Case Study

1
Case Study

• Migration to ade-perimeterised environment
• Paul DoreyBP Jericho Forum Board

2
Desktop Migration Strategy

• Previous Environment
• Drivers for Change
• Business
• Technology
• Security
• Migration strategy

3
Current Architecture

• Flat Architecture
• Heterogeneous
• Barriers Chokepoints
• Us andThem

• Solutions?
• Wireless
• VPNs
• IDS/IPS
• Discovery
• Push Patch/Cfg.
• NAC/NAP

4
Business Drivers (BP)

• Significant operations in 135 countries
• Many users on the road, globally
• Large and increasing home-working
• Much use of outsourcers contractors
• Many JVs, often with competitors
• Opening up to customers
• The architypical virtual enterprise
• Wasting money on private networks
• Create barriers to legitimate 3rd parties
• Hard to define what is inside vs. outside?

5
Technology Drivers

• Exploding connectivity and complexity (embedded
  Internet, IP convergence)
• Peer to peer,sensory networks, mesh,grid, mass
  digitisation
• Machine-understandable information(Semantic Web)
  
• De-fragmentation of computersinto networks of
  smaller devices
• Wireless, wearable computing

6
Security Drivers

• Insiders
• Outsiders inside
• Port 80 and Mail traffic get in anyway
• Hibernating or rogue devices
• Firewall rule chaos
• VOIP P2P
• Stealth attackers
• Black list vs. white list
• False sense of security

7
Migration to the new model
2.
1.
2
Net
1
4.
1. Internal Managed. 2. Managed VPN 3.
Self Managed Gateway 4. Commodity/Allowance
8
In the Cloud Security Services

• Automated Patching
• Anti-malware - heuristic
• Trusted Device Certification
• Clean mail, IM, Web
• Federated Identity/Access
• Provisioning
• Alert (Shields Up)
• Protection of atomic data
• Trusted agent introduction
• (White Listing)

Can be in the cloud or provided internally to
cloud resident 'devices
9
In the Cloud Security Services

• Automated Patching
• Anti-malware - heuristic
• Trusted Device Certification
• Clean mail, IM, Web
• Federated Identity/Access
• Provisioning
• Alert (Shields Up)
• Protection of atomic data
• Trusted agent introduction
• (White Listing)

Can be in the cloud or provided internally to
cloud resident 'devices
10
Desktop Strategy Vision

• consolidated
• Data Centres

• 450
• Data Centres

Apps
Virtual Bus Apps
Internet accessible Bus Apps
Internet hosted services
Apps
Apps
x450

• Beyond PassPort
• seamless,
• secure access

• PassPort
• good
• apps access

BP
2006 Delivery Maximise value during transition
to vision

• expose app
• not network

• full network
• access

• wired
• wireless access

• choice of
• Device
• Connectivity
• Support

• Explorer
• internet based
• simplify client
• wireless access

Apps
Apps
BP maintained BP provided BP supported
User maintained BP provided Self supported
lt

11
Desktop Strategy Delivery of Vision

• no local
• servers

• consolidated
• Data Centres

BP
BP
Apps
Internet hosted services
Virtual Bus Apps
Internet accessible Bus Apps
Apps
Apps
x450

• Beyond PassPort
• seamless,
• secure access

• Delivery of Vision
• Single, consumer-style
• client environment

Access Security
BP
BP
Net

• expose app
• not network

• Seamless, secure connectivity

Strategic
Tactical
Living on the web

• Enhanced
• functionality,
• freedom and
• choice

• choice of
• Device
• Connectivity
• Support

Device Network Security
Auto-maintaining User provided Support choice
ltlt
12
Access Strategy
- Scenarios
no client software device and location
agnostic firewall friendly connects at the
application layer only requires access
security no direct contribution to single
sign-on Requires generic Infrastructure Access
Service (ie. SSL gateway or per app ISA)
Outlook 2003 (RPC/HTTP)
Access to applications from the Internet
New business application
SSL
SharePoint
per app
2008 (SRA)
Q207 (RDP/HTTP)
clientless and/or on-demand client
software device and location agnostic firewall
friendly connects at the application
layer in-built device and access security direct
contribution to single sign-on Requires generic
Infrastructure Access Service (ie. SSL gateway)
Legacy business application
Legacy business application (offline use)
SSL VPN
BP Services - File
BP Services - Intranet - WTS
Shrink-wrap application (offline use)
Remote Virtual App
Local Virtual App
Local Virtual App
Current
installed client software device and location
specific non-firewall friendly connects at the
network layer requires additional device and
access security no direct contribution to single
sign-on Requires proprietary Infrastructure
Access Services (ie. VPN gateway)
IPSec VPN
Timeframe is now unless otherwise stated
Timeframe stated is Microsoft native feature
13
Application Strategy
- Scenarios
Exposure of applications to clients (independent
of underlying access mechanism)
New business application
Browser
browser client only direct SSL access to web app
SharePoint
Smart Client
smart client, self-updating client direct SSL
access to Smart application
Legacy business application
Remote Client
remote client, self-updating client, no offline
capability access via Infrastructure Access
Service
virtualisation technology
eliminate compatibility issues provide software
update capability
Remote Virtual App
lt
Outlook 2003 (RPC/HTTP)
Legacy business application (offline use)
Shrink-wrap application (offline use)
Thick Client
on-demand client, self-updating client, offline
capability access via Infrastructure Access
Services
Current
virtualisation technology
eliminate compatibility issues provide software
update capability
Local Virtual App
Local Virtual App
Local Virtual App
lt
Thick Client
full thick client, non-self-updating,
compatibility testing required access via
Infrastructure Access Services (ie. VPN gateway)
14
Beyond PassPort The Activities
BP PassPort
BP PassPort Explorer
Beyond PassPort