BYOD: The Y2K of Networking?
BYOD is scary, and scary sells products. Good for us. But the reality is that BYOD has become a bit like Y2K: a big problem that isn’t that big.
Mobile is surging, yes, but product peddlers have blown it way out of proportion. Wild-eyed Crackberry-turned-iAddict users are making enterprises reassess their wireless strategies. But truth be known, most businesses really want to do a few simple things with BYOD:
- Find an easy way to onboard all devices (organization- and user-owned)
- Automatically provide user-based policies when a user connects
- See who is accessing the network with which devices
- Extend wired security and design (content filtering, firewalls, and VLANs) to the wireless network
- Add wireless capacity to networks with 2x, 3x, or 4x devices per user
- Keep it simple, cost-effective, and leverage existing infrastructure!
Sure, some organizations also want to directly manage devices and apps, provide NAC (and anti-x) inspection, quarantine, and remediation, and then filter, control, and steer their users with highly customized policies based on seventeen unique criteria including (but not limited to) user, device, location, time, access method, user mood, moon phase, ambient outdoor temperature, tide levels, and pant size.
Understandably, some organizations (such as those with strict compliance requirements) need highly customized security policies in place. Where IT staff expertise and budgets are sufficient, we wholeheartedly recommend it.
But despite the BYOD hype claiming that everyone needs all the customization and then some, we’re hearing a different story from the middle of the enterprise market.
And when it comes to BYOD, very few companies really want to implement every bell and whistle because (a) they don’t have time, (b) they don’t have the skilled staff, (c) they don’t have the budget, (d) they don’t see the need, or more likely, (e) all of the above. But more importantly, organizations already have the right network components to address their BYOD basics without having to purchase more network equipment:
- Authentication – you already securely authenticate users against your authentication server (LDAP, AD, etc.). Even if you don’t want to use 802.1X, there are still excellent options.
- Network security – many organizations have already invested time and energy designing proper network segmentation and security with VLANs, ACLs, firewalls, and content filters. Why replicate the configuration and complexity on wireless devices if you’re already doing it on the wire?
- Role-based access policies – you know who people are and where they belong on the network; now it’s time to use that information to make sure everyone gets the right access and nothing else. This can apply to device types too.
- Visibility – there are many devices in the network that can monitor who’s on your network and what they’re doing. A smart Wi-Fi system provides this information at the edge, where you can make provisioning changes as needed.
Role-based access is often the biggest hurdle, but for those who have group policies wrapped up with a pretty bow, the new question that needs answering is whether all users and devices are the same. Users with personal devices are forcing the question. Thus, the basic problem surrounding BYOD is that users are known but devices aren’t.
IT needs to know what devices are on the network at any time and who owns them. But network access has already been restricted by network security and segmentation (and any other overlay solutions in place, such as NAC and content filters). This raises some important questions:
- How are personal devices initially provisioned to gain network access?
- How is each device identified, associated with a user, and then tracked?
- How is a user/device restricted to a WLAN or VLAN/firewall policy?
There are a few easy-to-use features that have been around before the BYOD bell started ringing that will help most organizations overcome the BYOD blues.
Dynamic Pre-Shared Keys (DPSKs) are a unique Ruckus feature for organizations that aren’t ready to wade into the deep end with 802.1X. A DPSK is a 62-byte key generated by the ZoneDirector. Each key is paired with a specific device, allowing the key/device/user combination to be managed and monitored individually. It’s a bit like Goldilocks. 802.1X/EAP is confusing and/or difficult to implement. PSKs have security weaknesses and management problems. DPSKs are just right. They offer the best of both worlds:
- Unique access credentials for each user and device
- Individual control of user credentials (creating and revoking)
- No certificates, complex configuration, or backend dependencies
- Valid users can’t decrypt each other’s traffic
Zero-IT Activation is another unique feature from Ruckus that is often wed with DPSKs—or may be used with 802.1X. Zero-IT is a secure onboarding tool that allows users to self-provision devices without IT intervention.
Users connect to a provisioning network, securely log in with their domain credentials (or against a Ruckus user database), and Zero-IT auto-configures their device with the appropriate network profile and its associated privileges. The device reconnects to the proper network and the user receives access based on the role-based policies in place. IT stays out of the onboarding loop yet retains full control over user/device access. IT also has the visibility to see who registered the device, what type of device it is, and plenty more.
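To make the DPSK and Zero-IT ideas above concrete, here is an added example in Python that is not Ruckus code and does not model the ZoneDirector's real implementation. It is a toy registry that follows the post's description: a user proves who they are against a directory (a constructed stand-in for LDAP/AD), the registry issues a unique 62-character key bound to that one device and user, a later connection attempt is checked against that binding, the user's role maps to a VLAN, and a single device can be revoked without touching anyone else's key. The directory entries, the role-to-VLAN table, and the device identifiers are all constructed for the example; the key alphabet is an assumption, since the post only states the key length.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# --- Constructed stand-in for the organization's authentication server ---
# Passwords are stored salted and hashed so the example does not keep plaintext.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

DIRECTORY = {  # constructed sample users
    "alice": _make_user("correct horse battery staple", "staff"),
    "bob": _make_user("a-long-contractor-passphrase", "contractor"),
}

# Role-based policy: the VLAN a role lands on once the device authenticates.
ROLE_TO_VLAN = {"staff": 10, "contractor": 20}  # constructed values

DPSK_LENGTH = 62                                  # key length stated in the post
KEY_ALPHABET = string.ascii_letters + string.digits  # assumption, not Ruckus's format


@dataclass
class Binding:
    """One key, one device, one user: the unit that is managed and revoked."""
    user: str
    role: str
    device: str
    key: str
    revoked: bool = False


class DpskRegistry:
    def __init__(self):
        self._by_device = {}  # device_id -> Binding

    def onboard(self, username: str, password: str, device_id: str):
        """Zero-IT style self-provisioning: verify the user against the
        directory, then issue a fresh per-device key. Returns the Binding,
        or None if the credentials are wrong."""
        entry = DIRECTORY.get(username)
        if entry is None:
            return None
        candidate = _hash_password(password, entry["salt"])
        if not hmac.compare_digest(candidate, entry["hash"]):
            return None
        key = "".join(secrets.choice(KEY_ALPHABET) for _ in range(DPSK_LENGTH))
        binding = Binding(username, entry["role"], device_id, key)
        # Re-onboarding the same device replaces its old key.
        self._by_device[device_id] = binding
        return binding

    def authenticate(self, device_id: str, key: str):
        """Check a connecting device's key. Returns the access decision
        (user, role, VLAN) or None. Constant-time compare avoids leaking
        how many leading characters matched."""
        binding = self._by_device.get(device_id)
        if binding is None or binding.revoked:
            return None
        if not hmac.compare_digest(binding.key.encode(), key.encode()):
            return None
        return {"user": binding.user, "role": binding.role,
                "vlan": ROLE_TO_VLAN[binding.role]}

    def revoke(self, device_id: str) -> bool:
        """Revoke one device only; every other key stays valid, which is
        the property a single shared PSK cannot give you."""
        binding = self._by_device.get(device_id)
        if binding is None:
            return False
        binding.revoked = True
        return True

    def devices_for(self, username: str):
        """Visibility: which active devices belong to a user."""
        return sorted(d for d, b in self._by_device.items()
                      if b.user == username and not b.revoked)


if __name__ == "__main__":
    reg = DpskRegistry()
    phone = reg.onboard("alice", "correct horse battery staple", "alice-phone")
    laptop = reg.onboard("alice", "correct horse battery staple", "alice-laptop")
    print(reg.authenticate("alice-phone", phone.key))   # staff on VLAN 10
    reg.revoke("alice-phone")
    print(reg.authenticate("alice-phone", phone.key))   # None: revoked
    print(reg.authenticate("alice-laptop", laptop.key)) # still valid
    print(reg.devices_for("alice"))                     # ['alice-laptop']
```

The point the model makes is the one the post lists as "individual control of user credentials": because each device holds its own key, revoking a lost phone is a one-row change, whereas with a conventional shared PSK every device on the SSID would need reconfiguring. Nothing here reflects how the ZoneDirector actually generates or stores keys.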
For enterprises that want additional device-specific flexibility, ZoneFlex software includes client OS fingerprinting capabilities as well. When joined with user, role, and time-based policies, IT staff will have even more granularity, if they need the extra layers of control.
Here's an illustration that shows what happens when configuring ZoneFlex for BYOD. And below is a short video that actually takes you through the steps. Quick setup. Easy access. Productive users – how BYOD is meant to be.