Traditionally, enterprise network security was relatively straightforward because early network devices were attached via physical connections. Today, mobility is driving much of the network design, and wireless local area networks have become a major component of the corporate network.
Bring your own device (BYOD) is a growing phenomenon in all industries, both private and public. All organisations face the same challenges: provisioning mobile devices for secure access to the network, and scaling the WLAN solution to meet the onslaught of devices without placing an overwhelming burden on IT.
Here are nine best practice examples for managing and securing BYOD:
1. Provision user-owned wireless devices without jeopardising the security of the network
Getting the IT team to manually configure each device’s Wi-Fi profile is not scalable. Manual configuration by the end user is far riskier still, because the procedure is complex and easy to get wrong.
This is not a one-time event as there is enough device and user “churn” year over year to overwork any IT team.
The optimal solution is a self-provisioning application requiring little or no intervention from IT.
To ensure network security, any person attempting to access the network must be identified and authenticated against a trusted source such as Active Directory. The settings applied to the device should be defined by an IT policy written to handle the diversity of user types and mobile operating systems.
2. Limit access to network resources based on the class of user/device pair
To properly manage network resources, there must be a mechanism by which a user is granted access to a defined set of network resources and services. Each user may have unique access service and resource rights on the same network.
This can be based on a user “class” or on individual permissions and device class, but it is necessary to ensure that network resources are secure and accessed only by those permitted to do so from authorised devices.
3. Manage corporate-owned devices and user-owned devices
The basic requirement here is the ability to identify the device of the authenticated user. This is necessary because a user may have two or more Wi-Fi devices connected to the network. Identifying what is corporate owned and what is user owned may dictate the network services available to that user/device pair.
4. Scale without compromising the network bandwidth
Logically, there is a limit to the number of devices and classes of applications that the network can simultaneously support.
With BYOD, where there may be a higher device-to-user ratio, it is critical to estimate user traffic loading and to have the ability to analyse bandwidth problems when they occur.
A sophisticated BYOD solution will also provide methods for traffic load partitioning in order to maximise resources with minimal impact on the user community.
5. Keep track of devices and how they are being used
To properly manage a dynamic BYOD environment, the infrastructure must be able to produce network-level transaction and client state reports for troubleshooting.
This requires that the infrastructure itself support both real-time and after-the-fact reporting and troubleshooting. The same information is vital for reviewing bandwidth demand when planning the network.
6. Manage a single user with multiple wireless devices
With wireless devices, mobile workers can perform their duties as long as they have a Wi-Fi connection. As a result, it will be important to support a single user who is logged into the network from two devices concurrently.
Full logging and tracking of these devices must be provided, along with the ability to generate summary reports by user.
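The user/device-pair controls described in items 2, 3 and 6 can be put together in a few lines. The following is an added example, not code from the article or from Wavelink; the asset inventory, the directory lookup, the policy table and the session identifiers are all constructed for illustration. Device identity is assumed to be the identifier presented at authentication (for instance the serial of a per-device certificate issued during provisioning), looked up against a corporate asset inventory; pairs that are not in the policy table get nothing.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed asset inventory: device identifiers registered as corporate-owned.
# In a real deployment this comes from the asset register / MDM, not a literal set.
CORPORATE_DEVICES = {"cert-1001", "cert-1002", "cert-1003"}

# Constructed stand-in for a directory lookup (e.g. Active Directory group membership).
USER_CLASS = {"alice": "engineering", "bob": "contractor", "carol": "finance"}

# Policy table: (user class, device ownership) -> permitted network resources.
# Any pair absent from the table is denied everything (deny by default).
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("engineering", "corporate"): frozenset({"internet", "email", "source-repo", "build-servers"}),
    ("engineering", "personal"): frozenset({"internet", "email"}),
    ("finance", "corporate"): frozenset({"internet", "email", "erp"}),
    ("finance", "personal"): frozenset({"internet"}),
    ("contractor", "corporate"): frozenset({"internet", "email"}),
    # no ("contractor", "personal") entry: contractor-owned devices get no access
}


def classify_device(device_id: str) -> str:
    """Item 3: decide whether the authenticated user's device is corporate or user-owned."""
    return "corporate" if device_id in CORPORATE_DEVICES else "personal"


def authorise(user: str, device_id: str, authenticated: bool) -> FrozenSet[str]:
    """Item 2: resources granted to this user/device pair. Unauthenticated or unknown users get none."""
    if not authenticated:
        return frozenset()
    user_class = USER_CLASS.get(user)
    if user_class is None:
        return frozenset()
    return POLICY.get((user_class, classify_device(device_id)), frozenset())


def is_permitted(user: str, device_id: str, resource: str, authenticated: bool = True) -> bool:
    return resource in authorise(user, device_id, authenticated)


@dataclass(frozen=True)
class Session:
    user: str
    device_id: str
    ownership: str
    resources: FrozenSet[str]


class SessionRegistry:
    """Item 6: track every device a user is connected from, and summarise per user."""

    def __init__(self) -> None:
        self.sessions: List[Session] = []

    def connect(self, user: str, device_id: str, authenticated: bool = True) -> Session:
        session = Session(
            user=user,
            device_id=device_id,
            ownership=classify_device(device_id),
            resources=authorise(user, device_id, authenticated),
        )
        self.sessions.append(session)  # every connection is recorded, even a denied one
        return session

    def report_by_user(self) -> Dict[str, Dict[str, int]]:
        """Summary report: number of devices per user, split by ownership."""
        report: Dict[str, Dict[str, int]] = {}
        for s in self.sessions:
            entry = report.setdefault(s.user, {"devices": 0, "corporate": 0, "personal": 0})
            entry["devices"] += 1
            entry[s.ownership] += 1
        return report


if __name__ == "__main__":
    registry = SessionRegistry()
    registry.connect("alice", "cert-1001")     # corporate laptop
    registry.connect("alice", "byod-phone-7")  # personal phone, same user concurrently
    registry.connect("bob", "byod-tab-3")      # contractor on a personal tablet: denied
    for s in registry.sessions:
        print(s.user, s.device_id, s.ownership, sorted(s.resources))
    print(registry.report_by_user())
```

The deny-by-default policy table is the important design choice: a new user class or device type that nobody has written a rule for gets no access rather than accidentally inheriting someone else's. The ownership lookup is only as strong as the identifier behind it, which is why item 1 matters: a device identity bound to a certificate issued during provisioning can be checked at authentication time, whereas anything the device can freely choose for itself cannot.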
7. Manage a consistent set of applications across a varying set of mobile devices
Just as with network resources, a BYOD solution must be able to associate a user/device pair with a specific “class” of application and restrict access to everything outside that class.
8. Manage corporate data written to a mobile device
In an ideal deployment, a BYOD solution does not permit corporate data to be written to mobile device storage. To achieve this level of control a true Virtual Desktop Infrastructure (VDI) should be implemented and should complement any BYOD-imposed security controls.
Without a VDI, control of the mobile device falls to a Mobile Device Management (MDM) solution, which might allow deletion of specific data objects or force a “wipe” of the device itself.
9. Assign specific bandwidth allocations to specific users or devices
BYOD environments need to support multiple applications that vary in bandwidth demand. Standard web applications place little demand on bandwidth, but voice and video applications can place high demands. The ability to manage bandwidth by user/device pair is important to ensure network reliability.
Load balancing and applying “fairness” rules to application-specific traffic is important to ensure the best experience for all network users.
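One concrete form of the per-user/device allocation and “fairness” rules item 9 calls for is weighted max-min fair sharing: each user/device pair gets a weight from its application class, an optional hard cap, and the link is filled progressively so that no pair receives more than it asked for while contended capacity is split in proportion to weight. The code below is an added example, not the article's or Wavelink's; the class weights, the capacity, the demands and the caps are constructed, and it assumes one flow per user/device pair.

```python
from math import inf
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed fairness weights per application class: voice and video are
# given larger shares than bulk web traffic when the link is contended.
CLASS_WEIGHT = {"voice": 3.0, "video": 2.0, "web": 1.0}

Pair = Tuple[str, str]  # (user, device)


class Flow(NamedTuple):
    user: str
    device: str
    app_class: str
    demand_mbps: float


def allocate(capacity_mbps: float, flows: List[Flow],
             caps: Optional[Dict[Pair, float]] = None) -> Dict[Pair, float]:
    """Weighted max-min fair allocation by progressive filling.

    Each pass gives every still-unsatisfied pair a share of the remaining
    capacity proportional to its weight. Pairs whose limit (demand or per-pair
    cap, whichever is smaller) fits inside that share are settled at their
    limit and leave the pool; the freed capacity is re-shared in the next pass.
    When no pair can be settled, the remaining capacity is split by weight.
    """
    caps = caps or {}
    pairs = [(f.user, f.device) for f in flows]
    assert len(pairs) == len(set(pairs)), "example assumes one flow per user/device pair"

    alloc: Dict[Pair, float] = {}
    remaining = capacity_mbps
    active = list(flows)
    while active and remaining > 0:
        total_w = sum(CLASS_WEIGHT[f.app_class] for f in active)
        settled: List[Flow] = []
        for f in active:
            share = remaining * CLASS_WEIGHT[f.app_class] / total_w
            limit = min(f.demand_mbps, caps.get((f.user, f.device), inf))
            if limit <= share:
                alloc[(f.user, f.device)] = limit
                settled.append(f)
        if not settled:
            # Everyone left wants more than their weighted share: split what remains.
            for f in active:
                alloc[(f.user, f.device)] = remaining * CLASS_WEIGHT[f.app_class] / total_w
            return alloc
        remaining -= sum(alloc[(f.user, f.device)] for f in settled)
        active = [f for f in active if f not in settled]
    for f in active:  # only reached if the link is exhausted before they are settled
        alloc[(f.user, f.device)] = 0.0
    return alloc


def unallocated(capacity_mbps: float, alloc: Dict[Pair, float]) -> float:
    return capacity_mbps - sum(alloc.values())


# Constructed sample: a 10 Mbps link, four user/device pairs, one hard cap.
SAMPLE_FLOWS = [
    Flow("alice", "phone", "voice", 1.0),
    Flow("alice", "laptop", "video", 8.0),
    Flow("bob", "tablet", "web", 5.0),
    Flow("carol", "laptop", "web", 0.5),
]
SAMPLE_CAPS = {("bob", "tablet"): 2.0}  # bob's tablet is capped at 2 Mbps regardless of demand

if __name__ == "__main__":
    result = allocate(10.0, SAMPLE_FLOWS, SAMPLE_CAPS)
    for pair, mbps in sorted(result.items()):
        print(f"{pair[0]}/{pair[1]}: {mbps:.2f} Mbps")
    print(f"unallocated: {unallocated(10.0, result):.2f} Mbps")
```

With the sample input the two small demands are met in full, bob's tablet is held to its 2 Mbps cap, and alice's video stream absorbs the rest (6.5 Mbps) rather than its full 8 Mbps. Remove the cap and the same link splits the contended remainder 2:1 between video and web by weight. The same calculation run over measured per-pair demand is the kind of check item 4 asks for when analysing whether a bandwidth problem is a capacity shortfall or a fairness-rule problem.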
[Ilan Rubin is managing director, Wavelink, a company that specialises in the supply, marketing and support of a range of leading edge enterprise mobility and UC solutions.]