NAC Strategies for Supporting BYOD Environments

Transcription

1 G NAC Strategies for Supporting BYOD Environments Published: 22 December 2011 Analyst(s): Lawrence Orans, John Pescatore Network access control (NAC) will be a key element in a flexible approach to securing a "bring your own device" (BYOD) environment. Using Gartner's framework for analyzing the risks of consumerization, this research highlights how NAC policies can be used in combination with other approaches to implement the four strategies outlined in the framework Contain, Embrace, Block and Disregard. Key Findings NAC helps to protect the network, but it is only one component of a broader BYOD security strategy. Other solutions, such as mobile device management (MDM) and hosted virtual desktops (HVDs), are needed to secure mobile endpoints. A Contain strategy solves an immediate need for mainstream organizations by isolating mobile devices from the corporate network. Network managers will need to stay with a Contain strategy for at least two to three years, because the broader IT department will need to develop mature processes for supporting an Embrace strategy. Recommendations Most organizations should start with a Contain strategy and use NAC policies to isolate personally owned mobile devices in a limited access zone, where they may access a subset of applications and data. In enterprises that aspire to an Embrace BYOD strategy, network security managers should work jointly with IT counterparts to develop NAC policies that complement mobile device strategies. For example, use NAC to ensure that only endpoints with MDM agents are granted network access.

2 What You Need to Know NAC provides one of the most flexible approaches to securely supporting BYOD. For example, NAC policies can be modified as an organization moves from a Contain strategy to an Embrace strategy, and can also be used for Block strategies. Other technologies, such as MDM and HVD, will be used to complement NAC, particularly by enterprises that adopt an Embrace strategy. Analysis Survey data from Gartner, published in May 2011, shows continued strength in the BYOD phenomenon (see "CIO Attitudes Toward Consumerization of Mobile Devices and Applications"). The survey results indicate that U.S.-based CIOs predict that 38% of mobile devices will be owned by employees in two years. European rates were lower (see Note 1). The same survey indicates that, in many organizations, BYOD security initiatives are lacking (see Note 2). Developing formal BYOD policies is critical, because personally owned devices present risks to the network in the form of unintended denial of service and other threats to network stability, such as the spread of malware. Network managers need to protect their networks from the BYOD phenomenon, while the broader IT department works with business leaders to establish an official BYOD strategy. No matter what strategy is selected, the ability to detect when unmanaged devices are in use for business purposes will be required and that requires NAC. In "Optimal Security Approaches for the Secure Use of Consumer IT," Gartner presented a framework for analyzing the business risk of consumerization. Based on a two-dimensional analysis that maps security "pressure" against the value to the business, it yields the four options of Embrace, Contain, Block and Disregard (see Figure 1 and Note 3). The horizontal axis, "Security 'Pressure,'" refers to security demands from internal forces (such as securing confidential data) and/ or external forces (such as regulatory compliance). For example, a publicly traded company that is subject to multiple compliance regimes or a business that would be jeopardized by a major security breach would rate "high" on the Security "Pressure" axis. The vertical axis, "Value to Business," refers to the value that the user delivers to the business through the use of the consumer technology (in this case, a personally owned mobile device). In this research, we apply the framework to show how NAC can mitigate some of the risks of BYOD. Page 2 of 8 Gartner, Inc. G

3 Figure 1. Mapping Security Responses to Risk and Business Value High Embrace Contain Value to Business Disregard Block Low Low Security "Pressure" High Source: Gartner (December 2011) The Contain strategy will be relevant for most mainstream organizations. As noted in the following sections, the Block strategy is too draconian, and the Embrace strategy represents a huge cultural shift that adds technical and operational complexity. A Contain strategy will satisfy the needs of most organizations and give them the time to architect effective plans to migrate to an Embrace strategy. A Disregard strategy equates to ignoring the presence of personally owned devices in a corporate environment. This is a poor choice, and organizations that adopt a Disregard strategy don't make any policy or technology changes. In the sections below, we focus on how network managers can use NAC to adopt Contain, Embrace and Block strategies. Contain The basic Contain strategy should be: "Allow some people to use some devices to access some resources." Most organizations are unprepared to support a broader approach in 2012 because of budget, technology and process issues (see the Embrace section). A Contain approach is the best way for network managers to demonstrate flexibility, yet still retain an appropriate level of control over the network. Contain is the correct strategy in an environment where: Executives demand to use their personally owned mobile devices at work. Gartner, Inc. G Page 3 of 8

4 Business units can justify the benefits of BYOD and are pressuring the IT department to support them. Using NAC to Implement a Contain Strategy NAC policies should be used to create a limited access zone (LAZ) to isolate personally owned devices from the corporate network (see "Strategic Road Map for Network Access Control"). Because organizations are still reacting to the BYOD phenomenon and have yet to formulate formal policies, most IT organizations can't control personally owned devices in the same way they control corporate-owned devices. For example, they haven't installed endpoint protection platform agents, mandated configuration policies or implemented life cycle management tools. For these reasons, personal devices should be positioned in the LAZ where they don't present a threat to sensitive applications on the corporate network. An LAZ will function as a third network zone for most organizations, because it will be distinct from the production network and the wireless guest network. While the guest network allows only Internet access, the LAZ will allow access to a subset of applications and data. NAC policies will limit access to sensitive resources, depending on the device and possibly the user's role. Wireless guest networks are limited in scope (see "Four Key Decisions That Enterprises Must Make Before Implementing a Guest Access WLAN"). They are generally only accessible from visitor areas and some conference rooms. The LAZ is broader, because it should be accessible wherever an employee needs wireless or wired access. It's not enough for the LAZ to be a wireless-only network, because employee-owned MacBooks and other personally owned laptops should connect to the LAZ. The combination of authentication, profiling (discovering a device and identifying its OS), and enforcing access policies should be used to create the LAZ. The concept should be piloted in one location to gain experience in implementing and operating a policy-based network. Building an LAZ at every remote location and applying consistent BYOD policy rules throughout the network are more challenging efforts that will require a strong policy management console and disciplined operational processes. However, for many organizations, this approach can be done in conjunction with rolling out second-generation wireless LAN (WLAN) architectures, because most BYOD device access will be via WLAN. NAC policies should also apply to personally owned laptops that connect via VPN, although this use case is less urgent, because remote devices do not pose a stability threat at Layer 2. However, compromised endpoints can spread malware to other endpoints through an IPSec VPN connection, so endpoint configuration policies should also apply in this scenario. Embrace There is a huge operational and support gap between a Contain strategy (let some people BYOD for some things) and an Embrace strategy (allow everyone to BYOD for almost everything). In an Embrace BYOD environment, the corporate network looks similar to a typical college campus residential network, where students bring their personal devices to school. In that environment, where the school doesn't control the endpoint, it forces compliance through what it can control access to the network. If an endpoint is not compliant with security policies, it will not be granted Page 4 of 8 Gartner, Inc. G

5 access to the network. That rigid model of blocking network access is unacceptable in a corporate environment, because it prevents critical employees from doing their jobs and meeting customer needs. The need for flexibility is a key reason why an Embrace strategy will be slow to be adopted in most businesses. Common characteristics of an Embrace environment will be: Grassroots BYOD adoption has exceeded 30% of the employee population. The organization's ability to manage personally owned devices rises to the level of managing today's Windows-based endpoints. For example, the mature use of MDM for enforcing security policies and the use of HVDs for centrally managing and securing sensitive data and applications are two examples of technologies that will be widely adopted in Embrace environments to reach this goal. Using NAC to Implement an Embrace Strategy In the Embrace scenario, mobile devices have proliferated throughout the organization. Instead of restricting some personal devices to an LAZ, the entire network must be able to enforce policies and control access for personally owned devices. Essentially, the main corporate wireless and wired LANs will replace the LAZ. Scaling policy enforcement to an enterprisewide level is a challenging task, particularly the support issues related to troubleshooting failed authentication and/or failed access to key resources. For many enterprises, it will be another contributing factor for delaying the adoption of an Embrace strategy. Network managers that need to support an Embrace approach will need to scale up their implementation of the same technologies used in the Contain approach. Authentication, profiling and policy enforcement will be deployed on a broader scale and will, therefore, be more operationally complex to manage. Policies will need to be more granular, and will likely need to check for the presence of MDM agents and other mobile device software. Block The Block strategy will not be appropriate for most enterprises because of the attractiveness to both IT management and employees of allowing BYOD. However, some organizations that exhibit the following characteristics will need to prohibit BYOD via the Block approach: Highest degrees of security consciousness (examples include government intelligence agencies, the military and some financial services companies) Strongest emphasis on network stability and reliability (examples include manufacturing environments and critical infrastructures, such as power and utility companies) Using NAC to Implement a Block Strategy The only way to block the use of BYOD is to be able to detect when devices connect to the network and to determine whether the device is managed or not. Network managers will need to implement Gartner, Inc. G Page 5 of 8

6 authentication across wired and wireless networks to execute an effective Block strategy. Authentication based on 802.1X, which is already widely deployed in wireless networks, is a strong option for extending authentication to the wired network. Commercial NAC-based solutions will also be effective, but they are overkill if only authentication policies will be enforced. With authentication comes the requirement to manage an exception list of devices that don't support the authentication method. Profiling technology is an optional but helpful way to identify these exceptions and automate the management of the list. Recommended Reading Some documents may not be available as part of your current Gartner subscription. "Use Managed Diversity to Support the Growing Variety of Endpoint Devices" "Strategic Road Map for Network Access Control" "Case Study: 802.1X-Based Guest Network for a Wired LAN" Evidence In 2011, Gartner surveyed CIOs and senior executives attending our CIO forums in the U.S. and Europe to gauge their opinions about future mobile device strategies, and the impact of consumerization on the way in which smartphones and tablets are provided and managed. The results of these surveys are presented in "CIO Attitudes Toward Consumerization of Mobile Devices and Applications" and reflect strong momentum for the BYOD trend. Note 1 CIO Predictions on BYOD Adoption We asked the following question at Gartner CIO forums in the U.S. and Europe in 2011: "In two years' time, approximately what percentage of the mobile devices (laptops, tablets and mobile phones) used in your organization will be owned by employees?" The survey results showed that the average expectation for employee ownership in two years was 38% among U.S. respondents, but only 20% in Europe. The sharp difference was attributed to differences in roaming data costs, European data privacy regulations and several other factors (see "CIO Attitudes Toward Consumerization of Mobile Devices and Applications" for more information). Note 2 Security Status of Mobile Devices We asked the following question at Gartner CIO forums in the U.S. and Europe in 2011: "Do you believe that the security currently applied to mobile devices, such as smartphones and tablets, used in your organization is adequate and would satisfy an auditor?" U.S. and European respondents were very consistent in their assessment of security; only 27% to 28% believed that their mobile security would satisfy an auditor, 41% to 42% believed it wouldn't, Page 6 of 8 Gartner, Inc. G

7 and the remainder were not sure (see "CIO Attitudes Toward Consumerization of Mobile Devices and Applications" for more information). Note 3 Explanation of Block, Contain, Disregard and Embrace Strategies As outlined in "Optimal Security Approaches for the Secure Use of Consumer IT," the strategies are as follows: Block (or ban) the use of consumer-grade products or services by explicitly prohibiting their use in an appropriate policy; then enforce the policy by scanning for use or blocking port numbers or device drivers. Blocking is possible, but unpopular. Influential users, such as executives, will push for exceptions, forcing the IT department to move to another action on this list. However, there will always be some applications that are too sensitive, or some consumer technologies that are too unsafe, to use. A common example of a blocked consumer technology is peer-topeer file sharing. Contain actively accepts and facilitates use in well-defined situations, and in some cases implements controls to prevent the use of the consumer technology. This approach costs money, but enables the IT department to request a budget to manage and audit device configurations and performance. SSL VPNs are an early example of a Contain approach, because they enable the controlled connection of consumer devices to the corporate network. NAC for guest networking is a more recent example. Disregard essentially means "pretending" that the consumerization trend doesn't affect you, or at least not actively looking to see whether consumer technologies are in use. This is generally an unacceptable approach, except for areas of no business criticality, because it provides no support for the confidentiality, integrity, audit and available levels required by business. However, just as most enterprises don't really care which particular model of mobile phone or calculator employees use, there will always be some areas in which Disregard is the preferred approach. Embrace refers to the IT organization incorporating consumer-grade technology (or enterprise versions of consumer products/services) and promoting, delivering and supporting it just like any other IT-delivered product or service. This requires discipline for the IT department to request the budget to manage and audit device configurations and performance. Essentially, this approach adds enough security to make the use safe, but requires funding to do so. Gartner, Inc. G Page 7 of 8

8 Regional Headquarters Corporate Headquarters 56 Top Gallant Road Stamford, CT USA European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM Japan Headquarters Gartner Japan Ltd. Atago Green Hills MORI Tower 5F Atago, Minato-ku Tokyo JAPAN Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, andar World Trade Center São Paulo SP BRAZIL Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website, ombudsman/omb_guide2.jsp. Page 8 of 8 Gartner, Inc. G