Allowing Personal Devices on the Corporate Wireless Network
Date: Wednesday, March 02, 2011
Your IT team sees people in hallways; conference rooms; sitting outside the building—and they’re all using a mobile device. Even the CEO and the VP of Business Development have new iPads. In fact, according to Gartner, 90 percent of organizations will support corporate applications of some sort on personal devices by 2014. Clearly, it’s time to develop a plan that will enable your organization to support the growing use of personal smartphones and tablets on the organization’s wireless network. But what about network access security?
As the popularity of personal devices in the workplace has grown, organizations have to consider not only security, but also wireless bandwidth, privacy, and compliance-related concerns. Typically, either users circumvent policies to get their own devices connected, or IT teams open holes that compromise the security of the organization. Security versus access is a trade-off every IT team eventually must face, but there is a fairly simple fix for this problem, and binding network access to user identity is the key.
In a scenario where dozens or possibly even hundreds of personal mobile devices seek access to a network, it is imperative that IT organizations are able to tie a user's identity and role to the devices they are connecting to that network. Once that information is known, access policies can control what and who are on the network and differentiate their access based on the user's role and on whether these new devices meet certain guidelines. This correlation provides valuable network visibility while also helping to pinpoint possible security holes. It also enables organizations to take a proactive stance of tracking, logging and managing every mobile device, instead of guessing how devices are being used.
Most experts believe that allowing devices that users feel comfortable using will foster productivity and help reduce corporate expenses. Anecdotes abound, like the following from a financial services representative who allowed personal iPad tablets on his wireless network: “The ability to quickly adapt the network to support these new devices is a key security advantage in our industry, as regulations and auditing are a large part of the business.” By being proactive this company is reducing its exposure and also providing invaluable oversight that ultimately protects the customer.
So where do you start? The first step is to determine whether your existing network access equipment and policy solution are adequate. Can you easily identify users and devices, perform pre- and post-authentication checks, allow and deny access, and then selectively grant the proper network access privileges? A modern network access security solution should deliver all of the preceding capabilities plus built-in identity role-mapping, NAC, AAA services, device fingerprinting and real-time endpoint reporting.
The second step is to ensure that the access control policies already in place for a user's company-owned desktop or laptop can be reused. A policy system that is independent of device type saves your IT team from duplicating effort and gives end users a smoother transition. You will also want to ensure that the new solution can work with your existing identity stores and with both older and newer networking equipment.
Next, select a solution that allows you to differentiate access by attributes such as device type, whether the device is registered for use, and where in the network it is connecting from. For example, if a device has not been registered for use on the network, it should never be granted an IP address, even after its user authenticates. Registering devices ties each device to a user and provides visibility into which devices are being brought into your organization; because registration alone identifies a device only as well as its MAC address, it should be paired with fingerprinting so that a device whose observed type no longer matches its registration can be flagged.
The solution must also provide useful information about a user once he or she is on the network. Common questions are: How many devices has this user connected? Are they all connecting from the same location? For example, if someone's laptop is in use at the office while his or her personal device is trying to connect from a remote location, you may not want to grant that device access to important resources. The user may have travelled off-site and may only require email access.
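The four steps above amount to a single policy: take the authenticated user, look up the role, check the device against the registry and its fingerprint, run the posture check, and then pick an access tier from role, device ownership and location. The following is an added example of that policy evaluation, written for this page and not code from Avenda Systems or any NAC product. The identity store, device registry, VLAN numbers and session table are all constructed in-memory stand-ins (for an LDAP/AD lookup, a device registration database, controller configuration and a RADIUS accounting table); the field names on the request are hypothetical.

```python
"""Identity- and device-aware access policy for a corporate WLAN (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed identity store: user -> role (stands in for an LDAP/AD group lookup).
IDENTITY_STORE: Dict[str, str] = {
    "alice": "finance",
    "bob": "engineering",
    "ceo": "executive",
}

# Constructed device registry: (user, MAC) -> (device type, corporate-owned?).
# A device absent from this table is unregistered and is never issued an address.
DEVICE_REGISTRY: Dict[Tuple[str, str], Tuple[str, bool]] = {
    ("alice", "aa:bb:cc:00:00:01"): ("windows-laptop", True),
    ("alice", "aa:bb:cc:00:00:02"): ("ipad", False),
    ("bob", "aa:bb:cc:00:00:03"): ("macbook", True),
    ("ceo", "aa:bb:cc:00:00:04"): ("ipad", False),
}

# VLANs returned to the wireless controller (hypothetical numbering).
VLAN_FULL, VLAN_LIMITED, VLAN_QUARANTINE = 10, 20, 999


@dataclass(frozen=True)
class AccessRequest:
    user: str          # identity from 802.1X/EAP or the captive portal
    mac: str           # calling station id of the client
    location: str      # AP group / site the request arrives from
    fingerprint: str   # device type observed by DHCP/HTTP fingerprinting
    posture_ok: bool   # result of the post-authentication endpoint check


@dataclass(frozen=True)
class Decision:
    tier: str              # "full", "limited", "quarantine" or "deny"
    vlan: Optional[int]    # None means no address is issued at all
    reason: str


def evaluate(req: AccessRequest, active_sessions: List[AccessRequest]) -> Decision:
    """Walk the policy top to bottom; the first matching rule wins."""
    role = IDENTITY_STORE.get(req.user)
    if role is None:
        return Decision("deny", None, "unknown user")

    registered = DEVICE_REGISTRY.get((req.user, req.mac))
    if registered is None:
        # Authentication succeeded, but the device is not registered to this user.
        return Decision("deny", None, "device not registered to user")
    dev_type, corporate = registered

    if req.fingerprint != dev_type:
        # Observed type disagrees with the registration for this MAC: a cloned
        # MAC or a re-imaged device. Park it on the remediation VLAN.
        return Decision("quarantine", VLAN_QUARANTINE,
                        f"fingerprint {req.fingerprint!r} != registered {dev_type!r}")

    if not req.posture_ok:
        return Decision("quarantine", VLAN_QUARANTINE,
                        "post-authentication endpoint check failed")

    # The same user is already active from another site: the new device only
    # gets the limited (email-only) tier, whatever it is.
    other_sites = sorted({s.location for s in active_sessions
                          if s.user == req.user and s.location != req.location})
    if other_sites:
        return Decision("limited", VLAN_LIMITED,
                        f"user already active at {other_sites}")

    if corporate:
        return Decision("full", VLAN_FULL, f"corporate {dev_type}, role {role}")

    # Personal device: the role is recorded for reporting but does not raise
    # the tier above limited.
    return Decision("limited", VLAN_LIMITED, f"personal {dev_type}, role {role}")


def devices_for_user(user: str, active_sessions: List[AccessRequest]) -> List[str]:
    """MACs a user currently has on the network, for the visibility report."""
    return sorted({s.mac for s in active_sessions if s.user == user})


if __name__ == "__main__":
    # Constructed session table: alice's corporate laptop is already on at HQ.
    sessions = [AccessRequest("alice", "aa:bb:cc:00:00:01", "hq", "windows-laptop", True)]
    ipad_remote = AccessRequest("alice", "aa:bb:cc:00:00:02", "branch", "ipad", True)
    print(evaluate(ipad_remote, sessions))
    print(evaluate(AccessRequest("bob", "aa:bb:cc:00:00:99", "hq", "macbook", True), sessions))
    print(devices_for_user("alice", sessions))
```

The rule order matters: registration and fingerprint checks come before posture, so an unregistered or mis-fingerprinted device never reaches the point where role is consulted, and the location rule sits above the ownership rule so that a corporate laptop appearing at a second site while the first session is still open is also held to the limited tier.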
While this sounds like a lot to expect from a single solution, the need to differentiate access based on a user's role and device type is what is driving the demand for next-generation NAC solutions. Putting an advanced NAC solution in place directly addresses critical network access security needs by enabling identity and device profiling while also delivering improved network access visibility and intelligent reporting.
While the future is uncertain, the one thing we can always expect is change. In this case, change is the evolving landscape of devices coming onto your networks: the shift in users' preference from laptops to tablets, and from company-issued phones to personal smartphones. All of this change means IT managers must act quickly to ensure that corporate and personal assets can securely co-exist on the corporate wireless network, and intelligent network access differentiation can play a key role in their success.
The Author is the Founder & CEO of Avenda Systems