BYOD Doesn’t Have to Be Your Biggest Headache

Manish Bhardwaj, Sr. Marketing Manager, Middle East and Turkey at Aruba, a HPE Company

Smartphones and other personal devices can now be found in most businesses as users are staying connected to the corporate network from anywhere, any time. It’s the stuff that keeps IT and security managers up at night — mobile users, multiple devices per user, and enterprise data on the move. Security for Bring Your Own Device (BYOD) and mobile must now be part of a larger conversation when securing the network for the new digital workplace. Based on existing customers’ best practices, this paper outlines eight things you can do to boost network security amidst BYOD.

ASSIGN ROLES TO USERS AND DEVICES

A smartphone issued by IT for a specific purpose may require more access privileges than a personal device. IT-issued laptops would have different roles than smartphones and tablets. The value is your ability to create different rules for each device type or role. User and device roles also let you differentiate privileges by device type for the same user. An IT administrator would be allowed to change switch and controller configurations with a laptop assigned a corporate role. But, that same person would not be able to access sensitive networking equipment using a tablet assigned a BYOD role.

USE PROFILING TO CREATE DEVICE CATEGORIES

Accurately profiled devices should be a cornerstone of your plan when rolling out a secure BYOD initiative. As BYOD permeates throughout your environment, not all users will be diligent about downloading the latest versions of the operating system. You’ll want to capture context that allows you to see who is running what versions on iOS, Android, Chrome and other operating systems.

USE CONTEXT WITHIN POLICIES

It’s important to leverage multiple sources of context to manage access. That context can include user role, device profile, and location; and once a certificate is issued to a specific user’s device, that device can be assumed to be a BYOD endpoint. Doing this greatly enhances productivity, usability and security. By enabling the use of known data, you can stop users from coming up with ways to bypass policies.

The use of device categories should also be explored. The idea is to again leverage context to enforce privileges across a large category of devices. All BYOD endpoints connecting over a VPN can be treated differently than when connecting in the office. Printers can be managed differently than game consoles or Apple TVs.
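As an added example (not Aruba/HPE code and not part of the original paper), the following Python sketch shows how the roles, profiled device categories and connection context described in the preceding three sections combine into a single access decision. Every role name, device category, minimum OS version and sample endpoint below is a constructed assumption; a real policy management platform would take these from its profiler, its MDM/EMM feed and its configured policy rather than from literals in a file. The office-versus-VPN difference for BYOD is expressed here as a step-up MFA requirement, which is only one of several ways a policy could treat the two cases differently.

```python
"""Toy context-aware access-policy evaluator (added example, not vendor code).

All constants, role names and thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    INFRA_MGMT = "infra-mgmt"        # may reach switch/controller management
    INTERNAL = "internal"            # internal apps and data, no infrastructure
    INTERNET_ONLY = "internet-only"
    QUARANTINE = "quarantine"        # remediation segment only


@dataclass(frozen=True)
class Endpoint:
    """Context gathered for one connecting endpoint (constructed fields)."""
    user: str
    user_role: str     # "it-admin" or "employee"
    device_type: str   # from the profiler: laptop, smartphone, tablet, printer, ...
    device_role: str   # "corporate" (IT-issued), "byod", or "unmanaged"
    os_name: str       # lower-case, e.g. "ios", "android", "windows"
    os_version: str    # dotted string as reported by the device
    has_cert: bool     # onboarded with a device certificate
    location: str      # "office" or "vpn"


@dataclass(frozen=True)
class Decision:
    access: Access
    step_up_mfa: bool  # require a secondary challenge before granting access
    reason: str


# Assumed minimum OS versions; real values come from the organisation's baseline.
MIN_OS_VERSION = {"ios": (16, 0), "android": (13, 0), "windows": (10, 0), "macos": (13, 0)}

HEADLESS_INTERNAL = {"printer"}                    # needs internal reach, never Internet
HEADLESS_INTERNET = {"game-console", "apple-tv"}   # entertainment: Internet only


def parse_version(text: str) -> tuple[int, ...]:
    """'17.4.1' -> (17, 4, 1); a component with no digits counts as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def os_compliant(ep: Endpoint) -> bool:
    minimum = MIN_OS_VERSION.get(ep.os_name)
    if minimum is None:
        return False  # unknown OS: fail closed
    return parse_version(ep.os_version) >= minimum


def decide(ep: Endpoint) -> Decision:
    """Apply rules in priority order; the first matching rule wins."""
    # 1. Profiled device categories get a fixed segment regardless of user.
    if ep.device_type in HEADLESS_INTERNAL:
        return Decision(Access.INTERNAL, False, "headless internal device category")
    if ep.device_type in HEADLESS_INTERNET:
        return Decision(Access.INTERNET_ONLY, False, "entertainment device category")
    # 2. Posture: an OS below baseline goes to remediation, whoever the user is.
    if not os_compliant(ep):
        return Decision(Access.QUARANTINE, False, f"{ep.os_name} {ep.os_version} below baseline")
    # 3. No device certificate on the common 802.1X SSID means Internet only.
    if not ep.has_cert:
        return Decision(Access.INTERNET_ONLY, False, "no device certificate")
    # 4. BYOD role: internal access, never infrastructure; step-up MFA over VPN.
    if ep.device_role == "byod":
        return Decision(Access.INTERNAL, ep.location == "vpn", "BYOD role")
    # 5. Corporate role: infrastructure management only for admins on laptops.
    if ep.device_role == "corporate":
        if ep.user_role == "it-admin" and ep.device_type == "laptop":
            return Decision(Access.INFRA_MGMT, ep.location == "vpn", "admin on corporate laptop")
        return Decision(Access.INTERNAL, False, "corporate device, standard user")
    return Decision(Access.INTERNET_ONLY, False, "unrecognised device role (fail closed)")


# Constructed sample endpoints: the same admin on two devices, plus others.
SAMPLES = {
    "admin-laptop": Endpoint("alice", "it-admin", "laptop", "corporate", "windows", "10.0.19045", True, "office"),
    "admin-tablet": Endpoint("alice", "it-admin", "tablet", "byod", "ios", "17.4", True, "office"),
    "byod-vpn": Endpoint("bob", "employee", "smartphone", "byod", "android", "14", True, "vpn"),
    "stale-phone": Endpoint("carol", "employee", "smartphone", "byod", "android", "11", True, "office"),
    "guest-phone": Endpoint("dave", "employee", "smartphone", "unmanaged", "ios", "17.0", False, "office"),
    "lobby-printer": Endpoint("-", "-", "printer", "unmanaged", "unknown", "-", False, "office"),
}


def evaluate_all() -> dict[str, Decision]:
    return {name: decide(ep) for name, ep in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in evaluate_all().items():
        print(f"{name:14} -> {d.access.value:14} mfa={str(d.step_up_mfa):5} ({d.reason})")
```

The ordering of the rules is the security-relevant part: posture and certificate checks run before any role is consulted, so a stale or uncertified device cannot inherit privileges from a highly privileged user, and the same administrator lands in `INFRA_MGMT` from the corporate laptop but only in `INTERNAL` from the BYOD tablet.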

MANAGE MOBILE APP USE

Enterprises need to define and enforce policies that dictate who can access specific types of data from which devices, with the ability to differentiate between smartphones, tablets, laptops or IoT devices. To be effective, enforcement must extend across MDM/EMM, a policy management platform, and firewalls.

AUTOMATE AND SIMPLIFY

Automation is essential for both initial onboarding and to take action on non-compliant devices. MDM/EMM solutions should share device posture with a NAC solution to ensure that devices meet compliance before being given access. Integrating with helpdesk applications and SIEM can provide an enhanced experience for the user and IT for improved problem resolution.

GO WITH CERTIFICATES – THEY’RE MORE SECURE THAN PASSWORDS

A policy management solution that can distribute, update, and revoke certificates should be explored. Integration with an MDM/EMM solution should be an option in the event that device management was deployed prior to investing in a network access policy management solution.

MAKE EVERYONE HAPPY – SIMPLIFY SSIDS

The key to improving your security posture revolves around your ability to leverage roles, location and policy enforcement to ensure that devices receive the access that IT expects, even when using common SSIDs. When personal devices are connected to a common 802.1X network, IT can provide Internet access only if desired.

CONSIDER NEXT-GENERATION MULTI-FACTOR AUTHENTICATION (MFA)

These days, enterprise data access is often initiated from smartphones and tablets. As these devices are easily shared, many IT professionals are turning to new forms of MFA to ensure that the user of a device is really the person requesting access. Instead of token generation devices that are easily lost, there’s a better way. Now when a user connects to a network or opens an application, IT can require a secondary challenge that is as simple as picking up your smartphone and scanning your fingerprint, taking a selfie, or clicking on a pre-determined image from within the images library.

CONCLUSION

In the end, the central component that brings everything together is an advanced policy management platform, one that includes AAA services, NAC, BYOD onboarding, and third-party integration with event-driven remediation.