As businesses embrace BYOD, network engineers have to face up to the security implications of random, roving personal devices connecting to the corporate WLAN and accessing networked applications and data. How can they keep a tight grip on security when network client machines are no longer nailed down? Is it possible to administer the relative chaos of an ever changing population of devices and keep pace with multiple device types and operating systems?
Three aspects to the security challenge
Network access
A tablet or smartphone together with its owner – if they haven’t been approved and registered by the network administration team for full access – may lack the right credentials to log on to the WLAN in a secure and trusted manner. This means they’re likely to use open guest access via a second insecure WLAN. The result is that data flowing to and from the device is open to eavesdropping and interception by a third party – something which may never be discovered unless or until there’s a security breach.
Data leakage
The second issue applies even to devices which have been approved and registered for secure access and which log on through an authorised and encrypted connection. This is data leakage – transporting secure and restricted documents or other data outside the corporate environment, which may happen through storing corporate data locally on the device itself or through the use of cloud storage solutions like Dropbox.
At such times – and, for example, when employees leave an organisation – it’s vital that a mechanism exists for revoking access privileges given to particular devices. Some devices also offer a remotely triggered erase facility for deleting any stored business data.
Compliance
Finally, engineers need to consider compliance, which is closely linked to security. More and more organisations are having to meet ever-stricter compliance and governance obligations. For sectors such as finance, insurance and healthcare there are statutory requirements such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act.
Companies may also make their own internal rules, such as IBM banning the use of iCloud and Dropbox. In more extreme situations BYOD may be outlawed altogether, as is now the case with almost 50% of companies in India following fears of information leaks.
Sweeping the impact of BYOD under the carpet risks reducing business efficiency, increasing operating costs and compromising security and confidentiality. Instead BYOD should be – and can be when properly integrated – an asset to the business.
In my next blog I’ll look at ways to maintain security of the wireless environment. You can also find more information in our wireless resource centre
About the Author:
Stéphane Persyn | Fluke Networks | @Flukenetentemea
Stéphane Persyn is currently the Fluke Networks Field Marketing Manager for their wireless solutions and network performance solutions for the enterprise. He has over 10 years’ experience in the entire AirMagnet portfolio, from designing, surveying and modelling enterprise WLANs to security, BYOD, WIPS and the 802.11 protocol. He also manages network performance solutions including OptiView XG and OneTouch.
Stéphane joined Fluke Networks from HP where he was an engineer for HP Services for business bustomers.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.