Solved

BYOD and wireless security

Posted on 2013-10-30
Last Modified: 2013-10-31
What things are most important to consider for implementing WiFi for BYOD?  For BYOD WiFi should you require two factor auth to get onto the corporate LAN?  The idea is to make it easy for employees to use their own devices while not infecting the network or getting hacked.
Question by:amigan_99
7 Comments
 
LVL 17

Assisted Solution

by:pergr
pergr earned 166 total points
ID: 39614795
It is not only about authentication. You should also consider some sort of endpoint management, meaning checking that, for example, antivirus is up to date before allowing access to all resources.
 
LVL 22

Assisted Solution

by:Rick Hobbs
Rick Hobbs earned 167 total points
ID: 39614909
Using certificate, radius, or smart key and login authentication in addition to, as pergr said, end point antivirus and spyware management, should cover your BYOD device usage.
 
LVL 46

Accepted Solution

by:Craig Beck
Craig Beck earned 167 total points
ID: 39614929
A good NAC/NAP solution is something to look at, as well as a secure authentication platform.

Here's Cisco's take on BYOD.  It's a little dated (around a year old) but it's still very relevant...

https://supportforums.cisco.com/community/netpro/security/aaa/blog/2012/11/16/byod-presentations-at-cisco-live-cancun-2012
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 39614981
Excellent - thanks much.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39615282
I'm late to the party.
I’ll make this brief: BYOD is OK for non-critical or insensitive data. But you cannot expect MDM, NAC or DLP to let you have it both ways. We will not be able to stop devs or IT admins from getting BYOD if everyone else is too. Complexity is the enemy of security; BYOD adds untold complexity.
http://www.darkreading.com/sophoslabs-insights/forget-standardization-embrace-byod/240158442
The article above actually has this all wrong, and I can summarize it by using a single line from said article:
"Employees can use any device to access corporate data or systems as long as the device is compliant with the security policy."
Sounds good on paper, fails in practice. Let’s say we do magically allow only authorized, encrypted, patched and anti-virus compliant devices to access the network. Cool, so no thief can see the data on the device should it be stolen, no one infects the device should the user launch a virus program, nice… What about if that user uses iCloud, and backs up company data to Apple, and Apple gets compromised, or an attacker does get past iCloud security: http://blog.crackpassword.com/2013/05/apple-two-factor-authentication-and-the-icloud/
MDM has no solution for another acronym, DLP. BYOD increases the surface area of Data Loss Prevention to the Nth degree. Do not underestimate my kids’, or anyone’s kids’, ability to do the wrong thing with the wrong data at any time. I don’t let my kids have my work phone, but we do let them have our normal cell phones; when those lines are blurred by BYOD, who knows what can happen. Also note that there are precisely 1001 file sharing apps out there; depending on the platform, some can be homegrown, written by the user. Some can be malicious and sold as legitimate:
http://www.symantec.com/connect/blogs/android-threat-tackles-piracy-using-austere-justice-measures
When you’re dealing with security, KISS, keep it simple stupid, and BYOD is not simple, and not simple is the enemy of security.
I cannot say this any better than it’s been said here: http://www.schneier.com/essay-323.html 
"Security is always a tradeoff, and security decisions are often made for non-security reasons. In this case, the right decision is to sacrifice security for convenience and flexibility. Corporations want their employees to be able to work from anywhere, and they're going to have loosened control over the tools they allow in order to get it."
I cannot agree that we sacrifice security for convenience. I can’t see a point in BYOD, if we are somehow not providing enough desktops or laptops for everyone. BYOD is an excuse to be lazy; please give me one good example of where BYOD is better than a PC or laptop. You can’t control what the user is willingly doing or what they are wittingly doing. It’s easy for users to make mistakes with data.
I am with Marcus (link below), but Bruce starts out on Marcus’s side too, then switches at the end to embrace it, when everything he himself says is that it’s a bad idea… go figure. Both think it’s a bad idea; one just accepts the fate that it’s going to happen anyway. We don’t have to accept that fate.

http://searchsecurity.techtarget.com/magazineContent/Should-enterprises-give-in-to-IT-consumerization-at-the-expense-of-security
Bottom line, don't let BYODs touch your sensitive data, and doing that is next to impossible if someone is motivated.
-rich
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39615290
Truth be told... I don't agree with BYOD either.  It's just a way to help cut costs for hardware (as a false economy in my eyes).

People who make the decisions hear the buzz-words and attend the seminars but don't really understand the challenges or consequences.

But hey... {nod and smile}
 
LVL 63

Expert Comment

by:btan
ID: 39615660
Look out for the AUS DSD and US DoD (NIST SP800-124 and SP800-153 can be useful) - use of mobile smartphone devices and wireless. MDM, MAM and MRM are coming into the picture... Importantly, the security responsibility lies not only with the organisation, but the end user plays a bigger role to deter an inadvertent "bridge" to a perpetrator... of course they have many other means of coming in.