Personal check

Nader Baghdadi on the challenge presented by personal devices in the workplace
Nader Baghdadi says businesses must look at the issue of BYOD.


Bring Your Own Device (BYOD) identifies the recent trend of employees bringing personally owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers and databases as well as their personal applications and data. Mobile is surging, yes, but product peddlers have blown it way out of proportion.

The BYOD trend is making enterprises reassess their wireless strategies. But truth be told, most businesses really only want to do a few simple things with BYOD:

1. Find an easy way to onboard all devices (organisation- and user-owned)
2. Automatically provide user-based policies when a user connects
3. See who is accessing the network with which devices
4. Extend wired security and design (content filtering, firewalls, and VLANs) to the wireless network
5. Add wireless capacity to networks with 2x, 3x, or 4x devices per user
6. Keep it simple, cost-effective, and leverage existing infrastructure

Sure, some organisations also want to directly manage devices and apps, provide NAC (and anti-x) inspection, quarantine, and remediation, and then filter, control, and steer their users with highly customised policies.

Understandably, some organisations (such as those with strict compliance requirements) need highly customised security policies in place, and have the IT staff expertise and budgets to support them. But despite the BYOD hype claiming that everyone needs all the customisation and then some, the middle of the enterprise market may chafe against these assumptions.

When it comes to BYOD, very few companies in the mid-tier segment really want to implement every bell and whistle because (a) they don’t have time, (b) they don’t have the skilled staff, (c) they don’t have the budget, (d) they don’t see the need, or more likely, (e) all of the above. But more important, organizations already have the right network components to address their BYOD basics without having to purchase more network equipment:

• Authentication – you already securely authenticate users against your database servers (LDAP, AD, etc.) for some networking functions. Even if you don’t want to use 802.1X, there are still excellent options for user-specific wireless authentication.

• Network security – many organizations have already invested time and energy designing proper network segmentation and security with VLANs, ACLs, firewalls, and content filters. Why replicate the configuration and complexity on wireless devices if you’re already doing it on the wire?

• Role-based access policies – you know who people are and where they belong on the network; now it’s time to use that information to make sure everyone gets the right access and nothing else. Authorization policies can apply to device types too.

• Visibility – there are many devices in the network that can monitor who’s on your network and what they’re doing. A smart Wi-Fi system provides this information at the edge, where you can make provisioning changes as needed, as network usage changes.

Role-based access is often the biggest hurdle, but for those that have group policies wrapped up with a pretty bow, the new question that needs answering is whether all users and devices are the same. Users with personal devices are forcing the question. Thus, the basic problem surrounding BYOD is that users are known but devices aren't.

IT needs to know what devices are on the network at any time and who owns them. But network access has already been restricted by network security and segmentation (and any other overlay solutions in place, such as NAC and content filters). This raises some important questions:

• How are personal devices initially provisioned to gain network access?
• How is each device identified, associated with a user, and tracked?
• How is a user/device restricted to a WLAN or VLAN/firewall policy?

There are a few easy-to-use Wi-Fi features that have been around since before the BYOD bell started ringing, and they will help most organisations overcome the BYOD blues.

Dynamic Pre-Shared Keys (DPSKs) are a unique feature for organizations that aren’t ready to wade into the deep end of Wi-Fi BYOD security with 802.1X. Traditionally, WPA2-Personal uses a shared PSK for the entire network; there are several known security and manageability problems with these shared keys.

However, with DPSK a unique, secure key is created for each user or device. By pairing each user/device with an individualized PSK credential, the key/device/user combination can receive a unique policy and can be managed and monitored individually. It’s a bit like Goldilocks.

802.1X/EAP is confusing and/or difficult to implement. PSKs have security weaknesses and management problems. DPSKs are just right. They offer the best of both worlds:

• Unique access credentials for each user and device
• Individual control of user credentials (creating and revoking)
• No certificates, complex configuration, or backend dependencies
• Valid users can’t decrypt each other’s traffic

DPSK is an ideal fit for the BYOD craze, especially for companies caught between the less palatable extremes of 802.1X and traditional passphrases.
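The contrast the passage draws between one shared passphrase and per-user/per-device keys, as an added illustrative model that is not part of the original article and is not Ruckus's DPSK implementation: it derives the WPA2-Personal Pairwise Master Key the way 802.11i specifies and keeps a small registry in which each user/device pair gets its own random key and role, so a single device can be revoked without re-keying anyone else. The SSID, user names and device names are constructed for the example.

```python
import hashlib
import secrets

# Constructed example SSID (assumption for illustration only).
SSID = "corp-byod"


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal PMK as 802.11i specifies:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256-bit output)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class DpskRegistry:
    """Illustrative per-user/per-device PSK store (a model, not Ruckus's code).
    Every (user, device) pair owns a distinct passphrase and an access role."""

    def __init__(self, ssid: str):
        self.ssid = ssid
        self.entries = {}  # (user, device) -> {"psk": str, "role": str}

    def issue(self, user: str, device: str, role: str) -> str:
        # 192 bits of randomness per device: keys cannot collide or be guessed.
        psk = secrets.token_urlsafe(24)
        self.entries[(user, device)] = {"psk": psk, "role": role}
        return psk

    def revoke(self, user: str, device: str) -> None:
        # Dropping one entry affects only that device; no one else re-keys.
        self.entries.pop((user, device), None)

    def identify(self, pmk: bytes):
        """Map a connecting client's PMK back to (user, device, role), or None
        if the key is unknown or revoked. A real access point resolves this
        by checking the 4-way-handshake MIC against each candidate key."""
        for (user, device), rec in self.entries.items():
            if wpa2_pmk(rec["psk"], self.ssid) == pmk:
                return user, device, rec["role"]
        return None


def distinct_pmks(passphrases, ssid: str) -> int:
    """Count how many different PMKs a set of passphrases yields on one SSID.
    A shared WPA2-Personal passphrase gives 1 for any number of devices;
    per-device keys give one PMK per device."""
    return len({wpa2_pmk(p, ssid) for p in passphrases})
```

With a shared passphrase every client derives the same PMK, which is why any valid user can decrypt another's traffic and why revoking one device means changing the key for all; per-device keys remove both problems.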

Features that automate device provisioning, such as Zero-IT activation from companies such as Ruckus Wireless, are also uniquely beneficial for BYOD. Paired with DPSKs or 802.1X, zero-touch features offer a secure onboarding tool that allows users to self-provision devices without IT intervention.

In a typical workflow, users connect to a provisioning network, securely log in with their domain credential, and the provisioning tool auto-configures their device with the appropriate network profile and its associated privileges.

The device re-connects to the proper network and the user receives access, based on the role-based policies in place on the Wi-Fi system—or obtained from a user database. IT stays out of the onboarding loop and yet they retain full control over the user/device access. And in most systems, administrators gain visibility to see device-specific

Nader Baghdadi is the Middle East regional sales director at Ruckus Wireless