Embracing BYOD with MDM and NAC

Chris Isbrecht, Fiberlink; Gil Friedrich, ForeScout

description

Learn how to embrace bring your own device (BYOD) in the enterprise with mobile device management (MDM) and network access controls (NAC). Special guests from Forescout featured.

Transcript of Embracing BYOD with MDM and NAC

Page 1: Embracing BYOD with MDM and NAC

Embracing BYOD with MDM and NAC

Chris Isbrecht, Fiberlink; Gil Friedrich, ForeScout

Page 2: Embracing BYOD with MDM and NAC


Today’s Agenda

• The BYOD Landscape

• Network Access Control (NAC) 101

• Embracing BYOD with MDM and NAC

• Use Cases

Page 3: Embracing BYOD with MDM and NAC

The BYOD Landscape

[Chart: What are your biggest concerns with BYOD support?]

[Chart: How are you managing employee-owned devices today? Responses: mobile device management (MDM) solution; native email controls; no controls in place (values shown: 26%, 43%, 31%)]

Page 4: Embracing BYOD with MDM and NAC

The BYOD Landscape

BYOD platforms: iOS, Android, BlackBerry, Windows

• Unmanaged and non-compliant tablets and smartphones

• Apps

• Data security, compliance and regulations

• End user privacy

• Customer experience

Page 5: Embracing BYOD with MDM and NAC

© 2012 ForeScout, Page 5

Embracing BYOD with MDM and NAC
Gil Friedrich, VP of Technology, ForeScout

June 8, 2012

Page 6: Embracing BYOD with MDM and NAC

What is Network Access Control (NAC)?

Technology that identifies users and network-attached devices and automatically enforces security policy.

Possible outcomes for a connecting device: GRANTED, LIMITED, BLOCKED, FIXED

Page 7: Embracing BYOD with MDM and NAC

NAC Architecture: Visibility and control of everything on your network

Appliance: Policy Engine, Packet Engine, DB

Plugins: Switch, VPN, Wi-Fi, User Directory, SIEM, Windows, Mac/Linux, Mobile NAC & MDM, ePO

What is this machine? Who’s the person behind the keyboard? How is it connected?

Page 8: Embracing BYOD with MDM and NAC

What Is Network Access Control (NAC): See, Grant, Fix, Protect

Real-time network asset intelligence

• Device type, owner, login, location

• Applications, security profile

ForeScout CounterACT Appliance / Virtual Appliance

Page 9: Embracing BYOD with MDM and NAC

What Is Network Access Control (NAC): See, Grant, Fix, Protect

[Diagram: Guest, Employee and Sales users mapped to Email, CRM and Web resources through the ForeScout CounterACT Appliance / Virtual Appliance]

Network access controls

• Grant access, register guests

• Limit or deny access

Page 10: Embracing BYOD with MDM and NAC

What Is Network Access Control (NAC): See, Grant, Fix, Protect

Manual to automated response

• Remediate OS

• Fix security agents

• Fix configuration

• Start/stop applications

• Disable peripherals

• Block worms, attacks

Page 11: Embracing BYOD with MDM and NAC

Mobile Security and NAC: NAC can serve as the BYOD enabler

Most companies will use various technical control mechanisms…

• Block all of the BYOD devices

• VDI - Virtual Desktop Infrastructure

• MAW – Mobile Application Wrapper

• WAP – Wireless Access Point

• MDM - Mobile Device Management

• NAC – Network Access Control

Page 12: Embracing BYOD with MDM and NAC

Network Access Control Foundational for BYOD

• No matter what [BYOD] strategy is selected, the ability to detect when unmanaged devices are in use for business purposes will be required — and that requires NAC.

• NAC policies can be used in combination with other approaches to implement the four strategies outlined in the framework — Contain, Embrace, Block and Disregard.

• NAC helps to protect the network, but it is only one component of a broader BYOD security strategy. Other solutions, such as MDM and HVDs [VDIs], are needed to secure mobile endpoints.

Gartner, “NAC Strategies for Supporting BYOD Environments”, December 2011, Lawrence Orans and John Pescatore

Page 13: Embracing BYOD with MDM and NAC


Layered Security Options

Page 14: Embracing BYOD with MDM and NAC

Poll Question

• Describe your organization’s plans for implementing a NAC solution

a) Already implemented a NAC solution

b) Plans to evaluate and purchase a NAC solution in the next 6 months

c) Will implement a NAC solution in next 12 months

d) No NAC solution; no plans for implementation

Page 15: Embracing BYOD with MDM and NAC

NAC+MDM Synergies: 1+1=3
Unify visibility, compliance and access control

NAC focus is on the network
MDM focus is on the mobile device

                 | MDM Alone                   | NAC Alone                        | NAC+MDM
Visibility       | Full info on managed only   | Basic OS info on all devices     | Complete
Access Control   | For managed and email only  | Partial (missing endpoint info)  | Complete
Compliance       | Managed only                | Very limited                     | Complete
Deploy Agent     | Pre-registration            | Network based                    | Both

Page 16: Embracing BYOD with MDM and NAC

Why Consider a NAC and MDM Combination? BYOD requires network, device, data and application controls

• MDM products can only secure devices that they manage

• NAC products can identify mobile devices – but lack deep inspection

• MDM lacks network access control, exposing your network and data to attack by unknown devices

• MDM device inspection is strong, but its freshness depends on polling frequency

• NAC can identify new/unmanaged mobile devices, protect the network and automate MDM enrollment

• MDM technology is needed to gain deep inspection and compliance details

• NAC can restrict network resources according to policy

• NAC/MDM integration can initiate a new inspection at the time of network access

Page 17: Embracing BYOD with MDM and NAC

Why Consider a NAC and MDM Combination? BYOD requires network, device, data and application controls

• MDM provides rich mobile lifecycle management: provisioning, apps, data containerization…

• MDM policy assessment may not be flexible enough to let users use their device outside of policy

• MDM daily operation is usually run by communications, applications or desktop teams

• Mobile device lifecycle management is outside the scope of core NAC capabilities

• NAC can temporarily quarantine a non-compliant mobile device on a corporate network

• NAC/MDM integration allows security operators to gain visibility and control across all devices

Page 18: Embracing BYOD with MDM and NAC

Automate Registration: How It Works

Device connects to the network:
  a. Classify its type: mobile device and its OS (Android, iPhone iOS, BlackBerry OS) or PC (Windows, Mac, Linux)
  b. Check if it has the mobile agent

If the agent is missing:
  a. Quarantine the mobile device
  b. Register and install the relevant MaaS360 agent on the mobile device (via HTTP redirection)

Once installed with an agent:
  c. Allow access based on policy
  d. Continue monitoring the agent’s operation


Page 21: Embracing BYOD with MDM and NAC

Real-time Compliance Testing: How It Works

Device connects to the network: it has a mobile agent but is jailbroken.

Force a compliance test:
  a. CounterACT informs MaaS360 to assess configuration attributes
  b. If in violation, inform ForeScout CounterACT
  c. CounterACT quarantines the mobile device and sends an informative message

Enable a compliance recheck:
  d. CounterACT informs MaaS360 to test
  e. Upon re-assessment, allow onto the network if the violation no longer exists
  f. Continue monitoring the agent’s operation
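The two workflows above (automated registration and real-time compliance testing) as an added Python simulation of the NAC decision logic. This is example code written for this page, not ForeScout CounterACT or Fiberlink MaaS360 code, and neither product's API is shown on the slides. It assumes a User-Agent-based classifier, an MdmPosture stand-in for the MaaS360 assessment call, a hypothetical enrollment URL, and a block-by-default policy for devices it cannot classify; the device records and posture data are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Access(Enum):
    """The four NAC outcomes from the "What is NAC?" slide."""
    GRANTED = "granted"   # access according to policy
    LIMITED = "limited"   # quarantine: enrollment portal or violation notice only
    BLOCKED = "blocked"   # no access
    FIXED = "fixed"       # was limited, remediated, now admitted


# Assumed enrollment portal that a quarantined device is HTTP-redirected to.
ENROLL_URL = "https://mdm.example.com/enroll"

# User-Agent substring classification is an assumption for this example; a real
# NAC also uses DHCP fingerprints, MAC OUI and directory data. Mobile signatures
# are checked first because iOS and Android User-Agents also contain "Mac OS X"
# and "Linux".
MOBILE_SIGNATURES = [("iphone", "iOS"), ("ipad", "iOS"),
                     ("android", "Android"), ("blackberry", "BlackBerry OS")]
PC_SIGNATURES = [("windows", "Windows"), ("macintosh", "Mac"), ("linux", "Linux")]


@dataclass
class Device:
    mac: str
    user_agent: str
    has_mdm_agent: bool


@dataclass
class Decision:
    access: Access
    reason: str
    redirect: Optional[str] = None   # set when the device is sent to enrollment


class MdmPosture:
    """Constructed stand-in for the MDM assessment call; not a MaaS360 API."""
    def __init__(self, jailbroken_by_mac):
        self.jailbroken_by_mac = dict(jailbroken_by_mac)

    def assess(self, mac):
        # True/False for a managed device; None when the MDM has no record of it.
        return self.jailbroken_by_mac.get(mac)


def classify(device):
    """Registration step a: mobile (and which OS) or PC (and which OS)."""
    ua = device.user_agent.lower()
    for needle, os_name in MOBILE_SIGNATURES:
        if needle in ua:
            return "mobile", os_name
    for needle, os_name in PC_SIGNATURES:
        if needle in ua:
            return "pc", os_name
    return "unknown", "unknown"


def on_connect(device, mdm):
    """Decision at the moment of network access; both slides start here."""
    kind, os_name = classify(device)
    if kind == "pc":
        # PCs are handled by the Windows and Mac/Linux plugins, out of scope here.
        return Decision(Access.GRANTED, f"{os_name} PC: desktop policy applies")
    if kind == "unknown":
        # Assumed policy: a device the NAC cannot classify gets no access.
        return Decision(Access.BLOCKED, "unclassified device")
    if not device.has_mdm_agent:
        # Registration step b: quarantine and redirect to the enrollment portal.
        return Decision(Access.LIMITED,
                        f"{os_name} without MDM agent: quarantined for enrollment",
                        redirect=ENROLL_URL)
    # Compliance steps a-c: ask the MDM at access time, quarantine on violation.
    jailbroken = mdm.assess(device.mac)
    if jailbroken is None:
        # Agent claims to be present but the MDM has no record: treat as unenrolled.
        return Decision(Access.LIMITED,
                        f"{os_name} agent present but unknown to MDM: re-enroll",
                        redirect=ENROLL_URL)
    if jailbroken:
        return Decision(Access.LIMITED, f"{os_name} jailbroken: quarantined, user notified")
    return Decision(Access.GRANTED, f"managed {os_name}: compliant")


def recheck(device, mdm, previous):
    """Registration steps c-d and compliance steps d-f: re-assess a quarantined
    device on demand instead of waiting for the MDM's next polling interval."""
    if previous.access != Access.LIMITED:
        return previous
    now = on_connect(device, mdm)
    if now.access == Access.GRANTED:
        return Decision(Access.FIXED, "remediated: " + now.reason)
    return now


def demo():
    """Walk the two slide scenarios; returns the decisions in order."""
    mdm = MdmPosture({"00:11:22:33:44:02": True})        # constructed posture data
    new_phone = Device("00:11:22:33:44:01",
                       "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X)", False)
    jb_phone = Device("00:11:22:33:44:02",
                      "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us)", True)
    trail = [on_connect(new_phone, mdm)]                  # LIMITED, redirect to enroll
    new_phone.has_mdm_agent = True                        # user completed enrollment
    mdm.jailbroken_by_mac[new_phone.mac] = False
    trail.append(recheck(new_phone, mdm, trail[-1]))      # FIXED
    trail.append(on_connect(jb_phone, mdm))               # LIMITED, no redirect
    mdm.jailbroken_by_mac[jb_phone.mac] = False           # user restored the device
    trail.append(recheck(jb_phone, mdm, trail[-1]))       # FIXED
    return trail
```

The point of the integration is visible in recheck(): the NAC triggers the MDM assessment at access time instead of relying on the MDM's polling interval, and a device whose agent reports in but that the MDM has no record of is sent back to enrollment rather than admitted on the strength of the agent alone.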


Page 26: Embracing BYOD with MDM and NAC

MDM, NAC Integration Example: Complementary Hybrid Cloud and On-Premise Implementation

MDM (MaaS360, cloud): management, policy, monitoring; application and data catalog
  – Apple iOS: MDM API
  – Android: agent
  – BlackBerry, Symbian, Windows, webOS

ForeScout CounterACT (on-premise):
  • Unified visibility
  • Unified access policy
  • Unified reporting
  • Automated MDM enrollment
  • On-access assessment
  • Block malicious activity

Page 27: Embracing BYOD with MDM and NAC

About ForeScout

ForeScout is the leading global provider of automated security control solutions for Global 2000 enterprises and government organizations.

• Founded 2000, Cupertino, CA
  – 115 employees worldwide, 200 partners worldwide

• Largest independent vendor of Network Access Control (NAC)
  – Leader ranking by Gartner, Forrester and Frost & Sullivan
  – Fastest growing; #2 market share, second to Cisco

• Innovative, proven worldwide
  – Global deployments across multiple vertical industries
  – Very large implementations (> 250,000 endpoints)

Page 28: Embracing BYOD with MDM and NAC

NAC Market Leadership

“Magic Quadrant for Network Access Control”, December 8, 2011; Lawrence Orans and John Pescatore; Gartner, Inc.

*This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from ForeScout. Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

*Forrester Wave NAC Q2-2011. The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

“Forrester Wave Network Access Control”, Q2-2011, Forrester Research, Inc.

Page 29: Embracing BYOD with MDM and NAC

Thank you. Questions? [email protected]

Page 30: Embracing BYOD with MDM and NAC

Wrap Up

• Upcoming Webinars (Registration Link in Chat Window)
  – Crushing 6 BYOD Risks: Policy Guidance from a Legal Expert • Thursday, June 21st @ 2:00 PM Eastern
  – Getting Started with MaaS360 • Tuesday, June 26th @ 2:00 PM Eastern

• Past Webinars (http://links.maas360.com/webinars)
  – The Cloud-Enabled Social Mobile Enterprise
  – Android in the Enterprise: Piecing Together Fragmentation
  – BYOD: Striking a Balance—Employee Privacy and IT Governance

• Plus lots of How-To content on our website
  – The Ten Commandments of Bring Your Own Device • http://links.maas360.com/wp_tenCommandments
  – Mobile Device Management: Your Guide to the Essentials and Beyond • http://links.maas360.com/ebook_mdmEssentials

Questions or [email protected]

[email protected]