
Menacing machines

There are a number of inherent risks carried by bring-your-own devices.

By Martin May, Regional director (Africa) of Extreme Networks.
Johannesburg, 11 May 2011

Security in the cloud not only relates to cloud service providers, storage strategies and common practices, but to the connection of new generation tablet PCs, smartphones, laptop computers, and other mobile devices to the corporate network.

These often privately-owned devices - known as BYO (bring your own) devices - are able to sidestep the physical, logical and personnel security controls associated with traditional networking management functions, because in many instances, the enterprise is unaware of their existence.

Yet these devices are increasingly popular in the business sphere, because they increase the productivity and efficiency of their users.

It's a phenomenon known as the 'consumerisation of IT'. Today users expect their BYO devices to seamlessly link into the corporate network and complement or even replace their existing desktop PC. Their functionality is enhanced by the addition of any number of after-market applications.

Perilous apps

However, any 'app' downloaded from an online store is a potential security hazard, and may represent an unguarded backdoor into the corporate network. Realising that restricting the use of apps on the devices via rules/policies is impractical, IT managers are looking to new-generation solutions to allay security concerns around the 'explosive' mix of private data and sensitive corporate data on BYO devices.

BYO devices can connect to the corporate network in a number of ways - either via WiFi or wired Ethernet links, or through fixed-mobile convergence, which hands calls over from a cellular network to the corporate WiFi network.


Martin May is regional director of Enterasys Networks.

The challenge facing IT managers is to choose a security solution that best fits their business needs. For example, if only e-mail services need to be accessed, then it makes sense to block WiFi access for BYO devices and limit them to reaching corporate services through 3G/4G cellular connections.

In this scenario, corporate data (such as e-mails and their attachments), along with contact data, can reside on the device, but it has limited access into the corporate IT infrastructure.

If a greater level of access is required, then other security controls and usage guidelines need to be established, including 'device type detection', a key first step towards more stringent security measures such as device assessment and access control.

Complementing device type detection solutions are a number of new cloud-based, managed wireless offerings designed to implement not only network access control (NAC) functions - such as authentication, authorisation, assessment, threat monitoring and remediation - but to profile and track any BYO device and user on the infrastructure.

From this platform, other vital security solutions, including network and agent-based assessment, DHCP (Dynamic Host Configuration Protocol) operating system fingerprinting, captive portal and external profile controllers can be employed.
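The 'device type detection' and DHCP operating system fingerprinting mentioned above rest on a simple observation: a device reveals its operating system family in the order of options it asks for (option 55, the parameter request list) and in its vendor class (option 60) before it has been given any address at all. The following is an added example, not code from the article or from any Enterasys/Extreme product; the signature table is an illustrative assumption (production systems use a maintained fingerprint database), and the DHCP DISCOVER it parses is constructed inline.

```python
import struct
from dataclasses import dataclass, field

DHCP_MAGIC = b"\x63\x82\x53\x63"

# DHCP option codes used below (RFC 2132)
OPT_PAD = 0
OPT_MESSAGE_TYPE = 53
OPT_PARAM_REQUEST_LIST = 55
OPT_VENDOR_CLASS = 60
OPT_CLIENT_ID = 61
OPT_END = 255

# Illustrative signatures (assumption): parameter request list -> OS family.
# Real deployments take these from a curated database, not from a hard-coded table.
SIGNATURES = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Windows",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "Apple macOS/iOS",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Android",
}


@dataclass
class DhcpMessage:
    op: int
    xid: int
    chaddr: bytes
    options: dict = field(default_factory=dict)


def parse_dhcp(data: bytes) -> DhcpMessage:
    """Parse the fixed 236-byte BOOTP header, the magic cookie and the TLV options."""
    if len(data) < 240:
        raise ValueError("too short for a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", data[:8])
    chaddr = data[28:28 + min(hlen, 16)]
    if data[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return DhcpMessage(op, xid, chaddr, opts)


def fingerprint(msg: DhcpMessage) -> dict:
    """Classify the sender by its parameter request list; vendor class is kept as a hint."""
    prl = tuple(msg.options.get(OPT_PARAM_REQUEST_LIST, b""))
    vendor = msg.options.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")
    return {
        "mac": ":".join(f"{b:02x}" for b in msg.chaddr),
        "param_request_list": prl,
        "vendor_class": vendor,
        # A client controls every byte it sends, so this is a hint that feeds device
        # type detection, not proof of identity; stronger authentication must follow.
        "os_guess": SIGNATURES.get(prl, "unknown"),
    }


def build_discover(mac: bytes, prl, vendor_class: bytes) -> bytes:
    """Construct a DHCPDISCOVER (sample input for the example, not a captured packet)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, len(mac), 0, 0x12345678, 0, 0x8000,          # op=BOOTREQUEST, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,        # ciaddr, yiaddr, siaddr, giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)      # chaddr, sname, file
    opts = bytes([OPT_MESSAGE_TYPE, 1, 1])                  # DHCPDISCOVER
    opts += bytes([OPT_CLIENT_ID, 1 + len(mac), 1]) + mac
    opts += bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + bytes(prl)
    opts += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    opts += bytes([OPT_END])
    return header + DHCP_MAGIC + opts


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("001122334455"),
                         (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252),
                         b"MSFT 5.0")
    print(fingerprint(parse_dhcp(pkt)))
```

In a NAC deployment the result is attached to the port or wireless session as a device profile; the caveat in the comment matters because a rogue host can replay any parameter request list it likes, so the fingerprint should select which authentication and assessment policy applies, never grant access on its own.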

In order to allow anytime/anywhere access to the corporate network, the network must be able to identify devices and users and dynamically grant them access, in terms of an appropriate authentication policy for BYO devices.

The real deal

Today there are many groundbreaking technical methods for authenticating BYO devices and users, including new-generation NAC (NACNG) solutions that support multiple authentication techniques.

Also playing an important role in securing BYO devices is Web-based registration. Because they are not managed by corporate IT, the devices lack suitable security configurations such as encryption settings for WiFi or strong authentication using certificates. NACNG provides an embedded Web portal that allows users, using their credentials, to register their devices.

Subsequent actions could include configuring the device in an automated workflow using mechanisms such as WMI (Windows Management Instrumentation) or an MDM (Mobile Device Management) system, which depend on the WiFi network being encrypted so that the configuration traffic is not exposed. It could also include the enrolment of certificates.

While the authentication process is an important component of any BYO device management programme, the function of 'assessment' goes significantly further to address the end system itself. In doing so, the compliance of the BYO device endpoint configuration with company regulations can be confirmed, while potential vulnerabilities on the device can be detected. Remediation of these vulnerabilities can then be applied.

Following successful authentication and assessment, the final step in bringing a mobile BYO device onto the corporate network is 'authorisation'. It is recommended that policies are enforced at the access layer, the entry point into the network infrastructure. This reduces the risk associated with attacks on the infrastructure and also allows for more accurate control of the device by the IT manager.

Dynamic authorisation at the entry point also enables the rules applied to the device to move with it throughout its travels on the network, seamlessly across wired connections and wirelessly, into the cloud.
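The authentication, assessment and authorisation steps above form one pipeline: the outcome of the first two selects a policy, and the access switch or access point enforces that policy on the session at the entry point. The following is an added example, not code from the article or from any Enterasys/Extreme product. It assumes the common standards-based way of delivering such a policy: a RADIUS Access-Accept carrying Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID for VLAN assignment (RFC 3580, RFC 2868) and a Filter-Id naming an access list. The VLAN numbers, filter names and role names are hypothetical, and the posture values are constructed for the example.

```python
from dataclasses import dataclass

# RADIUS attribute types (RFC 2865 / RFC 2868) and the VLAN tunnel values from RFC 3580
ATTR_FILTER_ID = 11
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6


@dataclass(frozen=True)
class Posture:
    """What the NAC knows about the session after authentication and assessment."""
    authenticated: bool
    user_role: str           # hypothetical roles: "employee" or "guest"
    device_type: str         # from device type detection: "windows", "macos", "ios", "unknown"
    registered: bool         # device registered through the web portal
    assessment_passed: bool  # endpoint assessment (patch level, encryption settings, ...)


def decide(p: Posture) -> dict:
    """Map authentication + assessment outcome to an access-layer policy (hypothetical VLANs)."""
    if not p.authenticated:
        return {"decision": "reject"}
    if not p.registered:                      # only the captive portal is reachable
        return {"decision": "accept", "vlan": 900, "filter": "portal-only"}
    if not p.assessment_passed:               # quarantine: remediation services only
        return {"decision": "accept", "vlan": 901, "filter": "remediation-only"}
    if p.user_role == "employee" and p.device_type in ("windows", "macos"):
        return {"decision": "accept", "vlan": 20, "filter": "employee-full"}
    if p.user_role == "employee":             # BYO handset or tablet: e-mail only
        return {"decision": "accept", "vlan": 30, "filter": "employee-mail-only"}
    return {"decision": "accept", "vlan": 40, "filter": "guest-internet"}


def _avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type (1 byte), length including header (1 byte), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def encode_authorization(policy: dict, tag: int = 1) -> bytes:
    """Attributes for the Access-Accept; empty for a reject (Access-Reject carries none)."""
    if policy["decision"] != "accept":
        return b""
    t = bytes([tag])  # RFC 2868 tag octet groups the three tunnel attributes together
    out = _avp(ATTR_TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    out += _avp(ATTR_TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_802.to_bytes(3, "big"))
    out += _avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, t + str(policy["vlan"]).encode("ascii"))
    out += _avp(ATTR_FILTER_ID, policy["filter"].encode("ascii"))
    return out


def decode_avps(data: bytes) -> dict:
    """What the access switch / AP extracts from the Access-Accept and applies to the port."""
    applied, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attr_type, value = data[i], data[i + 2:i + data[i + 1]]
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            applied["vlan"] = int(value[1:].decode("ascii"))   # skip the tag octet
        elif attr_type == ATTR_TUNNEL_TYPE:
            applied["tunnel_type"] = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_FILTER_ID:
            applied["filter"] = value.decode("ascii")
        i += data[i + 1]
    return applied


if __name__ == "__main__":
    byo_tablet = Posture(True, "employee", "ios", True, True)
    print(decide(byo_tablet), decode_avps(encode_authorization(decide(byo_tablet))))
```

Because the policy is bound to the authenticated session rather than to a physical port, the same Access-Accept attributes are returned wherever the device next authenticates, which is what lets the rules follow it across wired and wireless entry points; a change in assessment status mid-session is pushed with a RADIUS Change-of-Authorization (RFC 5176) rather than by waiting for the next reconnect.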
