The Challenges of BYOD for Campus Networks
Leonard Raphael, 10th October 2013
Agenda
BYOD Momentum
Identifying the Risks with BYOD
Security as the Main Challenge
BYOD Creates Management Challenges and the Role of Network Access Control
Mitigating Risk
BYOD Expertise: Know Every Device, Know Every User, Reduce Help Desk Burden, Minimise Risk, Ensure Compliance
What to Expect …
BYOD Maturity Roadmap: Disregard → Block → Contain → Embrace, with visibility and automation increasing at each stage
BYOD Challenges

Archiving is much more difficult. Data on personally owned devices is harder to archive because some of it is stored on the mobile devices themselves, not necessarily on the backend servers operated by IT.

Monitoring content is more difficult. Monitoring content sent from and received by mobile devices is much harder than on a conventional desktop infrastructure. This means legal and regulatory violations are easier to commit, which can lead to adverse legal judgments and regulatory sanctions.

Users are more autonomous. Mobile users tend to be more independent of IT's control because they are outside the office, so IT cannot control how the devices are used.

Compliance is more difficult. According to an Osterman Research survey, nearly two in five organisations find managing policies for e-discovery or regulatory compliance difficult or very difficult, while 35% find managing other types of policies this difficult. Managing mobile policies for issues like e-discovery and regulatory compliance is slightly more difficult than managing other types of policies.

The environment is more diverse. The normal desktop infrastructure consists mostly of Windows machines, possibly some Macs and maybe a few Linux machines. The typical BYOD environment, on the other hand, is much more diverse, typically consisting of iPhones, Android smartphones, iPads, Windows Phones, BlackBerry devices and other platforms. Further complicating management, multiple versions of each operating system are in use, each of which gives users slightly different capabilities.
Containing the Risk of a Cyber Threat
Attack chain through a personal device: Phishing Email on Device → Device Compromised → Internal Network Scan → Data Consolidation → Data Exfiltration
Attack Surface is Multiplying With Every New Device
New Risks With Personal Mobile Devices (risk rises from the corporate column to the personal column)
                      Corporate-owned    Personal (BYOD)
Configuration         Consistent         Diverse
Devices               Managed            Unmanaged
Applications          Corp Push          User Downloaded
Websites              Contained          Open
Endpoint Protection   Mature             Emerging
Network Security Gap / Blindspots
"NAC is now one of the key mechanisms for mitigating the risks of consumerisation (BYOD)." Gartner, Strategic Road Map for Network Access Control, published 11 October 2011, ID G00219087
Why are Personal Devices Risky?
Enable BYOD: 60%
Know the devices: 9%
Personal devices have access to campus networks, systems and data, and can download, store and forward sensitive information.
Managing Risk of BYOD
Network Risk: Unauthorized Network Access
Device Risk: Vulnerable Devices
Application Risk: Malicious Applications
Gartner's Best Practices to Address BYOD
Mobile Device Management
Hosted Virtual Desktop
Network Access Control
Mitigate Risk: implement the right technologies, implement the right network policy, and provide the right resources to meet the challenges.
3 Phases of Network Access Control
Phase      Endpoint Compliance   Guest Networking   Consumerization / BYOD
Users      Employee              Guest              Hybrid Users
Devices    Corp Device           Guest Device       Hybrid Devices
Secure BYOD Essentials
Network Sentry
BYOD Risk Mitigation
BYOD Risk Assessment
Role-Based Network Access Policies
WHO: Trusted Users
WHAT: Trusted Devices
WHERE: Trusted Locations
WHEN: Trusted Time
Role-Based Access Policies
Policy matrix (slide graphic): the profiles Academic Staff, Researchers, Students, University Staff and Guest Users are each mapped against Information (IP, PII), Locations (Office, Telemarketer, Branch Office, Road, Guest Access) and Devices (Laptop, SmartPhone, iPad, Desktop). The per-cell permission marks are not recoverable from the extracted text.
BYOD Network SmartEdge Platform
Security, Wired & Wireless, Mobility: WHO, WHAT, WHERE, WHEN
Network Sentry components: Network Access Control, Secure BYOD, Guest Management, Regulatory Compliance, Edge Visibility, Endpoint Compliance, Easy 802.1X Onboarding, Network Analytics
NAC – 3 Generations
Generation   1.0 Endpoint Compliance   2.0 Guest Networking         3.0 Consumerization / BYOD
Users        Employee                  Guest                        All Users
Devices      Corp Device               Guest Device                 All Devices
Deployment   Appliance                 Appliance, Virtual Server    Appliance, Virtual Server, Cloud
Network Edge Visibility: WHO, WHAT, WHEN, WHERE
Real-time visibility and network inventory from a single Network Sentry appliance across Location 1, Location 2 … Location N and VPN
Secure BYOD / Network Access Control
Identify User → Identify Device (device profiling) → Assess Risk → Assign Network Access
Outcomes: No Access, Guest Access, Restricted Access, Unrestricted Access
Safe Policy-Based Network Access
Location 1 and Location HQ, captive portal, single management appliance
Resource        Required VLAN   Conditions
Faculty Data    High Trust      Faculty, Registered Device, Compliance
Students Data   Med Trust       Student, Registered Device, Compliance
Guest Access    Low Trust       Any User, Any Device, Not Jailbroken
(none)          No Trust        Any User, Any Device
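The NAC flow (Identify User → Identify Device → Assess Risk → Assign Network Access) and the trust-tier VLAN table above map directly onto an ordered, first-match policy engine, and the WHO / WHAT / WHERE / WHEN dimensions become the fields such an engine matches on. The following is an added example written for this page; it is not Network Sentry's or the presenter's code. The VLAN ids, the role names (faculty, student, staff, unknown), the staff_on_campus rule that exercises the WHERE and WHEN dimensions, and the sample sessions are all assumptions constructed for illustration.

```python
"""Ordered, first-match NAC policy engine for the WHO / WHAT / WHERE / WHEN model.

Added example for this page; not Network Sentry's or the presenter's code.
Role names, VLAN ids, the staff_on_campus rule and the sample sessions are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Access(Enum):
    NO_ACCESS = "No Access"               # captive portal / registration only
    GUEST = "Guest Access"                # Internet only
    RESTRICTED = "Restricted Access"
    UNRESTRICTED = "Unrestricted Access"


# Trust tier -> VLAN id. The tiers come from the deck; the ids are assumed.
TRUST_VLAN = {"high": 100, "medium": 200, "low": 300, "none": 999}


@dataclass(frozen=True)
class Device:                 # WHAT
    mac: str
    registered: bool          # present in the device inventory
    compliant: bool           # passed the endpoint compliance scan
    jailbroken: bool          # rooted/jailbroken according to device profiling


@dataclass(frozen=True)
class Session:
    user: Optional[str]       # WHO: None before the captive portal authenticates
    role: str                 # WHO: directory group (faculty, student, staff, unknown)
    device: Device            # WHAT
    location: str             # WHERE: hq, branch, road, vpn
    hour: int                 # WHEN: local hour, 0-23


@dataclass(frozen=True)
class Rule:
    name: str
    roles: Optional[FrozenSet[str]]      # None = any user
    need_registered: bool
    need_compliant: bool
    locations: Optional[FrozenSet[str]]  # None = any location
    hours: Optional[range]               # None = any time
    trust: str
    access: Access


@dataclass(frozen=True)
class Decision:
    rule: str
    vlan: int
    access: Access


# Most privileged first; the first matching rule wins. The final rule matches
# everything, so an unrecognised session lands in the no-trust VLAN instead of
# falling through.
RULES = (
    Rule("faculty_data", frozenset({"faculty"}), True, True, None, None,
         "high", Access.UNRESTRICTED),
    Rule("student_data", frozenset({"student"}), True, True, None, None,
         "medium", Access.RESTRICTED),
    # Assumed rule, added to exercise WHERE and WHEN: staff reach the restricted
    # VLAN only from campus locations between 07:00 and 19:59.
    Rule("staff_on_campus", frozenset({"staff"}), True, True,
         frozenset({"hq", "branch"}), range(7, 20), "medium", Access.RESTRICTED),
    Rule("guest_internet", None, False, False, None, None, "low", Access.GUEST),
    Rule("no_trust", None, False, False, None, None, "none", Access.NO_ACCESS),
)


def matches(rule: Rule, s: Session) -> bool:
    """True when every WHO / WHAT / WHERE / WHEN condition of the rule holds."""
    d = s.device
    # Assess Risk first: a jailbroken device is confined to the no-trust tier
    # regardless of who is holding it.
    if d.jailbroken and rule.trust != "none":
        return False
    if rule.roles is not None and s.role not in rule.roles:
        return False
    if rule.need_registered and not d.registered:
        return False
    if rule.need_compliant and not d.compliant:
        return False
    if rule.locations is not None and s.location not in rule.locations:
        return False
    if rule.hours is not None and s.hour not in rule.hours:
        return False
    return True


def evaluate(s: Session) -> Decision:
    """Identify User -> Identify Device -> Assess Risk -> Assign Network Access."""
    for rule in RULES:
        if matches(rule, s):
            return Decision(rule.name, TRUST_VLAN[rule.trust], rule.access)
    raise RuntimeError("RULES must end with a catch-all")  # unreachable as configured


if __name__ == "__main__":
    # Constructed sample sessions, not data from the deck.
    clean = Device("aa:bb:cc:00:00:01", registered=True, compliant=True, jailbroken=False)
    rooted = Device("aa:bb:cc:00:00:02", registered=True, compliant=True, jailbroken=True)
    for s in (Session("prof", "faculty", clean, "hq", 10),
              Session("prof", "faculty", rooted, "hq", 10),
              Session("admin", "staff", clean, "road", 10),
              Session(None, "unknown", Device("aa:bb:cc:00:00:03", False, False, False), "hq", 3)):
        d = evaluate(s)
        print(f"{s.role:8} {s.location:6} {s.hour:02d}h -> {d.rule:15} VLAN {d.vlan} {d.access.value}")
```

Two properties matter more than the particular rules. The jailbreak check runs before any role is consulted, so a privileged user cannot carry a rooted phone onto the faculty VLAN; a faculty member with an unregistered or non-compliant device drops to the guest tier rather than the faculty tier. And the catch-all rule is last, so a session that matches nothing else is placed in the captive-portal VLAN instead of inheriting an earlier decision.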
Guest Management
Location 1 and Location HQ, captive portal, single management appliance, remote registration and scanning
Captive portal text: "Welcome. To gain network access users are required to adhere to our established registration policies. Please select one of the following options: Authorized Users; Pre-Authorized Guest With An Account; Device Registration; Self-Service Guest Registration. If in need of assistance, please call the Help Desk."
Delegated and automated user/device compliance
End-to-End BYOD Solution
Enterprise SSID (802.1X): Full Access to Enterprise Resources (Email, Apps, Databases)
Guest SSID (Open or PSK): Internet Only
Restricted Access; Blocked Devices
Network Sentry: Visibility, Policy Manager, Automation / Control, Compliance; the captive portal classifies user, device and location and enforces policies
Integrations: Xirrus Wireless AP/Array, XMS, MDM, AAA (AD/LDAP)
Mobility Device Management
Network Analytics: Network Sentry / Analytics
Components linked over HTTPS: Network Sentry appliance, Report Server, Network Sentry Data Warehouse, Analytics Engine, Job Scheduler
Security Rules: WHO, WHAT, WHERE, WHEN
Reports: Compliance, Inventory, Anomalies, Exceptions
SmartEdge Platform / Security: Eliminate BYOD Blind Spots
Palo Alto Networks Firewall with the Palo Alto Networks Agent alone: AD-registered devices and users only (partial visibility, remediation)
Adding Network Sentry covers Active Directory and non-Active Directory devices and users (guests, contractors, students): 100% of devices and users, 100% visibility, remediation (recommended)