BYOD Security: Going Beyond 802.1x
November 14, 2012
Today, businesses of all kinds are being forced to take a hard look at how they manage access to their network. Employees want to use the latest mobile device. Temporary workers and/or consultants need access to certain resources. Guests want to go online.
Leaving the door wide open for anyone, using any device, is a recipe for disaster. In certain industries, such as retail, where credit card and identity theft are rampant, it can expose you to major losses and penalties. But every business, regardless of the industry they are in, risks loss of information and disruption on the network if they do not put network access controls in place.
Many businesses mistakenly think it’s enough to simply use the user name and password that are part of the IEEE 802.1x standard. The problem is that 802.1x wasn’t designed for the world of Bring Your Own Device (BYOD). In a BYOD environment, you need to identify characteristics of both the user and the device. Also, while most new devices are equipped for 802.1x, they may not be configured at all, or may be configured incorrectly. For all of these reasons, relying on 802.1x alone is not enough.
That’s why more and more companies are implementing centralized network access control (NAC) solutions. These are available from a range of providers—for example the one from Avaya is called Identity Engines.
Using a NAC solution, you can pre-establish identities or roles for people and devices. You can set up policies for guests, business partners, employees, the type of device being used, etc. Instead of manually checking the credentials and configuring each user or device one by one as they seek access to your network, the NAC does it for you.
For example, you might set a policy so that an employee in human resources with responsibility for sensitive personnel issues gets unrestricted access to any location on your network, but only if their laptop complies with the appropriate security policy.
Other non-HR employees may get broad access, except for personnel and finance records, but the requirement for security software on their device may be different.
Business partners may get a different level of access—for example only to specific projects.
You can also set different policies to take effect based on where a person is working—outside or inside the enterprise.
You can set the policy so that an employee using a device issued or managed by your enterprise can get access to your network directly. However, if the employee is bringing in a new or unmanaged device (i.e., BYOD), they are redirected to a portal (much like the portal you often encounter when staying in a hotel). Their device gets vetted and a decision is made to allow or deny the connection.
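The policy examples above (HR staff on a compliant laptop, other employees, partners, guests, managed versus unmanaged devices, inside versus outside the enterprise) amount to an ordered rule set evaluated against both the user and the device. The following is an added, constructed illustration of such a decision engine, not code from Identity Engines or any other NAC product; the roles, network names and portal names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """Constructed model of what a NAC sees at connect time: user and device facts."""
    role: str           # "hr", "employee", "partner", "guest", or something unknown
    managed: bool       # device is enterprise-issued or enterprise-managed
    compliant: bool     # device passed the posture check required for its role
    location: str       # "inside" or "outside" the enterprise
    project: str = ""   # partner's assigned project, if any


# Each rule: (name, predicate over the request, decision template).
# Rules are evaluated top to bottom and the first match wins; no match means deny.
Rule = Tuple[str, Callable[[AccessRequest], bool], str]

RULES: List[Rule] = [
    # Location-based policy: nobody gets in from outside on an unmanaged device.
    ("remote-unmanaged", lambda r: r.location == "outside" and not r.managed, "DENY:remote-requires-managed-device"),
    # HR with a compliant managed laptop: unrestricted; otherwise fix the device first.
    ("hr-full",          lambda r: r.role == "hr" and r.managed and r.compliant, "ALLOW:all-networks"),
    ("hr-remediate",     lambda r: r.role == "hr",                               "REDIRECT:remediation-portal"),
    # Other employees: broad access minus HR/finance; BYOD devices go to the portal for vetting.
    ("emp-managed",      lambda r: r.role == "employee" and r.managed and r.compliant, "ALLOW:corp-except-hr-finance"),
    ("emp-byod",         lambda r: r.role == "employee" and not r.managed,       "REDIRECT:byod-portal"),
    ("emp-remediate",    lambda r: r.role == "employee",                         "REDIRECT:remediation-portal"),
    # Partners only reach the network segment of the project they are assigned to.
    ("partner-project",  lambda r: r.role == "partner" and bool(r.project),      "ALLOW:project-{project}"),
    # Guests on site get Internet only.
    ("guest-inside",     lambda r: r.role == "guest" and r.location == "inside", "ALLOW:internet-only"),
]


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Return (matched rule name, decision). Unknown roles fall through to DENY."""
    for name, predicate, decision in RULES:
        if predicate(req):
            return name, decision.format(project=req.project)
    return "default", "DENY"


if __name__ == "__main__":
    for req in (AccessRequest("hr", True, True, "inside"),
                AccessRequest("employee", False, False, "inside"),
                AccessRequest("partner", True, True, "inside", project="alpha")):
        print(req, "->", decide(req))
```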
Employees or business partners can also be presented with a dissolvable application. This is software that is accessed via a portal and automatically configures the device based on your rules. It then “dissolves”: it doesn’t remain on the client device. This is a great way to easily configure a large number of devices, for example to bring all employee laptops into compliance with a new 802.1x security policy.
More and more NAC solutions are appearing on the market as the BYOD phenomenon keeps growing. When you pick one, make sure it can work with your existing network infrastructure (wired and wireless) and directories. Your goal is to combine flexibility and control: there are going to be lots of different people and devices seeking access to your network. You want to be able to easily accommodate the safe ones without driving yourself crazy trying to identify the problems.
For more information, check out this Avaya whitepaper: https://www.avaya.com/usa/registration/byod-and-the-wireless-revolution/
and this IT guide to BYOD: https://www.avaya.com/usa/registration/it-guide-to-mobile-collaboration-byod/