Airheads main conference slideshare v1.0
- 2. © 2013 Beyond Mobile Ltd June 5, 2013
INTRODUCTION
An IT infrastructure specialist with over 20 years in the financial services sector: 11 years with Credit Suisse and 6 with Chase (JP Morgan).
Tough environment in financial services, and departing a role as Director in IT for Credit Suisse to start Beyond Mobile.
Beyond Mobile offers Strategy, Product and Sales advice to technology companies in the early stage of their business plans.
- 5.
COMPARISON STAR TREK ENTERPRISE
| | Declaration | NX | Sovereign |
| Ship | USS Enterprise (XCV 330) | NX-01 | NCC-1701-E |
| Launched | circa 2130s | April 16, 2151 | October 30, 2372 |
| Mass | 52,000 metric tonnes | 998,000 metric tonnes | 3,250,000 metric tonnes |
| Length | 300 metres | 225 metres | 685.7 metres |
| Max speed | < Warp 2 | Warp 5.2 | Warp 9.995 |
| Weapons | None | Photonic torpedoes, phase cannons | Phaser arrays |
- 6.
COMPARISON OF AN ENTERPRISE
| | Enterprise 1 (Financial) | Case Study (Financial) | Enterprise 3 (consulting) |
| (row label not captured) | 120,000 | 65,000 | 20,000 |
| (row label not captured) | 143,000 | 80,000 | 2,000 |
| (row label not captured) | 28,000 | 15,000 | 20,000 |
| (row label not captured) | 170,000 | 120,000 | 2,500 |
| (row label not captured) | Yes | Yes | No |
| Network | "dirty network" | "clean network" | "clean network" |
- 7.
EVIL INTERNET & WIRELESS
• Wi-Fi BANNED
• Custom laptops with Wi-Fi cards removed
• Ethernet ports and drivers locked down
• Remote access restricted to dial up
• Almost impossible to be productive unless in the office
- 8.
EVOLUTION NOT REVOLUTION
- 9.
NETWORK PERIMETER SECURITY
2007
- 10.
NETWORK PERIMETER SECURITY
- 11.
NETWORK STRATEGY
DEPERIMETERISATION
- 12.
2007 – 1ST GEN WI-FI
• CISO concedes some Wi-Fi allowed
• "Managed" endpoints only
• Guest internet access allowed
• No employee personal devices allowed
• User experience not considered
• Wi-Fi design poor
• Global inconsistency
- 13.
2007 – 1ST GEN WI-FI
[Architecture diagram; labels recovered from the slide: un-provisioned device and provisioned device on the BYOD SSID; Cisco access point; Cisco intranet controller; EoIP to a Cisco DMZ anchor controller; LAN DMZ and EXT DMZ firewalls; DMZ Bluecoat proxy; MDPS; Amigopod appliance (publisher) for remote cloud provisioning of BYOD and guest self registration; APAC CPPM AAA servers and EMEA CPPM AAA servers; Radius Auth; HTTPS; BYOD user traffic; guest traffic.]
- 14.
2009 CHALLENGERS
"Why can't I use the corporate Wi-Fi to sync my work email?"
"Cellular coverage is so bad in my building and it's crazy employees can't use the corporate Wi-Fi on their personal devices"
Crumbling of IT walled gardens
- 15.
2011 THE GAME CHANGED
• Real estate smart strategies
• Wi-Fi shifted to a core "enabling" technology and business enabler.
• BYOD strategy was built demanding better services
• CIO – build it quick, but I wouldn't start from there if I was you
• Poor coverage, low contention, IT vs. Business
- 16.
THE BEGINNING OR THE END?
• Requirements
• Stakeholder Management
• Buy as a Service vs Build
• Technical Design
• Build
• Lessons learnt
- 17.
REQUIREMENTS
Guest | Standard Employee | Complex Employee
Standard | Complex
- 18.
REQUIREMENTS
| | Guest | Standard Employee | Complex Employee |
| (row label not captured) | Medium | Medium | High |
| (row label not captured) | Low | Med | High / Regulated |
| Device ownership | Personal | Mixed | Corporate |
| (row label not captured) | Yes | Yes | Yes & Corporate |
| Device management | None | MAM | MDM & MAM |
| (row label not captured) | No | Yes | Yes |
- 19.
STAKEHOLDER MANAGEMENT
• Clean vs. dirty wireless = same
• On campus = enterprise policed
• Keep out of trouble with the regulator
• Employee traffic content filtered
• Info Sec, HR/Legal
- 20.
STAKEHOLDER MANAGEMENT
• Apply IT policy
• Same quality as LAN
• Wi-Fi as a commodity
• Protect data vs. network
• BYOD
• Don't compromise usability for security
• Container(s) vs MAM
- 21.
BUY VS BUILD
• Corporate IT in Financial Services identity crisis
• Case Study = Buy as a service > Build
• Market not mature
• Result was a Build & Buy project
• One name stood out in access control and provisioning = Aruba
- 23.
TECHNICAL DESIGN
• Data with some voice; small amount of desktop video conferencing, growing
• Cloud based guest provisioning solution
• Segregation
• IT policies mean no direct connection to Active Directory
• Guest registration – sponsor approved
• Employee device enrolment process to be lightweight (email address)
• Employee content filtered on BYOD devices*
• Improve scale of deployment
• Single, global wireless solution to employees.
- 24.
FUTURE REQUIREMENTS
| | Wi-Fi 1st Gen | Wi-Fi 2nd Gen | Wi-Fi FUTURE |
| Standard | 802.11a/b/g | 802.11n to ac | 802.11ac |
| Traffic | Data | Data / Voice | Data / Voice / Video |
| Guest registration | Manual | Online registration & Sponsor approval | Federated B2B |
| Sourcing | Build | Build & Buy | Buy |
| SLA | None | Non-critical service, severity 4 SLA | Critical service, LAN replacement |
| Platform | Cisco BBSM 4.x | Clearpass CPPM 6.x | (cell not captured) |
Remaining cells whose row and column placement could not be recovered from the extraction: "Aruba end to end"; "Partially supported".
- 25.
TECHNICAL DESIGN
[Architecture diagram, repeated several times in the extraction; labels recovered: Internet; un-provisioned device and provisioned device on the BYOD SSID; Cisco access point; Cisco intranet controller; EoIP to a Cisco DMZ anchor controller; LAN DMZ and EXT DMZ firewalls; DMZ Bluecoat proxy; MDPS; Amigopod appliance (publisher and subscriber) for remote cloud provisioning of BYOD and guest self registration; APAC CPPM AAA servers and EMEA CPPM AAA servers; Radius Auth; HTTPS; BYOD user traffic; guest traffic.]
- 26.
LESSONS LEARNT
• Don't underestimate the amount of testing required
• BYOD footprint for testing can be never ending
• Amount & complexity of devices leads to issues with tools for troubleshooting
• Process engineering important
• Support specialists too thin on the ground – Mobility support is a specialist skillset
• Web content filtering != control
- 27.
LESSONS LEARNT
Certain CONTENT FILTER RULES did not make sense for employee BYOD; we had to lobby for changes:
Chat/Instant Messaging – Whole category originally blocked.
• Allow clients that connect to corporate IM platforms, as they would be monitored.
• Block all other IM platforms, but allow messaging for services tied to SMS (e.g. iMessage).
VOIP clients & Online Storage – Whole category originally blocked.
• Allow all – these were from personal devices and corporate data was "contained".
• Provides a better experience around apps that sync to Dropbox etc.
Remote Access Tools – Whole category originally blocked.
• Allow – Only personal devices can connect to Wi-Fi, so there is no company data at risk of loss.
Software Downloads
• Allow – Provides a better user experience, as this would allow App Store downloads to personal devices to work on campus.
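As an added illustration (not code from the deck, from Credit Suisse or from Aruba): the content-filter exceptions on this slide expressed as a small Python policy model, so the original blanket category blocks and the revised rules can be compared side by side over constructed proxy records. The category names, host names, the corporate IM allowlist and the device_owner attribute are assumptions made for the example. The "review" verdict for corporate-owned devices is this example's reading of the slide's rationale: the allowances for online storage, remote access tools and software downloads rest on only personal devices reaching the BYOD Wi-Fi, so a record that breaks that precondition is flagged rather than silently allowed.

```python
"""Added illustration, not from the original slide deck: a model of the BYOD
web-content-filter policy so the original and revised rules can be compared.

Constructed for this example (not taken from the deck): category names, host
names, the corporate IM allowlist, and the device_owner attribute on a record.
"""
from dataclasses import dataclass

# Constructed allowlist: hosts of the corporate, monitored IM platforms.
CORPORATE_IM_HOSTS = {"im.corp.example"}
# Constructed set of messaging services tied to the phone's SMS identity
# (the slide gives iMessage as its example).
SMS_TIED_MESSAGING_HOSTS = {"imessage.example"}

# Categories the filter blocked wholesale before the changes.
BLOCKED_CATEGORIES_ORIGINAL = {
    "chat_im", "voip", "online_storage", "remote_access", "software_download",
}
# Categories the slide allows because only personal devices, with corporate
# data contained, are expected on the BYOD Wi-Fi.
PERSONAL_DEVICE_ALLOWED = {"voip", "online_storage", "remote_access", "software_download"}


@dataclass(frozen=True)
class ProxyRecord:
    host: str
    category: str        # web-filter classification of the destination
    device_owner: str    # "personal" or "corporate" (constructed attribute)


def original_policy(rec: ProxyRecord) -> str:
    """Whole categories blocked, as the filter was first configured."""
    return "block" if rec.category in BLOCKED_CATEGORIES_ORIGINAL else "allow"


def revised_policy(rec: ProxyRecord) -> str:
    """Rules after the changes the slide says were lobbied for."""
    if rec.category == "chat_im":
        # Corporate (monitored) IM and SMS-tied messaging allowed; other IM blocked.
        if rec.host in CORPORATE_IM_HOSTS or rec.host in SMS_TIED_MESSAGING_HOSTS:
            return "allow"
        return "block"
    if rec.category in PERSONAL_DEVICE_ALLOWED:
        # The allowance rests on the device being personal; a corporate-owned
        # device on this path breaks that precondition, so flag it for review.
        return "allow" if rec.device_owner == "personal" else "review"
    # Everything else keeps the verdict of the standard filter.
    return original_policy(rec)


def compare(records):
    """Return {host: (original_verdict, revised_verdict)} for each record."""
    return {r.host: (original_policy(r), revised_policy(r)) for r in records}


# Constructed sample records.
SAMPLE_RECORDS = [
    ProxyRecord("im.corp.example", "chat_im", "personal"),
    ProxyRecord("imessage.example", "chat_im", "personal"),
    ProxyRecord("othermessenger.example", "chat_im", "personal"),
    ProxyRecord("voip.example", "voip", "personal"),
    ProxyRecord("dropbox.example", "online_storage", "personal"),
    ProxyRecord("remote-desktop.example", "remote_access", "corporate"),
    ProxyRecord("appstore.example", "software_download", "personal"),
    ProxyRecord("news.example", "news", "personal"),
]

if __name__ == "__main__":
    for host, (before, after) in compare(SAMPLE_RECORDS).items():
        print(f"{host:28} original={before:6} revised={after}")
```

Running the block prints one line per sample record with both verdicts; the remote-desktop record from a corporate-owned device comes out as "review", which is the case the slide's "web content filtering != control" lesson is about.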
- 28.
LESSONS LEARNT
[Flow diagram with numbered steps 1 to 10; labels recovered: Credit Suisse Employee; CS BYOD Device; CS Desktop; Aruba ClearPass; Cloud Service; Access Point; Intranet Controller; DMZ Controller; BYOD SSID; Guest & Provisioning SSID; Bluecoat DMZ Proxy; Internet.]
Processes are important. Help stakeholders understand them by walking them through various scenarios:
- Guest registration
- Employee registration
- Employee day to day use
- Support
- 29.
YOUR PATH TO BYOD IN FINANCIALS
Objectives | Design | Execution
• Have clear business objectives.
• Senior stakeholder briefings.
• Mature requirements & early engagement necessary with IT suppliers
• What are your security policy objectives?
• Think about process & support design as well as the technology
• Translate the risk posture to security controls
• Don't compromise usability for security (impact of security discussions)
• Select technology platforms and suppliers
• Build in compliance from the beginning
• Test, test and test some more
And finally … celebrate a success!