Bring Your Own Device (BYOD) identifies the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers and databases as well as their personal applications and data. Mobile is surging, yes, but product peddlers have blown it way out of proportion.
The BYOD trend is making enterprises reassess their wireless strategies. But truth be known, most businesses really only want to do a few simple things with BYOD:
1. Find an easy way to onboard all devices (organisation- and user-owned)
2. Automatically provide user-based policies when a user connects
3. See who is accessing the network with which devices
4. Extend wired security and design (content filtering, firewalls, and VLANs) to the wireless network
5. Add wireless capacity to networks with 2x, 3x, or 4x devices per user
6. Keep it simple, cost-effective, and leverage existing infrastructure
Sure, some organisations also want to directly manage devices and apps, provide NAC (and anti-x) inspection, quarantine, and remediation, and then filter, control, and steer their users with highly customised policies.
Understandably, some organisations (such as those with strict compliance requirements) need highly customized security policies in place, and where IT staff expertise and budgets are sufficient they can implement them. But despite the BYOD hype claiming that everyone needs all the customization and then some, the middle of the enterprise market may chafe against these assumptions.
When it comes to BYOD, very few companies in the mid-tier segment really want to implement every bell and whistle because (a) they don’t have time, (b) they don’t have the skilled staff, (c) they don’t have the budget, (d) they don’t see the need, or more likely, (e) all of the above. But more important, organizations already have the right network components to address their BYOD basics without having to purchase more network equipment:
• Authentication – you already securely authenticate users against your database servers (LDAP, AD, etc.) for some networking functions. Even if you don’t want to use 802.1X, there are still excellent options for user-specific wireless authentication.
• Network security – many organizations have already invested time and energy designing proper network segmentation and security with VLANs, ACLs, firewalls, and content filters. Why replicate the configuration and complexity on wireless devices if you’re already doing it on the wire?
• Role-based access policies – you know who people are and where they belong on the network; now it’s time to use that information to make sure everyone gets the right access and nothing else. Authorization policies can apply to device types too.
• Visibility – there are many devices in the network that can monitor who’s on your network and what they’re doing. A smart Wi-Fi system provides this information at the edge, where you can make provisioning changes as needed, as network usage changes.
Role-based access is often the biggest hurdle, but for those that have group policies wrapped up with a pretty bow, the new question that needs answering is whether all users and devices are the same. Users with personal devices are forcing the question. Thus, the basic problem surrounding BYOD is that users are known but devices aren't.
IT needs to know what devices are on the network at any time and who owns them. But network access has already been restricted by network security and segmentation (and any other overlay solutions in place, such as NAC and content filters). This raises some important questions:
• How are personal devices initially provisioned to gain network access?
• How is each device identified, associated with a user, and tracked?
• How is a user/device restricted to a WLAN or VLAN/firewall policy?
There are a few easy-to-use Wi-Fi features that have been around before the BYOD bell started ringing that will help most organizations overcome the BYOD blues.
Dynamic Pre-Shared Keys (DPSKs) are a unique feature for organizations that aren’t ready to wade into the deep end of Wi-Fi BYOD security with 802.1X. Traditionally, WPA2-Personal uses a shared PSK for the entire network; there are several known security and manageability problems with these shared keys.
However, with DPSK a unique, secure key is created for each user or device. By pairing each user/device with an individualized PSK credential, the key/device/user combination can receive a unique policy and can be managed and monitored individually. It’s a bit like Goldilocks.
802.1X/EAP is confusing and/or difficult to implement. PSKs have security weaknesses and management problems. DPSKs are just right. They offer the best of both worlds:
• Unique access credentials for each user and device
• Individual control of user credentials (creating and revoking)
• No certificates, complex configuration, or backend dependencies
• Valid users can’t decrypt each other’s traffic
DPSK is an ideal fit for the BYOD craze, especially for companies caught between the less palatable extremes of 802.1X and traditional passphrases.
Features that automate device provisioning, such as Zero-IT activation from companies such as Ruckus Wireless, are also uniquely beneficial for BYOD. Paired with DPSKs or 802.1X, zero-touch features offer a secure onboarding tool that allows users to self-provision devices without IT intervention.
In a typical workflow, users connect to a provisioning network, securely login with their domain credential, and the provisioning tool auto-configures their device with the appropriate network profile and its associated privileges.
The device re-connects to the proper network and the user receives access, based on the role-based policies in place on the Wi-Fi system—or obtained from a user database. IT stays out of the onboarding loop and yet they retain full control over the user/device access. And in most systems, administrators gain visibility to see device-specific
Nader Baghdadi is the Middle East regional sales director at Ruckus Wireless