After another flashy offense misses out on a Super Bowl win, they found that securing the ball would have also helped. The same is true for network policies. Rolling out employee-friendly BYOD and work from anywhere programs is great, but IT must have a decent grasp on how to leverage roles, contextual data, and policy management that secures your data.
We usually hear about the lack of a policy engine from prospective customers. They're using legacy AAA when looking to roll out new services and they run into a ton of issues, so they start looking for something new. But even when they're looking, they often need examples on why policy management matters. Let's take a quick look at the basics.
Roles: Legacy AAA solutions do not have a good way to define or put users and devices into different buckets. Access for users that carry multiple devices is easier to manage if you can create policies for their devices as well. An IT-issued laptop should probably have a different role than a personal smartphone.
When using one SSID for IT-issued and BYOD, it's much easier to enforce that good user, Peyton with an IT-issued laptop can get to Intranet and Internet services, but when using a smartphone, he only gets Internet access. In this example, device roles and categories are used within a policy rule.
Categories versus Context: I just introduced the idea of a category, so let's expand on that a little. Categories let you put groups of devices into buckets and leverage their attributes. Device context (or attributes) should be collected to ensure that devices that look like smartphones are smartphones. Or printers are really printers, etc. You also want to leverage the status of the device or its location when connecting the network, which is context as well.
For example, just because a device is a smartphone, you may want to make sure that it's not jailbroken before letting it onto your enterprise network. Using this context is something that you can't do with an AAA solution easily. It would involve buying external components that may add complexity, which is usually not the goal.
Policy management: When dealing with the bigger picture, static rules that were built for devices that never move is probably ok, but that's not the case today. Dynamic policy enforcement that includes AAA services, roles and context for wired, wireless and VPN access is the new standard. And to ensure that context never gets old, built-in profiling should be a part of the policy management solution you look at.
I've really only talked about smartphones, laptops, and printers. Next month we'll take a look at the Internet of Things (IoT) as it's a new concern. Not only do you need a good game plan for traditional devices, it's time to think again.
Would like to hear your thoughts on AAA versus Policy Management and what you're hearing about IoT.
