Ten Steps to Secure BYOD

Networking and Communications

Nov 20, 2013

WHITEPAPER
A secure and flexible way for companies of any size to make a successful transition to BYOD
Contents:
• Introduction
• BYOD: Adapting To An Increasingly Mobile World
• BYOD Demands A New Approach To Network Access Control
• Ten Steps To Secure BYOD
• Bringing BYOD To Life
TEN STEPS TO SECURE BYOD
As companies transition to a BYOD environment, questions like these come up time and again:
• How do you know what devices are connected to your network, and if they are authorized?
• How do you know if employee-owned devices are up to date with the latest operating system versions and anti-virus/spyware software? How can you enforce this?
• How do you let employee-owned devices safely onto your network? Will they be full function or restricted to specific apps, locations, etc.?
• How do you enable but limit network access for contractors, partners and other guests?
• When responding to an incident, can you replay the Who/What/Where/When of network access?
BYOD DEMANDS A NEW APPROACH TO NETWORK ACCESS CONTROL
Dealing with heterogeneous, non-standard devices and resulting
security threats demands a new approach to Network Access Control
(NAC). For years, IT organizations have managed mobile devices as an
extension of how they managed PC desktops, with all devices owned by
the enterprise and issued to authorized users. Companies standardized
on one OS (Windows) with pre-installed applications. Network access
was binary, allowed or denied, based on the identity of the user, and the
end user didn’t have to worry about security.
With the transition to BYOD, that standardization dissolves, as does the
one-size-fits-all control that comes with it. We’re now moving to a world
that is largely mobile—a heterogeneous world of foreign devices with
widely different architectures and security levels. A new generation of
NAC technology is designed for this complex environment, providing
access control for enterprise networks that is much more flexible and
easier to manage than anything previously available. Bradford Networks
is at the forefront of these innovations.
A NAC tool such as Bradford’s Network Sentry addresses the key issues
required for a BYOD initiative to succeed. IT administrators can quickly
create highly granular network access policies for different devices and
categories of users, and then automate their enforcement. Visibility
about all users and devices (authorized or otherwise) that was previously
out of reach becomes available instantly. Users can bring their personal
devices to work, becoming more productive in a secure environment—
which ultimately makes the company more profitable.
The next section describes how to use next–generation Network Access
Control to make a BYOD solution work.
INTRODUCTION
BYOD (Bring Your Own Device) is a huge trend in corporations, hospitals
and universities, where employees and other users are allowed to
access the corporate network using a wide range of personal devices.
BYOD has wide appeal because employees value the convenience and
ease of use, while businesses recognize that it allows their staff to be as
productive as possible. However, the growth in personal devices being
brought into the enterprise network is also a potential security threat as
well as a huge headache for IT departments trying to make BYOD work.
This paper describes a secure and flexible way for companies of any
size to make a successful transition to BYOD. It uses groundbreaking
Network Access Control technology developed by Bradford Networks
to balance the device preferences of employees with the security
and control requirements of the enterprise. The approach combines
granular access policies, automated enforcement and complete
visibility into what devices and users are accessing the network. Users
are happier and more productive, while the enterprise can move to a
BYOD environment with confidence. That’s good news for employees,
and good news for the company.
BYOD: ADAPTING TO AN INCREASINGLY MOBILE WORLD
For decades, companies knew exactly which tools their employees
would be using to get their work done. The IT department assigned
them a desktop PC for the office, and perhaps a laptop and mobile
device for use at home or on the road. The company, through its IT
department, dictated what software would run on the device, and
retained an administrator password so they would always be in control.
Those days are over. Employees have their own personal devices
(laptops, tablets and smartphones), and those devices are often more
powerful and easier to use than what the company has assigned them.
They now expect and increasingly demand the freedom to use their
personal devices for work, accessing the company network to perform
their daily tasks. And employees and users are extremely resourceful – if
new technology can help them do their job better, they’ll use it, even
if it’s under the radar. Rather than fight the inevitable, more and more
organizations are allowing employees to use their personal devices for
work so they can be as productive as possible, rather than throwing
obstacles in their way.
As companies transition to a BYOD environment, IT departments
have to make some major adjustments along the way. Rather than
managing a small, predictable set of devices and configurations, BYOD
is a complex and dynamic landscape, with many different models of
laptops, tablets, and smartphones, some running Windows; but most
using iOS, Android, or some other operating system. They’re used by
many different categories of employees as well as guests – partners,
contractors, job candidates, interns and others – all expecting access to
your network, or at least a portion of it.
Traditional, one-size-fits-all command-and-control device management
won’t work in this dynamic environment. But how are you going to
identify, onboard and manage all of these different personal devices
and types of users? At the same time, you have to prevent unauthorized
access and other security risks (including cyber criminals preying on
unsuspecting users in order to slip through the company firewall).
THE “NEW NORMAL” IS BYOD: INDUSTRY FAST FACTS
• Gartner predicts that by 2014, 90% of organizations will support corporate applications on personal devices. [1]
• When Apple overtook Microsoft’s market capitalization it was a strong indicator of the consumerization/BYOD trend.
• IDC found that in 2011, 40 percent of devices that information workers use to access business applications are personally owned, a 10-point jump from 2010. [2]
[1] Source: “Opportunities and Conflicts Loom in the Wake of Google’s Motorola Mobility Deal”, Gartner, October 7, 2011
[2] Source: IDC, June 14, 2011
TEN STEPS TO SECURE BYOD
The following steps describe how to enable a BYOD environment that
works for both users and the enterprise. It’s an approach that shifts
the focus from traditional command and control to flexible policy-
based network provisioning that can support personal mobile devices.
Employees can be productive on their preferred devices, without
compromising security for the organization.
The process uses Bradford’s Network Sentry tool that provisions network
access to corporate-owned and personal devices according to rules
that you define. We’ll be using Network Sentry’s policy engine to define
network access in a very granular way to meet the needs of different
users and groups. We’ll then use Network Sentry to enforce compliance
with those policies, provide visibility into all network access, and allow
policies to be modified if needed.
1. Determine which mobile devices are allowed on the network
The first step is to determine what devices need to be supported, and if
those devices are secure enough to be granted network access. Whether
a device is considered safe does not have to be a binary permitted/not
permitted decision; for example, a company may allow employees to
onboard any device and get guest access, but only specific devices
would be allowed further access. It’s very important at this initial stage to
educate employees about security practices when using the corporate
network, and if a device can’t be supported because it’s highly insecure,
now is the time to explain why.
Employees also need to be involved in defining the access policy and to
understand the reasoning behind it, because the policy will be enforced.
To ensure a successful implementation, IT should reach out to different
departments to understand the BYOD needs of their users rather than
attempt to make this decision on its own. For example, physicians may
feel that iPads are critical in the hospital because they can be easily
sanitized—a detail that IT will probably want to know before they set
the policy!
2. Determine which OS versions are allowed on the network
Once you’ve decided what personal devices to allow on your network,
you need to determine which operating system version needs to be
installed on each device. You then need to make sure the software
patches are kept up to date so the device will not become susceptible
to viruses and spyware. Mobile Device Management (MDM) software
that users download and install on their mobile device automatically
keeps devices up to date, much like the patching mechanisms used for
updating desktop PCs. It can also remotely wipe a device clean if it’s
reported lost or stolen.
3. Determine which applications are mandatory (or prohibited) for each device
The next step is to determine what applications employees need to be
productive, and what precautions you need to take. An IT administrator
can configure the MDM software to enable network access only to
specified enterprise application(s), and disable access to personal
applications that could carry a security risk while the user is logged in.
When the user logs out of the company network, they can go back to
using their personal apps.
Depending on the security posture, the policy could also be more
forgiving, allowing a user to access personal apps while logged into a
company server, as long as those apps were downloaded from a trusted
and reliable source, such as an app store. The MDM software can tell if
someone has tampered with the device (jail-breaking), and downloaded
software that is potentially not from an app store and thus less secure.
Depending on the security posture defined in the policy, this could
cause the device to be disabled, or for the user to be given guest status
or some other limited access.
4. Determine which groups of employees will be allowed to use these devices
Now you’re going to determine who can use the approved devices based
on their profile: what group they belong to, what privileges they have,
what device they’re using, and what applications they need to use. For
example, physicians may be granted access to their iPads to view and
update patient information, while nurses may only be granted access
to their mobile phones for calls and text messages. Or different groups
might be granted access to the same device but for different corporate
applications depending on how the access policy is defined. The new
NAC technology provides great flexibility in the way network access
options can be defined, which are then monitored and enforced.
5. Define the who, what, where and when of network access
In this step you’ll associate users and groups with a specific network
according to the policy you have defined. For example, Dr. John Smith,
Emergency Department physician, wants to use his iPad to access
medical records. Thus you need to assign a unique identifier (such as
a MAC address) to identify his device, identify the owner (Dr. Smith),
specify an SSID that identifies the wireless network, and specify the
physical Access Point(s) from which that network can be accessed. This
could involve specifying the following using the NAC tool:
User name: Dr. John Smith
Unique Identifier: D8:A2:5E:2D:85:AD
SSID/AP: Patient Info / Emergency-Room (where Patient Info is the SSID and Emergency-Room is the access point)
Time: 8:00 AM – 5:00 PM (Dr. Smith works the day shift.)
[Figure: BYOD Process. Diagram labels: Which mobile devices will you allow onto your network? Now, which OS versions will be allowed? Next, what applications are required and not permitted? Determine which employees will be allowed to use these devices. Now, who has network access based on who, what, where and when? Educate employees prior to purchasing a mobile device. Next, inventory your authorized devices. Then, inventory your authorized users. Control access based on the need to know. Finally, be sure to conduct continuous vulnerability assessments.]
These “Who/What/Where/When” specifications that define network
access for Dr. John Smith can now be carried over, with suitable
modifications, to other emergency room physicians and doctors on
other hospital units.
6. Educate your employees about the BYOD policy
Now that you’ve built out your BYOD policy, you want to make sure that
employees understand it, as well as the reasoning behind it. They also
need to understand that the policy will be enforced.
A lesson that Bradford Networks has learned from over 10 years of
securely on-boarding all types of mobile devices – first in the education
market and now in the mainstream – is that effective communication
with employees is essential for BYOD to succeed. Most security issues
that companies face are caused by users who are unaware of the rules
that the enterprise puts in place, or the risks of ignoring them. You want
to educate and engage them so the BYOD initiative will be a success.
And since employees are going to buy personal devices and receive
them as gifts, you want to be sure they know which devices to get.
7. Inventory authorized and unauthorized devices
You can’t create and implement a network access policy in a vacuum.
Before setting up controls to enforce your network access policies, you
need to conduct a reality check to see what devices are currently on the
network and who is using them.
In the past, inventorying all the devices on a complex corporate, hospital
or university network could take months or even years. This information
is now available in real-time, providing IT with complete visibility and
control of all devices on the network (including previously unknown
devices). By providing an accurate view into what devices are currently
using the network, the inventory will help you make sure the access
policy you have defined is sound, and in line with employee preferences
and requirements. You can then use that information to fine-tune the
BYOD policy if necessary before starting to enforce it in Step 9.
8. Inventory authorized and unauthorized users
You’ll also need to inventory all users (known and unknown) who are
currently accessing your network, and what devices they’re using. This
is where, for example, an IT administrator will discover that a group of
doctors are using iPads because they can be sterilized, even if the policy
dictates they should be using Blackberrys. (Yes, it has happened!)
Steps 7 and 8 give us a complete view into the current BYOD environment:
what devices are accessing the network, who owns them, what company
applications they’re accessing, and what personal applications are
running on their device (including apps with vulnerabilities that could
leave the enterprise at risk).

9. Control Access Based on the Need to Know
You’ve built your network access policy, educated the employees about
your BYOD initiative, used network visibility to inventory devices and
users currently on the network, and refined the policy if necessary
based on what the inventory revealed. Now it’s time to start enforcing
the network access control policy—the Who, What, Where and When of
network access control.

By providing this highly granular policy definition and automated
enforcement, Bradford’s Network Sentry technology gives BYOD users
the network access they need to be productive, while providing the
enterprise with acceptable security and control. If an unidentified user
tries to access the network, the Network Sentry can either reject them or
assign them guest status with fewer privileges, such as Internet access
for checking email, while denying access to back end servers.
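As an added example (not the paper's material and not Network Sentry's own policy engine), the following Python shows how a NAC policy engine could evaluate the Who/What/Where/When record defined in Step 5 and produce the enforcement outcomes described in Step 9 (full access, guest status, or rejection), with the OS-version and jailbreak posture checks from Steps 2 and 3 folded in. Dr. Smith's record reuses the paper's values; the nurse record, the minimum OS version and the choice of deny-for-jailbroken/guest-for-outdated are assumptions.

```python
# Constructed policy records modelled on the Step 5 specification.
# Dr. Smith's record reuses the paper's values; the nurse record is invented.
POLICY = {
    "D8:A2:5E:2D:85:AD": {
        "owner": "Dr. John Smith",
        "ssid": "Patient Info",
        "aps": {"Emergency-Room"},
        "window": ("08:00", "17:00"),      # day shift
    },
    "00:11:22:33:44:55": {
        "owner": "Nurse Example (hypothetical)",
        "ssid": "Staff Voice",
        "aps": {"Ward-3", "Ward-4"},
        "window": ("19:00", "07:00"),      # night shift, crosses midnight
    },
}

MIN_OS = (7, 0)   # assumed minimum OS version for full access (Step 2)


def in_window(now, window):
    """True if zero-padded 'HH:MM' time `now` lies inside `window`.

    Zero-padded HH:MM strings sort in clock order, so string comparison is
    enough; a window whose end precedes its start wraps past midnight.
    """
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def decide(mac, ssid, ap, now, os_version, jailbroken):
    """Return (decision, reason) for one connection attempt.

    decision is 'allow' (full access), 'guest' (Internet only, no back-end
    servers) or 'deny'. The reason is what you would keep in the access log
    so the Who/What/Where/When can be replayed when handling an incident.
    """
    rec = POLICY.get(mac.upper())
    if rec is None:                                   # Step 9: unidentified device
        return "guest", f"unknown device {mac}: guest status"
    who = rec["owner"]
    if jailbroken:                                    # Step 3: tampered (assumed: deny)
        return "deny", f"{who}: device tampered (jailbroken)"
    if tuple(os_version) < MIN_OS:                    # Step 2: outdated (assumed: guest)
        return "guest", f"{who}: OS {os_version} below minimum {MIN_OS}"
    if ssid != rec["ssid"] or ap not in rec["aps"]:   # where
        return "deny", f"{who}: {ssid}/{ap} not permitted"
    if not in_window(now, rec["window"]):             # when
        return "deny", f"{who}: {now} outside {rec['window'][0]}-{rec['window'][1]}"
    return "allow", f"{who}: who/what/where/when satisfied"


if __name__ == "__main__":
    print(decide("d8:a2:5e:2d:85:ad", "Patient Info", "Emergency-Room", "09:30", (8, 1), False))
    print(decide("d8:a2:5e:2d:85:ad", "Patient Info", "Emergency-Room", "18:15", (8, 1), False))
    print(decide("aa:bb:cc:dd:ee:ff", "Patient Info", "Emergency-Room", "09:30", (8, 1), False))
```

The reason strings are the piece worth keeping: written to the access log they answer the incident-response question from the introduction, replaying who connected, from which device, via which SSID/AP, and when.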
10. Continuous Vulnerability Assessment and Remediation
You can’t just set up your BYOD based on a snapshot of security risks
and employee needs at a single point in time. You need to continuously
check for vulnerabilities and the changing needs of your employees,
and potentially modify your policy to reflect the changing needs of
your employees as well as evolving security threats. Bradford Networks
provides the visibility, enforcement, and granular flexibility that make
this dynamic BYOD environment possible, providing a “win – win”
solution for employees and the company.
BRINGING BYOD TO LIFE
BYOD is all about allowing employees to do their jobs and be as
productive as possible—which is why it’s being embraced by more and
more companies. But making it work is not as clear cut as it once was
when the company owned the assets and could make the rules.
Bradford Networks has pioneered the emergence of BYOD, and provides
network management tools and best practice methodologies to make
your BYOD initiative a success. Our Network Sentry product family is the
first network security offering that automatically identifies and profiles
all devices and users on a network, providing complete visibility and
control across all brands of equipment and devices.
Copyright © 2012 Bradford Networks. All rights reserved. Printed in USA. Bradford Networks and the logo are registered trademarks of Bradford Networks in the United States and/or other countries. BRADFORD.cloud, Network Sentry, Campus Manager and NAC Director are either trademarks or registered trademarks of Bradford Networks or one of its affiliated companies in the United States and/or other countries. All other trademarks or registered trademarks are the property of their respective owners. Bradford Networks reserves the right to change, without notice.
BN-001-08-001
Address: One Broadway, 4th Floor, Cambridge, MA 02142, USA
Toll Free: +1 866.990.3799
Phone: +1.603.717.9333
Email: info@bradfordnetworks.com
Web: www.bradfordnetworks.com
Bradford Networks offers the best solution to enable secure network access for corporate issued and personal mobile devices. The company’s flexible Network Sentry platform is the first network security offering that can automatically identify and profile all devices and all users on a network, providing complete visibility and control. Unlike vendor-specific network security products, Network Sentry provides a view across all brands of equipment and devices so nothing falls through the cracks. Hundreds of customers and millions of users worldwide rely on Bradford to secure their IP networks.