The new mobility challenge revolves around managing and protecting the explosion of network connected devices brought about by the adoption and expansion of the ‘Internet of Things.’ Gartner now predicts 50 Billion devices to be connected by 2020, blurring the lines between user and IoT device access, while also highlighting the importance of securing the network. As a result, enterprises face the challenge of how to effectively classify who and what is accessing the network via the many available gateways.
IoT devices that utilise wireless infrastructure are increasing and with it, the need for more effective identity management. Existing endpoint management solutions, agents and databases have traditionally been deployed and used, but the exponential growth in IoT devices caused these solutions to no longer be adequate to manage the security policies for all different use-case scenarios. Instead you need an access platform that uses the same access controls across the network while also providing different security postures for IoT and mobile user devices.
Meeting the expectations of mobile employees
Users expect simple and pervasive connectivity to access their enterprise systems. However, traditional approaches to providing mobile and remote access have caused frustration, with users often having to navigate legacy VPNs and un-intuitive software to securely access internal corporate resources. Utilising a complicated log in process is a simple example of security becoming a barrier instead of an enabler. When you add ever increasing numbers of IoT devices to the mix, you need an approach that balances the user experience with the right level of security.
Additionally, an employee expects to gain access to data wherever they are and they’re often unaware of the implications of using an untrusted or public network. The risk is multiplied when accessing sensitive information like patient records, company financials, or legal documents, which would normally only be allowed on a trusted, company owned and controlled device in a secure corporate environment. Regardless, your users still expect it to be as easy is if they were in the office.
The modern enterprise has evolved from BYOD to an environment that must provide secure access for a multitude of devices and users with importance on the security implications of this activity on the network.
Working with your IT department you can ensure the user is protected while giving your employees the flexibility to work on a mobile basis, either in or out of the office.
Identity Management in Access Control
The baseline in providing a tailored security approach starts with properly identifying the user or device. Who or what is this person or device that is attempting to access the network, and should they be allowed in? To determine this, you need to a directory of approved users or devices to refer to and a trusted way for the user to confirm that they are who they say they are.
Directory services come in all shapes and forms and are already integral to onsite enterprise networks, but when a user or device comes onto your network, what is the best way to confirm their identity?
Common approaches can include:
- Username and password
- Prior enrolment of the user’s device
- Multi-factor identification such as SMS, one-time pin or password
- Biometrics, such as a fingerprint or facial scanning
- Sponsor approval by an authorised person
- Self-provisioning as a guest, filling out the required information.
The problem is that no one single security policy will fit the multitude of scenarios, users or devices that require access.
The best solutions today take context into account. i.e. who is the user (or IoT device), where they are, what device they are using and what they are trying to access. These solutions rely on multiple security policies that increase the level of security depending on the context of the user or device. For example, if a user is just sending an email, then username and password authentication may be sufficient. However, if they are accessing sensitive company financials, multi-factor authentication may be enforced for added security.
By combining policy enforcement firewalls and a contextual management platform, you can set the appropriate policies based on identities, devices and locations that satisfy the needs of different groups of users within a single wireless network configuration. Traffic flows simply adapt to the mobility state of the mobile user and device.
The Role of Encryption
Once you have secured identity and network access, the second major challenge is in the transmission of the data itself – especially on Wi-Fi. Wi-Fi traffic in public spaces is often unencrypted and broadcast across an unsecured space so is easily intercepted. Regardless of whether this data is transmitted from a user or an IoT device, a level of encryption is needed. Mobility-based encryption solutions, based on certificates, can be quite cumbersome to manage and use - which again impacts the user experience negatively.
An alternative option revolves around virtual intranet access (VIA) clients. This is a hybrid IPsec/SSL VPN, but unlike traditional VPN software, VIA offers a zero-touch end-user experience and automatically configures wireless LAN settings on client devices with support for Android, iOS, Mac OS X, Linus and Windows.
When this is combined with a real-time solution that allows you to automatically detect and categorise endpoints, you can take advantage of contextual attribute sharing that extends visibility to your existing perimeter security solution. Once you know exactly what’s connecting to your network, you can enforce the right policies.
This is a big factor as ultimately; mobility security will continue to evolve. So rather than adding an additional layer of complexity, solutions should integrate to your existing services to build a long-term mobility success.
As a specialist network solutions provider, Matrix CNI can give you the right, independent advice and help you put the right foundations in place for long term security success.