» WHITE PAPER Bradford Networks. All rights reserved

Transcription

1 » WHITE PAPER Network Access Control in the BYOD Era 3rd Generation NAC mitigates the risks of unmanaged devices so that workers can be more productive

2 White Paper» Network Access Control in the BYOD Era 1 Today s enterprises increasingly support the use of mobile devices by their employees and guest workers. Executives, knowledge workers, contractors and even third-party suppliers are connecting their mobile devices to corporate servers. Sales teams need access to customer and order information in their company CRM systems. Doctors and clinicians need access to patient data. Students require access to academic networks as well as the Internet. Across all types of organizations, users at all levels seek to improve productivity through access to information resources from a wide variety of mobile devices. Increasing productivity is a noble intent, but it shouldn t be done in such a way as to compromise network security. Fortunately, the two can coexist through the latest generation of network access control (NAC) technology. NAC has long played a role in assessing the risk of users and devices that are joining the network. Now NAC is even more important because of the bringyour-own-device (BYOD) phenomenon of unmanaged personal devices and guest users. With the popularity of BYOD, an untold number of new devices are making their way onto enterprise networks. To counter the threats these devices can introduce, organizations need to have increased visibility into their networks. They need to understand who these mobile users are in order to assess the risk of each user and every device that is attempting to join the network. The most effective way to do this is through risk mitigation access control policies. The Changing Landscape Until fairly recently, enterprises managed network infrastructures that were self-contained within the physical confines of their well defined perimeters. A company could build strong defenses at the network edge and be fairly confident about keeping the bad guys out and the important data in. Figure 1: Evolution of Network Access Security However, over the past few years or so, several gamechanging trends made their way into the enterprise: users became mobile, companies opened their networks to outside parties, and employees started to use their personally-owned smart devices for work activities. In a short period of time, organizations have gone from an employee-only network with one single standard company-issued device per user to a far more open network that must support multiple non-standard devices per user. What s more, these devices may or may not be company issued and controlled. To manage these trends many organizations have turned to NAC technology. NAC enables administrators to precisely define and control how devices and users gain access to network resources.

3 White Paper» Network Access Control in the BYOD Era 2 The early versions of NAC functioned as a way to authenticate and authorize endpoints (primarily managed PCs) on the network using simple scanand-block technology either allowing or blocking network access based on set security policies. NAC later evolved to address the emerging demand for managing guest access on corporate networks by facilitating limited Internet access for external users such as visitors, contractors and business partners. While these early generations of NAC products provide control over traditionally managed endpoints, the unrelenting march to BYOD has created unique challenges. First and foremost, there is virtually no device configuration standardization. There are hundreds of permutations of device type, brand, operating system and security health status and it s getting worse as time goes on. Second, many of these devices are consumer-oriented and they do not come with enterprise class security enabled by default. Network managers must therefore assume a device is compromised and treat it accordingly until proven otherwise. Having so many unknowns when a user wants to connect a device to the network can create serious gaps in security and network visibility. Security Gaps Allowing people to utilize mobile devices to perform their work increases productivity, but it comes at a price that being a corresponding increase in risk. As enterprises extend their networks, they are increasing the potential attack surface. Plain and simple, more devices = more attack points. This expanded mobile device footprint is one place where cyber criminals are targeting their efforts: the outermost layer where the weakest link in security is often the user on a mobile device. Many users don t recognize the security risks that their actions (or inactions) and their devices represent. For example, many people don t even enable the basic security features that come with their smartphones and tablets. What s more, they see little harm in downloading dozens of mobile apps from dubious sources. Even legitimate app stores such as those hosted by Apple and Google are known to offer applications riddled with malware. In fact, Juniper Networks reports that mobile malware grew 614% from March 2012 to March Appthority reports that 83% of the most popular mobile apps are associated with security risks and privacy issues 2. From a cyber criminal s perspective, mobile devices and applications represent a weak link to the greater network that can be exploited for profit. The reality is that unmanaged mobile devices have a high potential to provide a foot in the door for a cyber criminal who wants access to company data and intellectual property. The criminal isn t the only concern, however. Even authorized users sometimes can get access to a network segment or data that they don t have rights to, either inadvertently or through deliberate actions. For instance, an employee might gain access to a protected cardholder network in violation of PCI, or a hospital worker might gain access records for patients not assigned to her care, which violates HIPAA. Although these people may be legitimate users on the network, they have gained inappropriate access to specific resources, bringing risk to their organizations. 1 Third annual Juniper Networks Mobile Threats Report, Appthority, App Reputation Report, Summer 2013

4 White Paper» Network Access Control in the BYOD Era 3 What s Needed to Gain Control over Network Access in the BYOD Era? Mobile computing and BYOD are here to stay. If anything, their usage will increase and become the norm rather than the exception for the enterprise. According to Gartner, by 2014 some 90% of organizations will support corporate applications on personal devices 3. A CIO survey conducted at U.S. and UK Gartner summits indicate that by 2014, 80% of the global workforce will be eligible to participate in a BYOD program 4. Many organizations are going to need to open their networks to more third parties as it becomes increasingly important to partner with others in a globalized world. Moreover, regulatory requirements are growing tighter and the fallout from security breaches is getting more costly. All of these challenges point to the need for enterprises to (re)gain tight control over network access to reduce the risks of doing business while simultaneously enabling workers to do what they need to do. What s needed in terms of a NAC solution for today and into the future? NAC needs to be vendor agnostic, scalable, supportive of wired and wireless networks as well as multiple deployment options physical and virtual appliances, and cloud service. Most importantly, NAC needs to communicate and exchange information with all network devices, rather than requiring an access control solution for each network segment. Given the dynamic pace of BYOD environments, enterprises are looking for solutions that meet the following requirements: Flexible connectivity support The NAC must be vendor-agnostic and support all wired and wireless connectivity sources across the entire network. Broad range of device support New generations of mobile devices are coming to market every few months. Smartphones. Tablets. Gaming Devices. Now there s talk of watches and glasses that will soon be computing platforms. And let s not forget the headless devices that don t necessarily have a human requesting access: printers, security systems, medical devices and other components from the Internet of Things. Any NAC solution that a company deploys should be able to support whatever devices are capable of connecting to and accessing a network and its resources. High level of automation IT security professionals are stretched thin in most enterprises today. Any security device that s brought in must support a high level of automation so that it requires little care and feeding once it s deployed. A NAC solution must support user self-provisioning so that little to no intervention is needed to give someone the appropriate level of access based on the risk they pose. Automation should include basic remediation measures if a device is not up to par; for example, applying an important security patch or offering to update an outdated operating system. Granular policies Today s NAC device must support very specific levels of policies tied to both the user and the device. For instance, it may be fine for a doctor to use his tablet to access patient records while on the hospital ward but not from the hospital cafeteria. A high school student can be denied access to her school network at 3 a.m. because she really has no business being at school at that hour. The NAC must be able to determine such conditions all of them and make a judgment as to what level of access to provide for that specific request. Integration with other security solutions A NAC solution should not only co-exist but integrate with security solutions that perform complementary tasks in order to form a much stronger, secure enterprise network infrastructure. 3 Gartner, Opportunities and Conflicts Loom in the Wake of Google s Motorola Mobility Deal, October 7, Gartner, Creating a Bring Your Own Device Policy, April 2012.

5 White Paper» Network Access Control in the BYOD Era 4 Operation across infrastructure silos Today s network infrastructures are very complex. As network technology evolved and security needs increased, IT often deployed best-of-breed vendor-specific technologies independently to address various problems. The result: many of today s management and security functions operate within their own security silos. The solution to silo d information is a NAC security policy engine that leverages and integrates endpoint security, network infrastructure, and security infrastructure solutions, without requiring the huge investment of a wholesale redesign or forklift replacement of existing solutions. Scalable to support rapid growth Building operational processes (for example, automating mobile device registration) is key to scaling a BYOD project. Furthermore, an enterprise NAC solution must provide a scalable architecture that can support multiple locations across the enterprise, as well as tens or hundreds of thousands of devices so that the organization can onboard more and more devices as needed without costly upgrades or additional NAC devices. 3rd Generation NAC: Ready for the BYOD Era The 3rd generation of network access control technology is ideally suited to the challenges of BYOD, and delivers major advances to secure a much more dynamic environment. Let s take a deeper look at 3rd Generation NAC functionality that specifically addresses the challenges of BYOD. Network Edge Visibility The old adage You can t control what you can t see is more appropriate today than ever. Lack of visibility makes an organization vulnerable. Visibility means that from a single console, an organization is able to discover all network infrastructure gear across the many different locations to the extreme edges of the network, and get a clear view of all internal devices on the network (PCs, laptops, servers, medical devices, POS terminals, etc.) as well as all personal devices spanning different flavors of smartphones, tablets and gaming devices, and any other IP-based device. More importantly, the organization can automatically discover and interrogate all potential users associated with their devices before they are granted access to the network, regardless of where they are connecting from or how they are connecting (i.e., wired or wireless). This ability to identify devices and apply access policies before the connection takes place is an absolute prerequisite if BYOD is to be a serious option for any enterprise, school, hospital or other organization. Why? Consider this. Researchers at Purdue University analyzed how quickly malware can spread and found that malicious software can propagate to roughly 500,000 devices in just 100 seconds 5. While results will vary by incident, these figures provide a graphic reminder of how dangerous post-connect network access control can be. Just one infected device can spread an epidemic in minutes. Visibility includes not just the device type, but also the software configuration (including whether anti-virus and malware protection is up to date); who the user is and what devices he has registered with the network; and even the location and time of day of the connection request. The ability to see all devices on the network (authorized and unauthorized) before setting an access policy, enables users to define and enforce highly granular access policies based on multiple attributes, ultimately allowing for much more successful BYOD implementations. 5 Fibonacci Modeling of Malware Propagation, Zhang & Bhargava, 200

6 White Paper» Network Access Control in the BYOD Era 5 Automated Access Control Beyond visibility, a NAC solution must provide the flexibility to address the many variables of a BYOD access policy. Network administrators must be able to create and automatically enforce access policies that specify the type of network access users and their devices should have, and under what circumstances. These highly granular policies define the Who, What, Where and When of network access what group a user belongs to, what devices they re using, what applications they can access, the locations where they are allowed to connect and even the specific timeframe when access is allowed and any combination of these parameters can be used to determine access. Administrators should be able to choose to block and/ or remediate devices that do not comply with policy. For example, a company might ordinarily allow its sales representatives to access the network segment hosting the CRM database at any time. However, a sales rep s smartphone is showing an odd geolocation where he normally wouldn t travel. This may be indicative of the device being lost or stolen, in which case no or minimal access should be allowed at that time via that device. Many large organizations keep track of their end users in a directory system such as Active Directory or LDAP. Therefore a NAC solution s network access policies need to be granular and flexible enough to know who is joining the network by pulling data from and integrating with available directory systems. With granular and flexible policies, users and their devices can be directed to pre-determined network TRUSTED USERS WHO WHAT WHERE WHEN TRUSTED LOCATIONS segments such as Internet-only for guest users and unsupported devices, or full network access for authorized users. In some cases, the user may be isolated or directed to remedial services if their device has security issues, and this happens before the device is granted access to the corporate network. This type of automation assures that devices are managed so as to minimize the risk that these devices can present. Furthermore, these network access policies must be both granular and flexible enough to enable many different options for controlling bandwidth usage. For example: Specify how many devices employees can on-board based on their specific roles and needs in the organization, rather than simply allowing them to on-board as many devices as they want, which can and will consume precious network bandwidth and internet resources. Instead of a free-for-all, network access becomes monitored and controlled and as a result, so does resource consumption. Furthermore, network access policies must be flexible; otherwise users will be granted too much or not enough access. When a certain threshold is reached, organizations may need to restrict access to authorized personnel only and limit them to on-boarding just one device at a time. Restrict user access by time of day, by location, by job role or other criteria. Policy also can ensure that certain personnel, such as the CEO, can always get on the network with all of their devices rather than simply allow access on a first come, first served basis. Detect and even remove resource-hogging devices. With 3rd Generation NAC, the combination of visibility and granular, flexible policy-based access control allows administrators to manage BYOD devices efficiently and cost-effectively, giving users the TRUSTED TIME access they need while optimizing network performance. TRUSTED DEVICES Figure 2: Trust-based policies

7 White Paper» Network Access Control in the BYOD Era 6 Automated Provisioning 3rd Generation NAC helps address the human factor in BYOD. As people come to work, they expect to turn on their device and get right into the network. There s no time to fill out an access request form, or to contact a help desk for manual provisioning of a new worker (or guest) or a new device. A NAC solution supporting a BYOD environment must make on-boarding a seamless, simple interactive process simple for end users and hands-off for administrators. Automated self-provisioning allows potential users to register themselves and their device. The NAC solution can then do its risk assessment based on the Who, What, When and Where attributes of both the user and device, and provision the right level of access to the network based on the current circumstances. So for example, if the user is approved for access but his device is afflicted with malware, he can be directed to site for remediation. This automation greatly lessens the burden on IT support staff while giving workers the access they need much more quickly. Deprovisioning and off-boarding people and devices are important, too. It s essential to quickly shut off access once an end user separates from the organization. Automated provisioning is critical for large-scale organizations (or even large-scale events such as conferences) to maintain scalability, minimize manual processes and eliminate (or minimize) IT involvement and thereby minimize overall support and operating costs. Integration with the BYOD security ecosystem BYOD increases the attack surface and the number of potential threats exponentially. The onslaught of personal devices sometimes two or three per person makes it virtually impossible for administrators to take action manually when a device threatens a network. As a way to manage and control mobile device risk, many organizations deploy a Mobile Device Management (MDM) solution. MDM looks at what s on the mobile device itself, and gives IT administrators control over the data and applications on that device. But MDM doesn t provide the functionality to determine whether to allow a certain device to connect to the network and how much access to give it. In a BYOD environment where people are bringing in all sorts of devices on a massive scale, the organization s security ecosystem, including MDM and NAC, must work together to assess and control the health status of a device and make a decision about its access rights. When the firewall, IDS/IPS or other threat detection tool detects a security breach at a particular IP address, the NAC solution must be able to automatically identify the compromised device, isolate or move it to a safe guest network, and send an alert to the user and administrator. Depending on the type of threat and established security policies, it could even direct the user to take other remedial action. Secure BYOD is all about leveraging an organization s security ecosystem of solutions to work together seamlessly and automatically: to detect threats, identify and quarantine the offending device and provide remediation. The ability to automatically correlate information from different technologies and take action according to security policy allows end users to bring in as many personal devices as needed without compromising security. Figure 3: Secure BYOD Network Access Control

8 White Paper» Network Access Control in the BYOD Era 7 To accomplish central and seamless integration, a NAC must provide open APIs to work with common and popular security solutions, such as those provided by FireEye and Palo Alto Networks; with mobility applications from companies like AirWatch and MobileIron; and with network infrastructure vendors, from Aerohive to Xirrus, to name a few. NAC solutions that provide an open architecture enable organizations to leverage current and future point solutions to create a secure, integrated and automated BYOD environment that is appropriate for the risk posture the organization aims to maintain. Analytics The volume and diversity of devices connecting to both wired and wireless networks is increasing and changing on a daily basis. Organizations need to understand and manage the devices that are connecting to their network. This level of visibility and control is mandated by compliance regulations such as PCI and HIPAA, and is critical to any organization trying to properly secure its network. For administrators, unknown and questionable devices on their network represent a blind spot that introduces risk and uncertainty. By analyzing and visualizing large volumes of network access data over time, a NAC managing a BYOD environment should generate detailed reports that provide organizations with the long-term visibility and answers they need to make better business decisions; for example, to plan wireless network capacity, to manage software licenses, to provide better mobile device support, and to meet compliance requirements. Conclusion Network computing has changed dramatically in just a few years time. The old defense perimeter is porous at best and all but gone in worst case scenarios. There are many more users clamoring for access via their smartphones and tablets in addition to their traditional desktops and notebooks. Outsiders such as business partners, suppliers and third-party vendors need access to network-based resources such as applications and document shares. There s no assurance of a secure configuration on the hundreds or thousands of unmanaged devices in users hands. The IT security landscape is changing rapidly as well. Hackers and cyber thieves are using advanced persistent threats and other sophisticated means to get at intellectual property and other critical information assets. They are targeting networks weakest links: end users and their vulnerable devices. And as more and more devices are welcomed onto a company s network, the attack surface grows broader with each device. Security administrators need to regain control of this unwieldy networking environment. The point at which to assert control is before a risky user or device is allowed to have network access. 3rd Generation NAC products are designed with this precise scenario in mind. For any organization that allows BYOD or any style of remote or mobile computing 3rd Generation NAC is a must-have security solution. It s an important piece of an overall defense-in-depth security infrastructure for today and tomorrow. NAC enables worker productivity while helping to block a new generation of cyber threats. One Broadway, 4th Floor, Cambridge, MA 02142, USA Toll Free Phone Web info@bradfordnetworks.com Bradford Networks offers the best solution to enable secure network access for corporate issued and personal mobile devices. The company s flexible Bradford Networks platform is the first network security offering that can automatically identify and profile all devices and all users on a network, providing complete visibility and control. Unlike vendor-specific network security products, Bradford Networks provides a view across all brands of network equipment and connecting devices eliminating the network blind spots that can introduce risk. Copyright. Printed in USA. Bradford Networks and Network Sentry are trademarks of Bradford Networks in the United States and/or other countries. All other trademarks or registered trademarks are the property of their respective owners.