CLEARPASS ACCESS MANAGEMENT SYSTEM

advertisement
sales selling guide
CLEARPASS ACCESS MANAGEMENT SYSTEM
A fully integrated and complete solution for access security and policy
management, which enables IT to centrally define and enforce policies
that meet organizational requirements.
CONFIDENTIAL – for Aruba Networks employees
and Authorized Partners only
A fully integrated and
complete solution
sales selling guide
clearpass access management system
Table of Contents
opportunity overview
solution overview
the market
the solution
the sales process
3
4
6
9
18
2
sales selling guide
clearpass access management system
OPPORTUNITY OVERVIEW
Why sell the ClearPass Access Management System?
Why this opportunity is worth your time
Value of a
typical sale
Small deal: $15,000-$35,000 USD (to gain entry into a new account).
Medium deal: $50,000-$75,000 USD.
Large deal: $100,000+ USD.
Very large deal: $250,000 up to $1 million USD.
Time to close
For a small deal, closing can be as short as 8-10 weeks. More typical (e.g. where budget is needed): 3-12 months.
Other benefits
• Consultancy business: Professional services can be up to 20% of the deal.
• Support revenues: Generate 12-15% in annual service.
• Enables you to talk wider within your customer’s organization (e.g. to the CMO’s team).
• Unlock a single vendor stronghold; create opportunity to talk about other (Aruba WLAN) solutions.
• Upsell: Sell additional capacity and module licenses as users and devices increase.
• As a partner, you can cross-sell other Aruba products, and other vendors’ products and applications (via integration),
such as MobileIron enterprise mobile management (EMM), Security Information and Event Management (SIEM), Palo
Alto Networks firewalls.
Why it is worth your customers’ time
Many enterprise IT organizations want to allow employees, contractors and guests to connect their own mobile devices to the corporate network
to get work done. They are responding to the growing expectations of a new generation of users who consider it their birthright to use mobile
devices for every aspect of work, collaboration and personal communication.
Known as #GenMobile, they represent a majority of today’s workforce and are continuing to grow. The onus is now on IT to attract and retain
these tech-savvy workers in a highly competitive job market. And the only way to do this is to adapt to the way they want to work.
ClearPass gives IT the opportunity to centrally develop, automate, enforce and audit network access policies that enable them to meet
organizational and industry compliance requirements, while creating a memorable user experience.
What are key advantages of ClearPass?
ClearPass is the one access management solution that:
• Works efficiently and cost-effectively across multivendor wired and wireless networks.
• Is highly scalable and manages access security in very large deployments across multiple sites. It also handles authentication requests in
environments with high densities of devices.
• Delivers AAA with policy management, self-service guest network access, device onboarding, device health checks from a single platform.
• Automates and simplifies every aspect of BYOD to improve the user experience and reduce IT costs.
• Enables all your business and IT systems – MDM, helpdesk, SIEM and threat-defense – to be network-fluent through RESTful APIs and data
feeds that orchestrate workflows.
• Let’s you create context-aware policies – based on user roles, device types, location, application use, and time of day – for differentiated
access to network resources.
THE OPPORTUNITY IN BRIEF
ClearPass Access Management System:
• Provides a central point for policy management.
• Allows mobile devices to securely connect to the network and roam with very little IT intervention.
• Creates an attractive work environment for #GenMobile employees and contractors.
• Let’s enterprise IT enhance the user experience for employees and guests.
• Enables customers to reduce network operating costs.
3
sales selling guide
clearpass access management system
solution OVERVIEW
Solution description
The ClearPass Access Management System – ClearPass enables customers to control access via automated policies for wired, wireless and
remote (VPN) networks. The solution provides an organization the capability to:
• Efficiently develop, automate, enforce and audit access security policies.
• Manage and refine policy from a central location.
With ClearPass, the customer has a single point of policy implementation at a device and user level, which better protects the network
against threats, and the organization’s assets against improper use. For example, accessing account data from a laptop at HQ can be
allowed, but accessing account data from a wired port in a branch office can be prevented using ClearPass Policy Manager.
ClearPass Policy Manager – The core of the solution is an enterprise RADIUS/TACACS+ hardware appliance or virtual machine (VM) server
with advanced policy control. It includes:
• Profiling: Identifies and classifies devices on the network.
• Advanced reporting (Insight): Reporting, analytics, alerts, and compliance verification.
• ClearPass Exchange: RESTful based Application Program Interfaces (API) for integration with other systems, including but not limited to
third-party Mobile Device Management (MDM), firewalls and Security Incident and Event Manager (SIEM).
• AirGroup registration portal: Makes plug-and-play network services for media management (e.g. Apple AirPrint/AirPlay, DLNA, UPnP)
controllable and secure within an enterprise network.
Advanced features
Additional features for managing guest access, device configuration and assessments are delivered via three separate modules. Available
through purchase of perpetual or subscription licenses:
• ClearPass Guest: Simplifies workflow processes, allowing receptionists, employees and other non-IT staff to create temporary accounts for
Wi-Fi access. Once registered, ClearPass Guest delivers account login credentials to users via SMS text message or email. Accounts can be
set to expire automatically after a specific number of hours or days.
• ClearPass Onboard: Fully automates device provisioning for IT via a built-in administration interface. ClearPass Onboard offers full selfservice provisioning for Windows, Mac OSX, iOS, and Android devices that include configuration of 802.1X settings as well as the distribution
of unique device credentials. IT can revoke credentials for devices that have been lost/stolen/sold by deleting them from the database.
• ClearPass OnGuard: Aruba’s Network Access Control (NAC) solution. ClearPass OnGuard enables organizations to run advanced endpoint
assessments, as well as baseline health checks to ensure compliance and safeguards before devices connect to a secure network.
Aruba and partner services
• Guest portal customization: Aruba Professional Services deliver
support for customizing the look and feel of guest portals.
• Design and deployment: Delivered by Aruba or specialist partners.
• Support: Delivered via the partner or direct from Aruba.
• Security policy development.
• End-user training.
4
sales selling guide
clearpass access management system
Using ClearPass to benefit the business
ClearPass enables the organization to directly access and
implement security policies using Access Management in a
complete end-to-end process.
1
2
MAIN CUSTOMER BENEFITS
• Visibility: The ClearPass platform provides ability to
capture device information across all networks, ensuring
that security policies leverage device attributes and
ownership for all authentication services.
3
• Security: Enforcement, auditing and reporting features
enable customers to comply with relevant regulations and
legislation, demonstrate compliance, and mitigate the risk
of a breach in access security.
• Workflow: Users are able to connect securely and easily
from tablets, smartphones, and laptops delivering an
improved mobility experience across both corporateowned and user-owned devices (e.g. BYOD).
• Mobility: Employees given the flexibility to work from
their preferred locations and devices while maintaining
security posture.
WHAT NETWORK ACCESS POLICY DO WE
NEED FOR THE BUSINESS?
DEVELOP
• PROFILE USERS AND DEVICE TYPES
• BUILD/IMPROVE ACCESS SECURITY POLICY
AUTOMATE
• EASILY ENROLL GUESTS AND
ONBOARD DEVICES – RELIEVE
IT BURDEN
4
5
• Cost: The automated workflows, reduction in IT help
tickets through self-service and the reduced number of
appliances required to secure enterprise mobility, make
the ClearPass solution efficient and cost-effective.
ENFORCE
• APPLY POLICY
• CONTROLL ACCESS
• CHECK DEVICE HEALTH
AUDIT
• RE-PROFILE
• CHECK COMPLIANCE
• ANALYZE USAGE
DO WE NEED TO CHANGE THE POLICY?
6
MANAGE AND REFINE
• SIMULATE POLICY CHANGE
• ENHANCE USER EXPERIENCE
5
sales selling guide
clearpass access management system
THE MARKET
Target markets
Why customers need ClearPass
Across all verticals and organizations, there is a growing need to allow access to corporate networks from mobile devices. These devices may
be corporate-owned, or owned by the end user (e.g. BYOD, or for guest access).
Until recently, the NAC function has largely been targeted at enforcing access security policies for Windows PCs. Aruba employs a software
approach that extends enterprise mobility intelligence across wired and wireless networks, all the way to users, devices, and apps. Now
control is being extended to mobile devices running a variety of operating systems.
ClearPass meets the extended NAC requirement, but also does a lot more for the customer’s business than previous network security or
AAA solutions. So, although many opportunities might arise from a need for improved Network Access Control, it is important to explain to
your customer what else can be achieved with ClearPass. It is this complete capability that sets ClearPass apart.
WHY THE MARKET IS ATTRACTIVE NOW
• There has been rapid and widespread growth in types and models of mobile devices, which people find convenient in regards to
business application.
• The availability of apps and services (including cloud) has made mobile devices indispensable. Owners expect to be able to use them
for work and for interacting with organizations, from any location.
• The ‘consumerization of IT’ is now a reality. Giving employees a choice about how they work has become essential for staff
recruitment and retention.
• Competitive pressures continue to drive organizations to look for ways to enhance customer experience while containing costs.
• IT departments are being outpaced by user demand. They need tools that accelerate the onboarding of new devices and reduce
workload by employing self-service, while enforcing security and providing visibility.
Which of my customers shall I target?
A “yes” answer to some of the following questions mean they are a good prospect.
YES
1
Has the prospect or another organization in the same industry sector recently suffered a security breach?
2
Is a large proportion of the prospect’s workforce using mobile devices?
3
Do they hire contractors, or work collaboratively with partners/agencies?
4
Do they have a frequent or large numbers of guests?
5
Do they have distributed offices?
6
Are they moving into a new building, or consolidating sites?
7
Have they recently been or are they about to be involved in a merger or acquisition?
8
Are they a public sector organization that is being encouraged by a government entity to share resources?
9
Are they in an industry where new regulations or legislation have recently been or are about to be introduced, which
relate to information security or operational risk?
10
Do they have a heterogeneous (multi-vendor) network?
NO
6
sales selling guide
clearpass access management system
Market needs
General market needs and ClearPass’ response
Visibility and control
Organizations in all verticals want visibility of how their network is being accessed – from where, by whom and using what device. They need
to be sure that only authorized users are allowed access, and that unsecure or compromised devices are either denied access or removed
from the network.
ClearPass offers a crystal-clear picture of whom and what is connecting to your network, when they connect and where. ClearPass provides
the all-important visibility and reporting needed to implement controls based on users’ mobility habits.
Compliance:
Organizations must comply with mandatory security requirements, regulations and legislation, and protect networks against data loss and
cyber-attacks.
ClearPass provides Enterprise-grade AAA, RADIUS/TACACS+, 802.1X and non-802.1X services. The full suite of customizable captive portal
options for guest access, BYOD, and resource sharing meets, and surpasses industry security standards.
Productivity
Many organizations are looking to improve employee productivity by providing staff with secure access from any device, so that users have a
wider range of tools to get work done.
ClearPass’ support for third-party mobile device management (MDM) promotes BYOD and allows staff and guests to access the network
from any number of personal or company devices. This empowers network users to engage with each other on a multitude of platforms.
User engagement
This is of growing importance, especially in finance (retail banking), retail and hospitality. Being able to deliver targeted information to users
based on context (user profile, location) is a major driver for fostering customer loyalty.
Cost containment
Organizations want to reduce the burden on already overstretched IT resources and avoid/lower the costs of owning and replacing devices.
ClearPass provides a cost-effective solution that can be deployed on any network and requires no changes to your current infrastructure.
Self-service onboarding allows users to join the network without needing IT assistance, representing a company savings upwards of $500
USD per personal device onboarded.
Mobility
Many organizations are frustrated by the difficulties of using mobile devices for business and enforcing an appropriate access security policy.
They wish to improve the mobility experience for their customers, staff, contractors and partners.
ClearPass is cost-effective, secure, and provides ease of deployment. It is simply the best way to rollout and manage mobility as the
#GenMobile workforce connects to enterprise networks.
Business drivers in selected verticals
Healthcare
• Enable guest access for patients and hospital visitors.
• Allow doctors, nurses, and admin staff to self-configure their own devices.
• Enable clinicians to securely access patient data, regardless of location.
• Securely transfer patient data based on user privileges and/or device profile.
Finance
• Use mobile devices for enhanced customer interaction (e.g. electronic signatures).
• Implement visitor guest access for regulators, auditors, and consultants.
• Phase out corporate-owned devices by allowing staff to purchase and use their own devices.
• Deploy improved Access Management to comply with the latest industry regulations (Basel III).
7
sales selling guide
clearpass access management system
Retail and Hospitality
• Attract customers by offering guest Wi-Fi.
• Engage with customers by pushing tailored advertisements to personal devices using contextual information.
• Improve customers’ experience with Wi-Fi that remembers them on their next visit, and automatically logs them into Wi-Fi.
• Enforce PCI requirements with secure access.
Education
• Enable students to use personal devices for interactive learning.
• Allow non-IT specialists to securely grant guest access to students, parents, and authorized visitors.
• Save money in schools by promoting BYOD and allowing students to use their own devices.
ClearPass worldwide addressable market size
MARKET TRENDS
Analysts like Frost & Sullivan and Gartner are forecasting that
organizations worldwide will spend a growing amount on NAC
solutions over the next four years. From a worldwide market
worth of $350 million USD in 2014, market analysts forecast
that demand will steadily increase at a rate of almost 31% per
year, and estimate that market worth will surpass $1 billion USD
by 2018. This represents a major opportunity for partners to
work with Aruba to establish ClearPass as a primary source of
revenue generation.
$M
1200
1000
800
600
400
200
0
2014
2015
2016
2017
2018
Source: Aruba view, based on reports from Frost & Sullivan
and Gartner
8
sales selling guide
clearpass access management system
The solution
How ClearPass meets customer needs
What are the business needs of key people in your customer’s organization? Here’s how ClearPass addresses each need.
CIO: ACCESS MANAGEMENT NEEDS
Need
How the business need is addressed
Provide good network service
• ClearPass OnGuard protects against unsecure and compromised devices, enabling organizations
to allow use of employee-owned devices without putting the business at unnecessary risk.
• ClearPass Onboard automatically configures and provisions mobile devices, enabling employees
and guests to easily and securely connect to enterprise networks.
• Employees and guests are given permission to self-configure their own devices. The ClearPass
Onboard portal detects a device’s operating system and guides the user through the appropriate
configuration package.
• ClearPass Guest delivers account login credentials to users via SMS text message or email. Accounts
can be set to expire automatically after a specific number of hours or days.
• Executives want to use their
own devices
• Employees use multiple devices
• Employees bring their own devices
(i.e. BYOD)
• Simple guest access
Reduce the risk of a security breach
• Guard against malicious attacks
• Maintain the trust of customers
and partners
• With ClearPass, network access security policies can be defined centrally, then implemented
consistently across all wired and wireless network access points, minimizing the risk of leaving a
vulnerability that can be exploited.
• User authentication, context, and role-based profiling, guard against unauthorized users gaining
access to sensitive areas of the network and data.
CFO: FINANCIAL NEEDS
Need
How the business need is addressed
Contain the costs of network access
security management.
• Automated device configuration and provisioning reduce the cost of access security, especially
when introducing 802.1X into a wired network or moving to a new site.
• A single ClearPass Policy Manager appliance can handle up to 25,000 unique endpoints across
multiple networks, so even with redundant architecture the amount of server hardware required
is relatively small.
• Optional advanced feature modules mean customers pay only for functionality they
actually need.
• ClearPass Exchange ensures that the functionality of other investments is exploited to increase
security, reduce support costs, and improve the customer experience.
• IT staff no longer needs to be involved in onboarding new devices, registering guests, or assisting
contractors; significantly reducing ongoing administration costs.
• Users can use their own devices, reducing cost to the organization which would otherwise be
responsible for provision and replacing company devices.
• Implementation
• Network equipment upgrades
• Hardware
• License fees
• Administration costs
• Multiple device support
• Dealing with visitors
Predictability of costs over the lifetime
of ClearPass solution.
• Scalability and linear growth
• Availability of perpetual licenses
• Licensing flexibility
• ClearPass provides a single integrated system that can adapt as the organization grows and
changes. ClearPass can scale to very large deployments and provide centralized control for new
sites, without the need to rip and replace hardware or software.
• Aruba operates a license overrun scheme to lessen the cost impact when usage grows, and to
allow organizations to meet short-term spikes in access demand (e.g. during special events or
unexpected peaks in user activity).
• Organizations have the option of a perpetual license or a subscription licensing format, whichever
best suits their business model.
• Enterprise licenses can be shared across the Guest, Onboard, and OnGuard modules.
9
sales selling guide
clearpass access management system
CSO: SECURITY NEEDS
Need
How the business need is addressed
Secure network access
• ClearPass provides granular access security management which enables contextual access
control in respect to location, device and user level.
• ClearPass Policy Manager supports advanced user and device authentication based on 802.1X,
non-802.1X and web portal access methods.
• Guest access workflow can be designed to require confirmation by a trusted sponsor.
• Embedded Certificate Authority (CA) support allows ClearPass to work with existing Public Key
Infrastructure (PKI) or act as its own CA.
• ClearPass is accredited as compliant to FIPS 140-2 for cryptographic modules.
• User identification
• Role-based profiling
• Certificate of authority accreditation
Protection against malware
• Device health checks
• Remediation
• Post-access removal
• ClearPass OnGuard performs advanced endpoint posture assessments before
devices connect.
• Automatic remediation workflows can be applied to non-compliant devices.
• Certificates and profiles can be issued to devices to allow for easy removal from the network if
required (e.g. if devices are compromised, lost or stolen).
Compliance to regulations and
relevant legislation
• Appropriate level of security
• Reports and audit trails
• ClearPass provides the ability to develop, automate, and enforce an access security policy that
meets the organization’s business requirements, then refine that policy as new regulations come
into effect or the business’ needs change.
• Audit and reporting allow customers to check and demonstrate compliance.
CMO: USER ENGAGEMENT NEEDS
Need
How the business need is addressed
Improve the mobility experience
of users.
• ClearPass allows customers to modernize their infrastructure to cater to and attract #GenMobile
employees.
• ClearPass works with a wide range of mobile platforms including: iOS, Android, Windows Mobile,
Windows Phone 8, Mac and Symbian OS.
• ClearPass Exchange makes it easy to integrate with third-party solutions such as MDM, so
organizations can manage mobile and other devices.
• Self-registration speeds network access, while Media Access Control (MAC) caching makes sign-on
straightforward for returning users.
• Single sign-on to the network and Auto-sign-on for applications makes working via mobile devices
quicker and easier.
• Attract and retain staff
• Allow network access from and
manage mobile devices
• Wide choice of devices
• Simple registration
Enhance the experience of
guest users.
• Customized portals
• Social login
• Text messaging
• Relevant communication
• Portals can be customized with a wide range of options, including localized language support and
location-specific information.
• If desired, guests can use social networking identities to gain access, and receive login instructions
and other information via SMS.
• Using the optional advertising module, context-based messages can be sent to users (e.g. special
offers in stores).
10
sales selling guide
clearpass access management system
IT/NETWORK DIRECTOR: INFRASTRUCTURE NEEDS
Need
How the business need is addressed
Simple implementation
• ClearPass requires fewer physical appliances than other solutions, and can be ran as a virtual
machine (VM) on existing hardware.
• There is no need to replace existing network infrastructure.
• Automatic device profiling and self-registration relieve the IT burden of tracking devices.
• Detailed diagnostic information assists network administrators (e.g. in troubleshooting failed
802.1X authentications).
• Minimal new hardware
• No change to existing infrastructure
• Automated assistance to reduce IT
effort involved
System performance
• ClearPass solutions have proven reliability in ‘live’ customer networks.
• Solutions scale easily to manage up to a million endpoints from a single cluster, and can handle a
high density of authentication requests.
• Unlike other offerings, ClearPass does not operate ‘in line’. Thus, ClearPass has minimal effect on
network performance and no consequent scaling issues.
• Reliability
• Scalability
• Effect on the network
The competitive landscape
How does the competition rate and who are they?
Use this table to identify Aruba’s strengths and how to beat the competition.
Scoring: 0 = No capability, 1 = Very weak, 5 = Exceptionally strong, “?”= No information
clearpass competitors
Aruba
ClearPass
Cisco
(ISE/ACS)
ForeScout
Bradford
Networks
Juniper
Networks
HP
Smaller niche Wi-Fi
players (e.g. Meru,
Aerohive, Extreme)
Interoperability
5
2
4
3
2
2
2
Vendor’s Wi-Fi knowledge
4
3
1
0
2
2
2-4
Proven, stable solution
5
5
0
0
3
2
4
Scalability
4
4
3
2
3
1-2
1-2
Completeness of solution
5
3
2
3
3
3
2-4
Ease of deployment
5
4
3
3
3-4
3
2
Solution for multi-vendor
networks
5
2
4
2
3
?
2-4
Our Major Strengths:
• Solution for multi-vendor networks
• Interoperability with third party solutions: MDM, SIEM, billing, admittance, SMS
• Proven, stable and completeness of solution
• Scalability
EMPHASIZE THESE POINTS!
11
sales selling guide
clearpass access management system
HOW TO WIN
We win if:
• We tie down the scope of the requirements early in the sales cycle.
• The customer has an Aruba WLAN, and is implementing a refresh.
• The network is multi-vendor or wholly Aruba.
• The requirements are biased towards access for contractors/guests.
• The customer experiences a demo and the ClearPass management interface.
• When an evaluation is needed, we sign off targeted success criteria in advance.
We lose if:
• The prospect has too few users/devices, or has too simple a business model to benefit from Access Management.
• We try to compete with smaller niche vendors by offering only a subset of ClearPass.
• There is a strong ‘Cisco only’ attitude, across both wired and wireless access.
12
sales selling guide
clearpass access management system
How to beat the competition
Capability
Capability Explained
Supporting Facts and Proof Points
Solution for multivendor Networks
• Across multi-vendor networks, ability
to develop, automate, enforce, and
audit an access security policy.
• Applicable to wired and wireless
networks.
• In many deployments, ClearPass manages access to Cisco, Avaya, and
HP networks.
• We have customers with both wired and wireless deployments
(e.g. SAP).
• Other vendors’ offerings don’t provide centralized visibility and control
across heterogeneous networks from a single, integrated system.
For example, Cisco ISE is difficult to administer in non-Cisco (e.g.
WLAN) environments.
Interoperability
• ClearPass is standards-based.
• Features integration with enterprise
applications.
• Connectivity to other Access
Management systems (e.g. MDM).
• Provision of Application Program
Interfaces (API).
• ClearPass features flexibility of vendor.
• ClearPass employs standards-based protocols and interfaces (e.g.
using standard web APIs to receive context data from new sources).
• The solution is integrated with hundreds of commonly used enterprise
tools (e.g. Palo Alto Networks firewalls, Splunk SIEM).
• ClearPass enforces network policies based on device status from third
party MDM vendors like AirWatch and MobileIron.
• ClearPass works with any multivendor infrastructure, and is easily
extended to network security business and IT systems you already
have in place.
Vendor’s Wi-Fi
knowledge
• Experience in Wi-Fi and network control.
• Aruba’s business focus is in
wired/wireless network security.
• Current market leadership.
• Technical competence and skilled staff.
• Aruba has been delivering Wi-Fi networks for 13 years.
• We are a Gartner magic quadrant leader in Wired and Wireless LAN
Access Infrastructure.
• Our SEs and profession services engineers are well versed in wireless
LAN technology and integration.
Proven and stable
solution
• Reliable reference network.
• Many in service solutions.
• Number of licenses continues to grow.
• Large user community.
• Aruba features a strong partner
community.
• ClearPass is in service across many verticals globally, whereas Cisco’s
references are nearly all for its legacy ACS and not its replacement, ISE.
• ForeScout is locally strong for small to mid-size deployments, but
weak elsewhere.
• Juniper’s deployment numbers have plummeted since 2012. Juniper
now partners with Aruba.
Scalability
• Ability to add new users easily.
• Ability to enforce policy across
multiple sites.
• Capable of high-density
authentication.
• ClearPass successfully manages network access security in very large
scale deployments as with SAP (with 66,000 users worldwide), Barclays,
and the Los Angeles Unified School District.
• ClearPass customers can enforce policy across multiple sites from a
central location. ForeScout works ‘in line’ and requires many appliances.
• The San Francisco International Airport is a prime example of
ClearPass’ ability to handle high-density authentication requests.
Completeness of
solution
• Access Policy management and
enforcement.
• Guest functionality.
• Device profiling and onboarding.
• System automation.
• Trouble-shooting tools.
• ClearPass delivers a complete set of functionality for managing network
access security in a unique, single integrated system.
• Optional modules include: guest self-registration and advertising,
device onboarding, and device posture validation.
• Self-service workflows and ClearPass Exchange enable complete
automation of processes that quarantine devices in the event of a
policy breach.
• ClearPass comes complete with diagnostic tools for investigating
system problems (e.g. trouble-shooting failed authentications).
Ease of deployment
• Automated tasks.
• Off-network policy simulation and
test deployment.
• Accredited engineers.
• Partners that assist with deployment.
• ClearPass simplifies setting up and implementing policies by
automating device profiling and onboarding.
• With ClearPass, customers can trial changes to policies without
affecting users. This allows an organization to test the effects prior to
rolling them out.
• We have Professional Services Partners with the accredited skills to
assist customers with policy design and deployment.
13
sales selling guide
clearpass access management system
Success stories
VMware
A leading technology company with over 14,000 employees, deploys ClearPass Policy Manage, Onboard and Guest for enterprise
mobility project.
• ClearPass’ ease of use and built-in Certificate Authority beats Cisco and ForeScout.
The challenge
VMware, the industry-leader in virtualization software, was looking for a comprehensive solution to provide secure guest access, enroll
BYOD devices onto the corporate network, and authenticate company-owned devices onto the wireless network using .1X authentication.
VMware also wanted a best-of-breed security solution that could manage its mixed environment of legacy Trapeze infrastructure, and newly
upgraded Cisco WLAN.
The response
After the RFI responses, VMware invited Aruba, Cisco and ForeScout to take part in lab trials and a small Proof of Concept (POC). The VMware
team appreciated the ease of use, built-in Certificate Authority (CA), and the platform flexibility that Aruba ClearPass provides. In addition,
because we were able to set up the system faster, we completed the evaluation two weeks ahead of the competition. After a more in-depth
evaluation to a larger user base, VMware selected ClearPass as its global standard.
The result
In a deal initially worth $750,000 USD, ClearPass will have been implemented globally for wireless access management by the end of 2014.
This includes data centers in Palo Alto for the Americas, Ireland for EMEA, India for APAC, and appliances in other countries. This will enable
VMware to globally roll out MS Lync and support BYOD, along with contractor and guest access. In addition, ClearPass technicians detected
WLAN issues VMware had in one of its executive buildings. As a result, we were able to replace Cisco ISE with Aruba Wi-Fi and AirWave WLAN
management, increasing the value of the VMware deal to $3 million USD.
SAP
Multi-national enterprise selects ClearPass over ISE to replace Cisco ACS.
• ClearPass’ scalability preferred over Cisco’s ISE.
The challenge
Headquartered in Walldorf, Germany, SAP AG is a global leader in enterprise software, with locations in more than 130 countries. Having
experienced stability issues with ACS, the company investigated Cisco ISE, but found that administration complex, the GUI was not intuitive,
and there were maintenance and upgrade issues.
The response
As a long-term customer of Aruba WLAN the Aruba account team has built close relationships with key decision makers. Meeting on a
regular basis, the Aruba team was able to pick up on SAP’s concerns about ISE and propose ClearPass as an alternative. An evaluation was
rapidly arranged, demonstrating that ClearPass could address the issues that SAP was experiencing with Cisco ISE. SAP’s infrastructure and
service teams were particularly impressed with the ClearPass’ ease of use and deployment, which Cisco’s ACS
and ISE lacked.
The result
ClearPass is now in service for SAP’s 66,000 employees worldwide. Eight ClearPass appliances were installed in Germany, four each in
Singapore and in Philadelphia, all of which are managed centrally from SAP in Germany. The ClearPass Guest module, which replaced an
internally developed system, provides secure SAP-branded Internet access to over 15,000 guests and consultants.
14
sales selling guide
clearpass access management system
University Hospital of Toulouse
A hospital moves to a new site and implements LAN access security.
• ClearPass preferred for multivendor interoperability and single platform extensibility.
The challenge
Our WLAN customer, the University Hospital of Toulouse in France, had plans to consolidate multiple sites to a new building. At the same
time, it wanted to add 802.1X-based authentication to its unsecured Cisco LAN. With only three people in its network team, moving to
automated access security would eliminate the manual configuration of 18,000 Ethernet ports.
The response
When the hospital approached Cisco, it discovered that Cisco’s ISE proposition would complicate things by requiring a large number of
appliances, and not offering perpetual licenses, making the ISE solution costly. Our network integration partner, Orange, proposed an
evaluation of both solutions, to compare ISE and ClearPass, in which the ClearPass solution was running in one-quarter of the time.
The result
CHU Toulouse realized that the profiling available with ClearPass would enable it to onboard all peripherals quickly; including IP cameras,
alarms, and door-locking mechanisms within the Building Management’s system. Two ClearPass 25,000 user appliances (one for
redundancy), together with a combined 600 licenses for Onboard and OnGuard, were sufficient to ensure that the hospital could improve
network security, as well as move to its new site promptly and in a cost-efficient manner.
California Polytechnic State University (Cal Poly)
Replacement of legacy AAA solution for complete ClearPass Access Management System.
• Initial security interest, then guest access requirement, resulted in full ClearPass and WLAN deployment.
The challenge
The opportunity at California Polytechnic State University (Cal Poly) in San Luis Obispo, CA started out as an authentication, authorization
and accounting (AAA) requirement to replace Cisco ACS. However, after talking to the university’s security and IT staff, the Aruba sales team
established a need for guest access. Besides hosting visitors, Cal Poly runs conferencing facilities during the summer months. Surprisingly,
the team also discovered that none of the dormitories on campus had wireless access.
The response
Following a focused sales campaign lasting 18 months, in a deal worth approximately $1 million we supplied Cal Poly with AP-93H 802.11n
access points, along with $300,000 USD worth of ClearPass. We provided secure-managed .1X access and MAC
authentication for both Aruba’s wireless and Cisco’s wired ports. In addition, ClearPass Guest with self-service allowed secure access
for short-term visitors.
The result
By choosing ClearPass, Cal Poly has been able to easily enable mobility to new environments. Apple TVs are being installed in classrooms,
requiring the need for AirGroup registration. The university is in the process of moving to Alcatel equipment, thus benefiting from ClearPass’
multi-vendor capability. And by investing in ClearPass Onboard, Cal Poly has been able to offer secure access to multiple types of tablet
devices. The university’s staff is now considering deployment of ClearPass OnGuard. The clear message from the Aruba sales team is to
identify who has responsibility for security, get these individuals together with networking, and sell ClearPass’ total capability: don’t just
settle for winning based on the initial requirement and move on.
15
sales selling guide
clearpass access management system
The financial business case
ClearPass’ IT off-load vs. an increase in staff resources. Supporting network access from employees, contractors and guests can significantly
burden IT and administration resources. This business case shows how labor costs can be decreased through adopting ClearPass. For this
example we have used a scenario where an organization has a limited number of contractors, a growing number of guests, and whose
employees want to use their own devices.
Also, there are wired ports that need to be secured and managed (for moves and hardware changes). The areas of cost savings shown here
are applicable to many types of organizations.
“Main assumptions”
Year 1
Year 2
Year 3
Wired ports: 6 changes per year to 20% of
the ports
Wired ports*
$1,500 USD
$1,500 USD
$1,500 USD
Employees: average of 2 devices each, replacing 1
every year
Employees*
$3,000 USD
$3,500 USD
$4,000 USD
Contractors: connect 1 device for an average 2
month contract
Contractors*
$200 USD
$200 USD
$200 USD
Guests: connect 1 device every visit for an average
of 7 days
Guests*
$250 USD
$500 USD
$750 USD
Forecast costs without ClearPass
Year 1
Year 2
Year 3
IT staff time
USD
USD
USD
Wired ports (securing, product adds, and moves)
$59,800
$59,800
$59,800
Employee devices (onboarding, audit, and technical help)
$59,800
$69,800
$79,800
Contractors (onboarding, audit, and technical help), plus waiting time
$24,900
$24,900
$24,900
Guests (resolving technical issues)
$4,300
$8,600
$13,000
$10,400
$20,700
$31,100
$159,200
$183,800
$208,600
ClearPass system, including redundancy and optional modules
$140,800
$71,300
$9,200
Professional services cost (delivered by partner)
$10,000
$5,000
$5,000
System maintenance
$19,300
$29,000
$29,900
Internal IT deployment, training and, management costs
$25,000
$25,000
$25,000
Wired ports (securing, adds, moves)
$10,000
$10,000
$10,000
Employee devices (onboarding, audit, and technical help)
$8,100
$9,500
$10,900
Contractors (onboarding, audit, and technical help), plus waiting time
$2,100
$2,100
$2,100
Guests (resolving technical issues)
$1,400
$2,900
$4,300
$0
$0
$0
Total Costs
$216,700
$154,800
$96,500
Cost Savings
$-57,500
$29,000
$112,200
Administration staff time
Contractors and guests (registration, and issuing login details)
Forecast costs with ClearPass
Total Costs
Purchase, deployment, and maintenance
IT staff time
Administration staff time
Contractors and guests (registration, and issuing login details)
16
sales selling guide
clearpass access management system
THE BOTTOM LINE
• Total savings over three years $83,700.
• Net Present Value (NPV) at 10% $56,000.
• Internal Rate of Return (IRR) is 67%.
Over 3 years, ClearPass reduces IT resource requirements by 2.7 man years.
Additional ClearPass solution benefits
• ClearPass servers with RADIUS/TACACS+ and advanced policy controls saves the cost of replacing or upgrading existing wired and
wireless infrastructure.
• Improved guest experience: Generating repeat business and enhancing brand value.
• Better guest management and employee/contractor removal reduces/eliminates unauthorized Wi-Fi use.
• No need for multiple Wi-Fi networks (e.g. separate networks for employees and guests).
• Wired ports can be protected and create an audit trail, reducing the risk of a security breach.
• Future proof: Growth in mobility and collaboration will not increase IT staff overhead.
17
sales selling guide
clearpass access management system
THE SALES PROCESS
Qualification
Use the questions on this page to help you capture information about the prospect and qualify the sale, before committing more resources.
What business problem is the prospect trying to solve? (Tick all those that apply)
Key qualification factors (The more questions you can answer ‘YES’ to, the better)
Yes
1
Will the prospect be looking to control network access for more than 500 devices?
2
Do they want to open up their network to new types of devices, or does the organization have a need to improve
security as a result of a growing number of mobile devices?
3
Have they recently made a large investment in mobile devices (e.g. smartphones, tablets)?
4
Are they insourcing either IT or network service?
5
Are they looking to replace Cisco ACS?
6
Do they have a problem with limited IT support, locally or at remote sites? Is there a shortage of IT professionals or
a lack of IT skills (especially with regard to handling requests from devices connecting to the network)?
No
Deal discovery guidance
A prospect meeting should identify the following:
1.The number of devices currently connected to the network.
2.The maximum number of guests per day.
3.The number of devices requiring health checks (OnGuard).
4.The type of devices allowed onto the network.
5.Total number of devices/endpoints to be authenticated.
6.The identity stores that are employed for user and device authentication.
7.Existing policies for guest access, remote access, and certificates.
8.Alternative solutions that the prospect is considering.
18
sales selling guide
clearpass access management system
Dealing with objections
Objection: We’re a Cisco house.
Real concern: Your system might not be compatible. Why should I risk my reputation buying non-Cisco?
Answer: The fact that you have heavily invested in Cisco is not a problem. Aruba has successfully deployed ClearPass into many Cisco
environments, including SAP worldwide, major bank Emirates NBD in the Middle East, and VMware in the United States. Our customers tell
us that ClearPass is much easier to deploy and manage than the equivalent Cisco offering, and it also costs less. May I setup a demo for you,
so that you can see why others have chosen ClearPass over Cisco ISE?
Objection: Aruba is known as a Wi-Fi only company.
Real concern: I don’t want to risk putting this into my wired network.
Answer: It’s true that Aruba has built its reputation on providing enterprise-class Wi-Fi networks. However, ClearPass was designed from
the outset to work across both wired and wireless multi-vendor networks. We have successfully deployed ClearPass into many wired
environments, including enterprises, hospitals, retail outlets, and schools. Aruba has been recognized by Gartner as a magic quadrant
leader in the provision of Network Access Control, as well as Wired and Wireless LAN Access Infrastructure.
Objection: We don’t need a complete solution.
Real concern: I don’t want to spend money on functionality I don’t need.
Answer: The great thing about ClearPass is that it is a modular solution, so you only have to buy what you actually need. Built-in is all the
functionality you require to deploy a consistent access security policy across both wired and wireless networks, extended to mobile devices.
If you decide later that you want additional functionality, such as guest access, or more capacity, then this is easily added. Let me organize a
demo for you, so that you can decide which modules you would require to support your business.
Objection: We’re happy with what we have.
Real concern: I don’t want to buy extra security I don’t need.
Answer: The primary reason that organizations like yours are investing in improving their network access control is to allow secure access
from all devices. Many customers tell us that their employees, contractors, partners, and guests now expect to use mobile devices for work,
and for interacting with the organization. ClearPass offers you a way to meet this demand from a single integrated platform, while delivering
many other benefits, such as providing visibility, enabling compliance, improving employee productivity and containing costs. Can I run
through an example business case with you, to show you how ClearPass could actually save you money?
19
sales selling guide
clearpass access management system
Typical deals
Examples of customer pricing and product mix for deals of different size and complexity.
The table below shows figures for the first year. Upselling will generate revenues in the second year that can be 50-100% of first year revenues.
Solution Sizing
Small
Medium
Large
Very Large
Endpoints
100-500
500-2,000
5,000+
25,000
Guest licenses
100
500
2,000+
5,000+
Onboard or OnGuard licenses
100
2,000
5,000+
25,000+
Sales Revenue
USD
USD
USD
USD
Hardware VM appliances
$5,000
$25,000
$50,000
$75,000
Software licenses
$5,000
$20,000
$45,000
$100,000
Integration and customization
$5,500
$9,500
$17,500
$27,500
Other service
$1,000
$2,000
$6,000
$12,000
Maintenance and support
$2,500
$10,000
$19,000
$35,000
First year gross sales value
$22,000
$66,500
$137,500
$249,500
Sales tactics
Use these tactics to start a conversation, differentiating ClearPass from the competition.
If you already have a lead, or a customer has come to you with a specific problem, use these tactics to upsell the complete ClearPass solution.
If your prospect’s primary concern is not in the table, use the information in this Sales Guide to create your own questions and ideal outcome.
If the prospect is
concerned about…
Then ask your contacts about…
Help them to…
EMPHASIZE…
NAC or AAA/RADIUS
Upgrades.
• Any issues or limitations?
• Future upgrades?
• How users authenticate?
• The number of devices connecting?
Understand the importance
of linking policy management
to security solutions.
Scalability and
workflows.
Securing employees and guests
connecting to the network with
their own devices.
• Critical areas of network security?
• Any recent breaches or attacks?
• Types of devices connecting?
• Number and type of guests per day?
Describe the ideal access
management solution,
providing robust security
across all devices and users.
Completeness of security
solutions covering all
scenarios.
How to manage guests and
Onboard employee devices with
limited IT resources.
• Number and type of guests?
• The registration process?
• How devices are onboarded?
• The time IT spends today?
See how onboarding and
policy management can be
automated with self-service
and visibility.
Employees are not
guests, and have
different needs.
How to implement a single
Mobile Device/Application
Management framework.
• Which departments want this?
• Who has concerns?
• Is there demand from users?
• Has MDM been deployed?
• Are there any privacy or compliance issues?
Appreciate how they can
manage a mix of devices
without compromising security,
privacy or compliance.
MDM needs network
security.
20
sales selling guide
clearpass access management system
A typical sales cycle
The diagram below shows the steps and key sales activities for identifying an opportunity and taking it through to a won deal.
PROSPECTING (2-8 WEEKS)
LEAD GENERATION
RFP
LEAD GENERATION
QUALIFICATION
Sector • Size • Need
SALES PRESENTATION
Business level
How Aruba addresses the pain
User experience
Deployment strategy
Professional services
DISCOVERY
Assessment survey
Security policy
SOLUTION DEVELOPMENT (6-16 WEEKS)
DEMONSTRATION
Sales demo
Technical demo
REFERENCE CALL
PROPOSAL
Design • Sizing
Licenses • Redundancy
EVALUATION OR PROOF OF CONCEPT*
Success criteria
CLOSE (2-6 WEEKS)
SALE
Terms
IMPLEMENTATION
UI customization
Professional services
Aruba advice
UPSELL
Guest
Onboard
OnGuard
CASE STUDY
Win Flash Report
*By exception. Only offer a POC after approval from Aruba.
PARTNER
PARTNER WITH ARUBA SUPPORT
ARUBA
ARUBA WITH PARTNER SUPPORT
KEY FACTORS FOR A SUCCESSFUL SALES CYCLE
• Evaluation (or POC) must be preceded by signed success criteria.
• All sales opportunities must include Professional Services for network design and deployment.
21
sales selling guide
clearpass access management system
Contacts and resources
Key Aruba Contacts
Trent Fierro, Sr. Product & Solutions Marketing Manager
[email protected]
1.408.585.1912
Alan Ni, Sr. Product & Solutions Marketing Manager
[email protected]
1.408.990.2563
Aruba Channel Inquiries
[email protected]
Demos and evaluations
To arrange a demo for your customer, make use of your online System Engineering Enablement Lab (SEEL) resource:
https://afp.arubanetworks.com/afp/index.php/SEEL_Live_Demo_Program
To request a 90-day ClearPass/QuickConnect evaluation when needed:
http://clearpass.arubanetworks.com/webservice/eval_request.php
Aruba Networks PartnerEdge Program URL
Aruba Networks PartnerEdge Program
http://www.arubanetworks.com/pdf/partners/channel/Aruba_PartnerEdge_Brochure.pdf
Become an Aruba Networks Channel Partner
http://www.arubanetworks.com/partners/channel/us-canada/
https://arubanetworkskb.secure.force.com/prm/PartnerApplication
ClearPass Certification and Specialization (Login required
http://inter.viewcentral.com/events/cust/cust_tracks.aspx?company_login_id=aruba&pid=1&track_id=6
Aruba Partner Center
https://arubanetworkskb.secure.force.com/prm/
ClearPass Access Management Solution Overview
http://www.arubanetworks.com/products/clearpass/
Partner training
Consult your Channel Account Manager (CAM) for details of ClearPass training for partner SEs.
1344 Crossman Ave | Sunnyvale, CA 94089
1.866.55.ARUBA | T: 1.408.227.4500 | FAX: 1.408.227.4550 | [email protected]
www.arubanetworks.com
©2014 Aruba Networks, Inc. Aruba Networks®, Aruba The Mobile Edge Company® (stylized), Aruba Mobilty Management System®, People Move. Networks
Must Follow.®, Mobile Edge Architecture®, RFProtect®, Green Island®, ETIPS®, ClientMatch®, Bluescanner™ and The All Wireless Workspace Is Open For
Business™ are all Marks of Aruba Networks, Inc. in the United States and certain other countries. The preceding list may not necessarily be complete and the
absence of any mark from this list does not mean that it is not an Aruba Networks, Inc. mark. All rights reserved. Aruba Networks, Inc. reserves the right to change,
modify, transfer, or otherwise revise this publication and the product specifications without notice. While Aruba Networks, Inc. uses commercially reasonable
efforts to ensure the accuracy of the specifications contained in this document, Aruba Networks, Inc. will assume no responsibility for any errors or omissions.
SP_ClearPass_072514
Download
Related flashcards
Create Flashcards