
HPE Aruba Networking Blogs

Is Your Device Innocent or Guilty?

In most societies, it's been drilled into us that "innocent until proven guilty" is a basic right. However, from a cyber security standpoint in the mobility world, where BYOD is prevalent and IT has few controls over the devices users bring into the enterprise, the opposite is true.

To quote Hemingway, "All things truly wicked start from innocence."

Therefore, when dealing with non-IT issued devices in the enterprise, it is prudent to ensure that devices have been scanned and are compliant with corporate policy before providing complete network access so that you do not leave your company vulnerable to compromise and data loss.

Without endpoint controls, IT must assume that users and devices are guilty until proven innocent. Because traditional point security solutions cannot mitigate or remediate breaches introduced through new BYOD vectors once they are inside the network, it is a best practice to assess the health of a device during the initial connection, not after the device has been given access.

That being said, BYOD devices brought in by guests, contractors, and employees must have been scanned for vulnerabilities BEFORE they are allowed to access the network. This may seem like common sense, but some NAC vendors believe in a "trust first, remediate later" approach to speed up how quickly these devices are allowed onto the network.

Although quickly allowing access to the network seems great from a user experience standpoint, this approach usually backfires because it opens the floodgates to a network breach.

In our model, ClearPass OnGuard ensures that laptops are scanned to meet IT-defined policy requirements before being granted network access. For organizations that must adhere to regulatory compliance, OnGuard can also help ensure that disk encryption is running and that you can maintain a record of which devices consistently fail compliance requirements.

Other items that can be assessed for compliance are USB controls, P2P application blocking, spyware updates, hotfix/patch updates, and much more.

For smartphones and tablets, ClearPass works with MDM/EMM applications to exchange contextual information so that the same control you have over laptops with OnGuard will also work with smart devices.

To learn more about ClearPass and ClearPass OnGuard, view our white paper here.