Expert interview series continue with Jon Green, aka. jgreen, and Carlos Gomez, aka. carlos, who joined me to talk about best practices in enabling secure authentication for employee and guest owned mobile devices.
To hear more about BYOD and what it means for your network, join us at Airheads Social for a live video event on the topic. Video will be streamed on Airheads Social homepage on February 21st 10am PST. You can register at: http://www.arubanetworks.com/register/BYOD/index.html
Let's start with employees... who use one or more mobile devices to get their job done, in addition to using the standard IT assigned laptops. If their organization is BYOD friendly, they are allowed to gain access to some - not all - corporate information using smartphones and tablets. Some corporations are going one step further and sponsoring large scale roll-out of smartphones and tablets to their employees. In either of these cases, enabling secure authentication for these untraditional non-Windows platforms turns out to be a big challenge for IT organizations.
Here are the best practices in a nutshell:
- Make sure you define security policies in advance (who is allowed to see what using which device)
- Make sure the WLAN infrastructure validates both the user and the device during authentication
- Based on user and device credentials, apply pre-defined access control rules for each user-device combination
Jon argues that the most secure way to authenticate both device and user credentials is to use client-side certificates. Since these are non-Windows platforms, "machine authentication" as we know it is out of question. For IT organizations who choose to utilize client-side certificates, I recommend that they employ a remote / auto-enrollment mechanism for employee or corporate owned smartphones and tablets - otherwise the number of devices that need to be manually provisioned will be far too large to support.
Here is what Jon has to say on the topic. Be sure to check out his 5-part series on Digital Certificates as well: http://bit.ly/z4DVDE
It is important to note that a lot of the wireless LANs out there utilize 802.1x/PEAP authentication for corporate employee access. Since PEAP does not validate the end user device, it is quite easy for employees to connect their smartphones and tablets to the network using the same corporate username & password, without IT's knowledge and permission. Not good. You cannot secure what you cannot see - so it is highly recommended for IT organizations to utilize a solution that can at least automatically identify the types of devices accessing the corporate network.
Next up is Carlos who highlights another challenge for IT organizations - enabling secure authentication for guest users and their devices. Guest Wi-Fi access sounds simple enough. Challenge is in keeping an audit trail of who got access to the guest network, and when & how. And unless IT organizations have the time and resources to manually create credentials for every guest device and apply different policies for different types of guests (contractors, temporary workers, partners, etc.), they need to utilize a self-registration system to its fullest. Here is what Carlos has to say on the topic.
So by requiring employees to authorize and manage Wi-Fi access for their guests, it is possible to integrate sponsor-based authorization with guest user self-registration. This also creates an audit-trail of who gave permission to guest users for network access. It is important to note that self-registration system needs to be simple enough for every guest user to use and it should seamlessly interoperate with different mobile device OS browsers. Otherwise, it means increased number of support tickets for IT and that's certainly not a good thing.
We can certainly talk about these two topics in a lot more detail, so we are looking forward to your feedback. Let us know of any additional questions, comments.
Ozer Dondurmacioglu is the general manager for Meridian Apps at Aruba, a Hewlett Packard Enterprise company.
