A boundless approach to BYOD

Impressions Following InfoSec 2013 and other…..

Expectedly, the recurring trend among exhibiting security vendors was BYOD – most of whom exploited the threats and current available solutions for the BYOD scenario, centering their pitch on the vulnerability that BYOD creates for networks, whether security related or policy related. <!–more>

On the other side of the spectrum, it was interesting to note that the network administrators/managers coming to our booth were voicing many pains regarding their NAC abilities/subsequent blind spots, and were more interested in hearing about comprehensive solutions for their networks, perhaps in an understanding that BYOD was only part of their challenge.

So why was there an apparent gap between the market buzz, and the noise we heard on the ground?

Let’s think about it; there is no doubt that BYOD solutions come to challenge the real and potent vulnerability of wireless network layers to unknown mobile devices. The question I ask is why are the not less compelling threats from the “traditional access layers” not discussed with the same sense of urgency and “buzz”?  If anything, these threats have increased owing to the rapidly changing landscape of the network array.

One of the main pitches one could hear from BYOD vendors is the crucial phase of “mapping the workforce”, in an attempt to define who/when/what can use a personal device to access the corporate network –  this being an indispensable prerequisite for any BYOD technology to truly succeed. Here, in their opinion, lies the success or failure of any BYOD deployment. Let’s analyze for a second what that is actually spelling out; Most BYOD solutions tackle three fundamental questions; what type of device is in use? Where is the device accessing the network? And maybe most importantly- What type of data is the device accessing remotely?Now, are these BYOD questions, or do they relate to all NAC scenarios?

I would argue that it is these fundamental questions that are actually at the core, and relate to NAC in general. Network security really doesn’t begin, or end with BYOD, despite the enormous market buzz. You can scrutinize personal devices as much as you like, choosing to deploy MDM technologies, agents and certificates, whilst at the same neglect your network’s virtual array, your cloud applications, or even the unpretentious Ethernet ports at your organization which are generally not “considered” to be a threat at all. Moreover, what good are the various BYOD technologies if you can’t enforce them over ALL of the network? After all- When a guest at your company connects his personal laptop into an Ethernet port in your meeting room, would anyone even notice that this is a BYOD scenario? Probably not.

A boundless approach on the other hand that challenges the conventional NAC approach of looking under the lampost necessitates a comprehensive look at the network. The solution needs to be able to locate and scrutinize ALL the non-corporate devices, on all access layers,  have them undergo registration with the various MDMs if present, or undergo satisfactory authentication if not,  without making changes to infrastructure in the process.  Don’t get me wrong, BYOD must be on your agenda, but it goes hand in hand with a comprehensive and smart NAC solution for your entire network.

Alex Moeller