Professional Documents
Culture Documents
SALES GUIDE
ClearPass Access Management Solution Sales Guide – Confidential – Aruba Networks and Partners only
CLEARPASS ACCESS MANAGEMENT SOLUTION
SALES GUIDE
ContentsPage
OPPORTUNITY OVERVIEW
Why sell ClearPass Access Management? 1
SOLUTION OVERVIEW
Solution description 2
Using ClearPass to benefit the business 3
THE MARKET
Target markets 4
Market needs 5
THE SOLUTION
How ClearPass meets customer needs 6
The competitive landscape 8
How to beat the competition 9
Success stories 10
The financial business case 12
Why it is worth your customers’ time What are ClearPass’ key advantages?
Many customers want to open up their networks to ClearPass is the only access management solution that:
access from mobile devices (smartphones, laptops,
• Works efficiently and cost-effectively across multi-
tablets etc.), owned by the organization or by the end
vendor wired and wireless networks
user. They are responding to a growing expectation by
employees and visitors that they should be able to use • Is highly scalable, managing access security in
mobile devices for work and for interacting with the very large deployments, across multiple sites, and
organization. handling high density authentication requests
• Delivers policy management, policy enforcement,
#GenMobile, people that have a preference for all guest functionality, device profiling and onboarding
things mobile, are an increasing proportion of the from a single platform
workforce. Organizations need to attract this talent • Has workflow and interoperability to provide
pool to remain competitive. automation and self-service which improves user
experience and reduces IT costs
ClearPass offers organizations the opportunity to • Enables contextual policy management to a location,
centrally develop, automate, enforce and audit an device and user level
access security policy that will enable them to meet
business requirements and comply with regulations
and legislation, while enhancing the user experience.
SOLUTION DESCRIPTION
1
What network
access policy do we
need for the
business?
2 DEVELOP
• Profile users
and device
types
Y
OLIC • Build/Improve Access
3 AUTOMATE
P Security Policy
E
N
6 MANAGE
FI
RE
AND REFINE
• Easily enrol
guests and
• Simulate policy onboard devices
change – relieve
• Enhance user IT burden
experience
Do we need to
modify the
policy?
4 ENFORCE
5 AUDIT
• Re-profile • Apply policy
• Check compliance • Control access
• Analyse usage • Check device health
TARGET MARKETS
YES NO
1 Has the prospect or another organization in the same industry sector recently suffered a security breach?
7 Have they recently been or are they about to be involved in a merger or acquisition?
8 Are they a public sector organization that is being encouraged by government to share resources?
Are they in an industry where new regulations or legislation have recently been or are about to be
9
introduced, which relate to information security or operational risk?
10 Do they have a heterogeneous (multi-vendor) network?
MARKET NEEDS
What are the business needs of key people in your customer’s organization? Here’s how ClearPass addresses
each need.
Provide a good service • ClearPass OnGuard protects against unsecure and compromised devices, enabling
− executives wanting to use own organizations to allow use of employee-owned devices without putting the business
devices at undue risk
− employees using multiple • ClearPass Onboard enables employees and contractors to easily and securely
devices onboard their newly-supplied or own devices – by provisioning 802.1X settings and
− employees bringing their own issuing certificates
devices (i.e. BYOD) • Onboard provides the ability to customize the portal and workflow for each user
− simple guest access group and device
• ClearPass Guest provides customizable portals, plus support for guest sponsors and
IT-controlled guest privileges, to make self-registration by guests straightforward
Reduce the risk of a security breach • With ClearPass, network access security policy can be defined centrally, then
− guard against malicious attacks implemented consistently across all wired and wireless network access points,
− maintain the trust of customers minimizing the risk of leaving a vulnerability that can be exploited
and partners • User authentication, context and role-based profiling guard against unauthorized
users gaining access to sensitive areas of the network and data
Contain the costs of network access • Automated device configuration and provisioning reduce the cost of access security,
security management especially when introducing 802.1X into a wired network or moving to a new site
− implementation • A single ClearPass Policy Manager appliance can handle up to 25,000 unique
− network equipment upgrades endpoints across multiple networks, so even with a redundant architecture the
− hardware amount of server hardware required is relatively small
− licence fees • Optional advanced feature modules mean customers pay only for the functionality
they actually need
− administration costs
• ClearPass Exchange ensures functionality of other investments is exploited to
− multiple device support
increase security, reduce support costs, and improve customer experience
− dealing with visitors
• IT staff no longer need be involved in onboarding new devices, or registering and
assisting contractors and guests, significantly reducing ongoing administration costs
• Users can use their own devices, reducing the cost of provision and replacement
Predictability of costs over lifetime • ClearPass provides a single integrated system that can adapt as the organization
of solution grows and changes; it can scale to very large deployments and provide centralized
− scalability and linear growth control for new sites, without the need to rip and replace hardware or software
− availability of perpetual licences • A
ruba operates a licence overrun scheme to lessen the cost impact when usage
− licensing flexibility grows, and to allow organizations to meet short-term higher demand for access
(e.g. during special events or unexpected peaks in user activity)
• Organizations have the option of a perpetual or subscription licensing format,
whichever better suits their business model
• Enterprise licences can be shared across the Guest, Onboard and OnGuard modules
Secure network access • ClearPass provides granular access security management which enables
− user identification contextual access control to a location, device and user level
− role-based profiling • ClearPass Policy Manager (CPPM) supports advanced user and device
− certificate of authority authentication based on 802.1X, non-802.1X and web portal access methods
− accreditation • Guest access workflow can require confirmation by a trusted sponsor
• Embedded Certificate Authority (CA) support allows ClearPass to interwork with
existing Public Key Infrastructure (PKI) or act as its own CA
• CPPM is accredited as compliant to FIPS 140-2 for cryptographic modules
Protection against malware • ClearPass OnGuard performs advanced endpoint posture assessments before
− device health checks devices connect
− remediation • Automatic remediation workflows can be applied to non-compliant devices
− post-access removal • Certificates and profiles can be issued to devices to allow for easy removal from
the network if required (e.g. if devices are compromised, lost or stolen)
Compliance to regulations and relevant • ClearPass provides the ability to develop, automate and enforce an access
legislation security policy that meets the organization’s business requirements, then refine
− appropriate level of security that policy as new regulations come into force or business needs change
− reports and audit trails • Audit and reporting allow customers to check and demonstrate compliance
Improve the mobility experience of users • ClearPass allows customers to modernize their infrastructure to cater for and
− attract and retain staff attract the #GenMobile employee
− allow network access from and • ClearPass works with a wide range of mobile platforms, including iOS, Android,
manage mobile devices Windows Mobile, Windows Phone 8, Mac and Symbian OS
− wide choice of devices • ClearPass Exchange makes it easy to integrate with third-party solutions such
− simple registration as MDM, so organizations can manage mobile and other devices
• Self-registration speeds network access, while MAC caching makes sign-on
straightforward for returning users
• Single sign-on to the network and applications makes mobile working quicker
and easier
Enhance the experience of guest users • Portals can be customized with a wide range of options, including localized
− customized portals language support and location-specific information
− social login • If desired, guests can use social networking identities to gain access, and
− text messaging receive login instructions and other information via SMS
− relevant communication • Using the optional advertising module, context-based messages can be sent to
the user (e.g. special offers in stores)
Simple implementation • ClearPass requires fewer physical appliances than other solutions, and can be
− minimal new hardware run as a virtual machine on existing hardware
− no change to existing infrastructure • There is no need to change out or upgrade existing network infrastructure
− automated assistance to reduce IT • Automatic device profiling and self-registration relieve the IT burden of
effort involved onboarding
• Detailed diagnostic information assists network administrators (e.g. in
troubleshooting failed 802.1X authentications)
System performance • ClearPass solutions have proven reliability in ‘live’ customer networks
− reliability • Solutions scale easily to manage up to a million endpoints from a single cluster,
− scalability and can handle a high density of authentication requests
− effect on the network • Unlike other offerings, CPPM does not operate ‘in line’, and so has minimal
effect on network performance and no consequent scaling issues
Use this table to identify Aruba’s strengths and for guidance on how to beat the competition.
CLEARPASS COMPETITORS
Bradford Networks
Aerohive, Extreme)
players (e.g. Meru,
Aruba ClearPass
Juniper Networks
Cisco (ISE/ACS)
ForeScout
HP
Capabilities
Solution for multi-vendor networks 5 2 4 3 2 ? 2
Interoperability 4 3 3 ? 2 1 2-4
Vendor’s Wi-Fi knowledge 5 5 0 0 3 2 4
Proven, stable solution 4 4 3 2 3 1-2 1-2
Scalability 5 3 2 3 3 3 2-4
Completeness of solution 5 4 3 3 3-4 3 2
Ease of deployment 3 2 4 2 3 ? 2-4
HOW TO WIN
We win if … We lose if …
• We tie down the scope of the requirements early • The prospect has too few users/devices or has too
in the sales cycle simple a business model to benefit from access
• The customer has an Aruba WLAN, and is security policy management
implementing a refresh • We try to compete with smaller niche vendors by
• The network is wholly Aruba or multi-vendor offering only a subset of ClearPass
• The requirements are biased towards access for • There is a strong ‘Cisco only’ attitude, across both
contractors/guests wired and wireless
Interoperability • Standards based • ClearPass employs standards-based protocols and interfaces (e.g. using
• Integration with enterprise standard web APIs to receive context data from new sources)
applications • The solution is integrated with hundreds of commonly used enterprise
• Connectivity to other tools (e.g. Palo Alto Networks firewalls, McAfee anti-malware)
management systems (e.g. • Aruba works with 5+ MDM partners (including AirWatch, MobileIron and
MDM) Citrix)
• Provision of APIs • We can deploy ClearPass into any vendor environment, and support
• Flexibility of vendor most smart mobile devices
Vendor’s Wi-Fi • Experience in Wi-Fi • Aruba has been delivering Wi-Fi networks for 13 years
knowledge • Business focus • We are a Gartner magic quadrant leader in Wired and Wireless LAN
• Market leadership Access Infrastructure
• Technical competence • We have many SEs trained in wireless technology, and run the Airheads
• Skilled staff community of engineers professionally engaged with wireless LANs etc.
Proven, stable • References • ClearPass is in service globally across many verticals, whereas Cisco’s
solution • In service solutions references are nearly all for ACS (not its replacement, ISE)
• Number of licences • ForeScout is locally strong (e.g. in ME) for small to mid-size deployments,
• User community but weak elsewhere
• Partner community • Juniper’s deployment numbers have plummeted since 2012
Scalability • Ability to add new users • ClearPass successfully manages network access security in very large
easily scale deployments (e.g. SAP with 66,000 users worldwide, Barclays, Los
• Policy enforcement across Angeles Schools)
multiple sites • ClearPass customers can enforce policy across multiple sites from
• High density authentication a centralized location. ForeScout works ‘in line’ and requires many
appliances
• The World Trade Center Exhibition in Dubai 2013 is a prime example of
the capability of ClearPass to handle high density authentication requests
Completeness of • Policy management • ClearPass uniquely delivers a complete set of functionality for managing
solution • Policy enforcement network access security in a single, integrated system
• Guest functionality • Optional modules include guest self-registration and advertising, device
• Device profiling and onboarding, and device posture validation
onboarding • Workflow and ClearPass Exchange enable complete automation of
• Automation processes such as quarantining devices
• Trouble-shooting tools etc • ClearPass comes complete with tools for investigating problems (e.g.
diagnostics for trouble-shooting failed authentications)
Ease of • Automated tasks • ClearPass automated device profiling and onboarding simplify setting up
deployment • Policy simulation devices and implementing policy
• Test deployment • With ClearPass, customers can trial changes to policy offline and test
• Accredited engineers their effects, prior to rolling them out
• Partners that can deploy • We have Professional Services Partners with the accredited skills to assist
customers with design and deployment
SUCCESS STORIES
Enterprise: SAP selects ClearPass over ISE to Healthcare: A hospital moves to a new site
replace Cisco ACS and implements LAN security
For this example business case we have used the scenario of an organization with a limited number of contractors
and a growing number of guests, and whose employees are to be enabled to use their own devices. Also, there are
wired ports that need to be secured and managed (for moves and changes). The areas of cost savings shown here
are applicable to many types of organization.
Main assumptions
Year1 Year 2 Year 3
Wired ports: 6 changes per year to 20% of the ports Wired ports 1,500 1,500 1,500
Employees: average of 2 devices each, replacing 1 every year Employees* 3,000 3,500 4,000
Contractors: connect 1 device for an average 2 months contract Contractors* 200 200 200
Guests: connect 1 device every visit for an average of 7 days Guests* 250 500 750
Staff costs assume typical Western Europe working conditions and salaries for IT and administration staff.
* - Maximum number of users of mobile devices in any 24 hour period
THE
BOTTOM LINE Cost saving –57.5 29.0 112.2
QUALIFICATION
Use the questions on this page to help you capture information about the prospect and qualify the sale, before
committing more resources.
What business problem is the prospect trying to solve? [Tick all those that apply]
Gain visibility of how the network is being accessed . . . . Enhance user engagement . . . . . . . . . . . . . . . . . . .
Comply with mandatory security requirements . . . . . . . . . Contain the costs of access security . . . . . . . . . . .
YES NO
1 Will the prospect be looking to control network access for more than 500 devices?
2 Do they want to open up their network to new types of devices, or have a need to improve security as a
result of a growing number of mobile devices?
3 Have they recently made a large investment in mobile devices (e.g. smartphones, tablets)?
6 Do they have a problem with limited IT support, in terms of number of people, locally at remote sites, or
skills (especially with regard to handling requests from devices connecting to the network)?
REAL CONCERN Your system might not be compatible. Why should I risk my reputation buying non-Cisco?
ANSWER The fact that you have heavily invested in Cisco is not a problem. Aruba has successfully
deployed ClearPass into many Cisco environments, including SAP worldwide, major bank
Emirates NBD in the Middle East, and Sainsbury’s retail in the UK. Our customers tell us that
ClearPass is much easier to deploy and manage than the equivalent Cisco offering, and it
also costs a lot less. May I organize a demo for you, so that you can see why others have
chosen ClearPass over Cisco?
REAL CONCERN I don’t want to risk putting this into my wired network.
ANSWER It’s true that Aruba has built its reputation on providing enterprise-class Wi-Fi networks.
However, ClearPass was designed from the outset to work across both wired and wireless
multi-vendor networks. We have successfully deployed ClearPass into many wired
environments, including enterprises, hospitals, retail outlets and schools, and have been
recognized by Gartner as a magic quadrant leader in the provision of Network Access
Control, as well as for Wired and Wireless LAN Access Infrastructure.
ANSWER The great thing about ClearPass is that it is a modular solution, so you only have to buy
what you actually need. Built-in is all the functionality you require to be able to deploy a
consistent access security policy across both wired and wireless networks, extended to
mobile devices. If you decide later that you want additional functionality, such as guest
access, or more capacity, then this is easily added. Let me organize a demo for you, so that
you can decide which modules you would require to support your business.
ANSWER The primary reason that organizations like yours are investing in improving their network
access control is to allow secure access from mobile devices. Many customers tell us that
their employees, contractors, partners and guests all now expect to be able to use mobile
devices for work, and for interacting with the organization. ClearPass offers you a way to
meet this demand from a single integrated platform, while delivering many other benefits,
such as providing visibility, enabling compliance, improving employee productivity and
containing costs. Can I run through an example business case with you, to show you how
ClearPass could actually save you money?
TYPICAL DEALS
Examples of customer pricing and product mix for deals of different size and complexity.
The table below shows figures for the first year. Upselling will generate revenues in the second year that can be
50-100% of first year revenues.
SALES TACTICS
Use these tactics to start a conversation, differentiating ClearPass from the competition.
If you already have a lead, or a customer has come to you with a specific problem, use these tactics to upsell the
complete ClearPass solution. If your prospect’s primary concern is not in the table, use the information in this Sales
Guide to create your own questions and ideal outcome.
Securing employees and • Critical areas of network security Describe the ideal access Completeness of security
guests connecting to the • Any recent breaches or attacks? management solution, solution covering all
network with their own • Types of devices connecting providing robust security scenarios
devices across all devices and
• Number and type of guests per day
users
How to manage guests • Number and type of guests See how onboarding and Employees are not
and onboard employee • The registration process policy management can guests, and have different
devices with limited IT • How devices are onboarded be automated with self- needs
resources service and visibility
• The time IT spends today
How to implement a • Which departments want this? Appreciate how they can MDM needs network
single Mobile Device/ • Who has concerns? manage a mix of devices security
Application Management • Is there demand from users? without compromising
framework security, privacy or
• Has MDM been deployed?
compliance
• Any privacy or compliance issues?
The diagram below shows the steps and key sales activities for identifying an opportunity and taking it through to a
won deal.
RFP
Lead
Generation Sales Presentation
Business level
How Aruba addresses the pain
Qualification Discovery User experience
Sector • Size • Need Assessment survey Deployment strategy
Security policy Professional Services
Case Study
Win Flash Report
Partner Partner with Aruba support Aruba Aruba with Partner support
Partners with ClearPass Certification can obtain a free NFR licence of ClearPass from Channel Marketing EMEA at
channelmktg-emea@arubanetworks.com.
Other enquiries
Send an email with your detailed question(s) to channelmktg-emea@arubanetworks.com.
Online resources
Aruba Networks PartnerEdge http://www.arubanetworks.com/assets/channel/Aruba_PartnerEdge_EMEA_Brochure.pdf
Program
How to Become an Aruba http://partners.arubanetworks.com
Networks Channel Partner in
EMEA
ClearPass Certification and https://aruba.app.box.com/files/0/f/2438649095/ClearPass_Sales_Assets
Specialization (Login required)
ClearPass Access Management http://www.arubanetworks.com/solutions/adaptive-trust-security/
Solution Overview
System Engineering Enablement https://afp.arubanetworks.com/afp/index.php/SEEL_Live_Demo_Program
Lab (SEEL)
Partner training
Training in ClearPass is available for partners, including free-of-charge online sales training.
Confidential. All rights reserved. Document structure © Expertek Consultants Ltd, 2014.
The information contained herein is confidential and the property of Aruba Networks, Inc.
No liability is accepted for errors or omissions. www.expertek.co.uk. EMEA version: V1.1
©2014 Aruba Networks, Inc. Aruba Networks®, Aruba The Mobile Edge Company® (stylized), Aruba Mobility Management System®, People Move.
Networks Must Follow.®, Mobile Edge Architecture®, RFProtect®, Green Island®, ETIPS®, ClientMatch®, Bluescanner™ and The All Wireless Workspace
Is Open For Business™ are all marks of Aruba Networks, Inc. in the United States and certain other countries. The preceding list may not necessarily
be complete and the absence of any mark from this list does not mean that it is not an Aruba Networks, Inc. mark. All rights reserved. Aruba
Networks, Inc. reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice. While
Aruba Networks, Inc. uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, Aruba Networks,
Inc. will assume no responsibility for any errors or omissions. No material may be reproduced for any purpose, private or commercial, without prior
permission from Aruba Networks.