Today’s enterprise is changing dramatically in the face of the BYOD phenomenon. With the advent of wireless devices and the requirement for mobility everywhere, wireless has moved from being a convenience into the primary access layer for corporate network connectivity. Now users aren’t connecting just their corporate-provided computers, but a bevy of personal and company-issued devices that are changing work from a place to go to a thing to do – anytime, anywhere, from any device.
The biggest question is not just how users and their myriad personal and corporate devices will connect to the network, but how these devices will be managed for productivity once they are there. Meeting the mission-critical connectivity requirements of access, authentication and security is the first step to turning BYOD into productivity in corporate environments.
Connecting Users to the Network
The first challenge facing administrators looking to implement a BYOD solution is to define which devices qualify. Often, the term is misused to include any consumer-grade device connected to the corporate network. Instead, it refers to devices brought in by end users to connect to the network.
There is also a parallel initiative facing network administrators planning for mobility. IT may consider using consumer-grade devices (such as tablets) to lower hardware costs and increase productivity. For example, architectural designers have the ability to share images or presentations on their iOS devices without any intervention from the IT department. Additionally, employees can hold quick impromptu meetings with the ability to pull documents and presentations up on their tablet anytime, anywhere without technology being a detriment.
This Consumerization of IT also requires network intelligence to embrace the inherent cost savings and flexibility built into such devices, while controlling exactly what and how these devices are used on the network. A truly comprehensive mobile enterprise solution needs to address both Consumerization of IT as well as BYOD in order to support, contain and embrace mobile devices.
There are two major camps when it comes to ensuring mobile devices are accessing the network securely. On one side, there are many companies who are successful in deploying agent-based Mobile Device Management (MDM) solutions to ensure connected devices have the right software, permissions and security settings before allowing them to connect to the network. These agent-based solutions are popular with larger companies and education facilities that manage large numbers of corporate or school-issued mobile devices.
On the other side of the MDM spectrum is Network-based MDM, where there is no agent to install on the client device, and the network devices are intelligent enough to make classification decisions based on user identity, device type, location and time.
In order to provide a comprehensive BYOD and mobile device-friendly infrastructure, both agent-based MDM, as well as network-based MDM must be supported. This allows companies to leverage and control consumer devices in the enterprise, while also supporting users who will not accept the inherent risk to their personal data that comes along with installing an agent-based solution.
In turn, the network devices must be even more intelligent to provide administrators the ability to enforce MDM agent installation, or utilize user and device-level classification and access control to ensure secure and productive BYOD use on the network.
Authentication and Access
With BYOD, a major challenge in ensuring secure access is that these devices are designed to make connecting to any type of network easy, even one requiring certificates. However, it is equally important to support older BYO devices that only support legacy networks using PSK rather than certificate-based authentication.
One of the most common secure network configurations is WPA2-Enterprise (802.1X) on the corporate SSID, which requires at least a username and password combination and acceptance of a server certificate in order to authenticate. But unless the administrator requires that every device connected to this network also has a certificate installed on it, modern mobile devices have made it as easy as tapping “Accept” and entering network credentials to connect a BYO device to this type of secure network.
Security and Enforcement
The next step is ensuring the connected devices follow the guidelines for the network based on ‘context’ including identity, ownership, device, location and time.
Assignment of a user profile to a connected device is the heart of network policy enforcement. A user profile defines permissions to the network, such as what VLAN the user should be assigned to, the firewall, tunnel and Quality of Service (QoS) policies for that user or group of users, client enforcement features (such as SLA and client classification settings), and various other settings that can be applied on a per-user basis. Defining how the user profiles are applied is dependent on the type of authentication defined and the client classification rules configured.
Client classification allows administrators to implement full network-based mobile device management (NMDM). This means the devices providing access to the network, such as access points, switches or routers, are the ones doing the enforcement, rather than requiring an agent installed on the client. This gives complete flexibility in which clients are supported and lets the network decide how many clients a single user may connect, without any installation or compatibility issues.
When a WLAN solution offers a client classification feature, administrators get several layers of network-based mobile device enforcement, starting with the initial user authentication. When defining permissions based on context such as device type, device ownership, location and domain membership, the identity of the user should be the first variable considered. This allows for differentiation between BYO devices, such as iPads, owned by the executive staff versus the sales team. This also enforces different policies for users not only based on device context, but also by identity, rather than just making a blanket policy for all attached iPads.
Once the new profile is assigned based on contextual identity, permissions to the network change according to the firewall, tunnel and schedule policies configured in that profile. Even if all users and devices are connected to the same VLAN, an administrator must still enforce policies between users and network resources. This allows enforcement where traffic first enters the network, instead of having to traverse the entire infrastructure before eventually being restricted by a core security appliance. For instance, an administrator may wish to keep employee BYO devices on the same network as corporate-issued trusted clients, while the BYO devices can only access the Internet and not any restricted corporate resources.
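The profile-assignment and enforcement flow described in this section, written out as an added example (it is not code from the original article and does not represent any vendor's product). It assumes a constructed destination-to-zone map, a handful of hypothetical profiles (`corp-trusted`, `exec-byod`, `staff-byod`, `guest`) and an ordered rule list in which identity is evaluated before device context, so that an executive's BYO iPad and a sales rep's BYO iPad land in different profiles while sharing the same VLAN as corporate-issued clients; the firewall policy in each profile then decides what each client may reach at the point where its traffic enters the network.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ClientContext:
    """Context the access layer learns about a connecting client."""
    user: str
    group: str         # identity from 802.1X/RADIUS group membership, e.g. "executive"
    device_type: str   # from device fingerprinting, e.g. "ipad", "windows-laptop"
    ownership: str     # "corporate" (domain-joined or MDM-enrolled) or "byod"
    location: str      # "hq", "branch" or "home"; the same profile applies at all of them
    when: datetime


@dataclass(frozen=True)
class UserProfile:
    """Permissions applied to a client: VLAN, firewall policy, QoS and schedule."""
    name: str
    vlan: int
    firewall: Tuple[Tuple[str, str], ...]      # ordered (action, zone); first match wins
    qos: str
    hours: Optional[Tuple[time, time]] = None  # schedule policy; None means always on


# Destination-to-zone map used by the firewall policy (constructed for this example).
ZONES = {
    "corp-fileserver": "corp-internal",
    "hr-portal": "corp-internal",
    "intranet-wiki": "corp-intranet",
    "www.example.com": "internet",
}

# Hypothetical profiles. Three of them share VLAN 10; only the firewall policy differs.
CORP_TRUSTED = UserProfile(
    "corp-trusted", 10,
    (("allow", "corp-internal"), ("allow", "corp-intranet"), ("allow", "internet")),
    "gold")
EXEC_BYOD = UserProfile(
    "exec-byod", 10,
    (("deny", "corp-internal"), ("allow", "corp-intranet"), ("allow", "internet")),
    "gold")
STAFF_BYOD = UserProfile(
    "staff-byod", 10, (("allow", "internet"), ("deny", "*")), "silver")
GUEST = UserProfile(
    "guest", 50, (("allow", "internet"), ("deny", "*")), "bronze",
    hours=(time(8, 0), time(18, 0)))

# Classification rules, evaluated in order. Identity (ownership, group) is considered
# before device type, so two iPads owned by different people get different profiles.
RULES: List[Tuple[Callable[[ClientContext], bool], UserProfile]] = [
    (lambda c: c.ownership == "corporate", CORP_TRUSTED),
    (lambda c: c.ownership == "byod" and c.group == "executive", EXEC_BYOD),
    (lambda c: c.ownership == "byod" and c.group in ("sales", "engineering"), STAFF_BYOD),
]


def classify(ctx: ClientContext) -> UserProfile:
    """Return the first matching profile, falling back to the guest profile."""
    for matches, profile in RULES:
        if matches(ctx):
            return profile
    return GUEST


def is_permitted(profile: UserProfile, destination: str, when: datetime) -> bool:
    """Enforce the profile's schedule and firewall policy for one destination."""
    if profile.hours is not None:
        start, end = profile.hours
        if not (start <= when.time() < end):
            return False
    zone = ZONES.get(destination)
    if zone is None:
        return False                      # unknown destination: implicit deny
    for action, rule_zone in profile.firewall:
        if rule_zone in ("*", zone):
            return action == "allow"
    return False                          # no rule matched: implicit deny


def decide(user, group, device_type, ownership, location, iso_when, destination):
    """Classify a client from its context and check one destination against its profile."""
    when = datetime.fromisoformat(iso_when)
    ctx = ClientContext(user, group, device_type, ownership, location, when)
    profile = classify(ctx)
    return profile.name, profile.vlan, is_permitted(profile, destination, when)


if __name__ == "__main__":
    # Constructed clients: an executive's iPad at home and a sales rep's iPad at a branch.
    print(decide("alice", "executive", "ipad", "byod", "home", "2024-03-04T10:30", "corp-fileserver"))
    print(decide("carol", "sales", "ipad", "byod", "branch", "2024-03-04T10:30", "www.example.com"))
```

Because enforcement is keyed to the assigned profile rather than to the VLAN, both iPads sit on VLAN 10 with the corporate laptops, yet the sales rep's device reaches only the Internet and the executive's device reaches the intranet but not the internal servers; unknown destinations and out-of-hours guest traffic fall through to an implicit deny.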
Connecting Remote Users
The last piece of the BYOD connectivity puzzle is ensuring that employees remain productive and connected to essential resources, regardless of where that employee may be – at the corporate office, at a branch location, or even at home. Once the administrator has defined the network access policy, configured the available SSIDs and VLANs, and created policies to assign permissions based on identity and device type, that same policy should apply to any device accessing the corporate network from wherever that device and user are located.
After access and authentication permissions have been defined and the myriad of devices brought onto the corporate network are authenticated and secured, the biggest challenge presents itself: keeping these devices connected and providing a seamless and productive working experience while they’re on the network.