Resolving Wi-Fi Security in BYOD Environments

Transcription

1 Resolving Wi-Fi Security in BYOD Environments A Frost & Sullivan White Paper Avni Rambhia, Industry Manager ICT Jarad Carleton, Principal Consultant ICT

2 frost.com BYOD is Everywhere... 3 Enterprise Security Priorities Today BYOD is Conspicuously Absent... 4 Better Wi-Fi Network Controls are Needed for BYOD Environments... 6 Why Security is Intractable... 6 Solutions on the Market Today... 7 Fujitsu inetsec Smart Finder: A Network Management Solution Designed for SMBs... 9 Conclusions...10 contents

3 Resolving Wi-Fi Security in BYOD Environments BYOD is Everywhere Mobile devices are popular and more deeply involved in business every day. People are bringing their own smartphones and tablets into the office, and in a typical company, the IT department will provide employees with Wi-Fi access that enables employees to use these ultra-mobile devices for work. In universities, wireless connectivity is surpassing wired connectivity in use, not only in classrooms and on campus, but also in dormitories. From phones to tablets and laptops, to gaming consoles and IP streaming devices, Wi-Fi is transforming educational campus connectivity, productivity, and classrooms. In healthcare, devices from hospital beds to monitors are wirelessly connected, as are staff tablets and peripheral devices such as printers. It s also common for visitors and patients to bring in their own devices. Retail is also seeing growing use of wireless, from handheld scanners to tablets. As this occurs, IT teams and corporate leadership are struggling to craft policies and safeguards to enhance productivity, secure data, and ensure that wireless resources are used judiciously. Regrettably, many IT departments prioritize speed over security as they scramble to meet C-suite directives to support personally owned devices. When this occurs it often causes a cascade of informal device use across the entire organization. The forecast below illustrates why BYOD has become so pervasive. 1 Figure 1: U.S. Tier 1 Mobile Subscriber Forecast, Subscribers (Millions) % Smartphones Smartphones Feature Phones 94.6% Smartphones 68.9% Feature Phones 5.4% Feature Phones Source: Frost & Sullivan 3

4 frost.com The flip side of the enhanced productivity that mobile devices provide is the growth in security vulnerabilities and exploits. A few representative statistics illuminate the security challenge: One mobile device was lost or stolen every 5 seconds (on average) in 2012; 90% of ethical hacking engagements were successful in gaining access to highly sensitive information (PwC mobile app report, 2012), which is worrisome when combined with high loss and theft rates of these devices; New mobile malware families and variants increased by 244% between Q and Q1 2013; 2 86% of Android malware-laden apps are repackaged versions of legitimate apps (IEEE Security & Privacy 2012); and ios malware has been found in third-party app stores and even Apple s own App Store. It s no surprise then that information security professionals say App Security and Mobile Security are #1 and #2 threat areas to their organizations. 3 Enterprise Security Priorities Today BYOD is Conspicuously Absent Network security is not a new field, but it is receiving renewed attention in the face of evolving technology and threats. A Frost & Sullivan survey of nearly 900 IT decision-makers showed that regulatory compliance and minimizing customer identity theft and fraud were the biggest motivators of spending on network security; minimizing service downtime was a noteworthy consideration of importance for retail and government verticals. Figure 2: Top Security Priority 11% 16% 27% 8% 9% 14% 16% 19% 42% 8% 10% 9% 7% 15% 14% 32% 32% 42% 21% 37% 22% 36% 9% 25% 21% 19% 11% 14% 21% 18% Education Government Financial Services Healthcare Retail Total Sample Minimizing damage to organization s reputation Minimizing theft of intellectural property Minimizing customer identity theft/fraud Minimizing or having no breach of laws and regulations Minimizing service downtime Source: Frost & Sullivan analysis 4 4

5 Resolving Wi-Fi Security in BYOD Environments Network security has traditionally been achieved using a combination of tools such as anti-malware, firewall/vpn, data leakage prevention, and security incident event monitoring (SIEM). Firewalls, VPNs and anti-malware solutions constituted the most widely deployed types of network security. In 2012 in the US, 77% deployed a firewall and VPN, although it was in the top-three priorities for 86% of respondents. Twenty-eight percent had deployed NAC, but it was the top priority of less than 10% of respondents and within top-three priorities of less than 40% of respondents. Within market verticals, education stayed close to the average for security solutions deployed across all industries in the United States. Government had much higher emphasis on NAC (40% deployed, 49% top-three) and slightly higher emphasis on firewall (81% deployed, 88% top-three). Healthcare had similar VPN levels as government, but less-than-average levels of NAC. Figure 3: Currently Deployed Security Solutions Total Sample Currently Deployed Security Solutions United States, 2012 Perceived Importance of Security Solutions: United States, 2012 #1 Ranking #2 Ranking #3 Ranking 77% 63% 27% Anti-malware Data loss prevention (DLP) Firewall/VPN 13% 18% 15% 51% 33% 20% 21% 25% 10% 28% 13% 11% 3% IDS/IPS Network access control (NAC) SIEM Unified threat management(utm) 3%5% 6% 8% 13% 2% 5% 9% 17% 2% Other Source: Frost & Sullivan analysis 5 One trend that is conspicuous by its absence is Wi-Fi network security. The problem is that companies regard BYOD as a challenge that can be resolved with mobile device management (MDM) or digital containers. Those who do have MDM or digital container solutions in place to manage BYOD environments tend to rely on isolating visitor and employee devices to a guest wireless network that is considered by IT staff to be as risky as the Internet itself. My biggest challenge with BYOD is that employees browsing the Internet on their smartphones congest our networks and slow down business application performance. IT director at a medium-sized accounting firm 5

6 frost.com Very few enterprises are at the point of strategically formulating device-specific IT policies; even fewer are at a point of evaluating solutions to streamline policy enforcement and resource optimization specific to device use cases; and only a handful are able to accurately identify and track devices that attach to their wireless networks. This paper examines the security issues that accompany the skyrocketing use of personal mobile devices on Wi-Fi networks in enterprise verticals such as retail, healthcare, government, education and financial services. It also sheds light on technological advances that are bringing enterprise-class Wi-Fi network security management tools within reach of small and large businesses. Better Wi-Fi Network Controls are Needed for BYOD Environments For medium-sized businesses with limited IT resources, or large businesses with globally distributed offices, it is difficult to gather the manpower and resources to strategically roll out scalable, secure Wi-Fi networks. Often, Wi-Fi is implemented in an ad-hoc fashion with simple access controls based on username and password that are usually available at the reception desk or written on a white board; only seldom are logon credentials changed. This not only causes potential security issues, but also leads to productivity issues, including lower employee attention and poor network performance. The typical IT response is to purchase additional bandwidth, throttle the Wi-Fi network down from time to time when traffic gets too high, or to restrict the number of devices supported on the Wi-Fi network at any time. However, these are inefficient solutions to a problem that continues to grow in magnitude. Why Security is Intractable Managing guests on a relatively open Wi-Fi network is hard enough; managing employee devices on a Wi-Fi network to which they already connect companyowned devices is much harder. For example, most SMBs report that they do not have effective ways to restrict users or employees from logging into the Wi-Fi network from their own device; in many cases they are not even aware of which devices or how many devices are on the network. There are simple options, such as Microsoft active directory, where IT teams can leverage the user s existing corporate credentials to authenticate their personal devices; however, this provides identification, not control. Some enterprises also report the issue that Wi-Fi authentication with active directory credentials happens in clear text rather than an encrypted protocol, so the potential risks outweigh the benefits. We have an Internet-only Wi-Fi on the campus for vendors and temporary personnel. We have a password we give them, but I don t change it often. IT director, medium-sized healthcare firm 6

7 Resolving Wi-Fi Security in BYOD Environments White list and black list is great, but the system we use takes four or five hours a week to manage. If another solution saved three hours a week, I d look at it closely. IT director, medium-sized healthcare firm As a result of lax controls, neighbors, ex-employees, or drive-bys can all end up using a wireless network without a company s knowledge, especially if passwords are not changed frequently. White lists and black lists, where devices with specific MAC IDs are allowed or disallowed on the network using network access control (NAC) technology, are a better option to control Wi-Fi access. However, manually whitelisting and blacklisting devices is cumbersome and care is needed to ensure that lost devices or devices belonging to ex-employees are blacklisted in a timely fashion. To accomplish this, IT teams that are already constrained need additional budget and man hours. Further, white and black lists are not conducive to environments where devices owned by visitors frequently come and go. In the end it becomes a numbers game, based on how much an organization is willing to spend to track everything. A draconian solution is to block all devices from Wi-Fi access, but it will negatively impact productivity and competitive edge in nearly every situation. It is also unfeasible for an IT department to firmly enforce in light of significant pressure and demands from employees and executives. Solutions on the Market Today Companies large and small have policies that address what company resources, equipment, and cloud-based services can be accessed and how they can be used by employees. The challenge for many organizations, however, is that company policies tend to focus on company-owned computers and laptops. What has frequently been left out of the equation is how to enforce company policies in a BYOD environment that inevitably occurs after IT begins supporting personal devices for executives on an ad hoc basis. The security challenge with BYOD can also get tricky for industries that are regulated or have strong incentives to protect corporate data and ensure that reasonable steps are taken to prevent data leakage. The financial services, healthcare, and legal industries are all industries with a need to have better BYOD security, including organizations with fewer than 500 employees. BYOD can be a productivity booster, but the use of personal devices in the workplace also implies that device owners bring and use their own cloud services on those devices. That s why it s critical for businesses of 7

8 frost.com every size to be able to centrally control which devices can associate with the corporate Wi-Fi network. Solutions that are in use today to manage BYOD and Wi-Fi network access vary in cost and functionality: 1. Mobile Device Management (MDM) These solutions can be expensive for small- or medium-sized companies. Employees tend to be uncomfortable allowing an employer to install a centrally controlled security solution that has the ability to remotely wipe all data from a personal device. 2. Enterprise platforms such as Microsoft Outlook have the ability to lock and wipe data from a personal device. These platforms can also prevent a user from accessing corporate unless the device itself is password protected. However, similar to digital containers offered by some MDM solutions, these features rely on the phone to be honest with the enterprise system about its state of health. Smartphones and tablets that have been rooted or jail-broken by mobile malware are inherently dishonest and have been able to circumvent some of these centralized controls. 3. Separate guest wireless networks Implementing wireless networks that truly separate the secure corporate Wi-Fi from the guest network requires an organization to purchase additional access points to ensure that secure Wi-Fi data doesn t transit guest Wi-Fi access points. 6 These installations also don t provide data on who is using the guest network and if they are consuming excessive amounts of data. 4. In-band security devices Devices that are in-band put central control and data flow over the same path to manage Wi-Fi networks, but they can impact network performance, require IT resources to manage real-time alerts and issues, and if something goes wrong with the device, it can bring the Wi-Fi network down. We have almost 600 devices connected to the Wi-Fi network today (mid-august) and we haven t started the new trimester or new student orientation yet. IT director, medium-sized international graduate business school It s clear that Wi-Fi in general needs better controls, especially if it is installed as an afterthought and grown ad-hoc. Nevertheless, current solutions are not able to effectively meet the needs for most medium and many large businesses. Sophistication varies across the board by company size rather than by market vertical. Large organizations tend to be organized; small organizations can see everyone in the office, so managing Wi-Fi networks is easier, but SMBs are caught in the middle. They need to be savvy but don t have the smarts or budget to deal with tier-1 solutions. Fortunately, growing awareness of the issue is driving innovation and new products are becoming available that can solve these BYOD and Wi-Fi security pain points in a cost-efficient, resource-efficient, and performanceefficient manner. 8

9 Resolving Wi-Fi Security in BYOD Environments Fujitsu inetsec Smart Finder: A Network Management Solution Designed for SMBs As previously discussed, security solutions to date have comprised of a mixture of mobile device management (MDM), network access control (NAC), and data leakage prevention (DLP) solutions. The problem for many organizations is that these solutions can require upfront installations that can cost in the tens to hundreds of thousands of dollars, in addition to the ongoing fees with costs up to $10 per device per year. While this level of expenditure and complexity might be palatable for large enterprises, it is unreasonably high for medium-sized business in the employee range or large corporations that are not subject to regulatory oversight. inetsec Smart Finder uses non-intrusive, out-ofband methods for device discovery and classification, which ensures it isn t the cause of a Wi-Fi network slowdown. inetsec Smart Finder can discover, manage and report on 3,000 devices with a single appliance priced at less than $7,000. Installation doesn t require a costly professional service, has been described by current users as plug-and-play, and the access control policy manager runs on a standard off-theshelf server. Consequently, the cost to manage access control policies using inetsec Smart Finder is close to $2 per device each year. inetsec Smart Finder delivers at an attractive price point while delivering BYOD management features that enable a medium- to largesized business to easily enforce connectivity policies and monitor network usage. When an employee leaves the company, we remove their device from the Smart Finder white list and they can t get back on the Wi-Fi network, even though they have log-on credentials with a password. IT director, ABBYY Easing the burden for resource-constrained IT departments, inetsec Smart Finder automates device discovery and enables device self-registration. It also automates the enforcement of white and black lists, generates categorized reports on which devices are connected to a specific network, and provides application visibility and management at Layer 7. Visibility and management at the Layer 7 level helps mitigate the risks brought by unwanted applications and can be used to improve bandwidth usage. In addition, authorization lists for Wi-Fi network access can be sourced externally through simple open-source APIs in the policy enforcement server, allowing more complex security enforcement solutions to interface with the inetsec Smart Finder appliance if required. 9

10 frost.com Other devices we use to secure our networks take a lot of time to get up and running; inetsec Smart Finder took us less than one hour. IT director, ABBYY Fujitsu has specifically designed inetsec Smart Finder to address the burden imposed by the explosion of personal devices used in the workplace for personal and business use. It was also designed to address this business pain point in a cost-effective and resourceeffective manner by providing a core set of features that can be competently configured and deployed by a small IT team or an individual. Conclusions The BYOD trend will continue to grow as smartphone and tablet ownership continues to rise. As device ownership steadily increases, demand for Wi-Fi access in the workplace will also grow. Getting a grip on the challenge today is the best way to manage productivity and bandwidth costs. Although large-scale networking and MDM solutions will solve part of the Wi-Fi security problem, they can be costly and cumbersome to install and maintain. These classes of solutions are also out of reach for many medium-sized businesses with constrained IT budgets and personnel. Further, with the increase in mobile malware and the rising rate of theft for smartphones and tablets, an easy-to-manage solution that can monitor and manage personal devices on the corporate Wi-Fi without overwhelming IT departments is essential. Basic monitoring and classification devices like inetsec Smart Finder offer a great starting point to automate the time-consuming creation of white and black lists for devices in the workplace. They also help businesses improve Wi-Fi network security and begin to tame the downside of the BYOD trend before it impacts productivity and IT budgets. Considering the fact that inetsec Smart Finder will allow IT administrators to integrate it with complementary systems such as MDM and SIEM, it will continue to provide value to IT departments as they grow with their business and become more sophisticated. 10

11 frost.com ENDNOTES 1. Tablet growth reflects a similar upward trend, with unit sales growing from 130M in 2012 to 400M in F-Secure Mobile Threat Report, January-March Frost & Sullivan research 4. Frost & Sullivan study: Evolving IT Security Trends and Challenges Within Today s Organizations (NC06-74) 5. Frost & Sullivan study: Evolving IT Security Trends and Challenges Within Today s Organizations (NC06-74) 6. Wireless access points that offer a secured Wi-Fi network and a guest network over the same infrastructure are not considered secure enough for some regulated industries and companies with valuable intellectual property.

12 Auckland Bahrain Bangkok Beijing Bengaluru Bogotá Buenos Aires Cape Town Chennai Colombo Delhi/NCR Detroit Dubai Frankfurt Iskander Malaysia/Johor Bahru Istanbul Jakarta Kolkata Kuala Lumpur London Manhattan Mexico City Miami Milan Mumbai Moscow Oxford Paris Pune Rockville Centre San Antonio São Paulo Seoul Shanghai Shenzhen Silicon Valley Singapore Sophia Antipolis Sydney Taipei Tel Aviv Tokyo Toronto Warsaw Washington, DC Silicon Valley 331 E. Evelyn Ave. Suite 100 Mountain View, CA Tel Fax San Antonio 7550 West Interstate 10, Suite 400, San Antonio, Texas Tel Fax London 4 Grosvenor Gardens London SW1W 0DH Tel +44 (0) Fax +44 (0) GoFrost myfrost@frost.com Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation that addresses the global challenges and related growth opportunities that will make or break today s market participants. For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public sector and the investment community. Is your organization prepared for the next profound wave of industry convergence, disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer dynamics and emerging economies? For information regarding permission, write: Frost & Sullivan 331 E. Evelyn Ave. Suite 100 Mountain View, CA 94041