The Challenges of BYOD for Campus Network

Leonard Raphael, 10th October 2013


Post on 24-Apr-2015


Page 2

Agenda

BYOD Momentum

Identifying the Risks with BYOD

Security as the Main Challenge

BYOD Creates Management Challenges & Role of Network Access Control

Mitigating Risk

Page 3

What to Expect …

BYOD Expertise

Know Every Device

Know Every User

Reduce Help Desk

Minimise Risk

Ensure Compliance

Page 4

BYOD Maturity Roadmap

Block

Contain

Disregard

Embrace

Visibility Automation

Page 5

BYOD Challenges

Archiving is much more difficult: Data on personally owned devices is more difficult to archive because some of it is stored on the mobile devices themselves, not necessarily on the backend servers that are operated by IT.

Monitoring content is more difficult: Monitoring content sent from and received by mobile devices is much more difficult than it is from a conventional desktop infrastructure. This means that legal and regulatory violations are easier to commit, which can lead to adverse legal judgments and regulatory sanctions.

Users are more autonomous: Mobile users tend to be more independent from IT's control because they are outside of the office and so IT cannot control how devices are used.

Compliance is more difficult: According to an Osterman Research survey, nearly two in five organisations find managing policies for e-discovery or regulatory compliance to be difficult or very difficult, while 35% find managing other types of policies to be this difficult. Managing mobile policies for issues like e-discovery and regulatory compliance is slightly more difficult than managing other types of policies.

The environment is more diverse: The normal desktop infrastructure consists of mostly Windows machines and possibly some Macs and maybe a few Linux machines. The typical BYOD environment, on the other hand, is much more diverse, typically consisting of iPhones, Android smartphones, iPads, Windows phones, BlackBerry devices, and other platforms. Further complicating the management of this environment is that there are multiple versions of the operating systems in use, each of which can provide users with slightly different capabilities.

Page 6

Containing the Risk of a Cyber Threat

Data Consolidation

Data Exfiltration

Internal Network Scan

Phishing Email on Device

Device Compromised

Attack Surface is Multiplying With Every New Device

Page 7

New Risks With Personal Mobile Devices

Configuration

Devices

Applications

Consistent

Unmanaged / Managed

Diverse

User Downloaded / Corp Push

Websites Open / Contained

Risk

Endpoint Protection Emerging / Mature

Page 8

Network Security Gap / Blindspots

NAC is now one of the key mechanisms for mitigating the risks of consumerisation (BYOD)

Gartner, Strategic Road Map for Network Access Control, Published: 11 October 2011, ID: G00219087

Enable BYOD

60% Know The Devices

9%

Page 9

Why are Personal Devices Risky?

Have Access to Campus Networks, Systems, and Data

Download/Store/Forward Sensitive Information

Page 10

Managing Risk of BYOD

Network Risk

Device Risk

Application Risk

Malicious Applications

Vulnerable Devices

Unauthorized Network Access

Page 11

Gartner’s Best Practices to Address BYOD

Mobile Device Mgmt

Hosted Virtual Desktop

Network Access Control

Page 12

Mitigate Risk

Implementing the right Technologies

Implement the right Network Policy

Providing the right Resources to meet the challenges.

Page 13

3 Phases of Network Access Control

Employee

Endpoint Compliance

Guest Networking

Consumerization BYOD

Corp Device

Guest Device

Hybrid Devices

Guest Hybrid Users

Page 14

Secure BYOD Essentials

NETWORK SENTRY

BYOD RISK MITIGATION

BYOD RISK ASSESSMENT

Page 15

Role-Based Network Access Policies

WHO WHAT WHERE WHEN

TRUSTED USERS

TRUSTED TIME

TRUSTED DEVICES

TRUSTED LOCATIONS

Page 16

Role-Based Access Policies

Profiles

Information Locations Devices

IP PII

Guest Access

Office

Telemarketer

Branch Office

Road

Laptop

SmartPhone

iPad

Desktop

Academic Staffs g g h h h a a a

Researchers g g h h a

Students g g h h h a a

University Staffs g h a

Guest Users g g a a

Page 17

SECURITY WIRED & WIRELESS MOBILITY

BYOD Network SmartEdge Platform

WHO WHAT WHERE WHEN

NETWORK SENTRY

NETWORK ACCESS CONTROL

SECURE BYOD

GUEST MANAGEMENT

REGULATORY COMPLIANCE

EDGE VISIBILITY

ENDPOINT COMPLIANCE

EASY 802.1X ONBOARDING

NETWORK ANALYTICS

Page 18

NAC – 3 Generations

Employee

Endpoint Compliance

Guest Networking

Consumerization BYOD

Corp Device

Guest Device

All Devices

Guest All Users

Appliance

Cloud

Virtual Server

Appliance Appliance

Virtual Server

1.0

2.0

3.0

Page 19

Network Edge Visibility

WHO WHAT WHEN

Real-Time Visibility

Single Network Sentry Appliance

….

LOCATION 2

LOCATION N

LOCATION 1

WHERE

VPN

Page 20

Network Inventory

Page 21

Secure BYOD / Network Access Control

Identify User

Assign Network Access

Assess Risk

Identify Device

No Access

Guest Access

Restricted Access

Unrestricted Access

Page 22

Device Profiling

Page 23

Safe Policy-Based Network Access

Location 1

Location HQ

Captive Portal

Faculty Data

Students Data

Guest Access

Low Trust Required VLAN

No Trust Required VLAN

Med Trust Required VLAN

High Trust Required VLAN

Faculty, Registered Device, Compliance

Student, Registered Device, Compliance

Any User, Any Device, Not Jailbroken

Any User, Any Device

Single Mgmt Appliance

Page 24

Guest Access

Guest Management

Location 1

Location HQ

Captive Portal

Single Mgmt Appliance

Remote Registration and Scanning

In need of assistance, please call the Help Desk.

Authorized Users

Pre-Authorized Guest With An Account

Device Registration

Self-Service Guest Registration

Welcome

To gain network access users are required to adhere to our established registration policies. Please select one of the following options:

Delegated & Automated

User

Device

Compliance

Page 25

End-to-End BYOD Solution

Enterprise SSID: Full Access

Guest SSID: Internet Only

Blocked Devices

Enterprise Resources

Network Sentry

Internet

Captive Portal

Classify User/Device/Location

Enforce Policies

Xirrus Wireless AP/Array

MDM

AAA

AD/LDAP

802.1x

Open or PSK

Restricted Access

Email

Apps

Databases

• Visibility
• Policy Manager
• Automation / Control
• Compliance

XMS

Mobility Device Management

Page 26

Network Analytics

Network Sentry/Analytics

HTTPS HTTPS

Network Sentry Appliance

Report Server

Network Sentry

Data Warehouse

Analytics Engine

Job Scheduler

Security Rules

WHO

WHAT

WHERE

WHEN

COMPLIANCE

INVENTORY

ANOMALIES

EXCEPTIONS

Page 27

SmartEdge Platform / Security

Eliminate BYOD Blind Spots

Guests, Contractors, Students

Active Directory Devices And Users

Non-Active Directory Devices and Users

AD Registered Devices & Users

100% Devices & Users

Partial Visibility Remediation

100% Visibility

Remediation

Palo Alto Networks Agent

Palo Alto Networks Firewall