Aruba designs and delivers Mobility-Defined Networks™ that empower a new generation of tech-savvy users who rely on their mobile devices for every aspect of work and personal communication. Known as #GenMobile, they demand to stay connected to everything all the time, no matter where they are.
It’s all too common. More and more Wi-Fi-enabled mobile devices are connecting inside and outside of your enterprise security perimeter.
The rise of #GenMobile has completely diluted the notion of a fixed perimeter – it doesn’t exist in a mobile world where users connect and work from anywhere. And those same mobile devices are subject to a rising tide of theft, loss, malware, and data leakage.
Where’s my #!%$#! phone? *
* Consumer Reports 2014 survey
To head off any risks, many enterprise IT organizations are resorting to extreme measures by adopting a zero-trust approach to security. From firewalls to traffic inspection to MDM, the new catchphrase is trust no one, verify everyone.
Unfortunately, the zero-trust approach has some serious flaws. First, it can only scrutinize users, devices and traffic after they connect. That’s like allowing a burglar into your home and then calling the police.
Zero trust also treats everyone as adversaries – executives, longtime employees, hospital patients, and students in their final year of school. Little attention is paid to their roles within an organization, the devices they regularly use, or the network resources they routinely access.
There’s got to be a better way.
If #GenMobile wants to be trusted to securely connect from anywhere using any device, they’ve got to earn it. And if IT is going to protect the enterprise network and its resources, it must adapt to the way #GenMobile works – starting from the inside out.
To do this, IT must leverage known, trusted contextual data – a person’s role inside an organization, the devices and apps they can use, and their location – to create policies that fortify network security and adapt to the way #GenMobile works.
This approach is known as adaptive trust and it essentially turns the zero-trust approach inside out. An adaptive-trust approach solves critical network access security challenges:
An adaptive-trust approach lets IT make smarter decisions about how users and devices connect and how their access privileges are enforced. Consequently, a centralized policy enforcement engine becomes the central nervous system for everything that connects.
Only the Aruba ClearPass Access Management System™ leverages an adaptive-trust approach to centrally control and enforce access policies based on roles, device attributes, and other contextual policies on any multivendor network.
This unique adaptive-trust approach ensures secure access to the enterprise infrastructure, accommodates how #GenMobile works, and prevents insider data leakage, malware threats, and other potential vulnerabilities.
Why ClearPass matters
Securing the #GenMobile experience
The best mobility experience. The strongest network security.
You can’t fix what you can’t see – Open your eyes. Today, IT can only guess what devices are connected to the network and who they belong to. Without granular visibility into who and what’s connected, there’s no way to create policies that meet the needs of specific groups, proactively troubleshoot problems or ensure security compliance.
Stuck in the Stone Age – Even the Flintstones know that legacy AAA is too primitive for secure mobility. It has left IT with static business rules that can’t possibly meet the new demands of #GenMobile. Flexible work habits require dynamic policies that are based on contextual data like user roles, device types, ownership, location, and app usage.
Just go with the flow – As Columbus noted upon reaching the New World, the IT helpdesk is being overwhelmed by requests from employees and guests to configure and onboard their personal devices for Wi-Fi access. The lack of self-service workflows also leaves users standing on the sidelines or seeking alternative ways to connect.
VLANs? That’s soooo ’90s – The notion of VLANs breaks down as #GenMobile connects from anywhere and uses work apps on mobile devices for data, voice and video. IT has no choice but to deny services or create complicated enforcement rules. News Flash: It’s the 21st century! Get rid of static VLANs and start using role-based policy enforcement.
The ClearPass Access Management System delivers secure enterprise mobility by integrating AAA with policy management, guest access, automated onboarding workflows, device health checks, and other self-service capabilities – all from one platform – on any multivendor network.
Enhanced visibility – The ability to dynamically profile devices as they connect provides IT with valuable information that can be used within policies and for troubleshooting. Policies based on real-time contextual data let security and network teams allow or restrict access to internal resources based on user, device type and their assumed risk level.
Enterprise-ready contextual policies – Built-in policy services within the ClearPass Policy Manager deliver where legacy AAA solutions fail. Secure enterprise mobility can now be managed from a single platform regardless of access method: wired, wireless or VPN. Contextual data like location, time of day and device type provide flexible policy enforcement attributes for today’s mobility-centric #GenMobile environments.
Self-service workflows – ClearPass leverages user and device attributes to offload routine IT tasks through the use of intuitive self-service workflows. Employees and guests are allowed to self-configure personal devices, manage certificates and request guest access, which reduces IT helpdesk tickets while increasing IT and user productivity.
Enforcement built for mobility – Mobility makes managing separate VLANs to enforce network privileges for user groups, workspaces and traffic types complex and burdensome. Mobility requires role-based policies that leverage roles and contextual data and direct users to appropriate resources automatically as users connect from anywhere and voice, video and data apps originate from the same device.
Beyond single sign-on – With ClearPass’ Auto Sign-On capability, once users sign on to the network, they don’t need to log in repeatedly to use their mobile apps. ClearPass validates a user’s network login and automatically authenticates the user to their mobile apps so they can get right to work – no need to tap out usernames and passwords over and over again on tiny mobile-device keyboards.
Third-party integration without the hassle – Using ClearPass Exchange, IT can leverage mobility intelligence from ClearPass and third-party solutions. Exchange lets IT easily share critical information with third-party systems – MDM, helpdesk, SIEM and threat-defense – through RESTful APIs and data feeds like syslog to enhance security and business workflows, without complex scripting languages and vendor involvement.
End-to-end device management – In today’s #GenMobile world, mobile devices and apps have evolved well beyond email. Integrating EMM with a network access management system to address today’s popular device operating systems and apps for secure mobility is key, regardless of whether the device is on the cellular or enterprise network.
Awesomely scalable
Built-in certificate authority
Connect multiple Active Directory domains and identity stores
Industry-leading guest services
Chief security officers, CIOs and VPs of infrastructure – Make every effort to call high up in the IT chain of command within the Global 2000. Chief security officers, CIOs and VPs of infrastructure are critical stakeholders when it comes to enterprise-wide perimeter security and data leakage prevention – issues that ClearPass is instrumental in solving.
Network security engineers – At a lower level in the Global 2000, network security engineers have in-depth technical knowledge about implementation, maintenance and integration of the enterprise security infrastructure for wireless, wired and VPNs. They understand hardware and software for AAA, Active Directory, NAC, MDM/EMM and firewalls.
ClearPass is a leader in the Gartner Magic Quadrant
In December 2013, ClearPass placed Aruba in the coveted leadership spot in Gartner’s Magic Quadrant for network access control (NAC). Gartner cited the overall strong growth of ClearPass and a demonstrated ability to win large opportunities. “Aruba’s customers and any enterprise that needs a NAC solution capable of supporting heterogeneous endpoints and heterogeneous networks should consider ClearPass,” wrote Gartner analyst Lawrence Orans.
Other ClearPass strengths highlighted by Gartner include:
What ClearPass can replace today
Cisco Secure Access Control Server (ACS) – Cisco’s legacy AAA solution is at the end of its useful life and Cisco is now pushing its Identity Services Engine (ISE) for mobility deployments. The window of opportunity to replace ACS with ClearPass is wide open as ACS does not support role-based or contextual policies, guest access, device onboarding or profiling.
Microsoft Network Policy Server for Windows Server 2008 – Limited primarily to Windows environments, Microsoft’s AAA and policy solution does not scale to meet today’s influx of popular mobile devices. Scalability is very limited and not conducive to remote deployments. The interface is difficult to manage and does not provide templates like ClearPass does.
Juniper Steel-Belted RADIUS (SBR) – SBR is near its end-of-life and Juniper was pushing its Unified Access Control (UAC) solution as the heir apparent, but Juniper is now pushing its Pulse solution. Juniper relied heavily on third-party NAC products to bulk up its bare-bones feature set with UAC, so it decided to go in a new direction with Pulse and its client for supporting mobile devices. Additional bullets:
What ClearPass competes with today
Cisco ISE – Cisco’s answer to network access control delivers similar functionality to ClearPass minus support for TACACS+, a built-in CA, full guest portal customization, AirGroup device registration and management, over 100 RADIUS dictionaries for multivendor support, and a host of other mobility-related features. According to Gartner, Cisco ISE is very expensive, complicated to deploy, and in many cases will require IT “to update hundreds or thousands of devices.” Additional silver bullets against ISE:
ForeScout CounterACT – CounterACT was designed for wired NAC with a heavy emphasis on traffic inspection. They are trying to keep up in a wireless world as their solution requires a client for non-Windows-based devices and they had marketed an agentless solution. ForeScout also lacks experience with AAA and 802.1X as their RADIUS implementation is less than a year old. Other silver bullets against CounterACT: