ClearPass Security Campaign Messaging Platform

Aruba designs and delivers Mobility-Defined Networks™ that empower a new generation of tech-savvy users who rely on their mobile devices for every aspect of work and personal communication. Known as #GenMobile, they demand to stay connected to everything all the time, no matter where they are.

If #GenMobile wants to be trusted to securely connect from anywhere using any device, they’ve got to earn it. And if IT is going to protect the enterprise network and its resources, it must adapt to the way #GenMobile works – starting from the inside out.

To do this, IT must leverage known, trusted contextual data – a person’s role inside an organization, the devices and apps they can use, and their location – to create policies that fortify network security and adapt to the way #GenMobile works.

This approach is known as adaptive trust and it essentially turns the zero-trust approach inside out. An adaptive-trust approach solves critical network access security challenges:

Adaptive policies – The use of contextual data ensures that all users and devices are assessed before they connect and access enterprise network resources. Enforcement is centrally managed whether a user connects via wireless, wired or VPN.
Compliance – All devices must meet security and posture guidelines before connecting. Devices not in compliance are denied access or required to remediate.
Secure workflows – Users onboard their own devices through an access management system that ensures only authorized users can initiate a workflow. Integration with third-party systems extends access security to MDM/EMM, firewalls and IDS/IPS systems.

An adaptive-trust approach lets IT make smarter decisions about how users and devices connect and how their access privileges are enforced. Consequently, a centralized policy enforcement engine becomes the central nervous system for everything that connects.

The #GenMobile risks

It’s all too common. More and more Wi-Fi-enabled mobile devices are connecting inside and outside of your enterprise security perimeter.

The rise of #GenMobile has completely diluted the notion of a fixed perimeter – it doesn’t exist in a mobile world where users connect and work from anywhere. And those same mobile devices are subject to a rising tide of theft, loss, malware, and data leakage.

Where’s my #!%$#! phone? *

3.1 million Americans had their smartphones stolen in 2013.
1.4 million smartphones were lost and never recovered.
Only 36% took the time to set a four-digit PIN. 64% didn’t want to dirty their screens.
Only a pathetic 8% installed software that could erase the contents of the phone.

* Consumer Reports 2014 survey

To head off any risks, many enterprise IT organizations are resorting to extreme measures by adopting a zero-trust approach to security. From firewalls to traffic inspection to MDM, the new catchphrase is trust no one, verify everyone.

Unfortunately, the zero-trust approach has some serious flaws. First, it can only scrutinize users, devices and traffic after they connect. That’s like allowing a burglar into your home and then calling the police.

Zero trust also treats everyone as adversaries – executives, longtime employees, hospital patients, and students in their final year of school. Little attention is paid to their roles within an organization, the devices they regularly use, or the network resources they routinely access.

There’s got to be a better way.

The best defense: Adaptive trust

This approach is known as adaptive trust and it essentially turns the zero-trust approach inside out. An adaptive-trust approach solves critical network access security challenges:

Adaptive policies – The use of contextual data ensures that all users and devices are assessed before they connect and access enterprise network resources. Enforcement is centrally managed whether a user connects via wireless, wired or VPN.
Compliance – All devices must meet security and posture guidelines before connecting. Devices not in compliance are denied access or required to remediate.
Secure workflows – Users onboard their own devices through an access management system that ensures only authorized users can initiate a workflow. Integration with third-party systems extends access security to MDM/EMM, firewalls and IDS/IPS systems.

The Aruba difference

Only the Aruba ClearPass Access Management System™ leverages an adaptive-trust approach to centrally control and enforce access policies based on roles, device attributes, and other contextual policies on any multivendor network.

This unique adaptive-trust approach ensures secure access to the enterprise infrastructure, accommodates how #GenMobile works, and prevents insider data leakage, malware threats, and other potential vulnerabilities.

Why ClearPass matters

Legacy AAA offers little to no policy enforcement or device profiling. The contextual data utilized by ClearPass is essential to enforcing policies as users move and devices change.
In addition to impeding outside threats, firewall vendors like Palo Alto Networks can now strengthen access-layer security by extracting contextual data from ClearPass.
MDM solutions that offer application controls across 3G/4G networks can now leverage ClearPass to do the same across enterprise wireless networks.
Device onboarding is no longer a manual IT process. ClearPass makes it easy to onboard your own device and uses a built-in certificate authority instead of logins and passwords.

**Top-level ClearPass product message**

Securing the #GenMobile experience

The best mobility experience. The strongest network security.

Consistently identify and classify every user and device for enhanced visibility. Learn more
Contextual-based policies enforced across any multivendor network. Learn more
Automated workflows allow users to securely configure personal devices without IT involvement. Learn more
Role-based policy enforcement rules that adapt to unpredictable mobility behavior.

The IT dilemma and challenges

You can’t fix what you can’t see – Open your eyes. Today, IT can only guess what devices are connected to the network and who they belong to. Without granular visibility into who and what’s connected, there’s no way to create policies that meet the needs of specific groups, proactively troubleshoot problems or ensure security compliance.

Stuck in the Stone Age – Even the Flintstones know that legacy AAA is too primitive for secure mobility. It has left IT with static business rules that can’t possibly meet the new demands of #GenMobile. Flexible work habits require dynamic policies that are based on contextual data like user roles, device types, ownership, location, and app usage.

Just go with the flow – As Columbus noted upon reaching the New World, the IT helpdesk is being overwhelmed by requests from employees and guests to configure and onboard their personal devices for Wi-Fi access. The lack of self-service workflows also leaves users standing on the sidelines or seeking alternative ways to connect.

VLANs? That’s soooo ’90s – The notion of VLANs breaks down as #GenMobile connects from anywhere and uses work apps on mobile devices for data, voice and video. IT has no choice but to deny services or create complicated enforcement rules. News Flash: It’s the 21st century! Get rid of static VLANs and start using role-based policy enforcement.

**ClearPass product value-proposition**

The ClearPass Access Management System delivers secure enterprise mobility by integrating AAA with policy management, guest access, automated onboarding workflows, device health checks, and other self-service capabilities – all from one platform – on any multivendor network.

Enhanced visibility – The ability to dynamically profile devices as they connect provides IT with valuable information that can be used within policies and for troubleshooting. Policies based on real-time contextual data allow security and network teams to allow or restrict access to internal resources based on user, device type and their assumed risk level.

Enterprise-ready contextual policies – Built-in policy services within the ClearPass Policy Manager delivers where legacy AAA solutions fail. Secure enterprise mobility can now be managed from a single platform regardless of access method- wired, wireless or VPN. Contextual-data like location, time of day and device type provide flexible policy enforcement attributes for today’s mobility-centric #GenMobile environments.

Self-service workflows – ClearPass leverages user and device attributes to offload routine IT tasks through the use of intuitive self-service workflows. Employees and guests are allowed to self-configure personal devices, manage certificates and request guest access, which reduces IT helpdesk tickets while increasing IT and user productivity.

Enforcement built for mobility – Mobility makes managing separate VLANs to enforce network privileges for – user groups, work-spaces and traffic types – complex and burdensome. Mobility requires role-base policies that leverages roles, contextual data and directs users to appropriate resources automatically as users connect from anywhere and voice, video and data apps originate from the same device.

**Secondary-level ClearPass product messages**

Beyond single sign-on – With ClearPass’ Auto Sign-On capability, once users sign-on to the network, they don’t need to repeatedly login again to use their mobile apps. ClearPass validates a user’s network login and automatically authenticates the user to their mobile apps so they can get right to work – no need to tap out usernames and passwords over and over again on tiny mobile-device keyboards.

Third-party integration without the hassle – Using ClearPass Exchange, IT can leverage mobility intelligence from ClearPass and third party solutions. Exchange lets IT can easily share critical information with third-party systems – MDM, helpdesk, SIEM and threat-defense – through RESTful APIs and data feeds like syslog to enhance security and business workflows, without complex scripting languages and vendor involvement.

End-to-end device management – In today’s #GenMobile world, mobile devices and apps have evolved well beyond email. Integrating EMM with a network access management system to address today’s popular device operating systems and apps for secure mobility is key, regardless if the device is on the cellular or enterprise network.

Top-level competitive differentiation

Awesomely scalable

ClearPass is purpose-built to scale up to 1 million endpoints.
Unique clustering capabilities ensure the highest availability.
Every ClearPass application license scales across the entire cluster.

Built-in certificate authority

Eliminates the need for a costly and complicated public key infrastructure (PKI).
Device certificates include domain, user and device-type information for stronger security.
IT or users can easily remove or revoke certificates for lost or stolen devices.

Connect multiple Active Directory domains and identity stores

Manage policies for different domains due to mergers or acquisitions for consistent user mobility experience.
No need to duplicate Active Directory credentials across multiple environments.
Leverage separate authentication and authorization sources within a single policy.

Industry-leading guest services

Only guest portal that can be branded and deliver advertising aimed at any user.
Unprecedented scale and flexibility to support network access for hundreds of thousands of guests.
Self-registration and sponsor workflows eliminate the burden on IT staff and improve the guest experience.

Target audience

Chief security officers, CIOs and VPs of infrastructure – Make every effort to call high-up in the IT chain of command within the Global 2000. Chief security officers, CIOs and VPs of infrastructure are critical stakeholders when it comes to enterprise-wide perimeter security and data leakage prevention – issues that ClearPass is instrumental in solving.

Network security engineers – At a lower level in the Global 2000, network security engineers have in-depth technical knowledge about implementation, maintenance and integration of the enterprise security infrastructure for wireless, wired and VPNs. They understand hardware and software for AAA, Active Directory, NAC, MDM/EMM and firewalls.

ClearPass is a leader in the Gartner Magic Quadrant

In December 2013, ClearPass placed Aruba in the coveted leadership spot in Gartner’s Magic Quadrant for network access control (NAC). Gartner cited the overall strong growth of ClearPass and a demonstrated ability to win large opportunities. „Aruba’s customers and any enterprise that needs a NAC solution capable of supporting heterogeneous endpoints and heterogeneous networks should consider ClearPass,“ wrote Gartner analyst Lawrence Orans.

Other ClearPass strengths highlighted by Gartner include:

Aruba’s 802.1X innovations include a built-in certificate authority to ClearPass, which eases BYOD implementations by not requiring an external certificate authority. The ClearPass Onboard module provides the ability to revoke and delete certificates (for example, when devices are lost or stolen).
ClearPass offers a strong guest network application. Guest portals can be customized with a wide range of options, including localized language support. Granular policies allow guests to share printers and projectors that use Apple’s Bonjour protocol.
Aruba provides detailed diagnostic information to assist network administrators in troubleshooting failed 802.1X authentications.

Get the Gartner Magic Quadrant for NAC

The NAC competitive landscape

What ClearPass can replace today
Cisco Secure Access Control Server (ACS) – Cisco’s legacy AAA solution is at the end of its useful life and Cisco is now pushing its Identity Services Engine (ISE) for mobility deployments. The window of opportunity to replace ACS with ClearPass is wide open as ACS does not support role-based or contextual policies, guest access, device onboarding or profiling.

Microsoft Network Policy Server for Windows Server 2008 – Limited to primarily Windows environments, Microsoft’s AAA and policy solution does not scale to meet today’s influx of popular mobile devices. Scalability is very limited and not conducive to remote deployments. The interface is difficult to manage and does not provide templates like ClearPass does.

Juniper Steel-Belted RADIUS (SBR) – SBR is near its end-of-life and Juniper was pushing its Unified Access Control (UAC) solution as the heir-apparent, but Juniper is now pushing their Pulse solution. Juniper relied heavily on third-party NAC products to bulk-up its bare-bones feature set with UAC, so they decided to go in a new direction with Pulse and their client for supporting mobile devices. Additional bullets:

Juniper is now recommending Aruba Wi-Fi to their customers which makes ClearPass a logical choice for network access security.
Profiling requires a separate MAG SM360-PROFILER module. Profiling is built into base ClearPass software.

What ClearPass competes with today
Cisco ISE – Cisco’s answer to network access control delivers similar functionality to ClearPass minus support for TACACS+, a built-in CA, full guest portal customization, AirGroup device registration and management, over 100 RADIUS dictionaries for multivendor support, and a host of other mobility related features. According to Gartner, Cisco ISE is very expensive, complicated to deploy, and in many cases will require IT „to update hundreds or thousands of devices.“ Additional silver bullets against ISE:

Not optimized for multivendor environments; is optimized to lock you into a Cisco-only infrastructure.
Weak, lackluster onboarding capabilities with no way to distribute device certificates.
A horrifically anemic guest access feature-set with virtually no customization or advertising capabilities.

ForeScout CounterACT – CounterACT was designed for wired NAC with a heavy emphasis on traffic inspection. They are trying to keep up in a wireless world as their solution requires a client for non Windows based devices and they had marketed an agentless solution. ForeScout also lacks experience with AAA and 802.1X as their RADIUS implementation is less than a year old. Other silver bullets against CounterACT:

Its unwieldy approach to policy enforcement requires constant reconfiguration of network switches.
Weak, lackluster onboarding capabilities with no way to distribute device certificates.
Very expensive to scale, requiring separate threat-protection appliances at all remote locations.