BYOD in the Enterprise
With the “consumerization of IT”, users are no longer content with the standard business offering and instead want broader flexibility to use their own devices such as the iPhone and iPad. This change results in a serious issue for businesses (especially Enterprise organisations), as it is difficult to support an ever growing number of devices, as well as ensure security is maintained and corporate policies are enforced.
This challenge is often summarised by the industry as “Bring Your Own Device” or “BYOD”; however, in my opinion it is much more about platform independence, as companies may start to offer support for non-standard devices and operating systems but still require them to be corporate owned. In fact, I predict that for most Enterprises, corporate owned devices will be their first step towards true BYOD.
Regardless of the depth of BYOD, the challenge for IT remains the same: how do you deliver a strategy that will enable secure device access, visibility, and policy control, without impacting the user experience? In my opinion the answer lies with the network.
Over the past year we have seen a boom in Mobile Device Management (MDM) vendors, which all aim to provide a control mechanism for mobile devices (iPhone, iPad, etc.). The problem is that these services often rely upon third party software (an app) being installed on each individual device. This in itself raises some challenges (like how you get the app to the device), but more worryingly puts your business at the mercy of the MDM vendor. For example, when Apple releases the next major update (at least once a year) or Windows 8 / Android finally takes off with a “killer device”, the business will have to wait for it to be supported by the MDM vendor. This in itself could take months, which immediately puts IT behind the business need (not a great place to be).
That is why I believe a better approach is to build the relevant security, control and visibility mechanisms directly into the network, creating an intelligent network. This does not mean that you don’t need an MDM vendor (because you do); however in my opinion this should be looked at as a small part of the broader strategy.
Why build an “Intelligent Network”?
Imagine a world where a user connects to the corporate network (via cable, wireless or remote access) and the network automatically authenticates the user and their device (independently) and based on the result seamlessly provides the appropriate level of access. For example, an employee with a corporate (Windows based) laptop may get full access (trusted), but that same user with an Apple Mac or an iPad (non-trusted) may only get limited access (maybe Internet and VDI).
Even with this basic feature enabled, the risk (security and compliance) has been significantly reduced, as you can guarantee that non-trusted devices are segregated, therefore reducing the impact of virus and malware propagation, as well as ensuring you have complete control over their level of access. The other great thing is that all of this control is achieved without impacting the user experience (no additional user interaction or training required).
So that covers access and control, how about on-boarding (AKA provisioning)? Again, imagine if a user were to connect a non-trusted device to the corporate network, but instead of getting access denied they are automatically prompted to identify the device (possibly via an MDM service). This would allow the user to accept a corporate policy and seamlessly register the device, at which point the network would provision any required profiles (certificates) and instantly provide a pre-defined level of access. This automatic on-boarding (provisioning) process could be a huge time saver for IT support and enable the user to instantly start using the new device, while all the time having guaranteed the appropriate security and control is in place.
The final component would be visibility, with the main requirement being the ability to quickly see and pull reports for all end devices connected to the network (across all access types) as well as instantly take action in the event of an issue. This level of visibility is rarely achieved today in large networks, normally requiring end point management software to report on the client’s health. Unfortunately, as previously described, the requirement for client software is less viable in a platform independent (BYOD) world.
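To make the three components above (access control, on-boarding and visibility) concrete, here is an added worked example, not code from the original post and not Cisco ISE’s own API. It is a toy policy engine in Python: the user and the device are evaluated independently, an unknown device is sent to an on-boarding portal rather than being denied, a registered device whose credential fails is denied, and every decision is logged so that endpoints can be reported by access level. All VLAN numbers, ACL names, device identifiers and the “trusted platform” list are constructed placeholders.

```python
"""Toy network-access policy engine (constructed example, not Cisco ISE code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Access(Enum):
    DENY = "deny"
    ONBOARD = "onboarding-portal"  # registration portal only, no corporate resources
    LIMITED = "limited"            # Internet and VDI only
    FULL = "full"                  # trusted corporate device


# Constructed enforcement table: what the network applies for each decision.
# VLAN numbers and ACL names are placeholders, not real configuration.
ENFORCEMENT: Dict[Access, Dict[str, str]] = {
    Access.DENY: {"vlan": "none", "acl": "drop-all"},
    Access.ONBOARD: {"vlan": "900", "acl": "portal-only"},
    Access.LIMITED: {"vlan": "200", "acl": "internet-and-vdi"},
    Access.FULL: {"vlan": "100", "acl": "corporate-full"},
}

# Assumption for this example: only corporate-owned Windows devices are fully trusted.
TRUSTED_PLATFORMS = {"windows"}


@dataclass(frozen=True)
class Session:
    user: str
    user_authenticated: bool     # user credential accepted (e.g. 802.1X)
    device_id: str               # stable device identity, e.g. certificate subject
    device_authenticated: bool   # device credential (certificate) validated
    platform: str                # "windows", "macos", "ios", ...
    medium: str                  # "wired", "wireless" or "vpn"


@dataclass
class Inventory:
    """Registered devices; populated by the on-boarding step."""
    registered: Dict[str, bool] = field(default_factory=dict)  # device_id -> corporate_owned

    def register(self, device_id: str, corporate_owned: bool) -> None:
        self.registered[device_id] = corporate_owned


def decide_access(s: Session, inv: Inventory) -> Access:
    """User and device are evaluated independently; unknown devices get the portal, not a denial."""
    if not s.user_authenticated:
        return Access.DENY
    if s.device_id not in inv.registered:
        return Access.ONBOARD
    if not s.device_authenticated:
        # registered device whose credential failed: untrusted, not merely unknown
        return Access.DENY
    if inv.registered[s.device_id] and s.platform in TRUSTED_PLATFORMS:
        return Access.FULL
    return Access.LIMITED


@dataclass
class EndpointLog:
    """Visibility: one record per session across all access types."""
    records: List[Dict[str, str]] = field(default_factory=list)

    def record(self, s: Session, access: Access) -> Dict[str, str]:
        entry = {"user": s.user, "device": s.device_id, "platform": s.platform,
                 "medium": s.medium, "access": access.value, **ENFORCEMENT[access]}
        self.records.append(entry)
        return entry

    def report(self, access: Access) -> List[str]:
        """Device identifiers currently recorded at the given access level."""
        return [r["device"] for r in self.records if r["access"] == access.value]


def admit(s: Session, inv: Inventory, log: EndpointLog) -> Dict[str, str]:
    """Decide, enforce (via the table) and log in one step."""
    return log.record(s, decide_access(s, inv))


if __name__ == "__main__":
    inv, log = Inventory(), EndpointLog()
    inv.register("laptop-01", corporate_owned=True)
    # Same user, corporate Windows laptop on the wire: full access.
    print(admit(Session("alice", True, "laptop-01", True, "windows", "wired"), inv, log))
    # Same user, unknown iPad on wireless: sent to the on-boarding portal.
    print(admit(Session("alice", True, "ipad-07", False, "ios", "wireless"), inv, log))
    # After registration (personally owned) the iPad gets limited access.
    inv.register("ipad-07", corporate_owned=False)
    print(admit(Session("alice", True, "ipad-07", True, "ios", "wireless"), inv, log))
    print("limited devices:", log.report(Access.LIMITED))
```

The order of checks is the point: user identity is required first, an unregistered device is routed to on-boarding rather than blocked, and a registered device that fails its own credential check is denied outright, since a known device presenting a bad certificate is a different risk from a device nobody has seen before.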
To summarise, by enabling an intelligent network we can guarantee access and security is maintained (regardless of the device) as well as automatically handling device on-boarding and gaining full end point visibility.
Sounds great, but is it even possible?
Introducing Cisco Identity Services Engine (ISE), which is part of Cisco’s Borderless Network Architecture and is an evolution of the Cisco security product range. More specifically, it consolidates existing products and services, such as ACS and NAC, into one unified platform.
It enables and underpins all of the above features to deliver a truly intelligent network, including secure device access, on-boarding and policy control, as well as full end point visibility (of every device on your network). It even enables end point posture assessment and seamlessly integrates with the major MDM vendors (such as MobileIron).
The video below highlights the key features of Cisco ISE and how it enables businesses to proactively prepare for their inevitable BYOD future:
As described in the video, Cisco ISE can be deployed in a centralised or decentralised model, offering deployment flexibility for different environments. It’s also available as a dedicated appliance or as a virtual image (VMware), so you can set up and configure Cisco ISE incredibly quickly, even putting it into “monitor only” mode, ensuring there will be no impact to your production network.
Personally I’m very excited about the prospect of Cisco ISE, as for me it is the first BYOD solution that offers unified access across wired, wireless and remote access and doesn’t rely upon specific end point software. I will be watching (and testing) this technology over the next few months to see if it can live up to the vision.