January 17, 2011

Counterpoint: Another approach to supporting iPads on the corporate network

The issues go beyond just the iPad, but it is a good example of how IT is challenged today: supporting new applications and devices every day while still being efficient and secure. Bring your own PC (BYOPC) programs are becoming increasingly popular for today's businesses since they allow individuals to work from the device of their choice, which not only increases employee satisfaction but also lowers IT costs. Bring your own (BYO) iPad, tablet, netbook, smartphone (you name it) poses even higher security and management challenges to corporate IT. And even if corporate devices are used, the fact that private data and sensitive corporate data reside together on a single device is a security concern.

Just imagine all the "apps" that typically get installed on today's smartphones and iPads. They are not controllable, so this opens a huge backdoor into today's enterprise IT infrastructures. And all of this happens on a variety of hardware and software platforms. Restricting the use of additional "apps" on the devices via organizational rules is not really a workable solution, and if one does so, the value of these new devices to the employee is suddenly very limited.

And, as always in IT, the world is grey, not black and white, and everyone has a different approach to the problem. Especially when it comes to NAC, I've seen a lot of different solutions being deployed by our customers since I took over the role of solution architect at the end of 2006. Luckily we architected it in a way that allows maximum flexibility.

Our NAC detects new devices on the infrastructure automatically and profiles them to determine the type of device. Various sources such as network-based assessment, DHCP OS fingerprinting, captive portal (used for remediation, registration and guest services) and external profilers can be used. The device type can be an operating system family, an operating system or a hardware type. Access to resources can be controlled using the device type information, without the need for authentication if desired, but it can be combined with strong authentication as well.

From my point of view there are pros and cons to the approach from my colleague Rich Casselberry. While one can detect obvious vulnerabilities, it is not really possible to control the apps on the device itself. Strong authentication helps to keep unwanted devices off the network. Combined with our device type detection mechanism in NAC, as stated before, one can at least restrict access by policy on non-IT-managed devices like an iPad, even if valid credentials are provided. But user and application behavior is not fully controllable, and access to various resources must be allowed so that the use of an iPad is beneficial to the user and the business.

Talking to a lot of customers with high requirements for data security and privacy, like banks and hospitals, I find they seem to be in favor of a "thin client" approach that can also be applied to BYO devices. Using virtual desktop infrastructure, the confidential data is not pushed out onto the device but only presented to the user. From my point of view this is the Holy Grail for endpoint security, especially when you can ensure that the device is always connected. This is reality for campus usage and is becoming reality at every location in the developed world. NAC along with our Enterasys policy can then ensure that only the VDI protocol into the data center can be used inside the corporate network, so no malicious attacks can originate from that device. And Internet services can still be accessed, so the apps on the device can provide the maximum benefit.
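As an added illustration of the two mechanisms described above (device profiling from DHCP fingerprints, and a device-type policy that lets unmanaged devices reach the data center only over the VDI protocol), here is a small Python example. It is not Enterasys or Extreme code: the DHCP option 55 fingerprints, the "managed" OS set and the VDI port are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample fingerprints: the DHCP option 55 (parameter request list)
# values below are illustrative placeholders, not real vendor signatures.
FINGERPRINTS: Dict[Tuple[int, ...], Tuple[str, str]] = {
    (1, 3, 6, 15, 119, 252): ("Apple iOS", "Tablet/Phone"),
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): ("Windows", "PC"),
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): ("Linux", "PC"),
}

MANAGED_OS = {"Windows"}      # assumption: OS families under corporate management
VDI_PORT = 443                # assumption: the VDI protocol rides on TCP/443


@dataclass(frozen=True)
class Rule:
    dst: str            # "datacenter" or "internet"
    proto: str          # "tcp", "udp" or "any"
    port: Optional[int] # None matches any port
    action: str         # "permit" or "deny"


def profile(option55: List[int]) -> Tuple[str, str]:
    """Map a DHCP parameter request list to (OS family, hardware type)."""
    return FINGERPRINTS.get(tuple(option55), ("Unknown", "Unknown"))


def policy_for(os_family: str) -> List[Rule]:
    """Managed devices get full access; anything else (including unknown
    devices) gets only VDI into the data center plus Internet access."""
    if os_family in MANAGED_OS:
        return [Rule("datacenter", "any", None, "permit"),
                Rule("internet", "any", None, "permit")]
    return [Rule("datacenter", "tcp", VDI_PORT, "permit"),
            Rule("datacenter", "any", None, "deny"),
            Rule("internet", "any", None, "permit")]


def decide(option55: List[int], dst: str, proto: str, port: int) -> str:
    """Profile the device, then evaluate its policy first-match; default deny."""
    os_family, _hw = profile(option55)
    for r in policy_for(os_family):
        if r.dst == dst and r.proto in ("any", proto) and r.port in (None, port):
            return r.action
    return "deny"
```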

Anyway, this is another approach to the problem of supporting consumer devices on the corporate net. How are you handling the issue?

About The Contributor:
Markus Nispel, Vice President Solutions Architecture and Innovation

Markus Nispel is the Vice President Solutions Architecture and Innovation at Extreme Networks. Working closely together with key customers, his focus is the strategic solution development across all technologies provided by Extreme. In his previous role he was responsible, as Chief Technology Strategist and VP Solutions Architecture, for the Enterasys Networks solutions portfolio and strategy, namely NAC (Network Access Control), SDN (Software Defined Networks), DCM (Data Center Management), MDM (Mobile Device Management) integration, OneFabric, OneFabric Connect and OneFabric Data Center, as well as the network management strategy. This position is tied to his previous role in Enterasys as Director Technology Marketing and as a member of the Office of the CTO. In addition to this role he advises key accounts on a worldwide basis in strategic network decisions. Before his work for Enterasys, Markus Nispel was active as a system engineer at Cabletron Systems. Markus Nispel studied at the university of applied sciences in Dieburg and graduated in 1996 as Dipl.-Engineer for communications technology. He gained his first professional experience at E-Plus Mobile Communications within the network optimization group of their DCS cellular mobile network.
