Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How are you handling BYOD?

  • 1.  How are you handling BYOD?

    Posted Jan 01, 2014 02:00 PM


    How is everyone handling BYOD? Where I work, BYOD started out with grandiose visions. But the lawyers got ahold of it and now it's nothing more than sponsored guest access for corporate devices.

    I really am trying to convince the powers that be that BYOD is more than just guest access and that we need to embrace MDM, location services and policy control. That way we can have the security that the lawyers want and the freedom that users desire to allow them to do their job anytime, at any place.

    A true BYOD solution should be transparent to the end user, just another way to connect to the network. This solution should also be intuitive to configure for the administrator and allow for granular policy control.

    A big stumbling block I run into with our current situation is that we have zero visibility into the client devices. We have no idea what software is running on the device or where a user is located. Finally, as far as access control goes, it's an all-or-nothing scenario, which scares the business types.

    I'm thinking if we deployed an MDM solution, this would give us insight into the client side. Location services would tell us where our clients are, and AAA policy control would allow us to grant granular access, getting rid of that all-or-nothing access solution.

    How are you handling BYOD?


  • 2.  RE: How are you handling BYOD?

    EMPLOYEE
    Posted Jan 02, 2014 02:30 AM

    Perhaps the simplest thing is if the corporate connections are using dot1x with EAP-PEAP. With this method, whether they like it or not, they have BYOD because it's just based on username/password and users become savvy in being able to connect their devices.

    With machine authentication enforced, you can then just adjust the 'user-auth' role and restrict their access as required. This does require all the corporate devices to be Windows based and to be in AD as a machine, but a lot of companies have this already. This is a good cheap-and-cheerful way of doing it and works really well.

    A more elegant way of doing it is with Clearpass Onboard, but the expense of that is hard to justify sometimes.
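
The mechanism the reply above relies on, as an added worked example that is not part of the post and is not ArubaOS or ClearPass code: a controller that enforces machine authentication remembers which client MACs passed a machine (computer-account) authentication, and a later user authentication from the same MAC gets the full role, while user credentials arriving from a MAC that never did machine auth (a personal phone using the employee's username/password) land in the restricted 'user-auth' role. The role names, identities, MAC addresses, credential store and the 24-hour cache timeout are all assumptions made for the illustration.

```python
"""Constructed model of 802.1X with "enforce machine authentication".

Added illustration, not ArubaOS or ClearPass code. Models a controller-side
cache of machine-auth results keyed by client MAC, and the role derivation
that follows from it. Role names, identities, MACs, credentials and the
cache timeout are assumptions.
"""
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Roles referenced by the 802.1X profile (assumed names).
ROLE_MACHINE_ONLY = "machine-auth-only"   # machine passed, no user logged in yet
ROLE_USER_ONLY = "user-auth"              # user passed, no cached machine auth for this MAC
ROLE_FULL = "authenticated"               # machine and user both passed

# Assumed cache lifetime for a successful machine authentication (24 hours).
MACHINE_AUTH_CACHE_TIMEOUT = 24 * 3600

# Constructed credential store. A Windows computer account presents itself as
# "host/<fqdn>" when it does PEAP machine authentication.
CREDENTIALS = {
    "host/laptop01.corp.example": "machine-secret-1",
    "alice": "alice-password",
}


def _password_ok(identity: str, password: str) -> bool:
    """Constant-time comparison against the constructed store."""
    expected = CREDENTIALS.get(identity)
    return expected is not None and hmac.compare_digest(expected, password)


def is_machine_identity(identity: str) -> bool:
    """Computer accounts authenticate as host/<fqdn>; everything else is a user."""
    return identity.lower().startswith("host/")


@dataclass
class MachineAuthCache:
    """Controller-side record of which MACs recently passed machine auth."""
    timeout: int = MACHINE_AUTH_CACHE_TIMEOUT
    _entries: dict = field(default_factory=dict)   # mac -> time of last success

    def record(self, mac: str, now: float) -> None:
        self._entries[mac.lower()] = now

    def is_valid(self, mac: str, now: float) -> bool:
        stamp = self._entries.get(mac.lower())
        return stamp is not None and (now - stamp) < self.timeout


def authenticate(cache: MachineAuthCache, mac: str, identity: str,
                 password: str, now: float) -> Optional[str]:
    """Return the role assigned to this 802.1X attempt, or None if rejected."""
    if not _password_ok(identity, password):
        return None
    if is_machine_identity(identity):
        cache.record(mac, now)
        return ROLE_MACHINE_ONLY
    # User credentials: full role only if this MAC recently passed machine auth.
    return ROLE_FULL if cache.is_valid(mac, now) else ROLE_USER_ONLY


def walkthrough() -> dict:
    """Constructed sequence: corporate laptop vs personal phone, same user."""
    cache = MachineAuthCache()
    laptop, phone = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    return {
        # Domain-joined laptop boots and does machine auth.
        "laptop_boot": authenticate(cache, laptop, "host/laptop01.corp.example", "machine-secret-1", 0),
        # Alice logs in on that laptop: machine auth is cached for its MAC.
        "laptop_login": authenticate(cache, laptop, "alice", "alice-password", 30),
        # Alice's personal phone uses the same credentials from a different MAC.
        "phone_login": authenticate(cache, phone, "alice", "alice-password", 60),
        # Wrong password is simply rejected.
        "phone_bad_pw": authenticate(cache, phone, "alice", "wrong", 61),
        # Laptop left up for 25 hours without a reboot: the cache entry has
        # expired, so the next user re-authentication drops to the restricted role.
        "laptop_after_25h": authenticate(cache, laptop, "alice", "alice-password", 25 * 3600),
    }


if __name__ == "__main__":
    for step, role in walkthrough().items():
        print(f"{step:18s} -> {role}")
```

The last step is the operational caveat worth checking before relying on this scheme: in this model a laptop that stays up past the cache timeout falls back to the restricted role on its next re-authentication, so the cache lifetime has to be weighed against the re-authentication interval and how often corporate machines actually reboot.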



  • 3.  RE: How are you handling BYOD?

    Posted Jan 03, 2014 09:52 AM

    Thanks for the thoughts.

    A lot of the issues of BYOD could be solved if people had a clearer focus on what they wanted. "I want BYOD." What does that mean? To a user, that means freedom to work from anywhere on anything.

    Well, to an admin or security person, BYOD could give you fits.

    How do you balance the freedom against the security you need to maintain?

    That's why I am advocating MDM and AAA policy control, with a clearly defined focus on what you're trying to accomplish. Know what you're trying to do, and communicate within your organization.



  • 4.  RE: How are you handling BYOD?

    EMPLOYEE
    Posted Jan 03, 2014 06:15 PM

    It's funny when people say that they've implemented BYOD for employees and you find out that they're just letting them use the guest network.


    • I guess they haven't considered how a few hundred more devices on the guest network would actually impact traffic for guests.
    • They're probably not getting a good picture of who's on the guest network and how much time they're there, or how much traffic they're generating.
    • Are they letting people VPN back into the internal network with personal devices? That's another problem.

    Might be better to create a personal devices policy on the internal SSID so that you can at least see who's connecting and how many devices per person, you don't impact the guest network, and you can manage which roles get to specific resources. Looking at a high-level example, maybe executives get to the Internet and internal apps, whereas other roles can only get to the Internet.


    Nowadays you can also use MDM and app management to see where devices and your resources are. And you can take action if devices are lost or stolen. 


    Hopefully more people chime in so that we can see what approach is being used more often.


    Trent
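
The personal-devices policy sketched in the reply above, as an added worked example that is not code from the post or from any HPE Aruba product. It shows the two halves of that suggestion: deriving a BYOD role from the user's directory group while counting devices per person (so the operator can see who is connecting and with how many devices), and a per-role, first-match firewall policy so an executive role reaches internal apps while everyone else gets Internet only. The group names, role names, subnets and the per-user device cap are assumptions.

```python
"""Constructed example of a personal-device policy on the internal SSID.

Added illustration, not code from the post or from any HPE Aruba product.
Group names, role names, address plan and the device cap are assumptions.
"""
import ipaddress
from collections import defaultdict
from typing import Optional

# Assumed address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_APPS = ipaddress.ip_network("10.0.5.0/24")    # assumed internal app subnet
ANY = ipaddress.ip_network("0.0.0.0/0")

# Per-role rules, evaluated top to bottom; first match wins, default deny.
POLICY = {
    "exec-byod": [
        ("permit", [INTERNAL_APPS]),   # internal apps ...
        ("deny", INTERNAL_NETS),       # ... but nothing else on the inside
        ("permit", [ANY]),             # Internet
    ],
    "employee-byod": [
        ("deny", INTERNAL_NETS),       # no internal access at all
        ("permit", [ANY]),             # Internet only
    ],
}

MAX_DEVICES_PER_USER = 3   # assumed cap on personal devices per person


def role_for(groups) -> str:
    """Map directory group membership to a BYOD role (assumed mapping)."""
    return "exec-byod" if "Executives" in groups else "employee-byod"


def allowed(role: str, dst_ip: str) -> bool:
    """First-match evaluation of the role's rule list; unknown role -> deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, nets in POLICY.get(role, []):
        if any(dst in net for net in nets):
            return action == "permit"
    return False


class DeviceRegistry:
    """Tracks which personal devices (by MAC) each user has connected."""

    def __init__(self, cap: int = MAX_DEVICES_PER_USER):
        self.cap = cap
        self._devices = defaultdict(set)   # user -> {mac, ...}

    def connect(self, user: str, mac: str, groups) -> Optional[str]:
        """Return the role granted, or None if the user is over the device cap."""
        macs = self._devices[user]
        mac = mac.lower()
        if mac not in macs and len(macs) >= self.cap:
            return None
        macs.add(mac)
        return role_for(groups)

    def device_count(self, user: str) -> int:
        return len(self._devices[user])


def walkthrough() -> dict:
    """Constructed scenario: one executive, one employee with too many devices."""
    reg = DeviceRegistry()
    exec_role = reg.connect("carol", "02:00:00:00:00:01", {"Executives", "Staff"})
    emp_role = reg.connect("dave", "02:00:00:00:00:02", {"Staff"})
    for i in range(3, 6):   # dave brings three more phones/tablets; the last is refused
        reg.connect("dave", f"02:00:00:00:00:0{i}", {"Staff"})
    return {
        "exec_role": exec_role,
        "emp_role": emp_role,
        "exec_to_apps": allowed(exec_role, "10.0.5.10"),
        "exec_to_other_internal": allowed(exec_role, "10.0.9.10"),
        "emp_to_apps": allowed(emp_role, "10.0.5.10"),
        "emp_to_internet": allowed(emp_role, "198.51.100.7"),
        "dave_devices": reg.device_count("dave"),   # capped at 3
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key:24s} {value}")
```

Because every device authenticates with a real user identity on the internal SSID, the registry gives exactly the visibility the reply asks for (who, and how many devices), and the per-role rule list is where the "executives get internal apps, others get Internet" distinction lives rather than in an all-or-nothing VLAN.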




  • 5.  RE: How are you handling BYOD?

    EMPLOYEE
    Posted Jan 04, 2014 07:40 AM

    A lot of companies I see consider BYOD as just letting them have Internet without the hassle of a guest captive portal. To that end, a simple PSK SSID that shares the same VLAN as their existing guest network is normally sufficient.


    I don't consider this to be very elegant or scalable, but for many it is a quick and effective fix to address BYOD.



  • 6.  RE: How are you handling BYOD?

    Posted Mar 01, 2014 05:58 AM

    BYOD is more than just the right tool. It requires knowing what is wanted exactly, but it also requires knowing what your users are willing to put up with. Visibility usually means software installation, which requires giving rights to an application, which users might not like. Add to that the more impactful actions that can sometimes be performed (wipe, clear), and it becomes even more difficult.

    As said before, I'm also interested in seeing what others are doing, but I can easily understand it isn't going as far as we, from a technical point of view, would like.