As employees force network managers to embrace bring-your-own-device (BYOD) policies, wireless LAN, mobility and...
network access control (NAC) vendors are scrambling to provide mobile device management solutions that take different approaches to solving the same problem.
“Over the last year [bring your own device] has really skyrocketed,” said Jared Griffith, CTO of Cinergy Wi-Fi, a Utah-based systems integrator that partners with wireless LAN vendors Ruckus Wireless and Aerohive. “Requests are coming in from users to bring devices that corporations can’t afford [to issue].”
Bring-your-own-device programs can enable companies to lower mobility costs while making employees more flexible and productive. For state of West Virginia employees, that flexibility could make a huge difference.
“It’s very costly to the state to purchase these devices. Second, most employees already have two devices because they’re restricted from using their state devices for personal use. This gives them more flexibility [so they can use] one device as opposed to two or three. Finally, It allows employees to take advantage of more current technologies,” said Kyle Schafer, CTO of the state of West Virginia.
To handle this shift toward bring-your-own-device programs, a number of vendors have released new products in the past few months. Enterasys Networks updated its NAC capabilities to simplify bring-your-own-device programs; network access control vendor Avenda Systems added features to its flagship product eTIPs 4.0, including an automated system for registering personal devices; Cisco Systems introduced a wireless-only license of its Identity Services Engine to support early personal device initiatives; and Ruckus Wireless introduced FlexConnect technology, aimed at automating authentication on its wireless LAN infrastructure.
Wireless LAN: A bring-your-own-device foundation
Building a stable and secure network that can support devices and the kinds of high-bandwidth applications users need to access can be the biggest challenge to a bring-your-own-device initiative, said Cinergy's Griffith.
“When people say they want to do bring-your-own-device, we look at the amount of users, estimate the paths for how people are getting on and what resources they are [accessing]. Are they high-bandwidth resources like streaming video and VoIP calls on their personal devices? Griffith said.
“It’s about protecting mission-critical applications. That comes down to good old-fashioned wireless LAN engineering. When I build this network, I have to build it based on the applications that are going to be on the network, not for coverage. If you build a network for coverage and then I add 50 devices to it, it slows the network down, if not crashing it completely.”
Authentication crucial in bring-your-own-device plans
Authenticating users and maintaining network security can carry a lot of management overhead, but these are crucial features to bring-your-own-device initiatives.
Cisco Systems' Identity Services Engine (ISE) for mobility is a server that makes network contextual policy decisions by combining the access control and security capabilities of 802.1x and NAC infrastructure with directory services, such as Microsoft Active Directory. Although ISE can require device security posture checks via NAC, ISE is on a user’s identity more than the individual device he is using.
“What you really want to do is associate policy with end users,” said Paul Durzan, Cisco director of mobility. “You don’t really care about what device they are bringing on the network. You just want to know that whenever [a user] logs on with his device that it really is him and that the device is secure and doesn’t carry malicious software.”
Ruckus Wireless takes a lighter-weight approach that doesn’t require NAC agents and 802.1x supplicants. Its new FlexConnect technology uses a dynamic pre-shared key (DPSK). On most consumer-grade wireless routers, shared key authentication is effective, but it doesn’t scale for an enterprise since all the users connected to the device share a single key that can easily fall into the wrong hands. With Ruckus’ DPSK, each user gets a unique, automatically generated key after authenticating to a central directory service such as Active Directory. The DPSK process is transparent to the user, who only enters a username and password into a login screen via a captive portal.
“I have one customer who uses DPSK and FlexConnect to connect 50-plus doctors who walk around a clinic with iPads,” Griffith said. “They use iPads for [Electronic Medical Records], they take notes, write prescriptions, look at X-rays, all off these devices. They connect into the network and VPN into [these services] as a session.”
Mobile device management solutions and virtual dekstops can help deliver applications securely
In the state of West Virginia government offices, state employees have generally relied on agency-issued BlackBerrys for mobility, but they've been pushing for email and calendar access on their personal iPhones and iPads. Until recently, Schafer’s staff has denied such requests, but after recognizing the advantages of a bring-your-own-device policy, the state engaged with mobile device management vendor Good Technology to support email and calendaring services on employee-owned devices.
With Good’s mobile device management solution, all state data contained within email and calendaring is secure, according to Rob West, West Virginia’s acting director of client services.
“Good completely segments off all state data from the rest of the phone,” West said. “It’s a separate, encrypted container. That allows us to wipe that portion as opposed to everything off the phone [if it’s stolen]. In addition to that, we require a password or pin access to that encrypted container.”
Now Schafer's staff is looking at solutions to put VPN capabilities on employees’ personal devices so that they can securely access applications like Microsoft SharePoint.
Meanwhile in San Jose, Calif., Campbell Union High School District director of technology Charles Kanavel has taken a different approach, adopting Citrix desktop virtualization and application virtualization technologies that allow students and staff to access resources through their own devices across a Cisco Systems-based wireless LAN. Students and staff can download a Citrix receiver app on their smartphones, tablets and laptops, authenticate with a username and password, and access dozens of applications and services.
“We decided that instead of figuring out a device that works for everyone and pushing it out that way, let’s work on the service,” Kanavel said. “If a kid wants to come in and work on AutoCAD on his mobile device, then our focus should be on making that service as rock solid and reliable as possible and accessible from lots of different devices and places. We can let the student worry about what device they want to use to access the service.”
Bring your own device: Beyond the technical challenges
Many IT managers are discovering that a bring-your-own-device policy must go beyond technology and into addressing cultural issues and legal ambiguities.
Schafer is not yet promoting his shop's bring-your-own-device policy because he's waiting for a few opinions from the attorney general's office. One of those outstanding issues is whether the Freedom of Information Act (FOIA) will mean that state workers who use personal devices for state business will have to turn over their phone records in response to a FOIA request.
“We’ve also recommended a [BYOD] stipend,” Schafer said. “If someone does use their own technology for work, they save us money from the state’s perspective, so we would like to encourage them to use their own technologies through a stipend program. But we need a legal opinion on whether that stipend should be considered taxable income.”
For Kanavel, teachers’ attitudes toward student-owned devices is one of its biggest BYOD challenges. Until recently, most teachers saw cell phone use in a classroom as a distraction or an opportunity for cheating, with students texting each other under their desks.
“I spoke to these teachers and said, 'You guys are constantly asking for more computers and more resources in the classroom. Well, smartphones today are as powerful as a laptop.’ I’m working with teachers on strategies on how they can incorporate them into a classroom,” Kanavel said.
Let us know what you think about the story; email: Shamus McGillicuddy, News Director.