Two of Aruba's product managers, Carlos Gomez (aka. carlos) and Cameron Esdaile (aka. -cam-) participate at Tech Field Day's Wi-Fi Mobility Symposium 2012 (#WMS12) and Wireless Field Day 2 (#WFD2) events. Topic was BYOD and they certainly had quite a bit to share. I have tried to summarized the main points of discussion in this blog entry. Both presentations were recorded and you can find the videos below.
To hear more about BYOD and what it means for your network, join us for a live video event on the topic. Video will be streamed on Airheads Social homepage on February 21st 10am PST.
Alright, let's start with what BYOD really means for an IT organization. Some challenges are vertical specific (eg. retail vs higher education) but some are common across all. First of all, BYOD means a lot of devices in the network - two sometimes three per user. That eventually means a lot more support tickets and manual labor for IT engineers. They are going to need solutions for enabling BYOD on their network that are going to save them time.
Some organizations sponsor the rollout of consumer grade mobile devices to employees - through credit for the partial or the full purchase amount. And some organizations simply ask their employees to bring their personal mobile devices to work - the most common form of BYOD. Either way, network security and data integrity is a big concern. While BYOD brings flexibility, it increases risk. Security experts in IT have to utilize a solution which will deliver on both fronts.
Where applications live is also changing - if you are using an iOS device for work, you are most probably storing content or accessing applications using the cloud services. For instance, Dropbox data storage service lives in the cloud, is very simple to use and free up to 5GB worth of data. Dropbox contains more confidential information from end users mobile devices than many IT organizations hope for. Hence IT experts need to enable application level access and data control for employee owned mobile devices in order to be able to sleep at night.
BYOD means simplicity for the end user - that's really the biggest driver of this phenomenon. So while an IT organization need to have the right set of tools and policies in place to enable BYOD, they have to ensure that such a solution does not hinder end user productivity and happiness.
Let's hear from Carlos at WMS12 before we continue our discussion. Carlos's presentation from WMS12 is also attached to this blog entry if you want to download and take a look.
As Carlos highlighted, there are several use cases for BYOD that we see commonly out there. First and most common one has to do with enabling a "Limited Access Zone" (LAZ) for an employee's personal mobile device. It effectively means that the personal device will be authenticated to the secure Wi-Fi network just like an IT provisioned laptop, but it will be assigned a separate network access policy post-authentication. Another common need is the need to revoke device level access when it is lost or stolen, while user level access is still enabled for other devices that belong to the same user.
Looking at these two cases, what's the requirement for the network? It needs to authenticate the device AND the user and be aware of the user role and device type while enforcing the network access rules.
Let's hear more from Carlos and Cam at WFD2 before we conclude our discussion.
Let's summarize the engineering steps to prepare your network for BYOD.
1. Automatically onboard device to save time
- Supplicant configuration
- Push device level credentials
- Enable device level posture
- Set authentication type for device
2. Get AAA services ready for BYOD
- Incorporate enrollment workflow in AAA
- Authorize specific or all user groups to enroll device
- Store device level credentials
- Link user to device
3. Control device access
- Revoke device level access when/if required
- Enable device identification in the network
- Ensure device/user level policy enforcement
- Separate corporate and employee liable devices
4. Ensure visibility and reporting
- Enable inventory visibility
- Utilize tools for device specific troubleshooting
- Ensure visibility to per device auth and enforcement
All, sounds simple enough right 😉 Let's continue to conversation here at Airheads Social to find the best solutions out there to easily enable secure BYOD in your network.
