MobileIron PLUS Webinar: Adding Value in the Security Stack

Webinar transcript


Cynthia Ryan:  Good morning, and welcome to MobileIron PLUS, "Adding Value in the Security Stack." This is the first in a series of webinars under the MobileIron PLUS umbrella that will discuss the value that partners, prospects, and customers can gain from combining MobileIron's solutions with those of our ecosystem partners. Let's get started. First, let's meet our presenters.

My name is Cynthia Ryan, and I am the Solutions Marketing Manager focusing on promoting ecosystem partners and solutions at MobileIron. I've spent over 15 years in the tech industries, but not as an engineer. I come to the industry as an MBA [inaudible 0:37].

I've also worked in consulting, direct sales, and partner management during my career in tech at companies such as Accenture, Hewlett Packard, and Amazon Web Services. I recently took a break from my tech career to return to the San Francisco Conservatory of Music, where I earned a master's and a post‑graduate degree in playing viola.

Now, I'm back at MobileIron in a new role that was created specifically to help people understand the value that we can bring together with our ecosystem partners as well as with our strategic partnerships.

Also joining us this morning is James Plouffe. He's a strategic technologist here at MobileIron. He's got over 20 years of experience in the industry doing IT and info security services for everything from mid‑sized enterprises all the way to global‑sized organizations.

At MobileIron, he's responsible for setting technology integration strategy, identifying strategic technology partners, and implementing joint technology solutions to help customers be successful in making modern endpoints a seamless part of their IT and info security strategies.

Prior to MobileIron, he spent a decade as a network and security architect for Toyota Motor North America, where he was responsible for designing and building the LAN, WAN, and perimeter security infrastructure for North American facilities.

One of the funnest facts about James is the fact that he was a technical consultant for seasons one through three of the award‑winning hacker drama, "Mr. Robot," on USA Network. Also joining us this morning is Kurt Westphal. Kurt is a partner solutions architect here at MobileIron.

He's a mobile architect and developer who's created several large‑scale e‑commerce iOS and Android apps. He's also worked on back‑end Web services for large retailers such as Macy's and Bloomingdale's, as well as Western Union.

At MobileIron, Kurt is the business and corporate development liaison into products and engineering, so he's a very important bridge for our team as we work in the ecosystem with our partners.

He works with partners and companies on developing transformational native, SDK‑based iOS and Android apps, and REST Web services integrations with MobileIron technologies, platforms, and frameworks.

Before we go on, a little bit of housekeeping. A recording of this webinar will be available shortly. It will include the transcript, a replay, and the slides, as well as some additional supporting documentation we will be able to provide about some of the topics we're discussing here this morning.

Additionally, we welcome your questions. We will pause for Q&A in between topics, so please input your questions using the Q&A panel in WebEx. As a public company, we do need to make a disclaimer about the fact that anything we're discussing here should not be used as the basis of any purchasing decisions or any financial decisions.

These are discussions of some things that are in progress, but also some things that we already have done. Again, as a public company, we need to make this disclaimer. Let's talk about why we're here.

Gartner said in the recent UEM Magic Quadrant that leaders in this quadrant, the UEM Magic Quadrant, demonstrate broad integration with channel and other technology providers. Organizations that want an up‑to‑date, scalable, and proven UEM solution that integrates with a large security ecosystem should consider MobileIron.

As I mentioned at the top of the presentation, MobileIron PLUS is the umbrella under which we're going to be talking about the kinds of choice, flexibility, and best‑of‑breed security solutions that are available to our customers when combining MobileIron with our ecosystem partners.

There's a lot of goodness here in the ecosystem that we really haven't been talking about much. Today, for example, you'll hear about new configuration options for using your existing security solutions in terms of IDP. Also, we're going to talk about our existing integration with Cisco ISE for network access control.

Finally, we will be talking about a new integration. We're very pleased to announce that at the end of July, MobileIron became the first UEM vendor to integrate with the industry‑standard McAfee ePolicy Orchestrator solution.

We're not just here to tell you about all the great things that we're doing and all the value that's out there for you to capture with these solutions; we also would like to establish a dialogue. We're here every day, and we care very much about the ecosystem and how it can serve MobileIron customers and partners.

We'll start telling you more about what's going on, and you can start telling us by what you'd like to see, by emailing us at

With that, I'm going to turn it over to James Plouffe, who will set a little context and background for our discussion today. James?

James Plouffe:  Thank you, Cynthia. For those of you that have been around MobileIron a little while, you are no stranger to the fact that mobility can be subject to trends. Certainly, that makes it very much like what we see here, in fashion. I think it's fair to say that, over time, that notion of just getting secure access to email on mobile devices has gotten a little out of date.

These days, folks are a lot more interested in ways that they can achieve anytime, anywhere access to the business applications that they're using, and really changing their business processes around these new endpoints, in a way that helps folks become more flexible and more productive.

In the ecosystem team, we're looking for things that are a little bit more, I guess you could say, fashion‑forward. As we think about ways that folks are reinventing these business processes, we realize that security is table stakes.

Providing that in a transparent way, one that is not adding a lot of operational burden to the folks who already have a lot to do, is one of the key goals as we look at how we integrate with partners, and which partners we integrate with.

As a UEM admin, you've got some great visibility into what's happening on this very important new endpoint. The device‑to‑EMM relationship is a unique one that gives you a lot more visibility than you could get on traditional laptop and desktop operating systems.

You can see the user identity, you have a good view into what the state of the device is, in terms of its ownership, its current configuration, its application inventory. You've also got a lot of visibility into the access policies, and the compliance and enforcement actions you can take on that device.

The trouble is that security, for better or worse, is not an island. In many cases, this data can just live in a silo. Where the real value comes from is unlocking that data and exposing it to other systems.

When you start to look at your MobileIron infrastructure, it can take several different roles, depending on the context and the way it is integrating with the rest of your security infrastructure. Specifically, there's a notion of a policy decision point, which we think of as any entity where you can define and evaluate policies.

For those of you that work on MobileIron day‑in, day‑out, you do this a lot, with the different security configurations that you set up, the rules that you may implement in Sentry, and so on and so forth.

There's also the notion of a policy information point, so something in the infrastructure, that has some data that it can share with some other piece of the infrastructure, to make that piece of the infrastructure make a better security decision.

A lot of your MobileIron infrastructure can also play this role. MobileIron Core and Cloud know a lot about what's going on with the device. In a little bit, Kurt's going to tell you about how that information can feed into things like network access control systems, to improve the decisions that they're able to make.

Lastly, we have the notion of a policy enforcement point. If the policy information point is the club owner, the policy enforcement point is the bouncer. You can do all sorts of evaluation, but if you can't take any sort of action to remediate conditions, then it doesn't do you a lot of good. All of these things play together holistically to provide value throughout this entire chain.

For us at MobileIron, with the ecosystem in particular and our technology partners, it really is about silo‑busting: helping to provide additional awareness, and aligning different security tools and infrastructure across an entire life cycle, whether you're talking about asset management all the way on through security operations. Our goal is to help share data so that you have coordinated control of all the endpoints in your fleet.

With that, I'd actually like to turn it over to Kurt Westphal. Oh, I'm sorry, I'm not turning it over to Kurt yet, I'm going to spend a minute more talking about identity.

One of the recent changes that Cynthia mentioned is the fact that we have made some changes in the way that we integrate with certain of our technology partners. For those of you that are familiar with MobileIron Access, that's our solution to help provide secure cloud services on mobile devices by protecting business data, simplifying authentication, and giving you some additional visibility into the services your customers and users are using.

The goal, of course, of MobileIron Access is to ensure that trusted users are using trusted devices and trusted applications to access your cloud services, and to prevent that nightmare data loss scenario that results in a breach and other untoward outcomes.

Traditionally, when we have implemented MobileIron Access, we have deployed the MobileIron Access platform as an IDP proxy. If you look at the diagram here on the left‑hand side of the slide, you can see that essentially what happened was all authentication traffic was sent through MobileIron Access, redirected to an identity provider, and then, based on the outcome of the authentication and authorization decisions, passed on to the cloud service in question.

Now, this is certainly an excellent way to deploy MobileIron Access, but many customers had actually already deployed their identity provider infrastructure; they'd already configured their SaaS services to take advantage of the identity provider that they were using.

Going back and reconfiguring all of these services was a non‑trivial exercise and required a lot of effort and a lot of change controls, and anyone who has sat through any of those meetings knows you want to avoid them at all costs.

What we're proud to announce is a new deployment model, which allows identity providers to connect to MobileIron Access. You can maintain your existing configuration and still get that additional context that MobileIron Access provides for mobile devices and mobile applications, and ensure that you're still only granting access to authorized users on appropriate devices, but without having to do all of those traffic redirects and reconfiguration through MobileIron Access.

This is available today for Microsoft Active Directory Federation Services and Okta. We are in the process of testing with Ping Identity, so regardless of which IDP you have chosen, you have a lot of options and flexibility in deployment.

If you need more information about how any of this works, please don't hesitate to reach out to us at ask‑ecosystem@ or contact your MobileIron account rep.

Now, I would like to turn it over to Kurt so that he can tell you a little bit about access control.

Kurt Westphal:  Thank you James. Hi. I'm Kurt Westphal. Good morning, everyone. Let's talk about access control.

All right, so when we talk about network admission control or network access control, it's useful for us to frame the conversation using some questions. The first question we might ask ourselves is how many endpoints are in the network.

When an administrator or a line of business, or maybe the CIO, starts doing an inventory across their enterprise and starts to consolidate all their endpoints, one of the things they discover in this modern mobile universe with unified endpoints is that there are a lot of endpoints that I have to consider. A lot more than I even thought at the outset.

The second question we might consider is, OK, now that we know we have tons of different kinds of endpoints, what kinds are they? What's the distribution? Are they the kind of endpoints you would expect to be in your network?

A lot of the growth in networks where people bring their own devices is organic. Often the line of business, the admin, or the security team, when they start to do some discovery on this, realize, "Wow, the mix of endpoints is vastly different than we thought. There's a ton of devices, a lot more than we ever expected."

That leads naturally to a third question: when I'm making a network access control decision, and I want to implement network access control in my enterprise, how do I know that I have enough information to grant access?

Can I be certain that the NAC profiles that I've assembled for my different kinds of endpoints contain enough detail for me to make realistic and secure access policy decisions? Let's consider what a network access control topology looks like when we don't use MobileIron.

In this case, we notice the gatekeeper serves the role of the NAC provider policy engine. To refer back to James's description of the policy decision point and the policy enforcement point, the NAC provider is serving those roles in this diagram.

A NAC profile is constructed from the device information, and decisions can be made by the NAC provider as to whether to grant access or not to the back‑end services.

The gatekeeper, or the NAC provider, does the authentication. It looks at the NAC profile and makes a determination about whether to allow that application, that device, to connect to the back‑end service.

Now, let's consider the scenario where we include MobileIron in the picture. Then the MobileIron enterprise serves as a single point of trust. The NAC role is the same as the gatekeeper. It still makes the policy decisions, the execution decisions, or the control decisions.

The MobileIron is able to...the EMM provider like MobileIron is able to do the configuration, provisioning, and monitoring of all the unified endpoints. The device profiles that it can yield end up providing some additional information that's being used to populate the NAC profile with context‑rich information.

In this scenario, the authentication process is the same. It goes to the NAC system. A query is [inaudible 17:54] to the MobileIron EMM, and the rich context information is used to elaborate on the existing NAC profile.

Very rich policy decisions can be made, and access to the back‑end service, whether it's cloud or on‑premise, can be controlled.

In this model, the MobileIron system is working as the policy information point, where we're providing this rich context data back to the NAC provider to supplement the existing NAC profile.

The next thing that I want to talk about is what we're showing in this diagram here: the integration, the marriage, of the MobileIron EMM and the NAC provider.

Two partners that we've done and have existing integrations with are the Aruba ClearPass NAC system as well as Cisco ISE. On the MobileIron side, MobileIron is able to extract device security attributes.

It gets configuration data and is able to provide some rich, context‑aware policy information that can be used to allow the NAC provider to do things like dynamic authorization.

It also provides a much more granular and extensible enforcement of the different kinds of policies that the NAC provider wants to apply inside the enterprise. The EMM system itself can manage all the automated user enrollment configurations and the provisioning operations.

Then the information that can be provided for granting access yields a device posture to build a rich NAC profile that the network access control provider can use in order to make their granular policy decisions.

I would like to pass the talk back over to James Plouffe, who's going to speak about Web security and security operations.

James:  This is our last topic of the webinar. As we look at the evolution that's taken place in the way that endpoints behave and where they live, it's become apparent that things like Web security and security operations can get a little bit more challenging.

In particular, when it comes to Web security, we're very accustomed to having a choke point somewhere in the network infrastructure where we can do things like enforce an acceptable use policy, do deep packet inspection, block things like botnet command and control sites, and so forth.

In the mobile and cloud world, when things by definition move outside the network perimeter, many of those things get a good deal more challenging. As we look at solutions to address that, one area where we have partnered is with Cisco on their Security Connector, which is something that's available for iOS 11.3 and newer.

It allows you to tie your iOS devices to Cisco's Umbrella content security, which entails both URL and content filtering, as well as their Cloudlock CASB. It also connects to their Clarity anti‑malware solution.

What's really involved here is a scenario where you need to have an iOS 11.3 or newer supervised device. You generate configuration profiles from the respective Cisco consoles, whether you're talking about Umbrella or Clarity.

You deploy those configuration profiles through MobileIron Core or MobileIron Cloud. Then you have the ability to apply policies consistently regardless of the type of endpoint. This gives you a new level of visibility into the mobile endpoints, and the ability to enforce an identical policy across your endpoints irrespective of what type of operating system they're using.

Another area where we look at content security is through an integration with McAfee SecureWeb Gateway. We actually have a couple of different deployment options that you can implement for the McAfee SecureWeb Gateway.

The first, actually, is to use SecureWeb Gateway as an upstream proxy from Sentry. For folks who are taking advantage of MobileIron Tunnel and backhauling traffic from their mobile devices to some data center, you can configure McAfee Web Gateway as an upstream proxy from Sentry and apply your content filtering policies in that way.

One of the advantages, of course, of relying on MobileIron Tunnel is that it is a per‑app VPN. It allows you to send back only that traffic which is generated by apps managed by the enterprise.

This is good for a lot of reasons. It helps conserve bandwidth at the head end, and it also actually helps maintain user privacy, because you don't have to redirect a bunch of personal traffic that might ultimately get blocked on something like a BYO device.

Another deployment option for SecureWeb Gateway is actually to use the VPN capabilities of the device to backhaul the traffic directly to SecureWeb Gateway from the mobile device.

This is just another option that's available to you, depending on what your deployment requirements are and the make‑up of your fleet. One of the things that we want to highlight, of course, is both the deployment flexibility and the ability to apply a consistent policy across all of your endpoints, regardless of operating system.

One of the other things that we're very excited to announce is an integration between MobileIron and McAfee ePolicy Orchestrator. It probably sounds like I'm really beating the drum hard on unified policy, but a lot of what we do in the ecosystem team is devoted to helping mobile devices become first‑class IT citizens.

As more and more users rely on these for more and more of their work, it becomes more and more important to be able to treat them just like any other endpoint.

For those of you that are not familiar with ePolicy Orchestrator, it's McAfee's endpoint management tool, which they use to apply policies across traditional OSs ‑‑ the Windows, the Linuxes, desktop and server editions of both of those ‑‑ and to maintain the endpoint security policy, as well as monitor it for violations.

It is also part of their Data Exchange Layer, or DXL, fabric, which is central to providing a framework for passing notifications between different pieces of infrastructure.

As I mentioned at the beginning of this presentation, MobileIron has access to a lot of interesting information about a mobile device, things that may be interesting to someone who is responsible for endpoint security, or someone in the security operations center.

Unfortunately, without connecting to external systems, the SOC admin or the endpoint security admin may need to log in to a MobileIron console. What we've done with our integration with McAfee ePolicy Orchestrator is to give admins the ability to extract that information from MobileIron and display it in the ePO console, in pursuit of that wily and elusive single pane of glass.

What we've got as part of this integration is a new ePO plugin that works with MobileIron Core, which allows an admin to select the different attributes that they'd like to monitor for a mobile device.

The presentation here, I suppose, is a little bit of an eye chart, but you can see you have a series of checkboxes where you can go through, select the attributes that you're most interested in, and then import the devices and the corresponding values for those attributes.

That lets you, then, display the different devices according to different criteria, so you can build policies around that. If you look carefully in the lower left‑hand corner of this particular screenshot, you can also see that admins have the ability to take EMM actions based on the different policies that are set up and the different alerting that takes place inside the ePO console.

That's it for us at this point. I think we can open it up for Q&A.

Cynthia:  Thank you, James. Yes, we have had a couple of questions come in on the Q&A line.

The first question comes from Chris, and he says, "I know mobile..." Chris, I don't know if it's he or she, [laughs] Chris says, "I know with MobileIron's integration with ServiceNow, the IT ServiceNow administrator can take MDM action directly from within ServiceNow. Does that similar functionality exist within the ePO integration?"

James:  Great question, Chris. The answer is yes. That's exactly what we just saw in the previous slide, in the lower‑left corner. Taking steps like Lock, Wipe, and so forth are things that an ePO admin can initiate directly from the console, without having to log into MobileIron separately, or without having to get a MobileIron admin involved.

Cynthia:  Great, thanks. The next question comes from John: "Is the SecureWeb Gateway only being used for apps that are specified, but will a user that is accessing a personal app be sent to the Internet?"

James:  Like so many questions in IT, the answer to that question, John, is "it depends." Fortunately, the configuration options that are available to you do allow you to only send enterprise traffic.

In that first slide that I showed, which highlighted using MobileIron Tunnel, and using the SecureWeb Gateway as an upstream proxy from Sentry, you have the ability to make sure that all of your personal traffic and enterprise traffic are totally segmented, and you never have to see the personal side of things.

Cynthia:  Excellent, thank you so much.

Our next question comes from Steven, and it looks like it's a two‑part question. It says, "If we have McAfee already, how hard is it to integrate into the systems?" and then Steven adds, "Let me clarify, we have the McAfee gateway."

James:  I will take two stabs at answering that question.

The first I'll actually do with the McAfee ePO plugin, even though that is not what was specifically being asked. It is an API‑level integration on ePO. You have to install the plugin, which you get from the McAfee download site, and it's installed as a zip file. Folks who are familiar with ePO will be very familiar with that process; it's very straightforward.

Then all that you need to connect it is a user account on your MobileIron server with the API privileges, and the fully qualified domain name of your MobileIron Core server, and you're off to the races.

On the SecureWeb Gateway side, it's also a fairly straightforward configuration. You have to go into the properties on Sentry and just configure an upstream proxy. If you are doing any of what we call the Advanced Traffic Control, or ATC, rules, you may have some customization to do there, but generally speaking, all you need to know is the fully qualified domain name of your SecureWeb Gateway and the port you've got the proxy set up to listen on, and you can configure that in the Sentry settings extremely easily.

Cynthia:  Great. Thanks for that, James.

Now, our final question comes from Toby: "Does the ePO integration work with both McAfee's cloud solution, as well as on‑prem?"

James:  Yes, it does. For those of you who probably don't have McAfee in your Google News alerts, you may have seen very recently that they announced something called MVISION ePO, which is a SaaS version of ePO. I'm pleased to report that this plugin works with both the on‑premises and the SaaS versions.

Cynthia:  Excellent. Thanks so much. That concludes our Q&A session, as well as our presentation.

In closing, if we can move to the next slide, I'd like to remind you a little bit about what I said at the beginning in terms of the value of our integrated ecosystem.

The value we bring to the operating system and device manufacturers is to drive device adoption. Application vendors integrate with MobileIron to containerize their apps and provide greater security controls to their customers.

For traditional infrastructure providers, we provide mobile intelligence and enforcement; we make them mobile‑aware. For example, the Cisco ISE solution for advanced access control uses compliance information from MobileIron to make access decisions for the network.

Finally, for our channel, especially telecom operators, having MobileIron in place lets them sell 3 to 10 times as much value as other providers.

Finally, I'll wrap‑up with a couple of resources for you. The first one is, if you're a developer, you want to know about When developers build, they need a place to get the tools and resources to secure their apps, and that's what this site was set up for.

Then, finally, if you need additional information from people who are buying our solutions, they often need a place to find the best apps and security technologies that are integrated with MobileIron. That's where we have our marketplace, at

Again, thank you so much for joining us today, and for your time and your questions. We will be sending thank‑you notes and other information, with supporting information around the ePO integration, the Okta integration document, our configuration guides, and also some additional documentation on our integration with Cisco network access controls.

Again, thank you so much for joining us for this inaugural MobileIron PLUS Webinar. We look forward to seeing you next time.