Thinking about BYOC? Beware the perimeter!
The abbreviation BYOC keeps cropping up in marketing presentations from Citrix and other vendors. What is it? Bring Your Own Computer, or in Russian ПРИходи СО Своим Компьютером (ПРИСОСКО :)). Rick Dehlinger talks about the problems of letting users access corporate applications from their personal PCs (or iPads), and about how to solve them correctly from a technical standpoint.
6. Who are they? What do they do?
Global specialty pharmaceuticals manufacturer
Design, test, manufacture, and sell specialty pharmaceuticals
Approx. 10,000 users worldwide: R&D, Manufacturing, Sales, Administrative Services, Contractors, etc.
HQ on the West Coast of the USA; offices/users in over 40 countries
Highly competitive market
Highly regulated industry

7. Snapshot: IT Environment (today)
Primary datacenter in Oregon; a variety of other resources scattered everywhere
Small IT team; operational support provided by a global MSP
XP on the desktop, data everywhere, SMS for basic management
Complex Active Directory structure

8. Snapshot: User Environment
Approx. 10,000 users worldwide
Large percentage of remote users (40%+)
Large percentage of 'contingent' workers

9. Problems...!
Complex IT environment
Slow time to market with new services
User satisfaction level: too low!
M&A and the sale of business units are costly and complex
HIGH risk/impact of industrial espionage, compliance breaches, legal actions

11. What is the 'Universal Workplace'?
User perspective: "What you want, when you want it, where you want it."
IT perspective: a major IT transformation project that touches almost every component of their infrastructure; THE opportunity to do things RIGHT!

12. 'Single Pane of Glass': Universal Access
Users: "...all you need is a browser and an Internet connection!!!" "...dynamically adjust to provide you with everything you need!" "...use any device you want!"
IT/Management: "...service non-managed machines without managing them" "...we'll be dancing in fields, as carefree as birds!!"

13. What's in scope?
Datacenter, data, and system consolidation
AD and application rationalization
Desktop refresh (Win7/x64)
SMS to SCCM, Exchange upgrades
SAN upgrades
Network perimeter hardening/transparency
24. Challenge One: Access Control, Managed Networks
Problem: no layer 1-3 access control; no device differentiation, health checking, etc. Find a plug, have fun! (full network access)
Today: simple certificate check for wireless network access and some wired network access (conference rooms); Cisco Clean Access implemented, then torn out on the main campus
Primary 'filter' today: facility security, escort policies

25. Solution: 802.1X PNAP
802.1X now a critical dependency
Switch/router upgrades
Enterprise PKI deployment
Note: Gartner/Burton feedback...

26. "...implementing a NAC architecture is not simple... the promise... is still mostly in the future." (Burton Group, 2008 Analyst Report)

27. Challenge 2: Managing Off-Network Devices
Problem: 40%+ field employees rarely connect to the corporate managed network
Goal: seamless user (AND IT management) experience on and off the managed network

28. Options to Consider...
Don't manage them! (shot down)
Establish an SSL VPN connection at logon (an option... but not desired: more complex user experience)
DirectAccess (current leading option...!)
Open source Openswan

29. More on DirectAccess...
Upsides of DirectAccess: seamless user experience; seamless management experience
Challenges: IPv4 resources!!! No-go without NAT64/DNS64 services, so UAG is a must; robust PKI required; complexity; an unknown quantity, with no internal/3rd-party expertise identified
31. Challenge 3: No Passwords Outside the Perimeter
The fear: keyloggers on unmanaged devices capturing username/password, then compromising other externally published applications (OWA, SharePoint, etc.)
Potential solutions: Computer Associates UCG; visionapp's vSL
Risks: 'honey pot' (a reversibly encrypted credentials database); agents on each AD domain controller

32. Solution?
Accept the risk! ...and move critical services behind the new perimeter with OTP
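Why putting the critical services behind an OTP perimeter blunts the keylogger fear from Challenge 3: a code is bound to a 30-second time step and is accepted only once, so whatever a keylogger on the unmanaged device captures is dead on arrival. The snippet below is an added illustration, not code from Rick's deck or from any vendor product; it implements RFC 6238 TOTP (HMAC-SHA1, RFC 4226 truncation) with a per-user record of the last accepted time step, using the RFC's published test secret and an in-memory store as assumptions for the demo.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 reference test secret (constructed demo value, never a production key).
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Verifies TOTP codes and refuses replay of a time step that was already accepted."""

    def __init__(self, step: int = 30, skew: int = 1):
        self.step = step      # seconds per time step (RFC 6238 default)
        self.skew = skew      # steps of clock drift tolerated on either side
        self.last_step = {}   # user -> highest accepted step (assumed in-memory store for the demo)

    def verify(self, user: str, secret: bytes, code: str, now: float) -> bool:
        current = int(now) // self.step
        for t in range(current - self.skew, current + self.skew + 1):
            if hmac.compare_digest(hotp(secret, t), code):
                # A captured code replayed later matches a step no newer than one already used.
                if t <= self.last_step.get(user, -1):
                    return False
                self.last_step[user] = t
                return True
        return False   # no step in the window matches: wrong or expired code


if __name__ == "__main__":
    v = OtpVerifier()
    print(v.verify("alice", DEMO_SECRET, "287082", 59))   # True: fresh code for step 1
    print(v.verify("alice", DEMO_SECRET, "287082", 70))   # False: keylogged code replayed
    print(v.verify("alice", DEMO_SECRET, "359152", 70))   # True: next step's code is new
```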
34. Rick Dehlinger: Independent Technologist/Consultant, Citrix Technology Professional/Public Speaker
rick@rickdehlinger.com | @rickd4real | LinkedIn | rick.dehlinger@clarossystems.com
About Claros: Claros Systems is an independent professional services organization intensely focused on building world-class, change-friendly Delivery Systems. It is owned by Rick Dehlinger and 2 other managing partners.