Why Identity is the Key
Employee, guest and device policy management and control
- By Krishna Prabhakar
- Oct 01, 2011
Most experts believe that allowing employees to use devices they are comfortable with boosts their productivity and helps reduce extraneous corporate expenses. This is reflected in the increasing variety of personal devices that businesses are accommodating on their networks on a regular basis. The challenge for IT administrators is to enable quick access to the corporate network for mobile users while ensuring that security, compliance and data protection don’t get left by the wayside.
The increasing use of personal devices and end users’ expectation of access is forcing organizations to rethink existing network access initiatives. Many compliance and auditing requirements also stress that organizations must capture access data and provide reports. Being able to identify users and devices before granting them access to the network is a key security advantage, and a proactive approach for differentiating by user role and device type reduces exposure to threats, ultimately protecting users as well as the organization.
Employees, partners and visitors all speak to the growing demand for “bring your own device” initiatives that tend to center on the support of personal smartphones, laptops and tablets. Gartner Inc. predicts that 90 percent of organizations will support corporate applications of some sort on personal devices by 2014. But what about network access security?
Today, users either circumvent policies to get their own devices connected, or IT teams are forced to create holes in the network that can compromise the organization’s security. The tension between security and access is something that every IT team eventually must deal with, but there is a fairly simple solution. Understanding the identity of who and what is attaching to the network is the key.
In a scenario where dozens or possibly even hundreds of users attempt to access a network with their personal devices, it’s imperative that IT organizations be able to tie a user’s identity and role to the devices connecting to the network, including the role of “visitor.” Once that information is known, access policies can then differentiate levels of access to network resources based on the user’s need and the attributes of the device. For example, a registered visitor with an unknown device may be granted Internet access, whereas a long-term visitor with a known and approved endpoint can be given specific intranet access in addition to Internet access.
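The role-plus-device-attribute policy described above, written out as an added example (this is illustrative code, not code from the article or from any product it mentions). The role names, the zone names and the ordered rule list are assumptions; the two visitor rules encode exactly the two cases the paragraph gives, and everything that matches no rule is denied and still logged:

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Network zones a session can be granted. Names are assumptions for this example.
INTERNET = "internet"
INTRANET = "intranet"
CORPORATE = "corporate"


@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed role names: "employee", "visitor", "long_term_visitor"


@dataclass(frozen=True)
class Device:
    mac: str
    registered: bool  # the device was registered by the user or by a sponsor
    approved: bool    # IT has vetted the endpoint (a "known and approved" device)


# Ordered rule set: (rule name, predicate over user and device, zones granted).
# First match wins; a pair that matches no rule falls through to default deny.
Rule = Tuple[str, Callable[[User, Device], bool], FrozenSet[str]]

POLICY: List[Rule] = [
    # Registered visitor on an unknown (unapproved) device: Internet only.
    ("visitor-unknown-device",
     lambda u, d: u.role == "visitor" and d.registered and not d.approved,
     frozenset({INTERNET})),
    # Long-term visitor on a known, approved endpoint: Internet plus intranet.
    ("long-term-visitor-approved",
     lambda u, d: u.role == "long_term_visitor" and d.registered and d.approved,
     frozenset({INTERNET, INTRANET})),
    # Employee on an IT-approved device: full corporate access.
    ("employee-approved-device",
     lambda u, d: u.role == "employee" and d.approved,
     frozenset({INTERNET, INTRANET, CORPORATE})),
    # Employee on a registered personal device: no corporate resources.
    ("employee-personal-device",
     lambda u, d: u.role == "employee" and d.registered and not d.approved,
     frozenset({INTERNET, INTRANET})),
]


def evaluate(user: User, device: Device) -> Tuple[str, FrozenSet[str]]:
    """Return (matched rule name, zones granted) for a user/device pair."""
    for name, predicate, zones in POLICY:
        if predicate(user, device):
            return name, zones
    return "default-deny", frozenset()


def access_record(user: User, device: Device) -> dict:
    """The decision in a form suitable for the access log that auditors ask for."""
    rule, zones = evaluate(user, device)
    return {
        "user": user.name,
        "role": user.role,
        "mac": device.mac,
        "rule": rule,
        "zones": sorted(zones),
        "allowed": bool(zones),
    }


if __name__ == "__main__":
    # Constructed sample identities and devices.
    print(access_record(User("guest-4711", "visitor"), Device("00:11:22:33:44:55", True, False)))
    print(access_record(User("contractor-1", "long_term_visitor"), Device("00:11:22:aa:bb:cc", True, True)))
    print(access_record(User("alice", "employee"), Device("66:77:88:99:aa:bb", False, False)))
```

Putting the rules in an ordered list rather than nested conditionals keeps the policy reviewable: an auditor can read the list top to bottom, and every decision names the rule that produced it.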
The ability to capture user and device information provides valuable network visibility while also helping pinpoint possible security holes. This information enables organizations to take the proactive stance of tracking, logging and controlling the use of mobile devices, instead of guessing who is using them and how they’re being used.
The goal is to identify users and devices, perform authentication analysis, allow and deny access, and then selectively grant proper network access privileges. In select situations, accomplishing this goal may require a combination of use-cases if limited time and budget do not permit upgrades.
Network access security solutions should offer built-in components that identify users and devices; use role mapping within policies; and offer network access control capabilities, AAA services, device fingerprinting and real-time endpoint reporting. You’ll also want to ensure that the new solution can store identity information locally, access existing identity stores, and work with both older and newer networking equipment.
Many organizations begin by automating their wireless guest access workflow. Who is considered a visitor? Who can provide visitor access privileges—administration, a department head, IT staff? Can a visitor access the network after business hours or on weekends? The flexibility a dedicated network access solution provides should enable an IT administrator to create accounts easily and allow others in the organization to participate in the process.
A department administrator or “sponsor” can be given the ability to create and distribute access credentials, which means the IT department doesn’t have to be involved in every request. A local store within the policy platform appliance eliminates the need for disruptive adds/removes from Active Directory or LDAP stores. Another option should be the ability to assign privileges to multiple sponsors. Separate department sponsors can host their own guest access portals, manage their own visitor access requests and create reports for their area.
Creating a policy that enforces the start and termination of visitors’ network access privileges is also important, as is the ability to request that visitors register their device. If a MAC address is used to identify a device, it is important to ensure that other attributes of the device can also be used in a policy. Having this information helps create more granular policies that can prevent MAC spoofing and provide an IT department more-detailed information for network planning and audit purposes.
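As an added example of the two points just made (not code from the article or from any vendor), the check below keeps a sponsor-created registration with an access window and, alongside the MAC address, the device attributes captured at registration time. A later connection is denied when it falls outside the window or when the observed attributes no longer match the registered ones, which is the condition under which a copied MAC address is caught. The fingerprint field names, the sponsor names and all sample data are constructed for this example:

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Tuple


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so '00-11-22-AA-BB-CC' and '001122aabbcc' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Registration:
    mac: str
    sponsor: str
    valid_from: datetime
    valid_until: datetime
    # Attributes captured when the visitor registered (assumed fingerprint fields).
    dhcp_vendor_class: str
    os_family: str


@dataclass(frozen=True)
class Observation:
    """What the network sees when a device tries to connect."""
    mac: str
    dhcp_vendor_class: str
    os_family: str
    seen_at: datetime


FINGERPRINT_FIELDS = ("dhcp_vendor_class", "os_family")


def build_registry(*regs: Registration) -> Dict[str, Registration]:
    """Index registrations by normalized MAC so lookups ignore case and separator style."""
    return {normalize_mac(r.mac): r for r in regs}


def check_access(obs: Observation, registry: Dict[str, Registration]) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one connection attempt."""
    reg = registry.get(normalize_mac(obs.mac))
    if reg is None:
        return "deny", "device not registered"
    if not (reg.valid_from <= obs.seen_at < reg.valid_until):
        return "deny", "outside the sponsor's access window"
    # A MAC alone is copyable; the attributes captured at registration must match too.
    mismatched = [f for f in FINGERPRINT_FIELDS if getattr(reg, f) != getattr(obs, f)]
    if mismatched:
        return "deny", "fingerprint mismatch, possible MAC spoofing: " + ", ".join(mismatched)
    return "allow", f"registered device, sponsored by {reg.sponsor}"


# Constructed sample data: one visitor device registered for a single business day.
UTC = timezone.utc
REGISTRY = build_registry(
    Registration("00-11-22-AA-BB-CC", "dept-head-finance",
                 datetime(2011, 10, 3, 8, 0, tzinfo=UTC), datetime(2011, 10, 3, 18, 0, tzinfo=UTC),
                 dhcp_vendor_class="MSFT 5.0", os_family="Windows"),
)


def sample_observation(hour: int, vendor: str = "MSFT 5.0", os_family: str = "Windows",
                       mac: str = "00:11:22:aa:bb:cc") -> Observation:
    """Convenience constructor for observations on the sample day above."""
    return Observation(mac, vendor, os_family, datetime(2011, 10, 3, hour, 0, tzinfo=UTC))


if __name__ == "__main__":
    for obs in (sample_observation(10),
                sample_observation(10, "udhcp 1.18", "Linux"),
                sample_observation(20),
                sample_observation(10, mac="de:ad:be:ef:00:01")):
        print(obs.mac, obs.seen_at.time(), "->", check_access(obs, REGISTRY))
```

The denial reasons are deliberately distinct strings: a window expiry and a fingerprint mismatch call for different follow-up, and the audit log should let staff tell them apart.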
In some instances where seminars or events are commonplace, or at universities where the public has easy access to the network, an option that requires visitors to “pay for access” or enter a promotional code is also attractive. PCI-compliant credit card services can be used to determine the length of guests’ stays and capture payment information. Access is granted based on the status of the credit card transaction.
Real-World Example: University of San Diego
For a real-world end user example, we can look at the University of San Diego. Each summer USD welcomes more than 12,000 visitors for various on-campus events, sports camps and conferences. The IT team is responsible for providing access to a guest network for all these visitors, and it must manage the campus wireless network, which supports more than 18,000 registered users and visiting guests throughout the school year.
Things at USD are running smoothly now, but back in the spring of 2009, before it deployed any network access intelligence, the IT team faced some real challenges and hard deadlines to streamline visitor management for the summer rush. With key requirements defined—including bulk account and self-registration options, compatibility with the university’s Aruba wireless network, credit card payment and promotional code options, full redundancy/failover, ability to customize the guest captive portal, and activity and reporting—the team began evaluating solutions. USD chose the eTIPS 5000 Series platform from Avenda Systems based on its ease of use, ability to work with built-in components for multiple use-cases, customer service and price point.
As a result, USD now delivers secure access to students, faculty, staff and visitors alike. Identity-based access controls provide full reporting, differentiate user privileges and give visibility into the devices on the network. USD also uses a pay-for-access model that allows visitors to select daily or weekly access before they are allowed onto the network. USD staff can now see who is using the guest network and has valid records for any audit requirements.
For group registration, USD can upload a list of names or have the visitors register themselves before they arrive on the campus, which saves a lot of time for the IT team. USD estimates the access solution saves the IT team approximately 600 hours each year in support tasks and management.
The Web-based portal used for registration and visitor login allows the IT department to run health and/or posture checks on a visitor’s laptop, ensuring the user’s antivirus software is up-to-date without requiring anything from the user.
Security Check
A network access intelligence system must have the ability to inform users that their devices do not meet the requirements of the network’s security posture and present instructions that outline the steps they must take to remedy the problem.
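An added example of the posture check and remediation message described in the two paragraphs above (the USD portal check and the requirement that users be told what to fix). This is illustrative code, not the article's or any vendor's; the posture attributes, the patch-level number, the threshold values and the sample devices are all assumptions constructed for the example:

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Posture:
    """Attributes reported for an endpoint (assumed output of an agentless portal check)."""
    av_installed: bool
    av_signature_date: Optional[date]  # None when no signature date could be read
    os_patch_level: int                # assumed monotonically increasing patch level
    firewall_enabled: bool


@dataclass(frozen=True)
class Requirement:
    max_signature_age_days: int
    min_os_patch_level: int
    require_firewall: bool


def evaluate_posture(p: Posture, req: Requirement, today: date) -> Tuple[bool, List[str]]:
    """Return (compliant, remediation steps). An empty step list means the device passes."""
    steps: List[str] = []
    if not p.av_installed:
        steps.append("Install the approved antivirus product and run a full scan.")
    elif p.av_signature_date is None or (today - p.av_signature_date).days > req.max_signature_age_days:
        steps.append(f"Update antivirus signatures; they must be no more than "
                     f"{req.max_signature_age_days} days old.")
    if p.os_patch_level < req.min_os_patch_level:
        steps.append(f"Install operating system updates to reach patch level "
                     f"{req.min_os_patch_level} or later.")
    if req.require_firewall and not p.firewall_enabled:
        steps.append("Turn on the host firewall.")
    return not steps, steps


def portal_message(p: Posture, req: Requirement, today: date) -> str:
    """Text the captive portal shows: either a pass notice or numbered remediation steps."""
    compliant, steps = evaluate_posture(p, req, today)
    if compliant:
        return "Your device meets the network security requirements."
    lines = ["Your device does not meet the network security requirements. To gain access:"]
    lines += [f"  {i}. {step}" for i, step in enumerate(steps, 1)]
    return "\n".join(lines)


# Constructed sample requirement and devices, evaluated on a fixed sample day.
POLICY = Requirement(max_signature_age_days=7, min_os_patch_level=42, require_firewall=True)
SAMPLE_DAY = date(2011, 10, 3)
HEALTHY = Posture(av_installed=True, av_signature_date=date(2011, 10, 1), os_patch_level=42, firewall_enabled=True)
STALE = Posture(av_installed=True, av_signature_date=date(2011, 9, 1), os_patch_level=40, firewall_enabled=False)
NO_AV = Posture(av_installed=False, av_signature_date=None, os_patch_level=42, firewall_enabled=True)


if __name__ == "__main__":
    for name, posture in (("healthy", HEALTHY), ("stale", STALE), ("no-av", NO_AV)):
        print(f"--- {name} ---")
        print(portal_message(posture, POLICY, SAMPLE_DAY))
```

Returning the step list separately from the rendered message lets the same evaluation feed both the user-facing portal page and the endpoint report the article asks for.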
Components of the policies that were created for the wireless network should be reusable if common policies are to be applied to a wired network. The use of IP phones in conference rooms is often a vulnerability, because users have become accustomed to trying the extra port on the back of the phone for access. Proactively locking down access through the use of stronger authentication is desirable.
Once the guest workflow is in place, it is then easy to apply similar employee-specific policies for wireless, wired and VPN access. The policy solution should have a means to provide user information once users have connected to the network, such as: How many devices has a user connected to the network? Where on campus has the user connected from? If an employee is using a laptop at work but his personal device is trying to connect from a remote location, then you may not want to grant him access to every resource. The user may have traveled off-site and may require only e-mail access.
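The post-connection questions in the paragraph above (how many devices, from where, and the case of a personal device connecting remotely while the user's laptop is on site) as an added example. It is illustrative code, not the article's or any vendor's; the resource names, the location names, the per-user device limit and the sample sessions are assumptions constructed for the example:

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Resource classes a session can be granted (assumed names).
EMAIL = "email"
INTRANET = "intranet"
CORPORATE = "corporate"
FULL = frozenset({EMAIL, INTRANET, CORPORATE})

MAX_DEVICES_PER_USER = 3  # assumed limit on concurrently connected devices


@dataclass(frozen=True)
class Session:
    user: str
    device_id: str
    personal: bool   # personal device rather than company-issued
    location: str    # constructed location names: "hq-building-a", "vpn", ...


def is_remote(location: str) -> bool:
    return location == "vpn"


def user_summary(active: List[Session], user: str) -> Dict[str, object]:
    """Answer the two questions: how many devices, and connected from where?"""
    mine = [s for s in active if s.user == user]
    return {"devices": len({s.device_id for s in mine}),
            "locations": sorted({s.location for s in mine})}


def decide(new: Session, active: List[Session]) -> Tuple[FrozenSet[str], str]:
    """Resources granted to a new session, given the user's other active sessions."""
    others = [s for s in active if s.user == new.user and s.device_id != new.device_id]
    device_count = len({s.device_id for s in others}) + 1
    if device_count > MAX_DEVICES_PER_USER:
        return frozenset(), f"device limit exceeded ({device_count} > {MAX_DEVICES_PER_USER})"
    on_site = any(not is_remote(s.location) for s in others)
    if is_remote(new.location) and new.personal and on_site:
        # The laptop is at work but a personal device is arriving over VPN: e-mail only.
        return frozenset({EMAIL}), "personal device remote while user is on site: e-mail only"
    if is_remote(new.location) and new.personal:
        return frozenset({EMAIL, INTRANET}), "personal device over VPN"
    if new.personal:
        return frozenset({EMAIL, INTRANET}), "personal device on site"
    return FULL, "company-issued device"


# Constructed sample of currently active sessions.
ACTIVE_SESSIONS = [
    Session("alice", "laptop-01", False, "hq-building-a"),
    Session("bob", "laptop-02", False, "hq-building-b"),
    Session("bob", "tablet-02", True, "hq-building-b"),
    Session("bob", "phone-02", True, "hq-building-b"),
]


if __name__ == "__main__":
    print(user_summary(ACTIVE_SESSIONS, "bob"))
    for attempt in (Session("alice", "phone-01", True, "vpn"),
                    Session("carol", "phone-03", True, "vpn"),
                    Session("bob", "watch-02", True, "hq-building-b")):
        print(attempt.user, attempt.device_id, "->", decide(attempt, ACTIVE_SESSIONS))
```

The decision depends on the user's other sessions, so the list of active sessions has to be visible to every enforcement point; that is the practical reason the following paragraph asks for user information to be cached across a cluster.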
Another common practice is to deploy common policies throughout an enterprise, so that when users move from location to location they are granted a familiar level of network access based on their identity, role and device. The policy solution should also be flexible enough to cache user information across a cluster and provide a consistent set of enforcement parameters.
This may seem like a lot to expect from a single solution. The need to differentiate access based on a user’s role and device type is what’s driving the demand for solutions based on dynamic network access intelligence. Network access control and device profiling should be included as additional components within a policy solution. Having an advanced solution in place directly addresses critical network access security needs by profiling users and devices while delivering improved network access visibility and business-specific reporting capabilities.
In today’s world, users are more mobile than ever. The evolving landscape of devices coming onto networks is driving new habits, and it’s time for businesses to accept that mobile devices help productivity—and are here to stay.
Personal devices such as tablets, laptops, company-issued phones and personal smartphones are all a part of the network. If IT managers stay proactive and take appropriate action while adapting, they will achieve success. While the future is uncertain, the one thing we can always expect is change.
This article originally appeared in the October 2011 issue of Network-Centric Security.