Issue: North America 2013
Topic: ‘Virtually’ secure your BYOD initiative
Author's title: Chief Technology Officer
As Chief Technology Officer at Bradford Networks, Frank Andrus oversees all strategic technology functions, including evolution of the current product line, new product and services development, and setting the future corporate R&D strategy. Mr Andrus has over 20 years of experience developing software solutions for enterprise and telecommunication network management applications; his professional background includes assignments as a Senior Architect at Aprisma Management Technologies and senior engineering positions at Cabletron Systems. His secure, highly available network management solutions include patented automated device discovery methodologies.
Frank Andrus holds a BS in computer science from Franklin Pierce College in NH.
BYOD, the use of an employee’s own device to access company data, requires companies to install systems that defend the integrity of their data and their networks. To simplify BYOD security, employee devices may be required to log on to company networks and data through a contained environment called a virtualised desktop. The desktop, in conjunction with Network Access Control (NAC) to manage who and what is connecting to the network, provides a secure online work environment.
Bring-Your-Own-Device (BYOD), the use of personally owned employee devices on corporate networks, was one of the most disruptive trends for IT in 2012, and the trend is likely to continue unabated.
Many companies are now trying to figure out how to balance employee demand for BYOD with the need to maintain network security. Some organizations view desktop virtualisation as a potential solution to the problem of securing company data when it is used on personal devices. While virtualisation provides tremendous benefits for desktop management and alleviates some concerns about off-premises use of company data, it fails to address the most basic and fundamental aspect of a secure BYOD policy: understanding exactly who and what is connecting to the network.
Network Access Control (NAC) addresses these network blind spots, and it has emerged as a fundamental technology for implementing a secure BYOD policy.
Device visibility in a virtual world
Undoubtedly, virtualisation has made life easier for IT. By separating the user/employee environment from the physical machine, IT can deliver an image of the applications, processes and data that together make up the entire desktop experience. Furthermore, in a virtualised environment IT only has to manage and update one or two images, as opposed to managing and updating hundreds or thousands of endpoint devices. This creates a more secure environment, as virtualisation minimizes the potential impact if a machine is lost or suffers a hardware failure: the data and applications reside on the central server, not on the device itself.
However, virtualisation does not address the core tenet of network security: the ability to ‘see’, and be aware of, every user and device that connects to the network. Virtualisation only provides a virtualised environment; it does not control who and what is connected to a network. Network Access Control plugs this security hole in virtualised environments, without impacting employee choice or productivity.
In general, there are three primary ways an organization utilizes virtualisation. In each case, NAC used in tandem with virtualisation can strengthen BYOD security and improve employee productivity.
Use Case 1: This is the most common business scenario. In this use case, the desktop image lives in the data centre and provides access to a limited, isolated network that the company makes available to BYOD users. It varies by organization, but this separate network could include access to the Internet and to a single enterprise application that can access critical data. Users click on a lightweight app installed on their laptop, smartphone, tablet or other endpoint device to launch the virtual desktop.
Organizations that adopt this approach sometimes assume they don’t need visibility and control of the devices connecting to the network because the BYOD users only have access to a small, isolated network, while the main network is off-limits. This assumption is incorrect and potentially dangerous; it fails to account for the human element of BYOD. Users want to be able to use all the applications on their devices for both personal and business use. Employees do not bring their own devices to work to simply turn them into a corporate asset with a corporate owned operating system (usually Windows based) that limits the functionality and look and feel of the BYOD device. They want to use their own devices to their full capabilities and access the Internet and other applications via the corporate network. This requires full network connectivity.
Accordingly, IT still needs full visibility and control of endpoint devices on their corporate networks. NAC fills this gap by providing:
• Network Security: NAC ensures that only devices that fit a specific security profile can access the network. The organization determines the profile, but typically focuses on defined devices, OS level, up-to-date AV, and other critical security postures that impact network security.
• Role-Based Access: NAC automates the provisioning of appropriate resource access, based on the user and their device. For example, when an employee connects to the network using a company device, they can access a broad set of corporate resources according to their credentials. However, if the same employee logs on using a personal device, NAC will limit access to the virtual desktop and isolate the environment behind it.
• Resource Management: NAC helps organizations control and limit the number of devices users bring onto the network. When employees are able to bring any device they want onto this type of network, organizations can quickly run out of resources. NAC will tell you how many laptops, Androids, iPads, etc. are accessing the network, and allow automated access control based on the type of device.
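The three controls in the list above (a security-profile check, role-based segment assignment, and a per-user device limit with a type inventory) can be expressed as one small admission policy. The following Python is an added illustration written for this page, not code from Bradford Networks or from any NAC product; the minimum OS versions, the seven-day AV signature threshold, the three-device limit, the segment names and every device record are constructed for the example. It also applies to Use Case 2 below, where the same decision must be made before a device reaches the virtualised applications.

```python
"""Toy NAC admission policy: profile check, role-based segment, per-user device limit.
Constructed example for illustration; thresholds and records are invented."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Endpoint:
    user: str
    role: str                 # "employee", "contractor", ...
    device_type: str          # "laptop", "android", "ipad", ...
    os: str
    os_version: Tuple[int, int]
    corporate_owned: bool
    av_signature_age_days: Optional[int]   # None = no AV agent reporting

# Hypothetical security profile the organisation has decided on.
MIN_OS_VERSION = {"windows": (10, 0), "macos": (12, 0), "ios": (15, 0), "android": (12, 0)}
MAX_AV_SIGNATURE_AGE_DAYS = 7
MAX_DEVICES_PER_USER = 3

# Network segments the policy can assign (names are hypothetical).
CORP_NET = "corp"            # full corporate resources
VDI_NET = "vdi-only"         # Internet plus the virtual-desktop gateway, nothing else
QUARANTINE = "quarantine"    # remediation portal only
ROLE_SEGMENT = {"employee": CORP_NET, "contractor": VDI_NET}

def meets_security_profile(ep: Endpoint) -> Tuple[bool, str]:
    """Check device type/OS level/AV posture. An AV agent is mandatory on
    corporate-owned devices; on personal devices it is checked only if present."""
    os_key = ep.os.lower()
    if os_key not in MIN_OS_VERSION:
        return False, f"unsupported OS {ep.os}"
    if ep.os_version < MIN_OS_VERSION[os_key]:
        return False, f"{ep.os} {'.'.join(map(str, ep.os_version))} below minimum"
    if ep.av_signature_age_days is None:
        if ep.corporate_owned:
            return False, "no AV agent reporting"
    elif ep.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        return False, "AV signatures out of date"
    return True, "ok"

def assign_segment(ep: Endpoint, active: List[Endpoint]) -> Tuple[str, str]:
    """Return (segment, reason). `active` holds devices already admitted,
    which is what the per-user device limit is counted against."""
    ok, why = meets_security_profile(ep)
    if not ok:
        return QUARANTINE, why
    if sum(1 for d in active if d.user == ep.user) >= MAX_DEVICES_PER_USER:
        return QUARANTINE, f"device limit ({MAX_DEVICES_PER_USER}) reached for {ep.user}"
    if not ep.corporate_owned:
        return VDI_NET, "personal device: virtual desktop only"
    return ROLE_SEGMENT.get(ep.role, VDI_NET), f"corporate device, role {ep.role}"

def admit_all(requests: List[Endpoint]) -> Tuple[List[Tuple[str, str, str]], List[Endpoint]]:
    """Process admission requests in order; quarantined devices do not count as active."""
    active: List[Endpoint] = []
    decisions = []
    for ep in requests:
        seg, why = assign_segment(ep, active)
        decisions.append((ep.user, seg, why))
        if seg != QUARANTINE:
            active.append(ep)
    return decisions, active

def inventory(active: List[Endpoint]) -> dict:
    """The 'how many laptops, Androids, iPads' view of admitted devices."""
    return dict(Counter(d.device_type for d in active))

# Constructed admission requests, in arrival order.
SAMPLE_REQUESTS = [
    Endpoint("alice", "employee", "laptop", "Windows", (10, 0), True, 2),
    Endpoint("alice", "employee", "ipad", "iOS", (16, 1), False, None),
    Endpoint("bob", "contractor", "android", "Android", (11, 0), False, None),
    Endpoint("carol", "employee", "laptop", "Windows", (10, 0), True, 30),
    Endpoint("dave", "employee", "laptop", "macOS", (13, 0), True, 1),
    Endpoint("dave", "employee", "iphone", "iOS", (16, 0), False, None),
    Endpoint("dave", "employee", "ipad", "iOS", (16, 0), False, None),
    Endpoint("dave", "employee", "android", "Android", (13, 0), False, None),
]

if __name__ == "__main__":
    decisions, active = admit_all(SAMPLE_REQUESTS)
    for user, seg, why in decisions:
        print(f"{user:6} -> {seg:11} ({why})")
    print("inventory:", inventory(active))
```

The order of checks matters: posture is evaluated before ownership, so a corporate laptop with stale signatures is quarantined rather than admitted on the strength of its ownership, and a personal device that passes posture is still confined to the virtual-desktop segment rather than the full corporate network.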
Use Case 2: In this scenario, the application image lives in the data centre. Instead of virtualising the entire desktop, this approach virtualises only the primary applications that the organization makes available to employees. When BYOD is added to the mix, the user is able to access the specific business applications virtually, but the device itself still needs network connectivity. This means that, as in the first use case, IT still needs to know which devices are on the network and which users are using them. As outlined above, NAC plays a critical role in this environment, detecting which user is requesting network access, which device they are using, and whether or not its configuration is secure.
Use Case 3: In this virtualisation scenario, the desktop image lives on the user’s device and a low-level OS downloads the desktop image whenever the device is powered up. Any data that is subsequently added or changed is synchronised with the central database in the data centre.
From an organizational perspective, this may be the most secure, stand-alone virtualised environment: IT only has to ensure that one OS is secure. This helps the overall security posture, but still fails to address network security, the initial stage of identifying exactly who and what is connecting to your network. NAC provides this visibility while enforcing proper access policies.
A NAC for virtualisation
Now that we’ve examined three general cases for virtualisation and how NAC can be used to create a secure, productive BYOD environment, let’s take a closer look at how this plays out in the real world.
Institutions of higher education have been dealing with the BYOD issue for years; they can provide useful insight into the problem IT managers at organisations of all types are now facing. Like many organizations, Bryant University adopted virtualisation to streamline IT management costs and reduce the footprint of its data centre. This provided a huge cost savings by moving away from managing thousands of individual endpoint machines to managing a single desktop image in the data centre. This strategy gives students, teachers and faculty members the freedom to use their device of choice – a true BYOD environment.
However, from a security perspective, risks remained, since all users still required network connectivity to access the school’s applications. To address those risks and maintain security, the IT team at Bryant implemented a NAC solution to automatically detect and register every device, authenticate users, scan for policy compliance and provision network access accordingly.
Since the implementation of NAC, the on-boarding process of new devices has been rendered a non-event, enabling the IT staff to focus their efforts and time on other critical projects, instead of being bogged down by network access requests and security issues.
Bryant University is a good example of how the implementation of NAC in conjunction with virtualisation can plug the blind spots that are inherent in a BYOD environment and ensure that greater user device freedom doesn’t come at the expense of sensible and strong network security.