As the demand for mobility continues to increase, and Wi-Fi continues to replace Ethernet as the preferred corporate access layer, many organizations are facing similar security issues and requirements. This is particularly significant with the increasing number of guests, contractors and employees who are using their own devices on corporate networks. In recent years, there has been an increase of personal devices entering the workplace with many organizations adopting BYOD policies.
Overall, having a Bring Your Own Device (BYOD) policy has proved to be a good business policy. By allowing employees, contractors and guests to connect their own devices, such as laptops, smartphones, and tablets, to the corporate wireless network, enterprises have been able to save money while increasing productivity and team motivation (Frost & Sullivan). However, there are certain challenges to securing the organization’s WiFi network in a BYOD environment. Without addressing these issues properly, you are leaving your company’s assets and data vulnerable.
Approaches to BYOD on WiFi
Some companies allow BYOD usage for everybody, on the company WiFi, whether employees, contractors or guests, while others maintain a strict Zero BYOD-WiFi hookup. There are companies that choose the middle ground approach of allowing employees to connect their own devices on the corporate wireless network but have a separate WiFi network for guests and contractors, and some allow contractors to connect to the company WiFi for specific tasks. Either way, the question of how to handle BYOD and WiFi security seems to come up in many conversations we have with IT teams in regards to network security and secure mobile device management.
How Does BYOD Impact the Security of Company Wireless Networks?
In general, security risks comprise the most serious challenges in a BYOD environment (other than the danger of overloading your bandwidth and IT support issues). Once employees leave the company, they take their personal devices. This could mean that sensitive corporate data and assets (intellectual or physical) are unsecured, especially in environments that use passkeys for WiFi access. Enforcing security policies on the endpoints that are not owned by the company is not practiced by many companies as it seems like an impossible task for IT Departments, however, below we will discuss the easier methods and controls that can be implemented, rather easily, to make sure that WiFi-BYOD security is properly addressed.
Data leakage – If an employee neglects to install a security update on their private device, it could put your data at risk. Mobile devices such as laptops, phones and tablets are susceptible to cyber-attacks and require constant patch updates to handle security loopholes, and even a single missed patch can leave your company, and its data, vulnerable. These devices are constantly exposed to vulnerabilities and it is difficult to control which corporate data might be accessed via these endpoints.
Malware infections – If an employee were to accidentally install malware onto their device, while it is connected to the corporate WiFi network, they could spread the malware to other devices. The employee might even unknowingly install keylogging software, thereby enabling unauthorized users to obtain company usernames and passwords, and use them to gain access to sensitive or private enterprise data.
IT infrastructure – Most organizations with BYOD policies must invest time, energy, and money to assure that BYOD policies are compliant with security and privacy policies. To avoid the need to divert more time and resources later on to fix problems, IT personal must make sure to implement BYOD nac exactly according to policy from the beginning.
Mixing corporate and personal data – Sometimes it is difficult to distinguish between personal data and corporate data. If the endpoint were to be lost or stolen, company data would be at risk of exposure. There are also privacy concerns when employees leave the company.
Employee, Guest and Contractor BYOD – The Differences
Guests – Typically, these are visitors that are around for short visits, and in some work places we have observed that the same WiFi network that is used for employee devices is made available to guests.
Contractors – Most often these are professionals, outsourced to perform a specific job or project, sometimes collaborating with employees, and therefore they remain at the company (physically or virtually) for longer time periods compared with guests, and require the use of their own devices. In this case we have observed access that is granted to more sensitive data and resources, depending on the project, such as accounting, HR, legal, insurance, IT, intellectual data, technology, and more.
Employees – the permanent team members who may require access 24/7/365 depending on how geo-distributed the organization is and how quickly they need to be able to access corporate data to perform their duties.
Individual User WiFi Authentication
When examining WiFi security, it is crucial to consider the method being used to authenticate to the network. At Portnox we recommend WPA2-Enterprise, also referred to as WPA-802.1X mode. It authenticates to WiFi by using different identities instead of a single password. An identity can be credentials (user + password) or it can be a digital certificate. The WPA2-Enterprise authentication method is a great fit for any enterprise, large or small, allowing organizations to properly secure their wireless networks and making sure that they are compliant with security best practices.
By implementing enterprise-grade WiFi security that can authenticate all devices requesting access to the network, all endpoints are better protected. Access can be set to identify suspicious endpoints and to deny network access. This would protect the most internal network with the most important data and assets as wells as help to safeguard technology assets and employee devices.
Implementing identity-based WiFi access control would mean that employees are granted access based on their personal user ID or credentials, thus dramatically reducing the chances of unauthorized access to the organization’s Wi-Fi network, and it would ensure a much better security standard over the shared password practice. Team members will have access to corporate WiFi, that would allow them access to the systems and information to best perform their jobs. However, if they leave the company, instead of having to change everybody’s password for WiFi, you only have to cancel out those individual credentials.
Practices for Securing BYOD
Using enterprise-grade WiFi security enables the company to allow access to specific SSIDs and to authenticate based on any method. Some companies set up an SSID dedicated to employees for both company-issued and personal devices. This means that employees can connect their smartphones, tablets, etc. to that WiFi network, and it is a separate SSID from the one used for guests and contractors. The guests at these companies can connect to a pure guest internet connection.
In cases where the company is using Active Directory credentials to authenticate to the network, the company cannot stop employees from connecting their BYOD. So the best practice in cases like these is to have managed corporate devices authenticated with certificates, to use personal AD credentials to authenticate employee BYOD and to have easy onboarding for guests and contractors via a separate SSID. If contractors need access to certain corporate data, temporary user credentials could be provided.
Some companies do not have Public Key Infrastructure (PKI) so they are “stuck” using personal credentials and thus, cannot completely control employee BYOD and enforce to use company vs. BYOD network. Still, when using SaaS/cloud-delivered WiFi security such as Portnox CLEAR, CLEAR itself includes a certificate authority. This means that companies can issue network authentication certificates to their corporate endpoints, without the need to deploy PKI (unless there is already such infrastructure in place).
Taking the Next Step
Allowing employees, contractors and guests to connect their devices to the company WiFi network can be done in a secure and simple way. By taking a few easy steps online, you can keep your WiFi network, company assets and data secure while incorporating a productive and user-friendly BYOD environment. Regardless of how you would like to authenticate devices, Portnox CLEAR’s Secure WiFi can help you navigate through the process and provides easy SaaS implementation within a few minutes. Contact Portnox Security today for expert advice to help you move forward with your secured BYOD & WiFi.
See a Demo of CLEAR – Please fill out this form: