CLEARPASS ACCESS MANAGEMENT SYSTEM
advertisement
sales selling guide CLEARPASS ACCESS MANAGEMENT SYSTEM A fully integrated and complete solution for access security and policy management, which enables IT to centrally define and enforce policies that meet organizational requirements. CONFIDENTIAL – for Aruba Networks employees and Authorized Partners only A fully integrated and complete solution sales selling guide clearpass access management system Table of Contents opportunity overview solution overview the market the solution the sales process 3 4 6 9 18 2 sales selling guide clearpass access management system OPPORTUNITY OVERVIEW Why sell the ClearPass Access Management System? Why this opportunity is worth your time Value of a typical sale Small deal: $15,000-$35,000 USD (to gain entry into a new account). Medium deal: $50,000-$75,000 USD. Large deal: $100,000+ USD. Very large deal: $250,000 up to $1 million USD. Time to close For a small deal, closing can be as short as 8-10 weeks. More typical (e.g. where budget is needed): 3-12 months. Other benefits • Consultancy business: Professional services can be up to 20% of the deal. • Support revenues: Generate 12-15% in annual service. • Enables you to talk wider within your customer’s organization (e.g. to the CMO’s team). • Unlock a single vendor stronghold; create opportunity to talk about other (Aruba WLAN) solutions. • Upsell: Sell additional capacity and module licenses as users and devices increase. • As a partner, you can cross-sell other Aruba products, and other vendors’ products and applications (via integration), such as MobileIron enterprise mobile management (EMM), Security Information and Event Management (SIEM), Palo Alto Networks firewalls. Why it is worth your customers’ time Many enterprise IT organizations want to allow employees, contractors and guests to connect their own mobile devices to the corporate network to get work done. They are responding to the growing expectations of a new generation of users who consider it their birthright to use mobile devices for every aspect of work, collaboration and personal communication. Known as #GenMobile, they represent a majority of today’s workforce and are continuing to grow. The onus is now on IT to attract and retain these tech-savvy workers in a highly competitive job market. And the only way to do this is to adapt to the way they want to work. ClearPass gives IT the opportunity to centrally develop, automate, enforce and audit network access policies that enable them to meet organizational and industry compliance requirements, while creating a memorable user experience. What are key advantages of ClearPass? ClearPass is the one access management solution that: • Works efficiently and cost-effectively across multivendor wired and wireless networks. • Is highly scalable and manages access security in very large deployments across multiple sites. It also handles authentication requests in environments with high densities of devices. • Delivers AAA with policy management, self-service guest network access, device onboarding, device health checks from a single platform. • Automates and simplifies every aspect of BYOD to improve the user experience and reduce IT costs. • Enables all your business and IT systems – MDM, helpdesk, SIEM and threat-defense – to be network-fluent through RESTful APIs and data feeds that orchestrate workflows. • Let’s you create context-aware policies – based on user roles, device types, location, application use, and time of day – for differentiated access to network resources. THE OPPORTUNITY IN BRIEF ClearPass Access Management System: • Provides a central point for policy management. • Allows mobile devices to securely connect to the network and roam with very little IT intervention. • Creates an attractive work environment for #GenMobile employees and contractors. • Let’s enterprise IT enhance the user experience for employees and guests. • Enables customers to reduce network operating costs. 3 sales selling guide clearpass access management system solution OVERVIEW Solution description The ClearPass Access Management System – ClearPass enables customers to control access via automated policies for wired, wireless and remote (VPN) networks. The solution provides an organization the capability to: • Efficiently develop, automate, enforce and audit access security policies. • Manage and refine policy from a central location. With ClearPass, the customer has a single point of policy implementation at a device and user level, which better protects the network against threats, and the organization’s assets against improper use. For example, accessing account data from a laptop at HQ can be allowed, but accessing account data from a wired port in a branch office can be prevented using ClearPass Policy Manager. ClearPass Policy Manager – The core of the solution is an enterprise RADIUS/TACACS+ hardware appliance or virtual machine (VM) server with advanced policy control. It includes: • Profiling: Identifies and classifies devices on the network. • Advanced reporting (Insight): Reporting, analytics, alerts, and compliance verification. • ClearPass Exchange: RESTful based Application Program Interfaces (API) for integration with other systems, including but not limited to third-party Mobile Device Management (MDM), firewalls and Security Incident and Event Manager (SIEM). • AirGroup registration portal: Makes plug-and-play network services for media management (e.g. Apple AirPrint/AirPlay, DLNA, UPnP) controllable and secure within an enterprise network. Advanced features Additional features for managing guest access, device configuration and assessments are delivered via three separate modules. Available through purchase of perpetual or subscription licenses: • ClearPass Guest: Simplifies workflow processes, allowing receptionists, employees and other non-IT staff to create temporary accounts for Wi-Fi access. Once registered, ClearPass Guest delivers account login credentials to users via SMS text message or email. Accounts can be set to expire automatically after a specific number of hours or days. • ClearPass Onboard: Fully automates device provisioning for IT via a built-in administration interface. ClearPass Onboard offers full selfservice provisioning for Windows, Mac OSX, iOS, and Android devices that include configuration of 802.1X settings as well as the distribution of unique device credentials. IT can revoke credentials for devices that have been lost/stolen/sold by deleting them from the database. • ClearPass OnGuard: Aruba’s Network Access Control (NAC) solution. ClearPass OnGuard enables organizations to run advanced endpoint assessments, as well as baseline health checks to ensure compliance and safeguards before devices connect to a secure network. Aruba and partner services • Guest portal customization: Aruba Professional Services deliver support for customizing the look and feel of guest portals. • Design and deployment: Delivered by Aruba or specialist partners. • Support: Delivered via the partner or direct from Aruba. • Security policy development. • End-user training. 4 sales selling guide clearpass access management system Using ClearPass to benefit the business ClearPass enables the organization to directly access and implement security policies using Access Management in a complete end-to-end process. 1 2 MAIN CUSTOMER BENEFITS • Visibility: The ClearPass platform provides ability to capture device information across all networks, ensuring that security policies leverage device attributes and ownership for all authentication services. 3 • Security: Enforcement, auditing and reporting features enable customers to comply with relevant regulations and legislation, demonstrate compliance, and mitigate the risk of a breach in access security. • Workflow: Users are able to connect securely and easily from tablets, smartphones, and laptops delivering an improved mobility experience across both corporateowned and user-owned devices (e.g. BYOD). • Mobility: Employees given the flexibility to work from their preferred locations and devices while maintaining security posture. WHAT NETWORK ACCESS POLICY DO WE NEED FOR THE BUSINESS? DEVELOP • PROFILE USERS AND DEVICE TYPES • BUILD/IMPROVE ACCESS SECURITY POLICY AUTOMATE • EASILY ENROLL GUESTS AND ONBOARD DEVICES – RELIEVE IT BURDEN 4 5 • Cost: The automated workflows, reduction in IT help tickets through self-service and the reduced number of appliances required to secure enterprise mobility, make the ClearPass solution efficient and cost-effective. ENFORCE • APPLY POLICY • CONTROLL ACCESS • CHECK DEVICE HEALTH AUDIT • RE-PROFILE • CHECK COMPLIANCE • ANALYZE USAGE DO WE NEED TO CHANGE THE POLICY? 6 MANAGE AND REFINE • SIMULATE POLICY CHANGE • ENHANCE USER EXPERIENCE 5 sales selling guide clearpass access management system THE MARKET Target markets Why customers need ClearPass Across all verticals and organizations, there is a growing need to allow access to corporate networks from mobile devices. These devices may be corporate-owned, or owned by the end user (e.g. BYOD, or for guest access). Until recently, the NAC function has largely been targeted at enforcing access security policies for Windows PCs. Aruba employs a software approach that extends enterprise mobility intelligence across wired and wireless networks, all the way to users, devices, and apps. Now control is being extended to mobile devices running a variety of operating systems. ClearPass meets the extended NAC requirement, but also does a lot more for the customer’s business than previous network security or AAA solutions. So, although many opportunities might arise from a need for improved Network Access Control, it is important to explain to your customer what else can be achieved with ClearPass. It is this complete capability that sets ClearPass apart. WHY THE MARKET IS ATTRACTIVE NOW • There has been rapid and widespread growth in types and models of mobile devices, which people find convenient in regards to business application. • The availability of apps and services (including cloud) has made mobile devices indispensable. Owners expect to be able to use them for work and for interacting with organizations, from any location. • The ‘consumerization of IT’ is now a reality. Giving employees a choice about how they work has become essential for staff recruitment and retention. • Competitive pressures continue to drive organizations to look for ways to enhance customer experience while containing costs. • IT departments are being outpaced by user demand. They need tools that accelerate the onboarding of new devices and reduce workload by employing self-service, while enforcing security and providing visibility. Which of my customers shall I target? A “yes” answer to some of the following questions mean they are a good prospect. YES 1 Has the prospect or another organization in the same industry sector recently suffered a security breach? 2 Is a large proportion of the prospect’s workforce using mobile devices? 3 Do they hire contractors, or work collaboratively with partners/agencies? 4 Do they have a frequent or large numbers of guests? 5 Do they have distributed offices? 6 Are they moving into a new building, or consolidating sites? 7 Have they recently been or are they about to be involved in a merger or acquisition? 8 Are they a public sector organization that is being encouraged by a government entity to share resources? 9 Are they in an industry where new regulations or legislation have recently been or are about to be introduced, which relate to information security or operational risk? 10 Do they have a heterogeneous (multi-vendor) network? NO 6 sales selling guide clearpass access management system Market needs General market needs and ClearPass’ response Visibility and control Organizations in all verticals want visibility of how their network is being accessed – from where, by whom and using what device. They need to be sure that only authorized users are allowed access, and that unsecure or compromised devices are either denied access or removed from the network. ClearPass offers a crystal-clear picture of whom and what is connecting to your network, when they connect and where. ClearPass provides the all-important visibility and reporting needed to implement controls based on users’ mobility habits. Compliance: Organizations must comply with mandatory security requirements, regulations and legislation, and protect networks against data loss and cyber-attacks. ClearPass provides Enterprise-grade AAA, RADIUS/TACACS+, 802.1X and non-802.1X services. The full suite of customizable captive portal options for guest access, BYOD, and resource sharing meets, and surpasses industry security standards. Productivity Many organizations are looking to improve employee productivity by providing staff with secure access from any device, so that users have a wider range of tools to get work done. ClearPass’ support for third-party mobile device management (MDM) promotes BYOD and allows staff and guests to access the network from any number of personal or company devices. This empowers network users to engage with each other on a multitude of platforms. User engagement This is of growing importance, especially in finance (retail banking), retail and hospitality. Being able to deliver targeted information to users based on context (user profile, location) is a major driver for fostering customer loyalty. Cost containment Organizations want to reduce the burden on already overstretched IT resources and avoid/lower the costs of owning and replacing devices. ClearPass provides a cost-effective solution that can be deployed on any network and requires no changes to your current infrastructure. Self-service onboarding allows users to join the network without needing IT assistance, representing a company savings upwards of $500 USD per personal device onboarded. Mobility Many organizations are frustrated by the difficulties of using mobile devices for business and enforcing an appropriate access security policy. They wish to improve the mobility experience for their customers, staff, contractors and partners. ClearPass is cost-effective, secure, and provides ease of deployment. It is simply the best way to rollout and manage mobility as the #GenMobile workforce connects to enterprise networks. Business drivers in selected verticals Healthcare • Enable guest access for patients and hospital visitors. • Allow doctors, nurses, and admin staff to self-configure their own devices. • Enable clinicians to securely access patient data, regardless of location. • Securely transfer patient data based on user privileges and/or device profile. Finance • Use mobile devices for enhanced customer interaction (e.g. electronic signatures). • Implement visitor guest access for regulators, auditors, and consultants. • Phase out corporate-owned devices by allowing staff to purchase and use their own devices. • Deploy improved Access Management to comply with the latest industry regulations (Basel III). 7 sales selling guide clearpass access management system Retail and Hospitality • Attract customers by offering guest Wi-Fi. • Engage with customers by pushing tailored advertisements to personal devices using contextual information. • Improve customers’ experience with Wi-Fi that remembers them on their next visit, and automatically logs them into Wi-Fi. • Enforce PCI requirements with secure access. Education • Enable students to use personal devices for interactive learning. • Allow non-IT specialists to securely grant guest access to students, parents, and authorized visitors. • Save money in schools by promoting BYOD and allowing students to use their own devices. ClearPass worldwide addressable market size MARKET TRENDS Analysts like Frost & Sullivan and Gartner are forecasting that organizations worldwide will spend a growing amount on NAC solutions over the next four years. From a worldwide market worth of $350 million USD in 2014, market analysts forecast that demand will steadily increase at a rate of almost 31% per year, and estimate that market worth will surpass $1 billion USD by 2018. This represents a major opportunity for partners to work with Aruba to establish ClearPass as a primary source of revenue generation. $M 1200 1000 800 600 400 200 0 2014 2015 2016 2017 2018 Source: Aruba view, based on reports from Frost & Sullivan and Gartner 8 sales selling guide clearpass access management system The solution How ClearPass meets customer needs What are the business needs of key people in your customer’s organization? Here’s how ClearPass addresses each need. CIO: ACCESS MANAGEMENT NEEDS Need How the business need is addressed Provide good network service • ClearPass OnGuard protects against unsecure and compromised devices, enabling organizations to allow use of employee-owned devices without putting the business at unnecessary risk. • ClearPass Onboard automatically configures and provisions mobile devices, enabling employees and guests to easily and securely connect to enterprise networks. • Employees and guests are given permission to self-configure their own devices. The ClearPass Onboard portal detects a device’s operating system and guides the user through the appropriate configuration package. • ClearPass Guest delivers account login credentials to users via SMS text message or email. Accounts can be set to expire automatically after a specific number of hours or days. • Executives want to use their own devices • Employees use multiple devices • Employees bring their own devices (i.e. BYOD) • Simple guest access Reduce the risk of a security breach • Guard against malicious attacks • Maintain the trust of customers and partners • With ClearPass, network access security policies can be defined centrally, then implemented consistently across all wired and wireless network access points, minimizing the risk of leaving a vulnerability that can be exploited. • User authentication, context, and role-based profiling, guard against unauthorized users gaining access to sensitive areas of the network and data. CFO: FINANCIAL NEEDS Need How the business need is addressed Contain the costs of network access security management. • Automated device configuration and provisioning reduce the cost of access security, especially when introducing 802.1X into a wired network or moving to a new site. • A single ClearPass Policy Manager appliance can handle up to 25,000 unique endpoints across multiple networks, so even with redundant architecture the amount of server hardware required is relatively small. • Optional advanced feature modules mean customers pay only for functionality they actually need. • ClearPass Exchange ensures that the functionality of other investments is exploited to increase security, reduce support costs, and improve the customer experience. • IT staff no longer needs to be involved in onboarding new devices, registering guests, or assisting contractors; significantly reducing ongoing administration costs. • Users can use their own devices, reducing cost to the organization which would otherwise be responsible for provision and replacing company devices. • Implementation • Network equipment upgrades • Hardware • License fees • Administration costs • Multiple device support • Dealing with visitors Predictability of costs over the lifetime of ClearPass solution. • Scalability and linear growth • Availability of perpetual licenses • Licensing flexibility • ClearPass provides a single integrated system that can adapt as the organization grows and changes. ClearPass can scale to very large deployments and provide centralized control for new sites, without the need to rip and replace hardware or software. • Aruba operates a license overrun scheme to lessen the cost impact when usage grows, and to allow organizations to meet short-term spikes in access demand (e.g. during special events or unexpected peaks in user activity). • Organizations have the option of a perpetual license or a subscription licensing format, whichever best suits their business model. • Enterprise licenses can be shared across the Guest, Onboard, and OnGuard modules. 9 sales selling guide clearpass access management system CSO: SECURITY NEEDS Need How the business need is addressed Secure network access • ClearPass provides granular access security management which enables contextual access control in respect to location, device and user level. • ClearPass Policy Manager supports advanced user and device authentication based on 802.1X, non-802.1X and web portal access methods. • Guest access workflow can be designed to require confirmation by a trusted sponsor. • Embedded Certificate Authority (CA) support allows ClearPass to work with existing Public Key Infrastructure (PKI) or act as its own CA. • ClearPass is accredited as compliant to FIPS 140-2 for cryptographic modules. • User identification • Role-based profiling • Certificate of authority accreditation Protection against malware • Device health checks • Remediation • Post-access removal • ClearPass OnGuard performs advanced endpoint posture assessments before devices connect. • Automatic remediation workflows can be applied to non-compliant devices. • Certificates and profiles can be issued to devices to allow for easy removal from the network if required (e.g. if devices are compromised, lost or stolen). Compliance to regulations and relevant legislation • Appropriate level of security • Reports and audit trails • ClearPass provides the ability to develop, automate, and enforce an access security policy that meets the organization’s business requirements, then refine that policy as new regulations come into effect or the business’ needs change. • Audit and reporting allow customers to check and demonstrate compliance. CMO: USER ENGAGEMENT NEEDS Need How the business need is addressed Improve the mobility experience of users. • ClearPass allows customers to modernize their infrastructure to cater to and attract #GenMobile employees. • ClearPass works with a wide range of mobile platforms including: iOS, Android, Windows Mobile, Windows Phone 8, Mac and Symbian OS. • ClearPass Exchange makes it easy to integrate with third-party solutions such as MDM, so organizations can manage mobile and other devices. • Self-registration speeds network access, while Media Access Control (MAC) caching makes sign-on straightforward for returning users. • Single sign-on to the network and Auto-sign-on for applications makes working via mobile devices quicker and easier. • Attract and retain staff • Allow network access from and manage mobile devices • Wide choice of devices • Simple registration Enhance the experience of guest users. • Customized portals • Social login • Text messaging • Relevant communication • Portals can be customized with a wide range of options, including localized language support and location-specific information. • If desired, guests can use social networking identities to gain access, and receive login instructions and other information via SMS. • Using the optional advertising module, context-based messages can be sent to users (e.g. special offers in stores). 10 sales selling guide clearpass access management system IT/NETWORK DIRECTOR: INFRASTRUCTURE NEEDS Need How the business need is addressed Simple implementation • ClearPass requires fewer physical appliances than other solutions, and can be ran as a virtual machine (VM) on existing hardware. • There is no need to replace existing network infrastructure. • Automatic device profiling and self-registration relieve the IT burden of tracking devices. • Detailed diagnostic information assists network administrators (e.g. in troubleshooting failed 802.1X authentications). • Minimal new hardware • No change to existing infrastructure • Automated assistance to reduce IT effort involved System performance • ClearPass solutions have proven reliability in ‘live’ customer networks. • Solutions scale easily to manage up to a million endpoints from a single cluster, and can handle a high density of authentication requests. • Unlike other offerings, ClearPass does not operate ‘in line’. Thus, ClearPass has minimal effect on network performance and no consequent scaling issues. • Reliability • Scalability • Effect on the network The competitive landscape How does the competition rate and who are they? Use this table to identify Aruba’s strengths and how to beat the competition. Scoring: 0 = No capability, 1 = Very weak, 5 = Exceptionally strong, “?”= No information clearpass competitors Aruba ClearPass Cisco (ISE/ACS) ForeScout Bradford Networks Juniper Networks HP Smaller niche Wi-Fi players (e.g. Meru, Aerohive, Extreme) Interoperability 5 2 4 3 2 2 2 Vendor’s Wi-Fi knowledge 4 3 1 0 2 2 2-4 Proven, stable solution 5 5 0 0 3 2 4 Scalability 4 4 3 2 3 1-2 1-2 Completeness of solution 5 3 2 3 3 3 2-4 Ease of deployment 5 4 3 3 3-4 3 2 Solution for multi-vendor networks 5 2 4 2 3 ? 2-4 Our Major Strengths: • Solution for multi-vendor networks • Interoperability with third party solutions: MDM, SIEM, billing, admittance, SMS • Proven, stable and completeness of solution • Scalability EMPHASIZE THESE POINTS! 11 sales selling guide clearpass access management system HOW TO WIN We win if: • We tie down the scope of the requirements early in the sales cycle. • The customer has an Aruba WLAN, and is implementing a refresh. • The network is multi-vendor or wholly Aruba. • The requirements are biased towards access for contractors/guests. • The customer experiences a demo and the ClearPass management interface. • When an evaluation is needed, we sign off targeted success criteria in advance. We lose if: • The prospect has too few users/devices, or has too simple a business model to benefit from Access Management. • We try to compete with smaller niche vendors by offering only a subset of ClearPass. • There is a strong ‘Cisco only’ attitude, across both wired and wireless access. 12 sales selling guide clearpass access management system How to beat the competition Capability Capability Explained Supporting Facts and Proof Points Solution for multivendor Networks • Across multi-vendor networks, ability to develop, automate, enforce, and audit an access security policy. • Applicable to wired and wireless networks. • In many deployments, ClearPass manages access to Cisco, Avaya, and HP networks. • We have customers with both wired and wireless deployments (e.g. SAP). • Other vendors’ offerings don’t provide centralized visibility and control across heterogeneous networks from a single, integrated system. For example, Cisco ISE is difficult to administer in non-Cisco (e.g. WLAN) environments. Interoperability • ClearPass is standards-based. • Features integration with enterprise applications. • Connectivity to other Access Management systems (e.g. MDM). • Provision of Application Program Interfaces (API). • ClearPass features flexibility of vendor. • ClearPass employs standards-based protocols and interfaces (e.g. using standard web APIs to receive context data from new sources). • The solution is integrated with hundreds of commonly used enterprise tools (e.g. Palo Alto Networks firewalls, Splunk SIEM). • ClearPass enforces network policies based on device status from third party MDM vendors like AirWatch and MobileIron. • ClearPass works with any multivendor infrastructure, and is easily extended to network security business and IT systems you already have in place. Vendor’s Wi-Fi knowledge • Experience in Wi-Fi and network control. • Aruba’s business focus is in wired/wireless network security. • Current market leadership. • Technical competence and skilled staff. • Aruba has been delivering Wi-Fi networks for 13 years. • We are a Gartner magic quadrant leader in Wired and Wireless LAN Access Infrastructure. • Our SEs and profession services engineers are well versed in wireless LAN technology and integration. Proven and stable solution • Reliable reference network. • Many in service solutions. • Number of licenses continues to grow. • Large user community. • Aruba features a strong partner community. • ClearPass is in service across many verticals globally, whereas Cisco’s references are nearly all for its legacy ACS and not its replacement, ISE. • ForeScout is locally strong for small to mid-size deployments, but weak elsewhere. • Juniper’s deployment numbers have plummeted since 2012. Juniper now partners with Aruba. Scalability • Ability to add new users easily. • Ability to enforce policy across multiple sites. • Capable of high-density authentication. • ClearPass successfully manages network access security in very large scale deployments as with SAP (with 66,000 users worldwide), Barclays, and the Los Angeles Unified School District. • ClearPass customers can enforce policy across multiple sites from a central location. ForeScout works ‘in line’ and requires many appliances. • The San Francisco International Airport is a prime example of ClearPass’ ability to handle high-density authentication requests. Completeness of solution • Access Policy management and enforcement. • Guest functionality. • Device profiling and onboarding. • System automation. • Trouble-shooting tools. • ClearPass delivers a complete set of functionality for managing network access security in a unique, single integrated system. • Optional modules include: guest self-registration and advertising, device onboarding, and device posture validation. • Self-service workflows and ClearPass Exchange enable complete automation of processes that quarantine devices in the event of a policy breach. • ClearPass comes complete with diagnostic tools for investigating system problems (e.g. trouble-shooting failed authentications). Ease of deployment • Automated tasks. • Off-network policy simulation and test deployment. • Accredited engineers. • Partners that assist with deployment. • ClearPass simplifies setting up and implementing policies by automating device profiling and onboarding. • With ClearPass, customers can trial changes to policies without affecting users. This allows an organization to test the effects prior to rolling them out. • We have Professional Services Partners with the accredited skills to assist customers with policy design and deployment. 13 sales selling guide clearpass access management system Success stories VMware A leading technology company with over 14,000 employees, deploys ClearPass Policy Manage, Onboard and Guest for enterprise mobility project. • ClearPass’ ease of use and built-in Certificate Authority beats Cisco and ForeScout. The challenge VMware, the industry-leader in virtualization software, was looking for a comprehensive solution to provide secure guest access, enroll BYOD devices onto the corporate network, and authenticate company-owned devices onto the wireless network using .1X authentication. VMware also wanted a best-of-breed security solution that could manage its mixed environment of legacy Trapeze infrastructure, and newly upgraded Cisco WLAN. The response After the RFI responses, VMware invited Aruba, Cisco and ForeScout to take part in lab trials and a small Proof of Concept (POC). The VMware team appreciated the ease of use, built-in Certificate Authority (CA), and the platform flexibility that Aruba ClearPass provides. In addition, because we were able to set up the system faster, we completed the evaluation two weeks ahead of the competition. After a more in-depth evaluation to a larger user base, VMware selected ClearPass as its global standard. The result In a deal initially worth $750,000 USD, ClearPass will have been implemented globally for wireless access management by the end of 2014. This includes data centers in Palo Alto for the Americas, Ireland for EMEA, India for APAC, and appliances in other countries. This will enable VMware to globally roll out MS Lync and support BYOD, along with contractor and guest access. In addition, ClearPass technicians detected WLAN issues VMware had in one of its executive buildings. As a result, we were able to replace Cisco ISE with Aruba Wi-Fi and AirWave WLAN management, increasing the value of the VMware deal to $3 million USD. SAP Multi-national enterprise selects ClearPass over ISE to replace Cisco ACS. • ClearPass’ scalability preferred over Cisco’s ISE. The challenge Headquartered in Walldorf, Germany, SAP AG is a global leader in enterprise software, with locations in more than 130 countries. Having experienced stability issues with ACS, the company investigated Cisco ISE, but found that administration complex, the GUI was not intuitive, and there were maintenance and upgrade issues. The response As a long-term customer of Aruba WLAN the Aruba account team has built close relationships with key decision makers. Meeting on a regular basis, the Aruba team was able to pick up on SAP’s concerns about ISE and propose ClearPass as an alternative. An evaluation was rapidly arranged, demonstrating that ClearPass could address the issues that SAP was experiencing with Cisco ISE. SAP’s infrastructure and service teams were particularly impressed with the ClearPass’ ease of use and deployment, which Cisco’s ACS and ISE lacked. The result ClearPass is now in service for SAP’s 66,000 employees worldwide. Eight ClearPass appliances were installed in Germany, four each in Singapore and in Philadelphia, all of which are managed centrally from SAP in Germany. The ClearPass Guest module, which replaced an internally developed system, provides secure SAP-branded Internet access to over 15,000 guests and consultants. 14 sales selling guide clearpass access management system University Hospital of Toulouse A hospital moves to a new site and implements LAN access security. • ClearPass preferred for multivendor interoperability and single platform extensibility. The challenge Our WLAN customer, the University Hospital of Toulouse in France, had plans to consolidate multiple sites to a new building. At the same time, it wanted to add 802.1X-based authentication to its unsecured Cisco LAN. With only three people in its network team, moving to automated access security would eliminate the manual configuration of 18,000 Ethernet ports. The response When the hospital approached Cisco, it discovered that Cisco’s ISE proposition would complicate things by requiring a large number of appliances, and not offering perpetual licenses, making the ISE solution costly. Our network integration partner, Orange, proposed an evaluation of both solutions, to compare ISE and ClearPass, in which the ClearPass solution was running in one-quarter of the time. The result CHU Toulouse realized that the profiling available with ClearPass would enable it to onboard all peripherals quickly; including IP cameras, alarms, and door-locking mechanisms within the Building Management’s system. Two ClearPass 25,000 user appliances (one for redundancy), together with a combined 600 licenses for Onboard and OnGuard, were sufficient to ensure that the hospital could improve network security, as well as move to its new site promptly and in a cost-efficient manner. California Polytechnic State University (Cal Poly) Replacement of legacy AAA solution for complete ClearPass Access Management System. • Initial security interest, then guest access requirement, resulted in full ClearPass and WLAN deployment. The challenge The opportunity at California Polytechnic State University (Cal Poly) in San Luis Obispo, CA started out as an authentication, authorization and accounting (AAA) requirement to replace Cisco ACS. However, after talking to the university’s security and IT staff, the Aruba sales team established a need for guest access. Besides hosting visitors, Cal Poly runs conferencing facilities during the summer months. Surprisingly, the team also discovered that none of the dormitories on campus had wireless access. The response Following a focused sales campaign lasting 18 months, in a deal worth approximately $1 million we supplied Cal Poly with AP-93H 802.11n access points, along with $300,000 USD worth of ClearPass. We provided secure-managed .1X access and MAC authentication for both Aruba’s wireless and Cisco’s wired ports. In addition, ClearPass Guest with self-service allowed secure access for short-term visitors. The result By choosing ClearPass, Cal Poly has been able to easily enable mobility to new environments. Apple TVs are being installed in classrooms, requiring the need for AirGroup registration. The university is in the process of moving to Alcatel equipment, thus benefiting from ClearPass’ multi-vendor capability. And by investing in ClearPass Onboard, Cal Poly has been able to offer secure access to multiple types of tablet devices. The university’s staff is now considering deployment of ClearPass OnGuard. The clear message from the Aruba sales team is to identify who has responsibility for security, get these individuals together with networking, and sell ClearPass’ total capability: don’t just settle for winning based on the initial requirement and move on. 15 sales selling guide clearpass access management system The financial business case ClearPass’ IT off-load vs. an increase in staff resources. Supporting network access from employees, contractors and guests can significantly burden IT and administration resources. This business case shows how labor costs can be decreased through adopting ClearPass. For this example we have used a scenario where an organization has a limited number of contractors, a growing number of guests, and whose employees want to use their own devices. Also, there are wired ports that need to be secured and managed (for moves and hardware changes). The areas of cost savings shown here are applicable to many types of organizations. “Main assumptions” Year 1 Year 2 Year 3 Wired ports: 6 changes per year to 20% of the ports Wired ports* $1,500 USD $1,500 USD $1,500 USD Employees: average of 2 devices each, replacing 1 every year Employees* $3,000 USD $3,500 USD $4,000 USD Contractors: connect 1 device for an average 2 month contract Contractors* $200 USD $200 USD $200 USD Guests: connect 1 device every visit for an average of 7 days Guests* $250 USD $500 USD $750 USD Forecast costs without ClearPass Year 1 Year 2 Year 3 IT staff time USD USD USD Wired ports (securing, product adds, and moves) $59,800 $59,800 $59,800 Employee devices (onboarding, audit, and technical help) $59,800 $69,800 $79,800 Contractors (onboarding, audit, and technical help), plus waiting time $24,900 $24,900 $24,900 Guests (resolving technical issues) $4,300 $8,600 $13,000 $10,400 $20,700 $31,100 $159,200 $183,800 $208,600 ClearPass system, including redundancy and optional modules $140,800 $71,300 $9,200 Professional services cost (delivered by partner) $10,000 $5,000 $5,000 System maintenance $19,300 $29,000 $29,900 Internal IT deployment, training and, management costs $25,000 $25,000 $25,000 Wired ports (securing, adds, moves) $10,000 $10,000 $10,000 Employee devices (onboarding, audit, and technical help) $8,100 $9,500 $10,900 Contractors (onboarding, audit, and technical help), plus waiting time $2,100 $2,100 $2,100 Guests (resolving technical issues) $1,400 $2,900 $4,300 $0 $0 $0 Total Costs $216,700 $154,800 $96,500 Cost Savings $-57,500 $29,000 $112,200 Administration staff time Contractors and guests (registration, and issuing login details) Forecast costs with ClearPass Total Costs Purchase, deployment, and maintenance IT staff time Administration staff time Contractors and guests (registration, and issuing login details) 16 sales selling guide clearpass access management system THE BOTTOM LINE • Total savings over three years $83,700. • Net Present Value (NPV) at 10% $56,000. • Internal Rate of Return (IRR) is 67%. Over 3 years, ClearPass reduces IT resource requirements by 2.7 man years. Additional ClearPass solution benefits • ClearPass servers with RADIUS/TACACS+ and advanced policy controls saves the cost of replacing or upgrading existing wired and wireless infrastructure. • Improved guest experience: Generating repeat business and enhancing brand value. • Better guest management and employee/contractor removal reduces/eliminates unauthorized Wi-Fi use. • No need for multiple Wi-Fi networks (e.g. separate networks for employees and guests). • Wired ports can be protected and create an audit trail, reducing the risk of a security breach. • Future proof: Growth in mobility and collaboration will not increase IT staff overhead. 17 sales selling guide clearpass access management system THE SALES PROCESS Qualification Use the questions on this page to help you capture information about the prospect and qualify the sale, before committing more resources. What business problem is the prospect trying to solve? (Tick all those that apply) Key qualification factors (The more questions you can answer ‘YES’ to, the better) Yes 1 Will the prospect be looking to control network access for more than 500 devices? 2 Do they want to open up their network to new types of devices, or does the organization have a need to improve security as a result of a growing number of mobile devices? 3 Have they recently made a large investment in mobile devices (e.g. smartphones, tablets)? 4 Are they insourcing either IT or network service? 5 Are they looking to replace Cisco ACS? 6 Do they have a problem with limited IT support, locally or at remote sites? Is there a shortage of IT professionals or a lack of IT skills (especially with regard to handling requests from devices connecting to the network)? No Deal discovery guidance A prospect meeting should identify the following: 1.The number of devices currently connected to the network. 2.The maximum number of guests per day. 3.The number of devices requiring health checks (OnGuard). 4.The type of devices allowed onto the network. 5.Total number of devices/endpoints to be authenticated. 6.The identity stores that are employed for user and device authentication. 7.Existing policies for guest access, remote access, and certificates. 8.Alternative solutions that the prospect is considering. 18 sales selling guide clearpass access management system Dealing with objections Objection: We’re a Cisco house. Real concern: Your system might not be compatible. Why should I risk my reputation buying non-Cisco? Answer: The fact that you have heavily invested in Cisco is not a problem. Aruba has successfully deployed ClearPass into many Cisco environments, including SAP worldwide, major bank Emirates NBD in the Middle East, and VMware in the United States. Our customers tell us that ClearPass is much easier to deploy and manage than the equivalent Cisco offering, and it also costs less. May I setup a demo for you, so that you can see why others have chosen ClearPass over Cisco ISE? Objection: Aruba is known as a Wi-Fi only company. Real concern: I don’t want to risk putting this into my wired network. Answer: It’s true that Aruba has built its reputation on providing enterprise-class Wi-Fi networks. However, ClearPass was designed from the outset to work across both wired and wireless multi-vendor networks. We have successfully deployed ClearPass into many wired environments, including enterprises, hospitals, retail outlets, and schools. Aruba has been recognized by Gartner as a magic quadrant leader in the provision of Network Access Control, as well as Wired and Wireless LAN Access Infrastructure. Objection: We don’t need a complete solution. Real concern: I don’t want to spend money on functionality I don’t need. Answer: The great thing about ClearPass is that it is a modular solution, so you only have to buy what you actually need. Built-in is all the functionality you require to deploy a consistent access security policy across both wired and wireless networks, extended to mobile devices. If you decide later that you want additional functionality, such as guest access, or more capacity, then this is easily added. Let me organize a demo for you, so that you can decide which modules you would require to support your business. Objection: We’re happy with what we have. Real concern: I don’t want to buy extra security I don’t need. Answer: The primary reason that organizations like yours are investing in improving their network access control is to allow secure access from all devices. Many customers tell us that their employees, contractors, partners, and guests now expect to use mobile devices for work, and for interacting with the organization. ClearPass offers you a way to meet this demand from a single integrated platform, while delivering many other benefits, such as providing visibility, enabling compliance, improving employee productivity and containing costs. Can I run through an example business case with you, to show you how ClearPass could actually save you money? 19 sales selling guide clearpass access management system Typical deals Examples of customer pricing and product mix for deals of different size and complexity. The table below shows figures for the first year. Upselling will generate revenues in the second year that can be 50-100% of first year revenues. Solution Sizing Small Medium Large Very Large Endpoints 100-500 500-2,000 5,000+ 25,000 Guest licenses 100 500 2,000+ 5,000+ Onboard or OnGuard licenses 100 2,000 5,000+ 25,000+ Sales Revenue USD USD USD USD Hardware VM appliances $5,000 $25,000 $50,000 $75,000 Software licenses $5,000 $20,000 $45,000 $100,000 Integration and customization $5,500 $9,500 $17,500 $27,500 Other service $1,000 $2,000 $6,000 $12,000 Maintenance and support $2,500 $10,000 $19,000 $35,000 First year gross sales value $22,000 $66,500 $137,500 $249,500 Sales tactics Use these tactics to start a conversation, differentiating ClearPass from the competition. If you already have a lead, or a customer has come to you with a specific problem, use these tactics to upsell the complete ClearPass solution. If your prospect’s primary concern is not in the table, use the information in this Sales Guide to create your own questions and ideal outcome. If the prospect is concerned about… Then ask your contacts about… Help them to… EMPHASIZE… NAC or AAA/RADIUS Upgrades. • Any issues or limitations? • Future upgrades? • How users authenticate? • The number of devices connecting? Understand the importance of linking policy management to security solutions. Scalability and workflows. Securing employees and guests connecting to the network with their own devices. • Critical areas of network security? • Any recent breaches or attacks? • Types of devices connecting? • Number and type of guests per day? Describe the ideal access management solution, providing robust security across all devices and users. Completeness of security solutions covering all scenarios. How to manage guests and Onboard employee devices with limited IT resources. • Number and type of guests? • The registration process? • How devices are onboarded? • The time IT spends today? See how onboarding and policy management can be automated with self-service and visibility. Employees are not guests, and have different needs. How to implement a single Mobile Device/Application Management framework. • Which departments want this? • Who has concerns? • Is there demand from users? • Has MDM been deployed? • Are there any privacy or compliance issues? Appreciate how they can manage a mix of devices without compromising security, privacy or compliance. MDM needs network security. 20 sales selling guide clearpass access management system A typical sales cycle The diagram below shows the steps and key sales activities for identifying an opportunity and taking it through to a won deal. PROSPECTING (2-8 WEEKS) LEAD GENERATION RFP LEAD GENERATION QUALIFICATION Sector • Size • Need SALES PRESENTATION Business level How Aruba addresses the pain User experience Deployment strategy Professional services DISCOVERY Assessment survey Security policy SOLUTION DEVELOPMENT (6-16 WEEKS) DEMONSTRATION Sales demo Technical demo REFERENCE CALL PROPOSAL Design • Sizing Licenses • Redundancy EVALUATION OR PROOF OF CONCEPT* Success criteria CLOSE (2-6 WEEKS) SALE Terms IMPLEMENTATION UI customization Professional services Aruba advice UPSELL Guest Onboard OnGuard CASE STUDY Win Flash Report *By exception. Only offer a POC after approval from Aruba. PARTNER PARTNER WITH ARUBA SUPPORT ARUBA ARUBA WITH PARTNER SUPPORT KEY FACTORS FOR A SUCCESSFUL SALES CYCLE • Evaluation (or POC) must be preceded by signed success criteria. • All sales opportunities must include Professional Services for network design and deployment. 21 sales selling guide clearpass access management system Contacts and resources Key Aruba Contacts Trent Fierro, Sr. Product & Solutions Marketing Manager trent@arubanetworks.com 1.408.585.1912 Alan Ni, Sr. Product & Solutions Marketing Manager ani@arubanetworks.com 1.408.990.2563 Aruba Channel Inquiries info@arubanetworks.com Demos and evaluations To arrange a demo for your customer, make use of your online System Engineering Enablement Lab (SEEL) resource: https://afp.arubanetworks.com/afp/index.php/SEEL_Live_Demo_Program To request a 90-day ClearPass/QuickConnect evaluation when needed: http://clearpass.arubanetworks.com/webservice/eval_request.php Aruba Networks PartnerEdge Program URL Aruba Networks PartnerEdge Program http://www.arubanetworks.com/pdf/partners/channel/Aruba_PartnerEdge_Brochure.pdf Become an Aruba Networks Channel Partner http://www.arubanetworks.com/partners/channel/us-canada/ https://arubanetworkskb.secure.force.com/prm/PartnerApplication ClearPass Certification and Specialization (Login required http://inter.viewcentral.com/events/cust/cust_tracks.aspx?company_login_id=aruba&pid=1&track_id=6 Aruba Partner Center https://arubanetworkskb.secure.force.com/prm/ ClearPass Access Management Solution Overview http://www.arubanetworks.com/products/clearpass/ Partner training Consult your Channel Account Manager (CAM) for details of ClearPass training for partner SEs. 1344 Crossman Ave | Sunnyvale, CA 94089 1.866.55.ARUBA | T: 1.408.227.4500 | FAX: 1.408.227.4550 | info@arubanetworks.com www.arubanetworks.com ©2014 Aruba Networks, Inc. Aruba Networks®, Aruba The Mobile Edge Company® (stylized), Aruba Mobilty Management System®, People Move. Networks Must Follow.®, Mobile Edge Architecture®, RFProtect®, Green Island®, ETIPS®, ClientMatch®, Bluescanner™ and The All Wireless Workspace Is Open For Business™ are all Marks of Aruba Networks, Inc. in the United States and certain other countries. The preceding list may not necessarily be complete and the absence of any mark from this list does not mean that it is not an Aruba Networks, Inc. mark. All rights reserved. Aruba Networks, Inc. reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice. While Aruba Networks, Inc. uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, Aruba Networks, Inc. will assume no responsibility for any errors or omissions. SP_ClearPass_072514
