Bring Your Own Device is happening

Nader Baghdadi, Middle East regional sales director at Ruckus Wireless, says Bring Your Own Design to BYOD with what you have today.

By Nader Baghdadi. Published October 28, 2012


Bring Your Own Device (BYOD) identifies the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers and databases as well as their personal applications and data. Mobile is surging, yes, but product peddlers have blown it way out of proportion.

Sure, some organisations also want to directly manage devices and apps, provide NAC (and anti-x) inspection, quarantine, and remediation, and then filter, control, and steer their users with highly customised policies based on seventeen unique criteria including (but not limited to) user, device, location, time, access method, user mood, moon phase, ambient outdoor temperature, tide levels, and pant size. Understandably, some organisations (such as those with strict compliance requirements) need highly customised security policies in place, where IT staff expertise and budgets are sufficient. But despite the BYOD hype claiming that everyone needs all the customisation and then some, the middle of the enterprise market may chafe against these assumptions.

When it comes to BYOD, very few companies in the mid-tier segment really want to implement every bell and whistle because (a) they don’t have time, (b) they don’t have the skilled staff, (c) they don’t have the budget, (d) they don’t see the need, or more likely, (e) all of the above. But more importantly, organisations already have the right network components to address their BYOD basics without having to purchase more network equipment:

Authentication - You already securely authenticate users against your database servers (LDAP, AD) for some networking functions. Even if you don’t want to use 802.1X, there are still excellent options for user-specific wireless authentication.

Network Security - Many organisations have already invested time and energy designing proper network segmentation and security with VLANs, ACLs, firewalls, and content filters. Why replicate configuration and complexity on wireless devices if you are already doing it on the wire?

Role-based access policies - You know who people are and where they belong on the network; now it’s time to use that information to make sure everyone gets the right access and nothing else. Authorisation policies can apply to device types too.

Visibility - There are many devices in the network that can monitor who’s on your network and what they’re doing. A smart Wi-Fi system provides this information at the edge, where you can make provisioning changes as needed, as network usage changes.

Role-based access is often the biggest hurdle, but for those that have group policies wrapped up with a pretty bow, the new question that needs answering is whether all users and devices are the same. Users with personal devices are forcing the question. Thus, the basic problem surrounding BYOD is that users are known but devices are not.

IT needs to know what devices are on the network at any time and who owns them. But network access has already been restricted by network security and segmentation. This raises some important questions:

- How are personal devices initially provisioned to gain network access?
- How is each device identified, associated with a user, and tracked?
- How is a user/device restricted to a WLAN or VLAN/firewall policy?

There are a few easy-to-use Wi-Fi features that have been around before the BYOD bell started ringing that will help most organisations overcome the BYOD blues.

Dynamic Pre-Shared Keys (DPSKs) are a unique feature for organisations that aren’t ready to wade into the deep end of Wi-Fi BYOD security with 802.1X. Traditionally, WPA2-Personal uses a shared PSK for the entire network; there are several known security and manageability problems with these shared keys. However, with DPSK a unique, secure key is created for each user or device. By pairing each user/device with an individualised PSK credential, the key/device/user combination can receive a unique policy and can be managed and monitored individually. It’s a bit like Goldilocks.

802.1X/EAP is confusing and/or difficult to implement. PSKs have security weaknesses and management problems. DPSKs are just right. They offer the best of both worlds:

- Unique access credentials for each user and device
- Individual control of user credentials (creating and revoking)
- No certificates or complex configuration, or even backend system dependencies
- Valid users can’t decrypt each other’s traffic

DPSK is an ideal fit for the BYOD craze, especially for companies caught between the less palatable extremes of 802.1X and traditional passphrases.

Features that automate device provisioning, such as Zero-IT activation from companies such as Ruckus Wireless, are also uniquely beneficial for BYOD. Paired with DPSKs or 802.1X, zero-touch features offer a secure onboarding tool that allows users to self-provision devices without IT intervention.

In a typical workflow, users connect to a provisioning network, securely log in with their domain credential, and the provisioning tool auto-configures their device with the appropriate network profile and its associated privileges.

The device re-connects to the proper network and the user receives access, based on the role-based policies in place on the Wi-Fi system—or obtained from a user database.

IT stays out of the onboarding loop and yet they retain full control over the user/device access. And in most systems, administrators gain visibility to see device-specific settings, which user registered the device, what type of device it is, and more.

For enterprises that want additional device-specific policies, most vendors have integrated software that profiles new devices using OS fingerprinting techniques. When joined with user, role, location, and time-based policies, IT staff will have even more granularity, if they need the extra layers of control.
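To make concrete what the DPSK properties listed earlier and the self-provisioning workflow above amount to on the Wi-Fi system, here is an added Python model (not Ruckus code, and not taken from the article): each onboarded user/device gets its own random key, the controller keeps the derived WPA2 PMK alongside the user and role, revocation removes exactly one key, and the access point learns which device is associating by checking the 4-way handshake MIC against each active key. The key derivations (PBKDF2 PMK, PRF-512 PTK, HMAC-SHA1 MIC) follow IEEE 802.11i; the trial-each-key identification step, the registry class and all MAC addresses, nonces and frame bytes are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

def pmk_from_psk(psk: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", psk.encode(), ssid.encode(), 4096, 32)

def ptk(pmk, aa, spa, anonce, snonce) -> bytes:
    """IEEE 802.11i PRF-512: PTK from PMK, both MAC addresses and both handshake nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = (hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]

def eapol_mic(kck, frame) -> bytes:
    """WPA2/CCMP (key descriptor version 2) MIC: first 16 bytes of HMAC-SHA1 over the EAPOL-Key frame."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def client_msg2_mic(psk, ssid, aa, spa, anonce, snonce, frame) -> bytes:
    """What a station sends in handshake message 2: MIC computed with the KCK (first 16 bytes of PTK)."""
    kck = ptk(pmk_from_psk(psk, ssid), aa, spa, anonce, snonce)[:16]
    return eapol_mic(kck, frame)

class DPSKRegistry:
    """Hypothetical controller-side table: one random key per user/device, each bound to a role."""
    def __init__(self, ssid):
        self.ssid = ssid
        self.active = {}  # PMK -> {user, device, role}

    def issue(self, user, device, role) -> str:
        """Onboarding: mint a unique key for this user's device; the PMK is what the AP keeps."""
        psk = secrets.token_urlsafe(24)
        self.active[pmk_from_psk(psk, self.ssid)] = {"user": user, "device": device, "role": role}
        return psk

    def revoke(self, psk) -> bool:
        """Individual revocation: removing one key affects only that device."""
        return self.active.pop(pmk_from_psk(psk, self.ssid), None) is not None

    def identify(self, aa, spa, anonce, snonce, frame, mic):
        """Assumed AP behaviour: trial each active PMK against message 2; the one whose MIC verifies
        names the user/device, so a per-key role policy can be applied to the association."""
        for pmk, record in self.active.items():
            kck = ptk(pmk, aa, spa, anonce, snonce)[:16]
            if hmac.compare_digest(eapol_mic(kck, frame), mic):
                return dict(record)
        return None
```

Because each device's PMK differs, the PTKs derived from the same handshake nonces differ as well, which is the property behind "valid users can't decrypt each other's traffic".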

These solutions are less intimidating than full-blown NAC and MDM approaches, but they solve the real problems for a majority of organisations. And the fortunate reality is that these solutions can be easy to set up and intuitive for BYODers to use.

If the WLAN is designed properly and provides reliable RF functionality, users stay connected and productive. And that is exactly how BYOD should be.
