

in the sales cycle

• The customer has an Aruba WLAN, and is implementing a refresh

• The network is wholly Aruba or multi-vendor

• The requirements are biased towards access for contractors/guests

• The customer agrees to a demo

• When an evaluation is needed, we sign off targeted success criteria in advance

we lose if …• The prospect has too few users/devices or has too

simple a business model to benefit from access security policy management

• We try to compete with smaller niche vendors by offering only a subset of ClearPass

• There is a strong ‘Cisco only’ attitude, across both wired and wireless


hoW To bEAT ThE CoMPETiTioN

CAPABility CAPABility exPlAined SuPPOrtinG FACtS And PrOOF POintS

Solution for multi-vendor networks

• Across multi-vendor networks, ability to develop, automate, enforce and audit an access security policy

• Applicable to wired and wireless networks

• In many deployments ClearPass manages access to Cisco, Avaya and HP networks

• We have customers with both wired and wireless deployments (e.g. SAP)• Other vendors’ offerings don’t provide centralized visibility and control

from a single, integrated system across heterogeneous networks: for example, Cisco ISE is difficult to administer in non-Cisco (e.g. WLAN) environments

Interoperability • Standards based• Integration with enterprise

applications• Connectivity to other

management systems (e.g. MDM)

• Provision of APIs• Flexibility of vendor

• ClearPass employs standards-based protocols and interfaces (e.g. using standard web APIs to receive context data from new sources)

• The solution is integrated with hundreds of commonly used enterprise tools (e.g. Palo Alto Networks firewalls, McAfee anti-malware)

• Aruba works with 5+ MDM partners (including AirWatch, MobileIron and Citrix)

• We can deploy ClearPass into any vendor environment, and support most smart mobile devices

Vendor’s Wi-Fi knowledge

• Experience in Wi-Fi• Business focus• Market leadership• Technical competence• Skilled staff

• Aruba has been delivering Wi-Fi networks for 13 years• We are a Gartner magic quadrant leader in Wired and Wireless LAN

Access Infrastructure• We have many SEs trained in wireless technology, and run the Airheads

community of engineers professionally engaged with wireless LANs etc.

Proven, stable solution

• References• In service solutions• Number of licences• User community• Partner community

• ClearPass is in service globally across many verticals, whereas Cisco’s references are nearly all for ACS (not its replacement, ISE)

• ForeScout is locally strong (e.g. in ME) for small to mid-size deployments, but weak elsewhere

• Juniper’s deployment numbers have plummeted since 2012

Scalability • Ability to add new users easily

• Policy enforcement across multiple sites

• High density authentication

• ClearPass successfully manages network access security in very large scale deployments (e.g. SAP with 66,000 users worldwide, Barclays, Los Angeles Schools)

• ClearPass customers can enforce policy across multiple sites from a centralized location. ForeScout works ‘in line’ and requires many appliances

• The World Trade Center Exhibition in Dubai 2013 is a prime example of the capability of ClearPass to handle high density authentication requests

Completeness of solution

• Policy management• Policy enforcement• Guest functionality• Device profiling and

onboarding• Automation• Trouble-shooting tools etc

• ClearPass uniquely delivers a complete set of functionality for managing network access security in a single, integrated system

• Optional modules include guest self-registration and advertising, device onboarding, and device posture validation

• Workflow and ClearPass Exchange enable complete automation of processes such as quarantining devices

• ClearPass comes complete with tools for investigating problems (e.g. diagnostics for trouble-shooting failed authentications)

Ease of deployment

• Automated tasks• Policy simulation• Test deployment• Accredited engineers• Partners that can deploy

• ClearPass automated device profiling and onboarding simplify setting up devices and implementing policy

• With ClearPass, customers can trial changes to policy offline and test their effects, prior to rolling them out

• We have Professional Services Partners with the accredited skills to assist customers with design and deployment



Enterprise: SAP selects ClearPass over iSE to replace Cisco ACS

• Multi-national SAP installation

• ClearPass preferred to Cisco ISE

The challengeHeadquartered in Walldorf, Germany, SAP AG is a global leader in enterprise software, with locations in more than 130 countries. Having experienced stability issues with ACS, the company investigated Cisco ISE, but found that administration was complex, the GUI was not intuitive, and there were maintenance and upgrade issues.

The responseSAP is a long-term major customer for Aruba WLAN. The account team has a close relationship with key decision makers, meeting on a regular basis, and so was able to pick up on SAP’s concerns about ISE and propose ClearPass as an alternative. An evaluation was rapidly arranged, demonstrating to SAP that ClearPass access management solution could address the issues it was experiencing with Cisco. SAP’s infrastructure and service teams were particularly impressed with the solution’s ease of use and deployment, which had been missing from Cisco ACS and ISE.

The resultClearPass is now servicing SAP’s 66,000 employees worldwide, with 8 ClearPass appliances in Germany, 4 in Singapore and 4 in Philadelphia in the US, all managed from SAP HQ. The ClearPass Guest module, which replaced an internally developed system, is also regularly providing secure SAP-branded access to 15,000 visitors and consultants.

SuCCESS SToRiES

Healthcare: A hospital moves to a new site and implements lAn security

• Hospital securing LAN and mobile devices

• ClearPass preferred for single platform and interoperability

The challengeOur WLAN customer, the University Hospital of Toulouse in France, had plans to consolidate from multiple sites to a new building of 600 beds. At the same time, it wished to add 802.1X to its unsecured Cisco LAN. With only three people in its network team, the new wired network would have to automate the configuration of the 18,000 ports.

The responseWhen the hospital approached Cisco, it discovered that Cisco’s ISE proposition would make the network complicated, with working across both fixed and wireless being particularly difficult. Further, as well as the high number of appliances required, Cisco did not offer perpetual licences, which would make the ISE solution costly. Our network integration partner, Orange, proposed a dual lab trial, to compare ISE to ClearPass.

The resultCHU Toulouse realized that the profiling available with ClearPass would enable it to onboard all peripherals on time. These included those within the control of the Building Management System, and not well known by the network team, such as IP cameras, alarms, door-locking mechanisms etc. Two ClearPass 25,000 user appliances (one for redundancy), together with 300 licences each for Onboard and OnGuard, were sufficient to ensure that the hospital could improve network security, as well as move to its new site promptly and cost-effectively.



Finance: upselling ClearPass capability to a major bank

• Large bank needing flexibility

• ClearPass provided better guest/device functionality and user experience

The challengeEmirates NBD (ENBD) is one of the leading banks in the United Arab Emirates (UAE). A Cisco-supplied NAC, first deployed in 2007, was too rigid for the bank’s needs. ENBD wanted more flexibility in the way it handled network access requests. It also wanted users to be able to work with their own devices, and to allow guest access. Further, the bank had recently acquired some Avaya equipment, so needed a solution that would work across a multi-vendor network.

The responseAfter investigating Cisco ISE and finding it unable to meet requirements, ENBD considered ForeScout and Aruba ClearPass. ForeScout had a better cross-vendor offering than Cisco, but required an appliance at every node. There were also limitations in ForeScout’s ‘own device/guest’ functionality. Hence the bank selected ClearPass to replace the ailing Cisco NAC function.

The resultThe Aruba account team took the opportunity to explain the wider capability of ClearPass and secured a meeting with the CMO and other key influencers. ENBD’s marketing people recognized the potential of the solution to help them engage more meaningfully with customers and visitors. Additionally, after the NAC project is completed, ENBD will migrate from Cisco ACS to ClearPass, primarily to save costs. As a result of the account team selling ‘high and wide’, what was originally a NAC-replacement deal grew into a sale of CPPM appliances and Guest and Onboard licences worth $500k, to be rolled out over two years across the entire ENBD network, with appliances to be based in UAE, Saudi Arabia, Singapore, London and Egypt.

Retail: Sainsbury’s values the completeness of the ClearPass solution

• Large retailer with 1000+ stores

• ClearPass’ single platform, superior features and improved end customer experience won the deal

The challengeSainsbury’s is the UK’s third-largest supermarket chain. The retailer has been an Aruba customer for over three years and is currently rolling out Wi-Fi to all its 1,000+ stores and warehouses. Sainsbury’s decided to add value to its wireless network by offering guest access in stores. In addition, it wished to be able to onboard and provide NAC capabilities to a number of corporate-owned devices. A further business driver the company is exploring is the possibility of offering location-based services to shoppers in-store.

The responseSainsbury’s considered NAC vendor NetScout, but our main competitor was Cisco, supplier of the Sainsbury’s wired infrastructure. We ran an evaluation offline to demonstrate the full ClearPass capability. The Sainsbury’s people were impressed by the way ClearPass combined different areas of functionality within one integrated platform, compared to Cisco ISE, which required different units and systems. They also preferred the richer feature set offered by ClearPass.

The resultClearPass is now being deployed across the whole of the Sainsbury’s estate, to occupy the same footprint as the WLAN. The ClearPass sale gave us the opportunity to talk to the Director of Digital Marketing at Sainsbury’s, to explain how the functionality of ClearPass and the data collected by the system could be used to improve customer experience in stores. It has positioned Aruba as a more strategic vendor to Sainsbury’s, opening up new opportunities for us, including a possible future sale of Meridian, Aruba’s location-aware content management solution, for in-store device location.



ClearPass iT off-load vs. increase staff resourcesSupporting network access from employees, contractors and guests can use up significant IT and administration resources. This business case shows how labour costs can be saved through adopting ClearPass.

For this example business case we have used the scenario of an organization with a limited number of contractors and a growing number of guests, and whose employees are to be enabled to use their own devices. Also, there are wired ports that need to be secured and managed (for moves and changes). The areas of cost savings shown here are applicable to many types of organization.

ThE fiNANCiAL buSiNESS CASE

year 1 year 2 year 3forecast costs without ClearPass $k $k $kiT staff time Wired ports (securing, adds, moves) 59.8 59.8 59.8 Employee devices (onboarding, audit, help etc.) 59.8 69.8 79.8 Contractors (onboarding, audit, help etc.), plus waiting time 24.9 24.9 24.9 Guests (resolving issues etc.) 4.3 8.6 13.0Administration staff time Contractors and guests (registration, issuing login details etc.) 10.4 20.7 31.1 Total costs 159.2 183.8 208.6 forecast costs with ClearPassPurchase, deployment and maintenance ClearPass system, including redundancy and optional modules 140.8 71.3 9.2 Professional services cost (delivered by partner) 10.0 5.0 5.0 System maintenance 19.3 29.0 29.9 Internal IT deployment, training and management costs 25.0 25.0 25.0iT staff time Wired ports (securing, adds, moves) 10.0 10.0 10.0 Employee devices (onboarding, audit, help etc.) 8.1 9.5 10.9 Contractors (onboarding, audit, help etc.), plus waiting time 2.1 2.1 2.1 Guests (resolving issues etc.) 1.4 2.9 4.3Administration staff time Contractors and guests (registration, issuing login details etc.) 0.0 0.0 0.0 Total costs 216.7 154.8 96.4

Cost saving –57.5 29.0 112.2THE bOTTOM LinE• Total savings over three years $83.7k• Net Present Value (NPV) at 10% $56.0k• internal Rate of Return (iRR) 67%

AdditiOnAl CleArPASS SOlutiOn BeneFitS• ClearPass server with RAdiuS/TACACS+ and advanced policy control saves the cost of replacing or

upgrading existing appliances such as NAC• improved guest experience – generating repeat business and enhanced brand value• better guest management and employee/contractor removal reduces/eliminates unauthorized Wi-fi use• No need for multiple Wi-fi networks (e.g. separate networks for employees and guests) • Wired ports can be protected and an audit trail produced, reducing the risk of a security breach• Futureproof–growthinmobilityandcollaborationwillnotincreaseITstaffoverhead

Main assumptions year1 year 2 year 3Wired ports: 6 changes per year to 20% of the ports Wired ports 1,500 1,500 1,500Employees: average of 2 devices each, replacing 1 every year Employees* 3,000 3,500 4,000Contractors: connect 1 device for an average 2 months contract Contractors* 200 200 200Guests: connect 1 device every visit for an average of 7 days Guests* 250 500 750

StaffcostsassumetypicalWesternEuropeworkingconditionsandsalariesforITandadministrationstaff.* - Maximum number of users of mobile devices in any 24 hour period


Over 3 years, ClearPass reduces iT resource requirement by 2.7 man years.


Deal discovery guidance

A prospect meeting should identify the following:

1 The number of devices currently connected to the network

2 The maximum number of guests per day

3 The number of devices requiring health checks (OnGuard)

4 The type of devices allowed onto the network

5 Total number of devices/endpoints to be authenticated

6 The identity stores that are employed for user and device authentication

7 Existing policies for guest access, remote access, certificates etc.

8 Alternative solutions that the prospect is considering

QuALifiCATioN

Key qualification factorsThe more questions you can answer ‘YES’ to, the better.

yeS nO1 Will the prospect be looking to control network access for more than 500 devices?

2 Do they want to open up their network to new types of devices, or have a need to improve security as a result of a growing number of mobile devices?

3 Have they recently made a large investment in mobile devices (e.g. smartphones, tablets)?

4 Are they insourcing either IT or their network?

5 Are they looking to replace Cisco ACS?

6 Do they have a problem with limited IT support, in terms of number of people, locally at remote sites, or skills (especially with regard to handling requests from devices connecting to the network)?

ThE SALES PRoCESS

Gain visibility of how the network is being accessed . . . . .

Comply with mandatory security requirements . . . . . . . . .

Implement a BYOD policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Enhance user engagement . . . . . . . . . . . . . . . . . . .

Contain the costs of access security . . . . . . . . . . .

Improve the mobility experience of users . . . . .

What business problem is the prospect trying to solve? [Tick all those that apply]

Use the questions on this page to help you capture information about the prospect and qualify the sale, before committing more resources.


OBJECTION We’re a Cisco house.

REAL CONCERN Your system might not be compatible. Why should I risk my reputation buying non-Cisco?

ANSWER The fact that you have heavily invested in Cisco is not a problem. Aruba has successfully deployed ClearPass into many Cisco environments, including SAP worldwide, major bank Emirates NBD in the Middle East, and Sainsbury’s retail in the UK. Our customers tell us that ClearPass is much easier to deploy and manage than the equivalent Cisco offering, and it also costs a lot less. May I organize a demo for you, so that you can see why others have chosen ClearPass over Cisco?

OBJECTION You’re a Wi-Fi only company.

REAL CONCERN I don’t want to risk putting this into my wired network.

ANSWER It’s true that Aruba has built its reputation on providing enterprise-class Wi-Fi networks. However, ClearPass was designed from the outset to work across both wired and wireless multi-vendor networks. We have successfully deployed ClearPass into many wired environments, including enterprises, hospitals, retail outlets and schools, and have been recognized by Gartner as a magic quadrant leader in the provision of Network Access Control, as well as for Wired and Wireless LAN Access Infrastructure.

OBJECTION We don’t need a complete solution.

REAL CONCERN I don’t want to spend money on functionality I don’t need.

ANSWER The great thing about ClearPass is that it is a modular solution, so you only have to buy what you actually need. Built-in is all the functionality you require to be able to deploy a consistent access security policy across both wired and wireless networks, extended to mobile devices. If you decide later that you want additional functionality, such as guest access, or more capacity, then this is easily added. Let me organize a demo for you, so that you can decide which modules you would require to support your business.

OBJECTION We’re happy with what we’ve got.

REAL CONCERN I don’t want to buy extra security I don’t need.

ANSWER The primary reason that organizations like yours are investing in improving their network access control is to allow secure access from mobile devices. Many customers tell us that their employees, contractors, partners and guests all now expect to be able to use mobile devices for work, and for interacting with the organization. ClearPass offers you a way to meet this demand from a single integrated platform, while delivering many other benefits, such as providing visibility, enabling compliance, improving employee productivity and containing costs. Can I run through an example business case with you, to show you how ClearPass could actually save you money?

dEALiNG WiTh objECTioNS

CLEARPASS ACCESS MANAGEMENT SOLUTION SALES GUIDE > THE SALES PROCESS


Examples of customer pricing and product mix for deals of different size and complexity. The table below shows figures for the first year. Upselling will generate revenues in the second year that can be 50-100% of first year revenues.

SOLUTiOn SiZing SMALL MEDiUM lArGe very lArGeEndpoints 100-500 500-2,000 5,000+ 25,000

Guest licences 100 500 2,000+ 5,000+

Onboard or OnGuard licences 100 2,000 5,000+ 25,000+

SAleS revenue $k $k $k $kHardware/VM appliances 8.0 25.0 50.0 75.0

Software licences 5.0 20.0 45.0 100.0

Integration and customization 5.5 9.5 17.5 27.5

Other services 1.0 2.0 6.0 12.0

Maintenance and support 2.5 10.0 19.0 35.0

First year Gross Sales value 22.0 66.5 137.5 249.5

SALES TACTiCS

Use these tactics to start a conversation, differentiating ClearPass from the competition.If you already have a lead, or a customer has come to you with a specific problem, use these tactics to upsell the complete ClearPass solution. If your prospect’s primary concern is not in the table, use the information in this Sales Guide to create your own questions and ideal outcome.

iF the PrOSPeCt iS COnCerned ABOut…

THEn ASK yOUR COntACtS ABOut…

HELP THEM TO… EMPHASiZE…

NAC or AAA/RADIUS upgrades

• Any issues or limitations?• Future upgrades• How users authenticate• The number of devices connecting

Understand the importance of linking policy management to security solutions

Scalability and workflows

Securing employees and guests connecting to the network with their own devices

• Critical areas of network security• Any recent breaches or attacks?• Types of devices connecting• Number and type of guests per day

Describe the ideal access management solution, providing robust security across all devices and users

Completeness of security solution covering all scenarios

How to manage guests and onboard employee devices with limited IT resources

• Number and type of guests• The registration process• How devices are onboarded• The time IT spends today

See how onboarding and policy management can be automated with self-service and visibility

Employees are not guests, and have different needs

How to implement a single Mobile Device/Application Management framework

• Which departments want this?• Who has concerns?• Is there demand from users?• Has MDM been deployed?• Any privacy or compliance issues?

Appreciate how they can manage a mix of devices without compromising security, privacy or compliance

MDM needs network security

TyPiCAL dEALS



A TyPiCAL SALES CyCLE

The diagram below shows the steps and key sales activities for identifying an opportunity and taking it through to a won deal.


PRoSPECTINg (2-8 WEEkS)

SoLUTIoN DEVELoPMENT (6-16 WEEkS)

CLoSE (2-6 WEEkS)

QualificationSector•Size•Need

DiscoveryAssessment survey

Security policy

ProposalDesign•Sizing•Licences

Redundancy

Implementationui Customization

Professional ServicesAruba advice

Case StudyWin flash Report

UpsellGuest

onboardonGuard

Sales Presentationbusiness level

how Aruba addresses the painuser experience

deployment strategyProfessional Services

RFPLead

generation

Lead generation

SaleTerms

Partner with Aruba support Aruba with Partner supportPartner Aruba

KEy fACTORS fOR A SUCCESSfUL SALES CyCLE• Evaluation (or exceptionally, PoC) must be preceded by signed success criteria• All sales cycles must involve a ClearPass Professional Services Partner• AllsalescyclesmustincludeaProfessionalServicesofferfordesignanddeployment

*By exception. Only offer a POC after approval from Aruba

DemonstrationSales demo

Technical demo

Evaluation or Proof of Concept*Success criteria

Reference Call


CoNTACTS ANd RESouRCES

Key Aruba contacts

reSPOnSiBility nAME EMAiL telePhOneEMEA Sales and Marketing

Vice President EMEA Wolfram Fischer [email protected] +49 151 40712477

Director EMEA Channel Frederic Saint-Joigny [email protected] +33 64 275 8621

Senior Director EMEA Marketing Chris Kozup [email protected] +44 750 005 8848

Channel Marketing EMEA Bart Hulst [email protected] +31 6 13589223

Regional Channel Sales – Channel Account Managers (CAMs)

Benelux Thierry van Haverbeke [email protected] +32 479817282

Eastern Europe, Russia Zbigniew Skurczynski [email protected] +49 176 31499711

France, Northern Africa Mathieu Richard [email protected] +33 635 128 291

germany, Switzerland, Austria Peter Buhmann [email protected] +49 174 346916

Italy Marco Olivieri [email protected] +39 3474675956

Middle East Osama AlHaj-Issa [email protected] +966 55 449 9516

Middle East – UAE Ahmed Elsayed [email protected] +971 563702027

Nordics Neil Bronsdon [email protected] +46 70 936 74 25

South Africa, Sub Sahara Africa Mark Esslemont [email protected] +27 83452 4873

Spain, Portugal Pablo Collantes Palomino [email protected] +34 661 848 756

Turkey Bora Yuksel [email protected] +90 5309773806

Uk, Ireland Andrew Clark [email protected] +44 7767205548

Uk, Ireland Richard Leadbetter [email protected] +44 7585 707938

Demos and evaluationsTo arrange a demo or evaluation for your customer, contact your CAM (see list above), who will organize SE support. In very exceptional cases a Proof Of Concept may be authorized. Again, contact your CAM in the first instance to request further information.

Partners with ClearPass Certification can obtain a free NFR licence of ClearPass from Channel Marketing EMEA at [email protected].

Other enquiriesSend an email with your detailed question(s) to [email protected].

Online resourcesAruba Networks PartnerEdge Program http://www.arubanetworks.com/pdf/partners/channel/Aruba_PartnerEdge_

EMEA_Brochure.pdf

How to Become an Aruba Networks Channel Partner in EMEA

http://partners.arubanetworks.com

ClearPass Certification and Specialization (Login required)

https://sso.arubanetworks.com/idp/startSSO.ping?PartnerSpId=https://aruba.my.salesforce.com&TargetResource=/PartnerEdge_EMEA

ClearPass Access Management Solution overview

http://www.arubanetworks.com/products/clearpass/

System Engineering Enablement Lab (SEEL) https://afp.arubanetworks.com/afp/index.php/SEEL_Live_Demo_Program

Partner trainingTraining in ClearPass is available for partners, including free-of-charge online sales training.

Confidential.Allrightsreserved.Documentstructure©ExpertekConsultantsLtd,2014. TheinformationcontainedhereinisconfidentialandthepropertyofArubaNetworks,Inc. No liability is accepted for errors or omissions. www.expertek.co.uk. EMEA version: V1.0


©2014ArubaNetworks,Inc.ArubaNetworks®, Aruba The Mobile Edge Company® (stylized), Aruba Mobility Management System®, People Move. Networks Must follow.®, Mobile Edge Architecture®, RfProtect®, Green island®, ETiPS®, ClientMatch®, bluescanner™ and The All Wireless Workspace is open for business™ are all marks of Aruba Networks, inc. in the united States and certain other countries. The preceding list may not necessarily be complete and the absence of any mark from this list does not mean that it is not an Aruba Networks, inc. mark. All rights reserved. Aruba Networks,Inc.reservestherighttochange,modify,transfer,orotherwiserevisethispublicationandtheproductspecificationswithoutnotice.WhileArubaNetworks,Inc.usescommerciallyreasonableeffortstoensuretheaccuracyofthespecificationscontainedinthisdocument,ArubaNetworks,inc. will assume no responsibility for any errors or omissions. No material may be reproduced for any purpose, private or commercial, without prior permission from Aruba Networks.

www.arubanetworks.comAruba Networks International Limited, Building 1000, City gate, Mahon, Cork, Ireland