FEATURE: BYOD

Eight ways to boost network security amidst BYOD
The continued rise of BYOD is inevitable, and few corporate leaders will pass up the productivity gains of a mobile workforce that pays for its own devices. But it is easy to lose track of long-term goals if you don't have a solid plan. These eight ideas are just some of the things that should be considered when preparing for BYOD.
1. Assign roles to users and devices: With users carrying multiple devices, it's smart to standardise on user roles across the organisation, and then assign device roles too. A smartphone issued by IT for a specific purpose may require more access privileges than a personal device. User and device roles also let you differentiate privileges by device type for the same user. An IT administrator would be allowed to change switch and controller configurations from a laptop assigned a corporate role. But that same person would not be able to access sensitive networking equipment using a tablet assigned a BYOD role.
2. Use profiling to create device categories: Accurately profiled devices should be a cornerstone of your plan when rolling out a secure BYOD initiative. As BYOD permeates your environment, not all users will be diligent about downloading the latest versions of the operating system. You'll want to capture context that allows you to see who is running which versions of iOS, Android, Chrome and other operating systems. As new releases become available, this data will give you the visibility to help identify why authentications may be failing, the types of devices that are experiencing issues, and more.
3. Use context within policies: It's important to leverage multiple sources of context to manage access. That context can include user role, device profile and location; and once a certificate has been issued to a specific user's device, the assumption is that the device is BYOD. By basing decisions on known data you can stop users from coming up with ways to bypass policies. The use of device categories should also be explored: all BYOD endpoints connecting over a VPN can be treated differently from when they are connected in the office.
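The role and context logic of points 1 and 3, as an added example that is not the article's or Aruba's code: a first-match policy evaluator in which a user's decision depends on device role, device type and location as well as user role. The role names, resource names and the rule set are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class Context:
    user_role: str                      # e.g. "it-admin", "employee"
    device_type: str                    # "laptop", "tablet", "smartphone", "iot"
    location: str                       # "office" or "vpn"
    has_user_cert: bool                 # certificate issued to this user's device
    device_role: Optional[str] = None   # "corporate" when IT issued the device

def effective_device_role(ctx: Context) -> str:
    """Point 3: a device holding a user-issued certificate but no IT-assigned
    role is assumed to be BYOD; a device with neither is unknown."""
    if ctx.device_role:
        return ctx.device_role
    return "byod" if ctx.has_user_cert else "unknown"

# Ordered, first-match rules: (name, predicate(ctx, device_role, resource), decision).
# The rule set is a constructed assumption, not any vendor's policy model.
Rule = Tuple[str, Callable[[Context, str, str], bool], str]
RULES: List[Rule] = [
    ("unknown devices get nothing",
     lambda c, d, r: d == "unknown", "deny"),
    ("it-admin on a corporate laptop may configure switches and controllers",
     lambda c, d, r: r == "infrastructure" and c.user_role == "it-admin"
     and d == "corporate" and c.device_type == "laptop", "allow"),
    ("infrastructure is refused from every other device, same user or not",
     lambda c, d, r: r == "infrastructure", "deny"),
    ("BYOD over VPN is treated differently from the office: Internet only",
     lambda c, d, r: d == "byod" and c.location == "vpn" and r != "internet", "deny"),
    ("corporate and BYOD endpoints reach internal apps and the Internet",
     lambda c, d, r: r in ("internal-apps", "internet"), "allow"),
]

def decide(ctx: Context, resource: str) -> Tuple[str, str]:
    """Return (decision, name of the matching rule); default deny otherwise."""
    role = effective_device_role(ctx)
    for name, predicate, decision in RULES:
        if predicate(ctx, role, resource):
            return decision, name
    return "deny", "default deny"

if __name__ == "__main__":
    laptop = Context("it-admin", "laptop", "office", True, "corporate")
    tablet = Context("it-admin", "tablet", "office", True)   # cert only -> BYOD
    print(decide(laptop, "infrastructure"))                   # decision 'allow'
    print(decide(tablet, "infrastructure"))                   # decision 'deny'
```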
4. Manage mobile app use: Enterprises need to define and enforce policies that dictate who can access specific types of data from which devices, with the ability to differentiate between smartphones, tablets, laptops and IoT devices. To be effective, enforcement must extend across MDM/EMM, a policy management platform, and firewalls.
36
INTELLIGENTCIO
Manish Bhardwaj, Aruba's Senior Marketing Manager for Middle East and Turkey
5. Automate and simplify: Automation is essential both for initial onboarding and for taking action on non-compliant devices (for example, quarantining them until they are compliant). MDM/EMM solutions should share device posture with a NAC solution to ensure that devices meet compliance requirements before being given access. By automating the discovery and onboarding of non-compliant devices, you can reduce costs and improve your security posture.
6. Go with certificates – they're more secure than passwords: Users will connect to guest networks more frequently, leaving passwords exposed to theft, which makes certificates a cornerstone of a secure mobile device deployment. As using Active Directory and an internal PKI for BYOD is not a best practice, an independent Certificate Authority (CA) built to support personal devices is preferred. A policy management solution that can distribute and update certificates, as well as revoke them, should be explored.
7. Make everyone happy – simplify SSIDs: Multiple SSIDs complicate life for IT and users alike. With effective policy management enforcement in place, BYOD and corporate-owned devices can connect to common SSIDs. Reducing the options for users makes it easier for IT to maintain SSIDs across multiple locations, and consolidating SSIDs can also improve Wi-Fi performance. The key to improving your security posture is the ability to leverage roles, location and policy enforcement to ensure that devices receive exactly the access that IT expects, even on common SSIDs. When personal devices connect to a common 802.1X network, IT can provide Internet access only, if desired.
8. Consider next-generation multi-factor authentication (MFA): These days, enterprise data access is often initiated from smartphones and tablets. As these devices are easily shared, many IT professionals are turning to new forms of MFA to ensure that the user of a device is really the person requesting access. Now, when a user connects to a network or opens an application, IT can require a secondary challenge that is as simple as picking up your smartphone and scanning your fingerprint, for example.
www.intelligentcio.com