By: Ahmed Rezk, Channel Systems Engineering Manager, Middle-East and Turkey at Aruba, a HPE Company
Navigating the landscape of enterprise security can be daunting – the threats typically fly under the radar, and the broad array of malware, hacks and data theft shows real innovation. Worse, the level of malicious sophistication is also on the upswing. In tandem, corporate users enjoy communicating, computing and transacting business on a variety of wired and wireless networks – using multiple devices. And the threat vectors continue to grow, exponentially.
Consequently, IT departments are turning to policy management platforms that give them visibility into who and what is connecting to their networks, with ways to measure and predict. They seek security management that is both adaptive to how people now work and is easily customized. And they want a management interface that accommodates wireless and remote users, as well as emerging technologies and services like cloud computing and the Internet of Things (IoT).
This is much more than ticking off boxes on a spec sheet – CISOs, CSOs and security professionals are demanding a fully integrated, multi-vendor approach for security management. Consequently, today's management platforms have to deliver a number of critical features including authentication, authorization, and accounting (AAA) services, which control access to networks and servers, automated workflows for BYOD and guest access, as well as providing audit and bill-back information, which are essential.
The platform must also be agile and sophisticated enough to embrace new levels of enforcement mechanisms for security in a mobile world. Today's security platforms must embrace authentication and enforcement models for wired networking; public wireless connectivity; and users who tunnel in via IP-based virtual private networks (VPNs) to be effective.
Security-conscious enterprises now require enforcement policies that utilize real-time contextual data to grant network privileges. In parallel, policy management platforms must support end-device profiling that identifies device types and respective attributes that connect to networks. And real-time troubleshooting tools are valuable as they solve connectivity and other end-user issues quickly. Enterprises have tried to achieve many of those objectives with siloed security products, but they are finding it more useful to reduce complexity – the number of management consoles – and the ability to use multiple solutions if they can automatically leverage contextual information between.
What this means is that there there is room for third-party products like mobile device management (MDM) and enterprise mobility management (EMM), firewalls and security information and event management tools. But the primary management platform must be used to coordinate defenses where everything works as a coordinated solution.
Migrating to Policy Management from Basic AAA
Since Active Directory or LDAP are still used to administer security policies for most internal users and devices, IT departments aren't able to perform enforcement using real-time contextual data. Context like user roles, device types, ownership, location, and app usage – are all essential to enforcing policies as users move through their day and work with multiple devices. With this model, laptops can be given more rights than smartphones based on device type, for example. Policy management takes all those factors into account and dynamically enforces which resources can be accessed.
In addition, today’s policy management systems let users configure their own devices for secure Wi-Fi or wired connectivity. Workflows that include MDM/EMM data makes it easy to detect if a device is company issued or BYOD.
This sort of security management transition can't be done in a firehose fashion; security professionals agree that a phased approach is the smartest way to move from legacy AAA to centralized policy management. IT departments can then ensure that highly mobile workers get seamless access to the apps, printers and network services they’re authorized to use, no matter where they are or what device they're using.
Managing in the BYOD Era
IT professionals have been sorely tested by the BYOD trend with both internal users and network guests. Managing the onboarding process of everyone's personal devices can strain IT and helpdesk resources, and if not properly handled, can also create security problems.
Robust management platforms allow for any Windows, Mac OS X, iOS, Android, Chromebook and Ubuntu devices to be automatically onboarded via a user-driven, self-guided portal. Required SSIDs, 802.1X settings and necessary device certificates are then automatically configured on authorized devices.
By working with unique device certificates, users then don't need to enter login credentials repeatedly throughout the day – or worry as much about password theft when connected to guest networks. Menu-driven capabilities ensure the rapid revocation and deletion of certificates for specific mobile devices if a user leaves an organization or if the device is lost or stolen.
How to Treat Guests
The BYOD challenges don't apply just to internal users. Any visitor – guest, customer, partner or other external third-party – will arrive with at least one device that requires network access – wired or wireless. Good security management requires a simple model that automates and simplifies the provisioning of network access for guests, but also provides expansive security features that keep data, computing resources and other users safe.
Self-registration lets guests create their own log-in credentials, which are delivered via printed badges, SMS text or email. Credentials can be stored for specific periods of time and set to expire automatically. Guest traffic on the network should also be configured to run separately from enterprise traffic.
Today's most robust security management platforms allow guest portals to be customized with options like advertising and local language support. Guest policy management must also include the ability to set bandwidth limitations on guest sessions to maintain service-level agreements and robust throughput for all users.
Network access management systems that integrate with next-generation, application-aware firewalls for additional protection against non-http traffic and content filtering that prevents access to inappropriate or offensive websites is also recommended.
Regular Checkups of Device Health
Prevention is especially good medicine for the security of enterprises and their datacenters. IT must have the means to perform endpoint health checks to ensure that laptops are fully compliant with internal requirements which check for the latest patches and updates before they're allowed to connect.
In addition to system-wide, per-session NAC protection, enterprises should be able to specify whether to allow or deny capabilities like peer-to-peer applications or USB storage devices. Administrator dashboards make it easy to identify non-compliant devices, users, and the reasons for non-compliance. Access can be denied if storage is not encrypted; this also gives IT leverage with users to ensure that offending laptops get updated as needed. Endpoints that aren't in compliance can be automatically remediated or quarantined with today's security management platforms.
These sorts of security functions are no longer just nice to have – they're essential to today's most competitive businesses. And with the advent of cloud computing and an explosion of IoT devices, robust security management is essential for enterprises. End-users – accustomed to high levels of performance, easy access and self-service – expect the same of business networks.
Security platforms that integrate policy management with authentication, authorization and accounting will lay the groundwork for more robust computing and IT-fueled productivity. And they’ll keep networks, devices, data and users safe in the process.