BYOD Security: Going Beyond 802.1x

Today, businesses of all kinds are being forced to take a hard look at how they manage access to their network. Employees want to use the latest mobile device. Temporary workers and/or consultants need access to certain resources. Guests want to go online.

Leaving the door wide open for anyone, using any device, is a recipe for disaster.  In certain industries, such as retail, where credit card and identity theft are rampant, it can expose you to major losses and penalties. But every business, regardless of the industry they are in, risks loss of information and disruption on the network if they do not put network access controls in place.

Many businesses mistakenly think it’s enough to simply use the user name and password that are part of the IEEE 802.1x standard. The problem is that 802.1x wasn’t designed for the world of Bring Your Own Device (BYOD). In a BYOD environment, you need to identify characteristics of both the user and the device. Also, while most new devices are equipped for 802.1x, they may not be configured at all, or may be configured incorrectly. For all of these reasons, relying on 802.1x alone is not enough.

That’s why more and more companies are implementing centralized network access control (NAC) solutions. These are available from a range of providers—for example the one from Avaya is called Identity Engines.

Using a NAC solution, you can pre-establish identities or roles for people and devices.  You can set up policies for guests, business partners, employees, the type of device being used, etc. Instead of manually checking the credentials and configuring each user or device one by one as they seek access to your network, the NAC does it for you.

For example, you might set a policy so that an employee in human resources with responsibility for sensitive personnel issues gets unrestricted access to any location on your network, but only if their laptop complies with the appropriate security policy.

Other non-HR employees may get broad access, except for personnel and finance records, but the requirement for security software on their device may be different.

Business partners may get a different level of access—for example only to specific projects.

You can set different policies to take effect based on where a person is working: inside or outside the enterprise.

You can set the policy so that an employee using a device issued or managed by your enterprise can get access to your network directly.  However, if the employee is bringing in a new or unmanaged device (i.e., BYOD), they are redirected to a portal (much like the portal you often encounter when staying in a hotel). Their device gets vetted and a decision is made to allow or deny the connection.

Employees or business partners can also be presented with a dissolvable application. This is software that is accessed via a portal and automatically configures the device based on your rules. It then “dissolves”: it doesn’t remain on the client device.  This is a great way to easily configure a large number of devices, for example to bring all employee laptops in compliance with a new 802.1x security policy.
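The decision flow the preceding paragraphs describe (who the user is, whether the device is enterprise-managed, whether it passes posture checks, and where the user is connecting from) can be sketched as a small policy evaluator. This is an added illustration, not code from this post or from Avaya's Identity Engines; the role names, resource groups and the rules for non-compliant or remote sessions are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    role: str            # "hr", "employee", "partner" or "guest" (assumed names)
    managed: bool        # device is issued/managed by the enterprise
    compliant: bool      # device passes the posture policy for this role
    location: str        # "inside" or "outside" the enterprise
    project: str = ""    # partner's assigned project (constructed attribute)


@dataclass(frozen=True)
class Decision:
    action: str                         # "allow", "portal" or "deny"
    resources: frozenset = frozenset()  # resource groups reachable
    reason: str = ""


# Constructed resource groups used by the example policies.
INTERNAL = frozenset({"general", "personnel", "finance"})
SENSITIVE = frozenset({"personnel", "finance"})


def evaluate(s: Session) -> Decision:
    """Map identity, device state and location to an access decision."""
    # BYOD / unmanaged devices never connect directly: they are redirected
    # to the onboarding portal, where the device is vetted (and may receive
    # the dissolvable agent) before any connection decision is made.
    if not s.managed:
        return Decision("portal", reason="unmanaged device, vet via portal")
    # Assumption: a managed device that fails posture goes to a remediation
    # portal rather than being dropped onto the network.
    if not s.compliant:
        return Decision("portal", reason="posture check failed, remediate")
    if s.role == "hr":
        resources = INTERNAL                 # unrestricted, posture already checked
    elif s.role == "employee":
        resources = INTERNAL - SENSITIVE     # broad, minus personnel/finance
    elif s.role == "partner" and s.project:
        resources = frozenset({"project:" + s.project})   # only their project
    else:
        # Assumption: anything without an explicit policy is denied (least privilege).
        return Decision("deny", reason="no policy for role %r" % s.role)
    # Assumption: sensitive records are reachable only from inside the enterprise.
    if s.location != "inside":
        resources = resources - SENSITIVE
    return Decision("allow", resources, s.role + " on compliant managed device")
```

Every branch returns a Decision with a reason string so the outcome can be logged alongside the session attributes that produced it.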

More and more NAC solutions are appearing on the market as the BYOD phenomenon keeps growing. When you pick one, make sure it can work with your existing network infrastructure (wired and wireless) and directories. Your goal is to combine flexibility and control: there are going to be lots of different people and devices seeking access to your network. You want to be able to easily accommodate the safe ones without driving yourself crazy trying to identify the problems. 


For more information, check out this Avaya whitepaper: https://www.avaya.com/usa/registration/byod-and-the-wireless-revolution/

And this IT guide to BYOD: https://www.avaya.com/usa/registration/it-guide-to-mobile-collaboration-byod/

About Vic Levinson
Telecommunications and IT professional with over 20 years experience in Business Telecommunications. Specializing in voice over IP (VoIP) for business: hosted VoIP, business VoIP phone systems, SIP providers, carriers, T1's - the works. Founded Prime Telecommunications in 1993 and providing business communications solutions. Cloud Applications- everything from hosted network security, hosted Disaster Recovery, hosted printer management, data centers and colocation solutions for businesses.
