Solved

BYOD and wireless security

Posted on 2013-10-30
7
331 Views
Last Modified: 2013-10-31
What things are most important to consider for implementing WiFi for BYOD?  For BYOD WiFi should you require two factor auth to get onto the corporate LAN?  The idea is to make it easy for employees to use their own devices while not infecting the network or getting hacked.
0
Comment
Question by:amigan_99
7 Comments
 
LVL 17

Assisted Solution

by:pergr
pergr earned 166 total points
ID: 39614795
It is not only about authentication. You should also consider some sort of end-point-management, meaning checking that for example anti virus is up to date before allowing access to all resources.
0
 
LVL 22

Assisted Solution

by:rickhobbs
rickhobbs earned 167 total points
ID: 39614909
Using certificate, radius, or smart key and login authentication in addition to, as pergr said, end point antivirus and spyware management, should cover your BYOD device usage.
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 167 total points
ID: 39614929
A good NAC/NAP solution is something to look at, as well as a secure authentication platform.

Here's Cisco's take on BYOD.  It's a little dated (around a year old) but it's still very relevant...

https://supportforums.cisco.com/community/netpro/security/aaa/blog/2012/11/16/byod-presentations-at-cisco-live-cancun-2012
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 1

Author Closing Comment

by:amigan_99
ID: 39614981
Excellent - thanks much.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39615282
I'm late to the party
I’ll make this brief: BYOD is ok for non-critical or insensitive data. But you cannot expect MDM, NAC or DLP to let you have it both ways. We will not be able to stop dev’s or IT admins from getting BYOD if everyone else is too. Complexity is the enemy of security, BYOD adds untold complexity.
http://www.darkreading.com/sophoslabs-insights/forget-standardization-embrace-byod/240158442
The article above actually has this all wrong, and I can summarize it by using a single line from said article:
Employees can use any device to access corporate data or systems as long as the device is compliant with the security policy.
Sounds good on paper, fails in practice. Let’s say we do magically allow only authorized, encrypted, patched and anti-virus compliant devices to access the network. Cool, so no thief can see the data on the device should be it stolen, no one infects the device should the user launch a virus program, nice… What about if that user uses iCloud, and backs up Company data to apple, and apple get’s compromised, or an attacker does get past iCloud security: http://blog.crackpassword.com/2013/05/apple-two-factor-authentication-and-the-icloud/
MDM has no solution for another acronym, DLP. BYOD increases the surface area of Data Loss Prevention to the Nth degree.  Do not underestimate my kids, or any ones kids ability to do the wrong thing with the wrong data at anytime. I don’t let my kids have my work phone, but we do let them have our normal cell phones, when those lines are blurred by BYOD, who knows what can happen. Also note that there are precisely 1001 file sharing app’s out there, depending on the platform, some can be homegrown, written by the user. Some can be malicious and sold as legitimate:
http://www.symantec.com/connect/blogs/android-threat-tackles-piracy-using-austere-justice-measures
When you’re dealing with security, KISS, keep it simple stupid, and BYOD is not simple, and not simple is the enemy of security.
I cannot say this any better than it’s been said here: http://www.schneier.com/essay-323.html
Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it.
I cannot agree that we sacrifice security for convenience. I can’t see a point in BYOD, if we are somehow not providing enough desktops or laptops for everyone. BYOD is an excuse to be lazy, please give me one good example of BYOD is better than a PC or Laptop. You can’t control what the user is willingly doing or what they are wittingly doing. It’s easy for users to make mistakes with data.
I am with Marcus (link below), but Bruce starts out on Marcus’s side too, then switches at the end to embrace it, when everything he himself says that it’s a bad idea… go figure. Both think it’s a bad idea, one just accepts the fate that it’s going to happen anyway. We don’t have to accept that fate.

http://searchsecurity.techtarget.com/magazineContent/Should-enterprises-give-in-to-IT-consumerization-at-the-expense-of-security
Bottom line, don't let BYOD's touch you're sensitive data, and doing that is next to impossible if someone is motivated.
-rich
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39615290
Truth be told... I don't agree with BYOD either.  It's just a way to help cut costs for hardware (as a false economy in my eyes).

People who make the decisions hear the buzz-words and attend the seminars but don't really understand the challenges or consequences.

But hey... {nod and smile}
0
 
LVL 61

Expert Comment

by:btan
ID: 39615660
Look out for the AUS DSD and US DoD (NIST sp800-124 and SP800-153 can be useful) -use of Mobile smartphone device and wireless. MDM, MAM and MRM coming to into picture...Importantly, the security responsibilities lies not only at Organisation but end user play a bigger role to deter inadvertent "bridge" to perpetrator ... of course they have many other means of coming in.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

In this article we have discussed about the OS X EI Capitan and how to fix Wi-Fi issue in OS X El Capitan. We have explained how to delete system level preferences and create a new Wi-Fi location to resolve Wi-Fi issue.
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now