Your IT team sees people in hallways, conference rooms, sitting outside the building—and they’re all using mobile devices. Even the CEO and the VP of business development have new iPads. In fact, according to Gartner Inc., 90% of organizations will support corporate applications of some sort on personal devices by 2014.
Clearly, it’s time to develop a plan that will enable your organization to support the growing demand for Bring Your Own Device (BYOD) initiatives, which bring personal smartphones and tablets onto the organization’s wireless network. But what about network access security?
As the popularity of personal devices in the workplace has grown, organizations have to consider not only security, but also wireless bandwidth issues, privacy, and compliance-related concerns. Typically, users either circumvent policies to get their own devices connected, or IT teams are forced to create holes that can compromise the security of the organization. Security versus access is something that every IT team eventually must face, but there is a fairly simple fix available for this problem, and understanding user identity is the key.
In a scenario where dozens or possibly even hundreds of personal mobile devices seek access to a network, it’s imperative that IT organizations are able to tie a user’s identity and role to the devices they are connecting to that network. Once that information is known, access policies can control who and what are on the network, and differentiate access based on the user’s role and on whether these new devices meet certain guidelines. This correlation provides valuable network visibility while also helping to pinpoint possible security holes. What’s more, this type of insight enables organizations to take a proactive stance of tracking, logging, and managing every mobile device, instead of guessing how they’re being used.
Most experts believe that allowing devices that users feel comfortable using will foster productivity and help reduce corporate expenses. Anecdotes, like the following from a financial services representative who allows personal iPads on his wireless network, abound: “The ability to quickly adapt the network to support these new devices is a key security advantage in our industry, as regulations and auditing are a large part of the business.” By being proactive, this company is reducing its exposure and also providing invaluable oversight that ultimately protects the customer.
So where do you start? The first step is to determine if your existing network access equipment and policy solution are adequate. Can you easily identify users and devices, perform pre- and post-authentication checks, allow and deny access, and then selectively grant proper network access privileges? A modern network access security solution should be able to deliver all of the preceding capabilities plus built-in identity role-mapping, network access control, AAA (authentication, authorization, accounting) services, fingerprinting and real-time endpoint reporting.
The second step is to ensure that the access control policies already in place for a user’s company-owned desktop or laptop can be leveraged. Using a policy system that is independent of device type will save your IT team from duplicating its efforts, and it also ensures a smoother transition for the end users. You’ll also want to ensure that the new solution can leverage existing identity stores as well as old and newer networking equipment.
Next you’ll want to select a solution that allows you to differentiate access by attributes such as device type, whether the device is registered for use, and where in the network it is connecting from. For example, if the device has not been registered for use on the network, then an IP address is never granted. Device registration helps to tie a user to a particular smartphone or tablet and also provides visibility into which devices are being brought into your organization.
The solution must also provide useful information about the user once they are on the network. Common questions are: How many devices have they connected to the network? Are they all connecting from the same location? For example, if a worker is using his laptop at work but his personal device is trying to connect from a remote location, then you may not want to grant him access to important resources. The user may have travelled off-site and may only require email access.
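The policy decisions described in the steps above (no IP for unregistered devices, a device tied to one user, and a personal device connecting remotely while the user’s corporate laptop is still on campus getting email-only access) can be expressed as a small evaluation function. This is an added illustration, not code from the article or any NAC product; the device registry, user roles, MAC addresses and access levels are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample identity store and device registry (hypothetical data).
USER_ROLES = {"alice": "finance", "bob": "contractor"}
REGISTERED = {
    "aa:bb:cc:00:00:01": {"user": "alice", "type": "laptop", "owner": "corporate"},
    "aa:bb:cc:00:00:02": {"user": "alice", "type": "tablet", "owner": "personal"},
}
# Network access a role receives when no restriction applies (hypothetical).
ROLE_ACCESS = {"finance": "full", "contractor": "internet-only"}


@dataclass
class Request:
    mac: str       # device identity seen at association
    user: str      # identity from the authentication step
    location: str  # "campus" or "remote"


def decide(req, sessions):
    """Return (grant_ip, access_level, reason) for one connection attempt.

    `sessions` is the list of already-active connections used for
    correlation: [{"user": ..., "mac": ..., "location": ...}, ...]
    """
    dev = REGISTERED.get(req.mac)
    if dev is None:
        # Unregistered device: never hand out an IP address.
        return (False, "none", "unregistered device")
    if dev["user"] != req.user:
        # Registration ties a device to exactly one user.
        return (False, "none", "device registered to another user")
    role = USER_ROLES.get(req.user)
    if role is None:
        return (False, "none", "unknown user")
    # Correlate with the user's other sessions: a personal device arriving
    # from a remote location while a corporate device is on campus only
    # gets e-mail, not access to important resources.
    corporate_on_campus = any(
        s["user"] == req.user and s["location"] == "campus"
        and REGISTERED.get(s["mac"], {}).get("owner") == "corporate"
        for s in sessions
    )
    if dev["owner"] == "personal" and req.location == "remote" and corporate_on_campus:
        return (True, "email-only", "personal device remote while corporate device on campus")
    return (True, ROLE_ACCESS[role], "role " + role)
```

Each decision carries a reason string so the same function doubles as the audit record the article says regulated environments need.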
While this sounds like a lot to expect from a single solution, the need to differentiate access based on a user’s role and device type is what’s driving the demand for next-generation user and device access intelligence, which includes NAC solutions. Putting an advanced solution in place directly addresses critical network access security needs by enabling user and device profiling while also delivering improved network access visibility and business-specific reporting capabilities.
While the future is uncertain, the one thing we can always expect is change. In this example, change is the evolving landscape of devices coming onto your networks. Change is the shift of users’ preference for tablets versus laptops, and from company-issued phones to personal smartphones.
All of this change means IT managers must quickly take action to ensure corporate and personal assets can securely co-exist on the corporate wireless network, and user and device intelligence is clearly a differentiator that can play a key role in their success.