The following steps describe how to enable a BYOD environment that works for both users and the enterprise. It’s an approach that shifts the focus from traditional command and control to flexible, policy-based network provisioning that can support personal mobile devices. Employees can be productive on their preferred devices without compromising the organization’s security.
The process uses Bradford’s Network Sentry tool that provisions network access to corporate-owned and personal devices according to rules that you define. We’ll be using Network Sentry’s policy engine to define network access in a very granular way to meet the needs of different users and groups. We’ll then use Network Sentry to enforce compliance with those policies, provide visibility into all network access, and allow policies to be modified if needed.
1. Determine which mobile devices are allowed on the network
The first step is to determine which devices need to be supported, and whether those devices are secure enough to be granted network access. Whether a device is considered safe does not have to be a binary permitted/not-permitted decision; for example, a company may allow employees to onboard any device and get guest access, but only specific devices would be allowed further access. It’s very important at this initial stage to educate employees about security practices when using the corporate network, and if a device can’t be supported because it’s highly insecure, now is the time to explain why. Employees also need to be involved in defining the policy: IT should reach out to different departments to understand the BYOD needs of their users rather than attempt to make this decision on its own. For example, physicians may feel that iPads are critical in the hospital because they can be easily sanitized—a detail that IT will probably want to know before they set the policy!
2. Determine which OS versions are allowed on the network
Once you’ve decided which personal devices to allow on your network, you need to determine which operating system version must be installed on each device. You then need to make sure that software patches are kept up to date so the device does not become susceptible to viruses and spyware. Mobile Device Management (MDM) software that users download and install on their mobile device automatically keeps devices up to date, much like the patching mechanisms used for updating desktop PCs. It can also remotely wipe a device clean if it’s reported lost or stolen.
3. Determine which applications are mandatory (or prohibited) for
The next step is to determine which applications employees need to be productive, and what precautions you need to take. An IT administrator can configure the MDM software to enable network access only to specified enterprise application(s), and to disable access to personal applications that could carry a security risk while the user is logged in. When the user logs out of the company network, they can go back to using their personal apps. Depending on the security posture, the policy could also be more forgiving, allowing a user to access personal apps while logged into a company server, as long as those apps were downloaded from a trusted and reliable source, such as an app store. The MDM software can tell if someone has tampered with the device (jailbreaking) and downloaded software that is potentially not from an app store and thus less secure. Depending on the security posture defined in the policy, this could cause the device to be disabled, or the user to be given guest status or some other limited access.
4. Determine which groups of employees will be allowed to use
Now you’re going to determine who can use the approved devices based on their profile: what group they belong to, what privileges they have, what device they’re using, and what applications they need to use. For example, physicians may be granted access from their iPads to view and update patient information, while nurses may only be granted access from their mobile phones for calls and text messages. Or different groups might be granted access from the same device but to different corporate applications, depending on how the access policy is defined. The new NAC technology provides great flexibility in the way network access options can be defined, which are then monitored and enforced.
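The four steps above amount to an ordered rule set that maps a (user, device) pair to a tier of access rather than a yes/no answer. The following is an added example of such a policy engine written for this page; it is not Network Sentry’s code or API, and the platform names, minimum OS versions, app identifiers, group names and access tiers are constructed assumptions chosen to illustrate the steps. Each check that fails downgrades the device to guest (or deny) and records a reason code, so the same evaluation that enforces the policy also produces the visibility an administrator wants.

```python
"""Toy tiered-access policy engine for BYOD onboarding (added example, not Network Sentry's code)."""
from dataclasses import dataclass
from enum import IntEnum


class Access(IntEnum):
    """Access tiers, ordered so max() picks the most permissive tier a user's groups allow."""
    DENY = 0
    GUEST = 1      # internet only, no corporate resources
    LIMITED = 2    # a narrow set of corporate applications
    FULL = 3       # the enterprise application set


@dataclass(frozen=True)
class Device:
    platform: str        # "ios", "android", ... as reported by the MDM agent
    os_version: str      # dotted numeric version string, e.g. "7.1.2"
    mdm_enrolled: bool   # MDM agent installed and reporting
    jailbroken: bool     # tamper flag raised by the MDM agent
    apps: frozenset      # installed app identifiers from the MDM inventory


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset    # directory group names


@dataclass(frozen=True)
class Decision:
    access: Access
    reason: str          # machine-readable code kept for the audit trail


# Step 1 and 2: supported platforms and the minimum OS version for each (assumed values).
MIN_OS = {"ios": (7, 0), "android": (4, 4)}

# Step 3: app identifiers whose presence indicates sideloading (assumed values).
PROHIBITED_APPS = frozenset({"com.example.sideloaded-store"})

# Step 4: the highest tier each group may reach; a user in several groups gets the highest.
GROUP_TIER = {"physicians": Access.FULL, "nurses": Access.LIMITED}


def parse_version(version: str) -> tuple:
    """'7.1.2' -> (7, 1, 2); tuple comparison then orders versions correctly ((7, 1, 2) > (7, 0))."""
    return tuple(int(part) for part in version.split("."))


def evaluate(user: User, device: Device) -> Decision:
    """Apply the checks in order; the first failing check fixes the outcome and its reason."""
    if device.platform not in MIN_OS:
        return Decision(Access.DENY, "unsupported_platform")
    # Every later check relies on what the MDM agent reports, so an unenrolled
    # device cannot be trusted beyond guest access.
    if not device.mdm_enrolled:
        return Decision(Access.GUEST, "not_enrolled")
    if device.jailbroken:
        return Decision(Access.GUEST, "tampered_device")
    if parse_version(device.os_version) < MIN_OS[device.platform]:
        return Decision(Access.GUEST, "os_below_minimum")
    if device.apps & PROHIBITED_APPS:
        return Decision(Access.GUEST, "prohibited_app_installed")
    # Device is healthy: the tier now comes from group membership alone.
    tier = max((GROUP_TIER.get(g, Access.GUEST) for g in user.groups), default=Access.GUEST)
    return Decision(tier, "group_policy")


def audit_report(fleet) -> list:
    """One row per (user, device) pair: who, on what, got which tier and why."""
    rows = []
    for user, device in fleet:
        decision = evaluate(user, device)
        rows.append((user.name, device.platform, decision.access.name, decision.reason))
    return rows


# Constructed sample fleet, as an administrator might see it during onboarding.
SAMPLE_FLEET = [
    (User("dr_okafor", frozenset({"physicians"})),
     Device("ios", "7.1.2", True, False, frozenset({"com.example.ehr"}))),
    (User("nurse_lee", frozenset({"nurses"})),
     Device("android", "4.4.2", True, False, frozenset())),
    (User("dr_patel", frozenset({"physicians"})),
     Device("ios", "7.1.2", True, True, frozenset())),            # jailbroken
    (User("dr_reyes", frozenset({"physicians"})),
     Device("ios", "6.1.3", True, False, frozenset())),           # OS too old
    (User("visitor", frozenset()),
     Device("android", "5.0", True, False, frozenset())),         # no group
]

if __name__ == "__main__":
    for row in audit_report(SAMPLE_FLEET):
        print("%-10s %-8s %-8s %s" % row)
```

The ordering of the checks is the policy decision the text describes: device health (enrollment, tampering, OS level, sideloaded apps) is settled before group privileges are considered, so a physician on a jailbroken iPad lands in the same guest tier as an unknown visitor, and the reason code makes the difference visible in the audit rows.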