2. Mobile IAM
MOBILE IAM™ - “BYOD DONE RIGHT™”
Addressing the true scope of mobility imperatives
Employees in your enterprise are expecting to access the corporate network from their personal
tablets and smartphones. Higher education long ago conceded to students’ demand to use
their own devices on campus networks. Health care institutions have adapted to employee
owned devices to achieve gains in workforce effectiveness and they still ensure network security,
device performance and compliance. Why are you hesitating to fully embrace BYOD?
Without doubt the sheer numbers of the types and quantities of the devices are staggering.
Industry data count 2 billion devices in use by 2015 with 75% of them used for both business
and personal use. Already 75% of all trouble tickets are generated by mobile users. Management
isn’t talking about opening reqs for help desk staff. Nor do you want to be distracted from the
critical strategic business initiatives requiring IT support. What are the costs of deploying a BYOD
program and how can they be controlled once this Pandora’s box is opened? In addition, like other
IT professionals, your worries probably include maintaining the security of your network, controlling
unauthorized access and managing more risk from new threats and vulnerabilities.
Bottom-line Benefits
• Embrace the BYOD opportunity and cost savings
• Increase workforce productivity and morale, engage young new-hires
• Monitor and manage risk end-to-end
• Gain control without adding IT staff, keep OpEX under control
• Guarantee application delivery to mobile devices
However, a conservative response that avoids embracing BYOD and simply contains non-corporate owned
devices means the enterprise is squandering opportunities for significant competitive benefits.
Using their own devices, staff have choice and flexibility and can more easily collaborate. Workforce
productivity and morale increase. IT reduces costs by saving the expenses of procuring and
maintaining corporate owned devices for every staff person.
The only answer is to implement a comprehensive BYOD solution - one that addresses all your
requirements: network security, seamless user experience, end-to-end visibility and control,
leverage existing staff and predictable costs over the short and long term.
Enterasys Mobile IAM is BYOD Done Right™. It is a comprehensive solution for all classes of
users, on any consumer or corporate mobile device. It delivers the highest user experience and
security by controlling access to the right set of connections and resources at the right times.
3. Solution
“The Enterasys system is so easy to use for students that this is something we do not have to worry
about troubleshooting,” said McHugh. The faculty is taking advantage of the wireless network, and
the students, with their own devices, are enjoying having more accessibility to the network.
4. BYOD DONE RIGHT
Total security, IT simplicity with total control, seamless user experience
“Bring your own device” (BYOD) has become an industry mega trend. However, typical BYOD solutions
are seriously incomplete. They only focus on devices and the management of non-corporate owned
devices. But, devices are just one part of the control problem. The most effective solution encompasses
devices, types and identity, and adds attributes associated with users, locations and applications.
Enterasys BYOD Done Right means total security, IT simplicity with full control and a predictable
network experience for users. It provides the complete set of capabilities and features that meet
the market’s real need for a secure and comprehensive solution. Enterasys Mobile IAM, BYOD
Done Right, is comprised of seven core capabilities: auto-discovery, multi-level device profiling,
flexible onboarding, advanced context-based policy management, guest access, virtual desktop
infrastructure (VDI) and mobile device management integration (MDM).
The solution is enabled by OneFabric Security, a distinctive security framework. OneFabric Security
treats the infrastructure as a whole and is purpose-built to ensure that every security component
is integrated and communicates with every other component. This cohesive approach provides
visibility, threat detection, automated response and enforcement end-to-end.
Purpose built for campuses and enterprises, Enterasys Mobile IAM is simple: one BYOD solution
appliance and choice from a set of Enterasys service offerings. Your BYOD program success
is assured with the engagement of Enterasys service professionals, seasoned experts who have
successfully done hundreds of these implementations. Done Right means visibility and policy
enforcement, end-to-end, simply and flexibly, without an army of new IT staff.
Addressing Today’s Challenges
• Enable employee choice and flexibility
• Deliver predictive user experience
• Prohibit unauthorized access
• Manage threats and vulnerabilities
• Ensure network availability and performance
• Predictive costs
5. Done Right
THE ENTERASYS DIFFERENCE
Unified Management, Automatic Policy, Service Guarantee
Mobile IAM provides important unique advantages which translate into greater IT control and a
better user experience. It provides granular wireless-wired network bandwidth allocation, and
specific quality of service priorities by device, user, location and application. This
means, for example, that in a lecture or presentation setting the teacher can have the highest
priority quality of service (QoS), higher bandwidth may be allotted for essential applications and
only limited bandwidth allocated for irrelevant applications. Mobile IAM enforces policies at
the entry point into the infrastructure eliminating resource wastage and optimizing wireless and
wired network bandwidth. Enforcing policy at the entry point also frees up network resources for
increased device scalability without having to add or overprovision network resources. Mobile IAM
simplifies IT operations with its intelligent automated provisioning and policy enforcement. In
contrast, alternative BYOD solutions are a complex array of separately priced products and product
sub-components for a more expensive solution that is not integrated to this sophisticated level of
unified wired/wireless visibility and control.
The value of Enterasys Mobile IAM, BYOD Done Right is the ability to embrace BYOD with
the knowledge that your solution is secure, scalable and delivers a demonstrably superior user
experience. Users experience simple one-step onboarding, predictable application delivery and
the flexibility to use any device. No flood of tickets to the help desk. Enterasys BYOD Done
Right does not require any additional IT resources to manage it. It scales easily to grow as devices
increase. No matter what device they bring, the enterprise infrastructure is secure with Enterasys’
industry leading capabilities: discovery, profiling and authentication; advanced context-based
policy enforcement; and predictive threat management.
6. MOBILE IAM APPLIANCE
Purpose built solution for a secure campus and enterprise
Enterasys Mobile IAM addresses IT challenges being driven by today’s enterprise and campus
mobility imperatives providing end-to-end visibility and control over individual users, devices and
applications, in multi-vendor infrastructures. It provides complete software for: identity, access and
inventory management, context-based policy enforcement, end-to-end management from a single,
easy-to-use management application, auditing and reporting.
Policy management is the most granular in the industry including per port, per device layer 2-4
access control, QoS/priority, rate limit/shape and more. Real time tracking and unique state change
notification for over 50 attributes per device and user give IT maximum visibility into all network
activity. It offers an open architecture for assessment (MDM integration) and threat response
(Next Generation Firewall (NGFW), Security Information and Event Management (SIEM), Intrusion
Prevention System (IPS)). Mobile IAM can scale up to 100,000 devices, depending on the
configuration, for the flexibility to meet current and future needs without having to buy components
that are excessive at the start. The Mobile IAM Appliance is available as a physical or virtual
appliance to best meet your deployment needs.
7. Advanced Context-Based Policy Management
Mobile IAM’s advanced context-based policy engine is the most flexible in the industry. The
attributes available for policy rule definition include authentication type, device type, user, role,
location, time, and assessment status. Within each attribute, specific classifications enable the
most fine-grained discriminations. It integrates with authentication services and provides unified
wired, wireless and VPN enforcement.
Auto Discovery
Auto Discovery automatically detects end systems and users and creates a hardware inventory
for all attached end systems. The multiple methods provided for user detection include network
authentication using 802.1X, Kerberos and RADIUS snooping, portal-based registration and
authentication and external user-IP mapping technologies. Multiple methods are used for device
detection with MAC authentication followed by IP resolution and reverse DNS lookup and multi-
level device profiling. Auto discovery can discover and track 50 attributes per end system and user
pair – a level of detail that is unmatched in the industry.
Multi-Level Device Profiling
Mobile IAM provides a comprehensive set of profiling capabilities and APIs for integrations
to extend these capabilities even further. Features include OUI-based profiling, DHCP option
fingerprinting with the ability to customize, captive portal, user agent profiling and network-
based and agent-based assessment. With MDM integration, granular device type and capability
information is identified. With the Mobile IAM Fusion API, information from external profilers that
are behavior based can be incorporated.
Zero Effort and Secure Onboarding and Authentication
With Mobile IAM, end users experience Zero Effort™ onboarding. Not even portal registration is
required with the transparent web cache/proxy redirect functionality. For flexibility, portal-based and
automated onboarding are two additional approaches that are provided. Portal-based registration
with back-end integration into LDAP and RADIUS means zero effort for IT. With automated
onboarding, Web Services are used to allow external systems, such as student management, dorm
management, registration and enrollment portals, to provision access.
Managed Guest Access Control with Sponsorship
Guest access management provides accountability, tracking and control. It is fully integrated
with Mobile IAM. There are no additional software modules to purchase and maintain. Guest
access is through a voucher, pre-registration, authenticated or sponsored access. It is highly
automated, including, for example, web-based guest registration with automatic workflow for a
sponsor’s validation and approval. No matter which vendors populate the infrastructure, Mobile
IAM automated guest services provide unified wired/wireless access control for all non-employees.
Partners, contractors, visitors or conference attendees are productive while critical business systems
and resources are protected from misuse or compromise.
8. MOBILE IAM SERVICES
Quickest time to value
Enterasys is confident of the value we deliver. Take advantage of Enterasys’ award-winning services
by choosing from four implementation options. This portfolio enables you to choose the service
that best fits your needs and priorities. The benefit for you is the ability to utilize expert resources to
deploy your optimal solution most efficiently. Mobile IAM Professional Services include everything
needed to effectively implement the solution including: auto discovery of existing infrastructure;
integration with existing wired and wireless LAN; access policy definition and deployment; and ‘as
built’ documentation.
The Fusion MDM Connect Service enables enterprises to extend the value and simplicity of Mobile
IAM by integrating the MDM functions of a mobile device management product. Gain simplified
management with one interface and enhance Mobile IAM’s capabilities with the additional device-
specific attributes and health status information available from the MDM.
9. Fusion SDN Connect Integration Service provides integration with a variety of IT systems such as
Palo Alto NG-FW, IF-MAP, student onboarding systems, SEN OpenScape, Polycom and others. The
integration automates context-based policy provisioning of network services for user, device and
application for enhanced IT efficiency. IT also gains additional visibility into all devices, users and
applications enabling more control.
Some enterprises in highly regulated industries turn to virtual desktop infrastructure (VDI)
as a method to securely deliver applications for BYOD or other mobile devices. There is no
data on the device in a VDI implementation eliminating the problem of lost sensitive data if a
device is lost or stolen. But, there are important challenges with a VDI approach. How do you
automatically provision the correct access roles for each user in the data center? How can you
visualize and track who is using your VDI instances at any point in time and with which access
roles? Enterasys VDI Data Center Integration Service provides a solution in a single architecture
for the edge and data center.
10. MOBILE IAM VERTICAL MARKETS
Mobile IAM for K-12 Education
Pressure for Bring-Your-Own-Device has been especially strong among K-12 schools. Cost
pressures, parent and student demand, new styles of teaching, and on-line testing have all had
an important role in driving this need. At the same time, ensuring compliance with Acceptable
Use Policy (AUP) and the Children’s Internet Protection Act (CIPA), as well as maintaining
security and preventing inequities without taxing the school’s limited IT resources, present major
challenges in implementing BYOD for K-12 schools.
Enterasys Mobile IAM controls access based on user, device, location, application – in fact,
it can take into account up to 50 different considerations. So a teacher using video for
classroom instruction can get high bandwidth, while students in the cafeteria may be limited
in their YouTube viewing. High bandwidth can also be provided for VDI use by the staff, while
entertainment devices such as PlayStation Portable may be barred from the network entirely.
All this is easily managed by the IT staff without additional resources. Mobile IAM provides a
single pane of glass for network management including BYOD device management. Teachers and
students can be automatically provisioned when they first bring their devices to school. Network
usage is simply monitored by user, device, location, and application to ensure full compliance
with AUP and CIPA.
11. Healthcare
Mobile IAM for Higher Education
Higher Education has some of the highest demand for Bring Your Own Device, but also faces the
greatest risks and challenges in implementing it. Faculty, staff, students, and parents all demand
permission to bring and use personal wireless devices on campus. The typical college student
today has between two and five personal devices, including smartphone, music player, PC, tablet,
and portable game console. In the face of this device invasion, the valuable campus network
resources and data must be protected from unauthorized and malicious use.
Enterasys Mobile IAM enables BYOD with complete security for the campus network and data.
The context-based policy engine controls network usage based on up to 50 factors including user,
device, location, and application. So high bandwidth can be provided to staff and students using
VDI. High bandwidth can also be allocated to video for instructional use. Global classrooms on
remote campuses as well as distance learning in general are fully supported. But administrative
information is fully protected.
Enterasys guarantees the Mobile IAM implementation; it is smooth to install and won’t require
any additional staffing to the already-stretched higher education IT department. The network and
all devices are managed with a single pane of glass. Devices can be automatically provisioned
based on the pre-determined policy.