Solution Brief
ID Manager: Simplified BYOD Management to Help Reduce IT Workload
Table of Contents
Introduction
How it Works
Authentication
ID Manager APIs
Supported Use Cases
Scalability and Ease of Maintenance Through the Cloud
Reporting
Summary
About Aerohive
Introduction

In today's highly connected organizations, end users expect to have Wi-Fi access across the campus and from any of their devices. While this requirement is essential for today's corporate and education environments, it also opens up a secure network to a multitude of potential issues with Bring-Your-Own-Devices (BYOD).

Over the last years, mobility has drastically reshaped the connotation and central use case for BYOD. BYOD started out as a means to support user devices primarily for work purposes. As a result, MDM was applied to secure the devices, and personal use was disallowed or strongly discouraged. Today, employees' mobile devices like smartphones and tablets are invading the workplace. Users are unlikely to accept MDM on them - it is viewed as spyware - and they demand to be able to use their devices for both private and work purposes. As a result, personal BYOD is today's primary use case. It also presents a set of unique challenges that cannot be addressed by an MDM-supported BYOD implementation. Challenges include the need to support a wide variety of devices and operating systems, while at the same time satisfying the security team's demands for managed network access. An already overloaded IT department is then left to manage these devices to ensure that all BYOD have the appropriate level of network access, and to field the associated help-desk calls.

How it Works

One of the most difficult concepts in provisioning a fully functional BYOD management system is that the requirement for network access can vary widely. Some visitors only need Internet access, while employees and long-term contractors need extensive access to corporate applications and resources. A simple one-size-fits-all BYOD network does not provide the granularity that is needed to deliver this differentiated access.
Authentication

The missing element is authentication integration, which is usually a costly and complex procedure requiring significant expertise in working with AAA infrastructure and often leads to additional hardware, software, and licensing expenses beyond the existing network infrastructure.

All Aerohive access points, routers and switches are managed by HiveManager and already provide authentication services and integration with existing directory services. ID Manager leverages this capability and creates an authentication-specific private connection between the Aerohive devices and the Aerohive Cloud Services Platform. This allows the configuration of multiple BYOD profiles - from casual guests to fully secure employees - that govern where, when and for how long devices can access the network and what type of content is available to them.

ID Manager provides a strong feature set that enables organizations to pick the options that work best for them and that can integrate with existing authentication infrastructure. For example:

- For authentication protocols, ID Manager supports both RADSEC and SAML, with Active Directory Federation Services (ADFS). The latter are the preferred methods for BYOD management in enterprises and higher-education organizations.
- AD group membership information can be used to define which guest types are made available to employees vs. front desk personnel. You can also use AD "Member Of" data to define the number of credentials, either per user or per company site, to manage license utilization across the company.
To enable the diverse requirements of large organizations, ID Manager supports three types of authentication credentials:

- Private Pre-Shared Keys (PPSK). PPSK are an innovation from Aerohive and help bridge the gap between PSK and 802.1X certificates. Essentially, PPSK are strong, unique keys created for every device. They allow users to be individually identified, authenticated and assigned to a BYOD user profile. This is similar to the experience with 802.1X authentication, but without the associated overhead and deployment complexity. At the same time, PPSK are still based on PSK. As such, they are broadly supported by consumer devices and simplify the authentication process for the user compared to 802.1X certificates. This in turn helps reduce help-desk calls.
- Traditional 802.1X certificates (WPA2-Enterprise) with Active Directory integration. While this is arguably the most secure authentication method, it also comes with high deployment complexity and added cost. BYOD management can require accommodating thousands of BYOD users, many with 3-5 devices. For such device volumes, 802.1X certificates are often not considered practical. In addition, many consumer devices do not support 802.1X certificates.
- Traditional Pre-Shared Keys (PSK), where all users have the same network password. PSKs are easy to administer, but simply not secure enough for continuous corporate use. And while they seem user-friendly at first, consider that if one device gets lost or stolen, all other devices on the network need to update their password. Since this is unlikely to go smoothly, the need for a global password update will increase the number of help-desk calls and disrupt the end user experience.

The diagrams above outline the usage scenarios with PSK in more detail. SSIDs with pre-shared keys have several advantages. They are easy to set up, are widely supported by client devices, and do not require authentication servers, certificates, or extra configuration on the clients. Despite these benefits, the fact that all users on the same SSID must use the same key creates issues:

- If one user leaves or loses the wireless client, the pre-shared keys on the access points and all clients must be changed to protect the wireless LAN from unauthorized access.
- All users on the SSID must belong to the same user profile and network policy, including the same QoS rate control and queuing policy, VLAN, tunnel policy, firewall policies, and schedules.
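To make the contrast between a shared PSK and per-user PPSK concrete, here is an added Python example (not Aerohive's or ID Manager's code) that models a PPSK store: each key identifies its user and profile, and revoking one user's key leaves everyone else's untouched. The CSV column names are an assumption for the example, not a documented HiveManager import format.

```python
import csv
import io
import secrets
import string

# Characters for generated keys; WPA2 passphrases must be 8-63 printable ASCII chars.
ALPHABET = string.ascii_letters + string.digits


def generate_ppsk(length: int = 20) -> str:
    """Create one strong, unique key from a CSPRNG for a single user/device."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PpskStore:
    """Per-user keys on one SSID. Each key maps back to a user and a user profile,
    so revoking one user's key leaves every other device's key untouched (the
    opposite of a shared PSK, where one lost device forces a rotation for all)."""

    def __init__(self) -> None:
        self.records = {}  # user -> {"profile", "key", "active"}

    def add(self, user: str, profile: str) -> str:
        """Issue a fresh key for a user and bind it to a profile (e.g. employee/guest)."""
        key = generate_ppsk()
        self.records[user] = {"profile": profile, "key": key, "active": True}
        return key

    def revoke(self, user: str) -> None:
        """Disable one user's key; nobody else needs a new password."""
        self.records[user]["active"] = False

    def authenticate(self, presented_key: str):
        """Resolve a presented key to (user, profile) as the access point would;
        returns None for unknown or revoked keys."""
        for user, rec in self.records.items():
            if rec["active"] and secrets.compare_digest(rec["key"], presented_key):
                return user, rec["profile"]
        return None

    def to_csv(self) -> str:
        """Export active users as CSV for a spreadsheet/import workflow.
        Column names are an assumption for this example, not HiveManager's format."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["user", "user_group", "ppsk"])
        for user, rec in self.records.items():
            if rec["active"]:
                writer.writerow([user, rec["profile"], rec["key"]])
        return buf.getvalue()
```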
The diagrams above outline the usage scenarios with PPSK in more detail. With PPSK, it is possible to create network policies for individual users or groups of users, including different VLANs, firewall policies, tunnels, and schedules. PPSK users and/or user groups can be defined in a spreadsheet program like Microsoft Excel, saved in a file formatted as CSV (comma-separated values), and imported into HiveManager.

ID Manager APIs

Aerohive also offers ID Manager APIs that let customers and partners create unique, tuned BYOD management workflows for their environments. The APIs serve two major purposes:

- Allow customers to integrate ID Manager into their business systems.
- Let partners integrate ID Manager functionality with their own solutions. For example, a provider of visitor management systems can use the ID Manager APIs to integrate the guest credentials into the badge and/or print the credentials on the badge.

To that end, the ID Manager REST APIs provide several basic functions:

- Authentication of the employee via Active Directory
- Query for available guest types
- Create and delete credentials
- Name and rename credentials
- Deliver credentials
API integration is simply enabled via the Configuration Menu / ID Manager Settings in the web-based ID Manager interface. Aerohive has also implemented the ID Manager APIs in the ID Manager applications for iOS and HTML5, to demonstrate our vision for ID Manager. The HTML5 application can be used on a broad range of devices and operating systems, or it can be hosted on a web server. The applications are available to customers as is, or as reference applications for customization.

Supported Use Cases

A key requirement for successful, scalable BYOD systems is to help reduce IT workload. ID Manager achieves this with its simplified and automated workflows that reduce help-desk calls and allow off-loading of BYOD key generation and basic management to employees. Easy distribution of the BYOD keys is equally important. With ID Manager, keys can be emailed, sent via SMS, printed out, or even tweeted.

Two important design considerations for ID Manager were to simplify the BYOD on-boarding process so that employees can accomplish it themselves, and to provide flexibility for organizations around its implementation. As a result, ID Manager supports a variety of use cases for device registration:

- An employee registers their personal device for use on the company network. They can use either the web-based interface of ID Manager or the new ID Manager applications for iOS and HTML5. Both the web-based interface and the applications have a simple, intuitive UI that allows entering user and device information and automatic generation of device keys in only a few steps. This use case is becoming the predominant requirement for BYOD. Employees expect to be able to access the company network on their personal devices, and to use them for both work-related and casual tasks during the workday. Providing an easy, convenient method of onboarding their own devices will reduce the IT workload considerably.
Figure: ID Manager iOS app, Personal Key Generation.
- A guest uses a self-service kiosk in the lobby to register a guest profile. Self-service kiosks are a convenient way for guests to register themselves, and may be a requirement if the lobby is not staffed, or not staffed continuously. ID Manager allows a self-service portal to be created and served via a web browser in a kiosk, with two options to do so:
  - IT can provision web-enabled computers or tablets in the lobby and set the guest policy through their HiveManager interface.
  - The IT administrators can also enable guests to self-register through a Captive Web Portal on the guests' own mobile devices.
  With either option, IT can specify encryption, time until expiration, and device profiles for registrations. The Aerohive Cloud Services Platform even includes automatic localization into different languages.

Figure: Captive Web Portal.

- A lobby host accesses the web-based ID Manager to generate a guest profile. The receptionist uses their computer or a tablet to access the web-based interface of ID Manager. A variety of guest profiles can be configured by IT and will then be presented to the receptionist so they can choose the appropriate guest profile, e.g. a temporary visitor, a summer intern or a long-term contractor, all with appropriate access rights.

Figure: ID Manager Web Interface, Guest Types.

- Employee sponsorship: an employee registers a guest, or a group of guests. This can also be done in advance of the actual visit so that the network key(s) will be ready upon the guests' arrival. The employee can do so by using:
  - The web-based interface of ID Manager, or
  - The new iOS ID Manager application on their mobile device.

Scalability and Ease of Maintenance through the Cloud

ID Manager utilizes the Aerohive Cloud Services Platform to eliminate the need for any additional hardware or software. As a result, it scales seamlessly, and can manage secure, profile-based access for thousands of users anywhere in the world.
Scalability is becoming a key requirement for BYOD systems in enterprises or higher education organizations (e.g. colleges). Consider an organization with 10,000 or more employees or students. A user population this size translates quickly into a need for more than 50,000 keys, plus keys for guests. ID Manager handles these and larger volumes of credentials. Another advantage of the cloud services platform is that the latest features and security enhancements are applied automatically, and across the entire user base - whether it is in one location or distributed internationally. These are very tangible benefits that help further reduce the IT workload associated with BYOD management.

Reporting

ID Manager includes comprehensive reporting features for tracking and analysis of device usage, including:

- Number of authentication requests, accepted and rejected
- Accounting log to track user data transfer
- Session time tracking
- Audit log for monitoring administrative and operator usage of the system

With this information, IT administrators are well equipped to monitor ongoing usage and determine whether any adjustments are needed to ensure the desired level and manner of system usage.

Summary

In the past, provisioning secure, identity-based BYOD management has required the attention of an already overstretched IT staff and front desk personnel to administer credentials. Today's enterprises need a solution that is simple to deploy and administer, and helps reduce the IT workload resulting from BYOD initiatives. ID Manager can effectively address these requirements: with its automated, simplified workflows it enables IT to offload key generation and basic management to employees. It enables secure, profile-based administration of credentials that provides well-defined access rights to employees and different types of guests, depending on their needs. With its comprehensive set of functionality, IT will be able to effectively manage the deployment of current and future BYOD initiatives.

About Aerohive

Aerohive (NYSE: HIVE) enables our customers to simply and confidently connect to the information, applications, and insights they need to thrive. Our simple, scalable, and secure platform delivers mobility without limitations. For our tens of thousands of customers worldwide, every access point is a starting point. Aerohive was founded in 2006 and is headquartered in Sunnyvale, CA. Aerohive is a registered trademark of Aerohive Networks, Inc.