Addressing the Onslaught of IoT and Mobile Devices with Context-Based Policies

Today, two-thirds of all business leaders believe their companies must accelerate the pace of digitalization to remain competitive.

For companies to garner the benefits of digitalization, the network must transform. Without a dynamic resilient network that securely delivers applications and connects devices, digital transformation grinds to a halt. Consistent granular policies throughout the entire network are critical to the digital transformation journey towards the autonomous enterprise.

With IoT and a mobile-first workforce, an organization’s attack surface today is larger than ever before. To cost-effectively manage security and ensure compliance for network access, IT needs a solution that can:

  • Deliver end-to-end visibility from the mobile edge to the data center to the multi-cloud
  • Enable flexible and powerful control of resources through context-based policy management
  • Provide automation to simplify mobile device onboarding

In my last blog post, “Automation, Visibility, and Access Policies – From the Edge to the Cloud,” I pointed out the importance of access policies. In this blog, I go deeper into how access policy actually works and what data needs to be collected and correlated to increase network assurance.


To ensure network security and meet compliance mandates, IT must be able to identify all of the devices connected to the network. They must also understand the risks associated with granting each kind of end system access to the network. As an example, the risks associated with an IT-managed desktop computer are very different from those associated with an employee-owned and largely unmanaged tablet.


Once a device is detected, identified, and the risk assessed, the proper controls must be placed on the access. The access policy should be granular and, to satisfy security and compliance requirements, it should enforce the principle of least privilege.


Only with a network access control solution that automatically discovers, risk assesses, and provisions devices is it possible to securely manage the diversity of IoT and mobile devices.

ExtremeControl provides visibility, control, and automation that allows organizations to cost-effectively and securely manage an autonomous enterprise.

Context-Based Policy Management

When onboarding a new device you can set additional granular policies to learn more about the device and user. The information enables better access control and provisioning decisions. Our ExtremeControl solution automatically discovers and tracks over 50 attributes per user and device on the network. This rich store of information provides more intelligent policy enforcement for security and compliance. Our network access control solution goes beyond simple role-based access control to eliminate potential security holes. It uses context-based policy management, enabling a single policy all the way from the edge, across the campus network, into the data center and multi-cloud.

Context-based access management extends access control decisions beyond username and role to include device type, identity, device location, day and time, authentication method, and device security posture.

Real Life Examples – Why You Want Context-Based Policy Management

Let’s make this real and talk about what you can do with context-based access management by setting granular policies with key attributes:

  • User Attributes: The username authenticates employees and distinguishes different employees and their roles from guests and contractors. The role is used to allocate privileges to a user. This can be used to grant access to required networked resources and applications as well as prioritizing or rate limiting traffic.

    For example, you can define the policy so that a guest user is given no access to data center servers and has only rate-limited Internet access. For an HR manager, you can restrict access to engineering servers or to protocols such as ICMP or SNMP. Engineers, on the other hand, may not need access to HR servers, but they do need to use those networking protocols.

  • Device Attributes are used to determine if the device is managed by the IT department or if it is a BYOD device. The device attributes also determine the type of device, e.g. IoT device or mobile phone, and the operating system.

    As an example, you might set the policy so that an authenticated user gets full access from an IT-managed laptop, but only limited access from a personal iPad.

  • Location: The location of a device can be determined as coarsely as wired vs wireless vs VPN (outside the corporate boundaries) or as granularly as switch and port, or SSID and access point. Access and provisioning can be applied differently to the same user and device based on location.

    In a healthcare organization, you can define the access policy so that a doctor sitting in a nearby coffee shop gets only limited or no access to sensitive patient data.

  • Day & Time: These access attributes enable you to define different policies for different periods, for example business hours or class time, to limit the risk during off hours.

    Another example: if you run a retail store and see an on-prem point-of-sale device become active outside business hours, that should raise a red flag.

  • Authentication Type: The strength of the method used to authenticate onto the network, such as MAC vs. Web vs. password vs. digital certificates vs. two-factor, affects the risk associated with granting access. ExtremeControl supports all standard authentication methods, so you can require the strongest authentication methods for high-level access.

    You can set the policy so that access to the PCI cardholder data environment is denied if a customer does not authenticate with 802.1X.

  • Device Security State: It’s critical to define access permission for devices based on their security state.

    For example, in a hospital, you can allow a physician’s iPad to access a patient’s EMR via a VDI client while the doctor is walking the patient wing. Microsoft Windows and Apple Mac OS X end systems can be assessed by a downloadable agent to determine whether they meet the organization’s minimum security requirements before they are granted access to networked resources.

    Agentless network-based scans can also be used for assessment: end systems that fail assessment can be denied access until the problems are corrected. You can quarantine any device that is not running an up-to-date anti-virus program.

  • Application Type: In many organizations, you want to restrict the use of applications for certain user groups. ExtremeControl together with Extreme Management Center lets you see who is accessing which application from which device. With this information you can prioritize certain users for individual applications and also limit access for, say, students to learning applications only.

The examples above describe use cases for several of the key access attributes. The strength lies in combining these attributes for fine-grained control that meets your organization’s security and compliance requirements.
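To make the combination concrete, here is an added illustrative rule engine that encodes the examples above into one access decision. It is not ExtremeControl code; the role names, resource names, authentication labels and business-hours window are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Context:
    role: str          # "guest", "hr_manager", "engineer", "physician" or "pos" (assumed labels)
    managed: bool      # True for an IT-managed device, False for BYOD
    location: str      # "wired", "wireless" or "vpn" (outside the corporate boundary)
    hour: int          # local hour, 0-23
    auth: str          # "mac", "web", "password", "cert", "802.1x" or "2fa"
    posture_ok: bool   # passed the agent-based or agentless assessment

@dataclass
class Decision:
    allow: set = field(default_factory=set)   # resources the session may reach
    rate_limited: bool = False
    quarantine: bool = False
    flags: list = field(default_factory=list)

BUSINESS_HOURS = range(8, 20)   # assumption: 08:00 to 19:59 local time

def evaluate(ctx: Context) -> Decision:
    d = Decision()
    if not ctx.posture_ok:            # security state: a failed assessment is quarantined
        d.quarantine, d.flags = True, ["posture assessment failed"]
        return d
    d.allow.add("internet")
    if ctx.role == "guest":           # user attributes: guests get rate-limited Internet only
        d.rate_limited = True
        return d
    if ctx.role == "hr_manager":      # HR sees HR servers but no engineering, ICMP or SNMP
        d.allow.add("hr_servers")
    elif ctx.role == "engineer":
        d.allow.update({"eng_servers", "icmp", "snmp"})
    elif ctx.role == "physician":
        d.allow.add("emr_vdi")
    if not ctx.managed:               # device attributes: BYOD never reaches the data center
        d.allow -= {"hr_servers", "eng_servers"}
        d.flags.append("BYOD: data center access withheld")
    if ctx.location == "vpn":         # location: no patient data from outside the boundary
        d.allow.discard("emr_vdi")
    if ctx.role == "pos":             # authentication type gates the PCI CDE
        if ctx.auth == "802.1x":
            d.allow.add("pci_cde")
        else:
            d.flags.append("PCI CDE denied: 802.1X required")
        if ctx.hour not in BUSINESS_HOURS:   # day & time: POS active off-hours is a red flag
            d.flags.append("POS terminal active outside business hours")
    return d
```

The same engineer gets engineering servers from a managed laptop but not from a BYOD tablet, and the same physician gets the EMR on the ward but not over VPN, which is the point of combining attributes rather than relying on role alone.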

“Healthcare IT is challenged with balancing the cost of securing medical devices within a budget, all the while taking into consideration patient care and the security of the hospital. ExtremeControl has enabled us to cost-effectively secure our medical devices with network segmentation and create a zero trust environment.” – AVP of Information Security Christopher Frenz, Interfaith Medical Center

Fine-Grained, Consistent Policies From the Edge to Multi-Cloud

The challenge of the autonomous enterprise is to build a policy-based infrastructure that reaches from the edge to the campus, the data center and the multi-cloud. Network assurance is critical to manage numerous IoT devices, mobile devices, and applications. In today’s heterogeneous networks, access policies need to be consistent and adapt automatically to network changes. To eliminate security holes, policies must be automatically rolled out across the entire network. With ExtremeControl and Extreme Management Center you can build a solid base for network assurance and enjoy the following key benefits:

  • Automated device and fabric deployments based on site policies
  • Fingerprinting and granular access control for users, devices, and applications
  • Virtual machine visibility and policy for VMware and multi-cloud environments
  • Management of visibility and control for multi-vendor devices
  • Device configuration checks for compliance with GDPR, PCI, HIPAA
  • Open API-based connectors with key security infrastructure vendors and industry-leading applications for enhanced network security

Only Visibility and Automated Granular Network Policies Can Secure Your Proprietary Data

With its context-based access control that collects and correlates numerous attributes for devices, users, and applications, ExtremeControl keeps you on top of security breaches and compliance issues. In The 8 Analytics Features You Need to Get Your Time Back I described the wide range of device and application analytics that Extreme Management Center correlates to provide a clear picture of the security status of devices connected to the network; thus simplifying risk assessment and fault resolution. Alerts for potential access risks and application performance degradations help you prevent data breaches and service interruptions. Machine-assisted tuning of network and application performance thresholds as well as smart packet capture for forensics further improves the security posture.

To learn more, request a demo of ExtremeControl.


This blog was originally authored by Bettina Baumgart, Senior Manager of Product Marketing.
