Securing Enterprises for BYOD
Gokul Nair, Product Manager, Cisco
‘Bring your own Device’ (BYOD) is one of the most talked-about terms in the technology world today. BYOD lets employees bring their work onto personal devices such as iPads and other tablets. While this gives employees a better blend of work and personal life, with the satisfaction and flexibility that go with it, it delivers improved productivity for enterprises through truly mobile and collaborative employees. It can also bring capex savings, since enterprises may no longer need to procure dedicated laptops or desktops for their employees. For these benefits, BYOD is a major phenomenon embraced by global enterprises today. And, as you might guess, enterprises in India are not behind in the game.
Comparison data covering the global market, compiled as part of a market study done by Cisco, validates the point clearly. With 94% of Indian IT leaders seeing growth in BYOD, and a strong 88% holding a positive outlook, it is evident that BYOD is going to grow in India in a big way in the coming years. Independent studies also report that 57% of Indian enterprises plan to invest in BYOD and mobile technologies as their highest priorities.
That means enterprises are no longer going to be the old closed environments. In order to keep enjoying the benefits of opex savings, increased productivity and flexibility, enterprises have already started adopting new business trends such as the mobile workforce, virtualized data centers and cloud computing in a big way, in addition to BYOD. Given this scenario, what is the top-of-mind concern of the CIOs of these enterprises?
Security and compliance! How can you secure access to your critical resources when your employees are no longer inside your enterprise premises? As expected, traditional IP-based access control mechanisms have limited effect in a dynamic environment like this. With the same access networks (wired or wireless) shared by different groups of users such as employees, contractors and guests, it is imperative to secure your campus network access with an end-to-end security solution as well. What parameter should such an end-to-end access control mechanism be based upon? It is undoubtedly ‘Identity’: the only parameter which remains the same irrespective of the location, time, device or medium used to connect to the network.
Configuring identity-based access control on your wireless network is the common norm. However, remote access over the internet or from branch networks, as well as your local wired network access, also needs to be secured with tight linkage to identity. Moreover, it is the need of the hour to ensure that highly granular access controls are enforced even after someone has been authenticated into your network, rather than granting him an unrestricted free ride end to end. Not just identity but also location, the device used for access, the time of day and the medium of access should all be used to decide the right level of access. This translates into the requirement for an overall context-based security solution! Solutions today have the capability to support identity-based rules. But in order to have a truly scalable and end-to-end solution, we need an intelligent, automated mechanism by which identity can be assigned and propagated to the firewall or your data center switch for rule enforcement.
Role-, group- or context-based tagging is one of the successfully deployed approaches to achieving this objective. Users or devices are classified and assigned specific tags depending on the policy configuration. Classification can make use of traditional network segmentation methods such as VLANs or IP subnets to ease migration to this model of tag-based access control. The tag information can be propagated from the ingress network to the enforcement device in a hardware-dependent way or a software-controlled way, depending on the readiness of your network to migrate to a tag-based access control model. At the enforcement device, access control lists taking the form of a matrix of source tag and destination tag give you a highly scalable, efficient and topology-independent end-to-end access control mechanism.
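To make the classification, propagation and matrix enforcement described above concrete, here is an added example in Python. It is not Cisco code and not part of the original article: the tag names, subnets, classification rules and sample sessions are all constructed for illustration, and the hardware-dependent versus software-controlled propagation paths are modelled simply as a tag carried inline with the flow versus an IP-to-tag binding published by the ingress.

```python
"""Tag-based end-to-end access control, modelled in Python.

Added example, not Cisco's code: a user or device is classified into a source tag
at the ingress from identity plus context, the tag is propagated to the enforcement
point, and a source-tag x destination-tag matrix decides each flow. All tag names,
subnets, rules and sample sessions below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, Optional


@dataclass(frozen=True)
class Session:
    """Context gathered when someone authenticates at the ingress."""
    identity: str
    group: Optional[str]   # directory group; None for an unauthenticated guest
    device_type: str       # 'managed-laptop', 'byod-tablet', 'byod-phone', ...
    medium: str            # 'wired', 'wireless', 'vpn'
    location: str          # 'campus', 'branch', 'remote'
    login_time: time
    src_ip: str


def classify(s: Session) -> str:
    """Ingress classification: identity picks the base role, context narrows it.
    Constructed rules: contractors are trusted only on campus, on the wire, in business
    hours; staff on an unmanaged (BYOD) device get a narrower tag than on a managed laptop."""
    if s.group == "staff":
        return "EMPLOYEE" if s.device_type == "managed-laptop" else "EMPLOYEE_BYOD"
    if s.group == "contractor":
        on_site = s.location == "campus" and s.medium == "wired"
        in_hours = time(8, 0) <= s.login_time < time(18, 0)
        return "CONTRACTOR" if on_site and in_hours else "GUEST"
    return "GUEST"


# Destination tags derived from existing IP segmentation (the migration path the
# text describes). Constructed subnets; the longest matching prefix wins.
DEST_SUBNETS = {
    ip_network("10.10.0.0/16"): "DC_FINANCE",
    ip_network("10.20.0.0/16"): "DC_SHARED",
    ip_network("0.0.0.0/0"): "INTERNET",
}


def dest_tag(dst_ip: str) -> str:
    addr = ip_address(dst_ip)
    return DEST_SUBNETS[max((n for n in DEST_SUBNETS if addr in n), key=lambda n: n.prefixlen)]


# The policy matrix, one row per source tag: the set of destination tags it may reach.
# Any (source, destination) pair not listed is denied, so this is the one place the
# business policy lives, regardless of VLANs, subnets or where the user connected.
POLICY = {
    "EMPLOYEE": {"DC_FINANCE", "DC_SHARED", "INTERNET"},
    "EMPLOYEE_BYOD": {"DC_SHARED", "INTERNET"},
    "CONTRACTOR": {"DC_SHARED"},
    "GUEST": {"INTERNET"},
}


def enforce(src_tag: str, dst_ip: str) -> str:
    """Enforcement point (firewall or data-centre switch): a tag x tag lookup.
    The source IP never appears here, which is what makes the rules topology independent."""
    return "permit" if dest_tag(dst_ip) in POLICY.get(src_tag, set()) else "deny"


def decide(src_ip: str, dst_ip: str, bindings: Dict[str, str],
           inline_tag: Optional[str] = None) -> str:
    """Two propagation models from the text. Hardware-assisted: the tag arrives inline
    with the frame (inline_tag). Software-controlled: the ingress published an
    IP-to-tag binding and the enforcer looks it up; an unknown host gets no row."""
    tag = inline_tag if inline_tag is not None else bindings.get(src_ip, "UNKNOWN")
    return enforce(tag, dst_ip)


SAMPLE_SESSIONS = [  # constructed sample logins
    Session("alice", "staff", "managed-laptop", "wired", "campus", time(9, 30), "192.0.2.10"),
    Session("alice", "staff", "byod-tablet", "wireless", "campus", time(9, 35), "192.0.2.11"),
    Session("bob", "contractor", "managed-laptop", "wired", "campus", time(10, 0), "192.0.2.12"),
    Session("bob", "contractor", "managed-laptop", "wired", "campus", time(20, 0), "192.0.2.13"),
    Session("visitor", None, "byod-phone", "wireless", "campus", time(11, 0), "192.0.2.14"),
]


def run_demo() -> Dict[str, Dict[str, str]]:
    """Classify each sample session, publish its binding, then probe three destinations."""
    bindings = {s.src_ip: classify(s) for s in SAMPLE_SESSIONS}
    return {
        f"{s.identity}@{s.src_ip}": {
            "tag": bindings[s.src_ip],
            "finance": decide(s.src_ip, "10.10.5.5", bindings),
            "shared": decide(s.src_ip, "10.20.1.1", bindings),
            "internet": decide(s.src_ip, "203.0.113.9", bindings),
        }
        for s in SAMPLE_SESSIONS
    }


if __name__ == "__main__":
    for who, verdicts in run_demo().items():
        print(who, verdicts)
```

Run it directly to see the verdict per session. The point to notice is that the same identity (alice) lands in two different rows of the matrix depending on device, that bob is demoted to a guest tag purely on time of day, and that the enforcement function never sees a source address at all: moving a user to another subnet or access medium changes only the ingress binding, not a single rule.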
Combined with an easy-to-use and intuitive management tool that lets you configure the access rules in the language of your business policy itself, the approach will certainly help you reduce your operating expenses as well. It is highly debated whether this sort of approach should be software-centric or hardware-assisted. While a software-defined approach gives you the cost benefits of lower capex, we cannot ignore the limitations associated with scale and throughput. Hence a hardware-assisted solution will be ideal for providing you with line-rate performance. An added advantage of the tag-based approach is the ability to extend tags to purposes other than access control itself. You can selectively enable network services such as quality of service and load balancing for each tag type depending on the policy configuration. That can justify any additional investment made on the hardware front for a new technology such as this. It seems quite certain that such a tagging mechanism could be the beginning of many new things for the modern enterprise, similar to the revolution which MPLS tags once brought to the service provider segment! Tomorrow is indeed for Identity!